Chakib Jaber
Chief Technology Officer
SpinSys

A robust identity and access management (IdAM) strategy has become an integral part of today's sophisticated enterprise IT environment. IdAM is central to the growth of cloud computing because an increasingly distributed, mobile workforce makes it far harder to know who is accessing what, and from where. As organizations and their networks grow, the benefits they gain are only as great as their network security: a single weakness in the system can lead to a breach that severely compromises the organization. Attackers specifically seek out these neglected gaps to gain unauthorized entry into a private network.

For this reason, a strong IdAM strategy is of paramount importance to every organization that operates on digital platforms. It is a fundamental part of IT security, in the same way that the risk management framework (RMF) provides the process for selecting, implementing and assessing the security controls a network requires.

Access Management Development Today

Organizations face a wide range of hurdles when addressing security concerns today. The growing responsibility for authenticating user identities and managing access to enterprise resources requires robust security controls, which can come at the cost of productivity. How can organizations maintain information security for a remote workforce when they have inherently less control over its work routines?

Historically, Department of Defense (DoD) and commercial organizations relied on integrating a wide range of products from multiple vendors to meet the security demands of the business. Today, however, the market is shifting toward consolidated vendor solutions that aim to provide a centralized IdAM platform: centralized access management, automation, reporting, and contextual application of security policies. Such a platform gives IT departments the visibility and control they need.

Robust controls also mean that many cloud-based applications each require their own separate password. Organizations are therefore looking to secure single sign-on (SSO) solutions so that employees authenticate once and no longer have to manage a separate user name and password for every SaaS application, such as Salesforce. SSO concentrates authentication in the identity provider, so that provider must itself be protected with strong multi-factor authentication.

In addition, adding and removing employee access to enterprise systems adds a further layer of complexity. Managers need to track everything a former employee had access to in order to ensure every account is closed, because unattended accounts are an open door for attackers. Manually de-provisioning old user rights is time-consuming, labor-intensive and prone to human error. Automating provisioning and de-provisioning, driven by the timing of employee arrivals and departures in the HR system, helps keep the IT environment secure. The same automation can grant and remove access for outside contractors, guests, and vendors at exactly the right times, for example by disabling an account on the contract end date, which further reduces the window for misuse.
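As an added illustration, not SpinSys code or any product's, the following Python shows the reconciliation a provisioning job runs on a schedule: it compares the HR system's view of who should have access on a given day with the directory's view of who does, and emits the create, enable, disable and orphan actions. The HR records, account names and dates are constructed for the example.

```python
"""Joiner/mover/leaver reconciliation between an HR feed and a directory snapshot.
Added example with constructed data; not part of the original article."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    person_type: str      # "employee", "contractor", "vendor", "guest"
    start: date
    end: Optional[date]   # None = open-ended (employees); contractors/guests get a hard end date


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool


def active_on(rec: HrRecord, day: date) -> bool:
    """A person is entitled to access only inside their HR start/end window."""
    return rec.start <= day and (rec.end is None or day <= rec.end)


def reconcile(hr_feed: List[HrRecord], accounts: List[Account], day: date) -> Dict[str, List[str]]:
    """Return the actions the provisioning job must take on `day`:
      create  - HR says active, no account exists yet
      enable  - HR says active, account exists but is disabled (e.g. returning contractor)
      disable - account enabled but HR says inactive (left, or end date passed)
      orphan  - enabled account with no HR record at all: the classic forgotten account
    """
    hr_by_id = {r.user_id: r for r in hr_feed}
    acct_by_id = {a.user_id: a for a in accounts}
    actions: Dict[str, List[str]] = {"create": [], "enable": [], "disable": [], "orphan": []}

    for uid, rec in hr_by_id.items():
        should_be_active = active_on(rec, day)
        acct = acct_by_id.get(uid)
        if should_be_active and acct is None:
            actions["create"].append(uid)
        elif should_be_active and not acct.enabled:
            actions["enable"].append(uid)
        elif not should_be_active and acct is not None and acct.enabled:
            actions["disable"].append(uid)

    for uid, acct in acct_by_id.items():
        if acct.enabled and uid not in hr_by_id:
            actions["orphan"].append(uid)

    for lst in actions.values():
        lst.sort()
    return actions


# Constructed sample data (hypothetical people and accounts).
HR_FEED = [
    HrRecord("alice", "employee", date(2019, 3, 1), None),
    HrRecord("bob", "employee", date(2017, 6, 12), date(2024, 1, 31)),     # left the company
    HrRecord("carol", "contractor", date(2024, 2, 1), date(2024, 4, 30)),  # fixed-term engagement
    HrRecord("dave", "vendor", date(2024, 2, 15), date(2024, 2, 16)),      # one-day on-site visit
]
DIRECTORY = [
    Account("alice", True),
    Account("bob", True),         # still enabled weeks after departure
    Account("carol", False),      # pre-created, not yet enabled
    Account("svc-legacy", True),  # nobody in HR owns this one
]

if __name__ == "__main__":
    for day in (date(2024, 2, 15), date(2024, 5, 1)):
        print(day, reconcile(HR_FEED, DIRECTORY, day))
```

Running the job for 15 February 2024 disables bob (whose end date has passed), enables carol on her first day, creates dave for his one-day visit, and flags svc-legacy as an orphan; on 1 May the only remaining actions are bob's disable (until it is actually carried out) and the orphan. The point of keying everything off the HR dates rather than off manual tickets is that the contractor and vendor accounts expire without anyone having to remember them.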

Another challenge for the IT department is monitoring user systems when the organization permits employees to bring their own device (BYOD). Organizations need scalable user-access solutions that can accommodate the growing number of smart devices on the "Internet of Things." Taking into account both corporate guidelines and the regulatory compliance standards of the industry, the right system lets administrators grant and revoke user privileges quickly and securely.

Government Transition Away From Smart Cards

Currently, the U.S. Department of Defense (DoD) relies primarily on credit-card sized common access cards (CAC) and personal identity verification (PIV) cards for authentication. While these smart cards provide multi-factor authentication and help restrict access to websites, applications, devices, and Federal facilities, they are not a foolproof security measure.

Interviews with DoD staff for C4ISRNET.com reveal plans to update their security systems. CAC and PIV cards form part of a two-factor verification process: DoD employees insert their card into a smart card reader attached to a desktop or laptop computer, and then must enter the correct password or PIN to access the network, application, or device. The card is the possession factor and the PIN or password is the knowledge factor.

However, such methods are not suitable for smartphones and other mobile devices, which would require an external card reader that is cumbersome, or even dangerous, to use in certain active-duty situations.

To tackle mobile device security, the Defense Information Systems Agency (DISA) created two programs with strict security controls. The DoD Mobility Unclassified Capability (DMUC) handles sensitive but unclassified communications on mobile devices, and the DoD Mobility Classified Capability (DMCC) provides approved classified mobile communications.

DoD is currently piloting the use of "soft" certificates on mobile devices. These "soft" certificates, known as derived credentials (the model NIST describes in SP 800-157), are issued to a mobile device only after the user has proven their identity with an existing credential, normally a PIV card or CAC; the new credential is derived from that existing identity proofing instead of requiring a card reader on the device. This allows the military to securely support many commercial off-the-shelf (COTS) mobile devices. Advanced biometric measures are likely to come into play to counter the added risk of placing derived credentials on mobile devices, since the private key then lives in the device's keystore rather than on a tamper-resistant card.
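To make the derived-credential flow concrete, here is an added Python model of the issuance step; it is not DoD, DISA or SpinSys code. It assumes the third-party `cryptography` package is installed, an agency CA that issued the user's PIV authentication certificate, and keys, names and validity periods that are all constructed for the demonstration. The issuer hands out a challenge, the card signs it, and only after the PIV certificate chains to the CA and the signature verifies does the device's own key get certified under the same identity.

```python
"""Derived-credential issuance after proof of possession of a PIV/CAC key.
Added example; assumes the `cryptography` package. All keys, certs and names are constructed."""
import os
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def now_utc() -> datetime:
    return datetime.now(timezone.utc)


def validity(cert):
    """(not_before, not_after) as aware datetimes across cryptography versions."""
    if hasattr(cert, "not_valid_after_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=timezone.utc),
            cert.not_valid_after.replace(tzinfo=timezone.utc))


def new_key():
    return ec.generate_private_key(ec.SECP256R1())


def sign_challenge(private_key, nonce: bytes) -> bytes:
    return private_key.sign(nonce, ec.ECDSA(hashes.SHA256()))


def agency_name(cn: str) -> x509.Name:  # hypothetical agency, example only
    return x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Agency"),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue_cert(subject, issuer_name, issuer_key, public_key, not_after, is_ca=False):
    """Minimal X.509 issuance; a real PIV profile carries many more extensions."""
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer_name).public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now_utc() - timedelta(minutes=5))
            .not_valid_after(not_after)
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))


class DerivedCredentialIssuer:
    """Certifies a mobile device's own key only after the applicant proves
    control of a valid PIV/CAC authentication key that chains to the agency CA."""

    def __init__(self, ca_key, ca_cert):
        self.ca_key, self.ca_cert = ca_key, ca_cert
        self.open_challenges = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(32)
        self.open_challenges.add(nonce)
        return nonce

    def issue_derived(self, piv_cert, nonce, signature, device_public_key, max_days=365):
        # 1. Fresh, single-use challenge so an old signature cannot be replayed.
        if nonce not in self.open_challenges:
            raise ValueError("unknown or replayed challenge")
        self.open_challenges.discard(nonce)
        # 2. The PIV certificate must chain to our CA and be inside its validity window.
        #    (A production issuer also checks revocation via CRL/OCSP; omitted here.)
        if piv_cert.issuer != self.ca_cert.subject:
            raise ValueError("PIV certificate not issued by the agency CA")
        self.ca_cert.public_key().verify(piv_cert.signature, piv_cert.tbs_certificate_bytes,
                                         ec.ECDSA(piv_cert.signature_hash_algorithm))
        not_before, not_after = validity(piv_cert)
        now = now_utc()
        if not (not_before <= now <= not_after):
            raise ValueError("PIV certificate outside its validity period")
        # 3. Proof of possession: the card's private key must have signed this challenge.
        try:
            piv_cert.public_key().verify(signature, nonce, ec.ECDSA(hashes.SHA256()))
        except InvalidSignature:
            raise ValueError("possession of the PIV key was not proven")
        # 4. Certify the device key under the same identity, never outliving the PIV cert.
        derived_not_after = min(now + timedelta(days=max_days), not_after)
        return issue_cert(piv_cert.subject, self.ca_cert.subject, self.ca_key,
                          device_public_key, derived_not_after)


def demo():
    """End-to-end run on constructed keys; returns the pieces a caller can inspect."""
    ca_key = new_key()
    ca_cert = issue_cert(agency_name("Example Agency CA"), agency_name("Example Agency CA"),
                         ca_key, ca_key.public_key(), now_utc() + timedelta(days=3650), is_ca=True)
    piv_key = new_key()                         # stays on the smart card
    piv_cert = issue_cert(agency_name("jane.doe"), ca_cert.subject, ca_key,
                          piv_key.public_key(), now_utc() + timedelta(days=90))
    device_key = new_key()                      # generated on the phone, never leaves it
    issuer = DerivedCredentialIssuer(ca_key, ca_cert)
    nonce = issuer.challenge()
    derived = issuer.issue_derived(piv_cert, nonce, sign_challenge(piv_key, nonce),
                                   device_key.public_key())
    return ca_cert, piv_cert, piv_key, device_key, derived, issuer
```

The issuer only ever sees the device's public key: the PIV private key stays on the card and the device key stays in the phone's keystore, which is exactly why the protection of that keystore (and any biometric unlock in front of it) matters. Step 2 would in practice also consult the CA's revocation data, and the derived certificate would carry the PIV profile's extensions and policy identifiers rather than the bare BasicConstraints used here.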

The Evolution Of IdAM

Even as the number of digital activities and projects continues to expand, network-access strategies need to scale while still giving a comprehensive, in-depth view of the flow of information. A centralized approach to a robust IdAM solution can ease management pains, streamline provisioning and de-provisioning, and boost user productivity while lowering costs and reducing demands on the IT department. Those who manage network accounts must continue to broaden their skill sets to include IT security, risk management procedures, and the latest privacy innovations.