In part one of this blog series, we showed how access governance, combined with automated provisioning and de-provisioning of user accounts, is essential in preventing internal data breaches on an organization's network. Today we are going to take it a step further and discuss how to protect against these internal threats in a hybrid IT environment.
There are many solutions on the market focused solely on cloud data protection or solely on network data protection. We have found the reality of most IT environments to be a combination of both. To best offer guidance on protecting against internal threats, let's look at a hybrid solution for a hybrid problem; namely, HelloID.
Current Situation
Password protection is currently a high priority for corporations, with incidents such as the Hawaii Emergency Management Agency accidentally revealing a password written on a Post-It note during a televised report drawing increased attention. That was one of the higher-profile cases, but with 18 years in the Identity Governance and Administration (IGA) industry, we see this kind of password exposure day after day in organizations of all sizes.
Today's corporate environment relies on so many systems and applications that users become overwhelmed by the number of separate credentials required to access each one. Different logins have different complexity requirements and different password expiration schedules. It is no wonder that Post-It notes are a popular way of keeping track of passwords.
Ease of Access
Recently, it has become more common for employers to allow their employees to work outside the traditional office space. With laptops, tablets and mobile devices, there is little reason for an employee to be at their desk to get their work done. While this expansion of work outside the office benefits employees, it has brought with it numerous security issues. Employers need to ensure that employees have access to all the applications they need to do their work, while also ensuring that the organization's data is accessed securely and only by the intended user. With the ever-increasing threat of data breaches, the security of company information is of the utmost importance. The question becomes: is it possible for employees to access company applications securely from anywhere and on any device? The answer is yes, with Tools4ever's Identity-as-a-Service solution, HelloID.
HelloID is a web-based Single Sign-On solution that lets employees log in to a portal with a single set of credentials to reach all of their applications. The user's view of the portal shows only the applications they are permitted to access. Users can log in to this portal from anywhere, at any time, on any device; all they need is an internet connection.
Efficiency
Now that access is simple with just one login (reducing both passwords written on Post-Its and downtime for users), how do we make granting and revoking access efficient as well?
When an employee starts a new position, the first thing they need is access to the applications and file shares relevant to their job. To avoid the labor-intensive and error-prone manual provisioning process, HelloID offers provisioning and self-service features that take routine requests out of the hands of IT and the helpdesk.
With HelloID’s Self-Service and Workflow Management feature, you can easily publish and manage your internal IT product catalog. Via the portal, users can request access to applications or data from the catalog. The data owner (typically the manager) can approve these requests with a single click. Then, the approved changes are processed automatically within the IT infrastructure. For example, an employee can request access to a project folder via the HelloID portal and the data owner can click approve to grant instant access to that employee.
Changes are handled and registered uniformly without ever passing through the helpdesk. This dramatically reduces the helpdesk's workload and the human error that can lead to an internal breach, and the uniform registration of every change gives you a consistent record of who was granted what, and when.
A major benefit of this automation is the scalability it provides. With credential and access management automated, the systems administrator no longer has to manually manage every user's access to the files and applications they need. This reduces the human error factor and frees up IT time for more important tasks. HelloID also gives companies insights such as which employees are actually active in the applications they are licensed for, allowing managers to revoke excess licenses and save money.
Secure Access
HelloID allows IT administrators to enforce company access policies through the portal's configuration settings. The customizable and transparent nature of HelloID's portal strengthens security and produces the audit trails needed for compliance regimes such as HIPAA, SOX, PCI and FERPA. For example, an administrator can decide how end users authenticate to the portal and apply that method at the individual or group level. The authentication method can also be extended with a PIN code delivered via email or SMS as a second factor (Two-Factor Authentication). This PIN code adds an extra layer of assurance about the user's identity. Note that codes delivered over SMS or email are the weaker form of second factor, since they depend on the security of the phone number or mailbox; where possible, prefer an app- or token-based OTP such as the RADIUS-backed option described below. IT administrators can also limit the time of day at which the portal may be accessed and restrict the locations from which a login is accepted, to guard against unauthorized access. Most importantly, when a user leaves the organization, they can be deactivated in the portal without ever having known the individual credentials for each application. Access to all applications is revoked safely with one click, preventing a potential internal data breach.
HelloID's RADIUS support extends the Two-Factor Authentication functionality to any One-Time Password (OTP) solution that can be reached over RADIUS. When a user accesses the HelloID portal with RADIUS enabled, the login is first evaluated against the configured Access Policies (time of day, acceptable IP address, acceptable geographic location, etc.); the user is then prompted for AD credentials, which are verified via the HelloID agent; and finally the user is prompted for a one-time password, which is verified via RADIUS. The OTP provider is configured in HelloID's management dashboard. The user reads the current OTP from their token, typically a smartphone app, and each code is commonly valid for only 30 seconds.
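The two preceding paragraphs describe a portal login as an ordered set of checks: access policy (time of day, source network), then the user's password, then a 30-second one-time password. The block below is an added example written for this post, not HelloID's own code, showing what those checks look like when implemented: a standard RFC 6238 TOTP generator, a verifier that tolerates one step of clock skew but refuses to accept a code's time step twice (so a phished or shoulder-surfed code cannot be replayed even within its 30 seconds), and a policy object evaluated before any secret is touched. The password step is omitted, since in the flow above it is handled by the HelloID agent against AD. The user name, networks, office hours and timestamps are constructed for the example; the secret is the RFC 6238 reference key, so the generated codes can be checked against the RFC's published vectors.

```python
import hashlib
import hmac
import ipaddress
import struct
from datetime import datetime, timezone

# RFC 6238 reference secret (ASCII "12345678901234567890"). The users, networks,
# office hours and timestamps used below are constructed for this example.
RFC6238_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Verifies TOTP codes with a small clock-skew window and rejects replays.

    A code is only valid for its 30-second step, so whoever captures one has seconds
    to use it; refusing to accept the same step twice closes even that window.
    """

    def __init__(self, step: int = 30, digits: int = 6, skew_steps: int = 1):
        self.step = step
        self.digits = digits
        self.skew_steps = skew_steps
        self._secrets = {}        # user -> enrolled secret
        self._last_counter = {}   # user -> highest time step already accepted

    def enroll(self, user: str, secret: bytes) -> None:
        self._secrets[user] = secret

    def verify(self, user: str, code: str, unix_time: int) -> bool:
        secret = self._secrets.get(user)
        if secret is None or len(code) != self.digits or not code.isdigit():
            return False
        current = unix_time // self.step
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            counter = current + delta
            # A step at or below the last accepted one is a replay: never accept it.
            if counter <= self._last_counter.get(user, -1):
                continue
            # Constant-time comparison so a wrong code leaks nothing via timing.
            if hmac.compare_digest(hotp(secret, counter, self.digits), code):
                self._last_counter[user] = counter
                return True
        return False


class AccessPolicy:
    """Source-network and time-of-day restrictions, evaluated before any credential check."""

    def __init__(self, allowed_networks, start_hour_utc: int, end_hour_utc: int):
        self.networks = [ipaddress.ip_network(n) for n in allowed_networks]
        self.start_hour = start_hour_utc
        self.end_hour = end_hour_utc

    def allows(self, src_ip: str, unix_time: int) -> bool:
        addr = ipaddress.ip_address(src_ip)
        if not any(addr in net for net in self.networks):
            return False
        hour = datetime.fromtimestamp(unix_time, tz=timezone.utc).hour
        return self.start_hour <= hour < self.end_hour


def portal_login(policy: AccessPolicy, verifier: TotpVerifier, user: str,
                 src_ip: str, code: str, unix_time: int) -> tuple:
    """Policy first (cheap, touches no secrets), then the one-time password.

    The password check (AD credentials via the agent in the original flow) would
    sit between the two and is omitted from this example.
    """
    if not policy.allows(src_ip, unix_time):
        return (False, "denied by access policy")
    if not verifier.verify(user, code, unix_time):
        return (False, "invalid or replayed one-time password")
    return (True, "ok")


if __name__ == "__main__":
    policy = AccessPolicy(["10.0.0.0/8", "203.0.113.0/24"], 7, 19)
    verifier = TotpVerifier()
    verifier.enroll("alice", RFC6238_SECRET)
    now = 1111139909  # 2005-03-18 09:58:29 UTC, inside the 07:00-19:00 window
    code = totp(RFC6238_SECRET, now)
    print(portal_login(policy, verifier, "alice", "10.1.2.3", code, now))   # accepted
    print(portal_login(policy, verifier, "alice", "10.1.2.3", code, now))   # replay, rejected
    print(portal_login(policy, verifier, "alice", "198.51.100.7", code, now))  # wrong network
```

Two design points are worth noting. The replay record is per user and strictly increasing, which means that once a code for the next step is accepted under the skew allowance, a code for the current step is no longer valid; that is intentional, since the alternative (a set of recently used codes) is easier to get wrong. The policy evaluates hours in UTC for simplicity; a real deployment would evaluate them in the user's or site's local zone, and a geographic restriction would sit in the same place as the network check.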
Compromised credentials are among the leading causes of internal breaches, and the more usernames and passwords we have to manage, the worse our password hygiene becomes. HelloID combines SSO with two-factor authentication to keep both users and system administrators happy: access is secure, simple, and available to users around the clock.