Centralized Access Management Needs to Be Secure and Selective
Give a kid free reign in a candy shop, and you know what will happen. They won't fill their bag with gummy bears alone—they’ll go for a mix of different treats! Gummy worms, sour patches, peanut butter cups, M&Ms, you know the list.
Much like a kid in a candy shop, the modern employee now demands the freedom to use best of breed applications to do their job. They won't be restricted to the legacy tools provided by their organization. Employees want the ability to work on any device, from any location. At the same time, businesses are not only managing more applications, locations, and devices, but also more types of users. As businesses continue to expand their network of users to outsiders like partners, vendors, and contractors, it's becoming more difficult to secure their environment.
This expanded network means an increased number of outside users that move in and out of a business’ environment more frequently than traditional employees. They are also coming from locations and devices that organizations may not recognize and/or control. Plus, these third-party users typically only need limited access to specific internal resources, so it’s imperative that businesses have a process for providing them with secure and selective access.
Satisfy a third-party user’s sweet tooth—securely
To address these challenges, businesses need to deploy technologies and tactics that enable secure and seamless access to their systems. This begins with a strong Identity and Access Management strategy, which can be deployed in a number of ways, depending on the organization’s level of maturity.
Adopt single sign-on
The first step is providing partners and contractors with secure and seamless access to business systems. Single sign-on (SSO) centralizes user access to all apps through a single portal that can be used on any device, reducing all of the user’s business-related usernames and passwords to just one set of credentials.
Take a federated approach
Federation standards, such as SAML or OpenID Connect, can help businesses take control of vendor access management by removing potential access to resources outside of Okta. Behind the scenes of SSO products, federated approaches are inherently more secure, as they use public and private keys to validate identities, removing the need for passwords, which can be forgotten or stolen. A federated approach also enables organizations to immediately revoke partner access to their identity provider once a contract has ended.
By using federated SSO, businesses can simplify resource access and ensure that users—both internal and external—only have access to the apps they are authorized for. As a result, partners, vendors, and contractors can quickly connect to the tools they need, and nothing more.
Implement password vaulting
Since many applications still don’t support federation, password management will continue to persist in the short term. Password vaulting simplifies managing passwords as stores and protects usernames and passwords in a secure, encrypted format. Users can access their credentials through their SSO solution, which can generate and suggest complex passwords for each application they use. With this approach, users only have to remember a single password and can improve their password hygiene by not using the same easy-to-guess password across multiple systems.
Go passwordless
We are quickly moving to a world where we can be rid of passwords altogether. As businesses grow and their partner networks expand, passwords (inherently insecure) are becoming unmanageable. Opting for other authentication methods like OTPs or biometrics could help minimize the risks of working in a password-centric environment.
Securing user choice
Working with hundreds or even thousands of users means that there’s an increased opportunity for bad actors to sneak in through the cracks. As such, it is business-critical that organizations are certain that each user is who they say they are when they try to access a system, file, or app.
Weave in adaptive multi-factor authentication
Building multi-factor authentication (MFA) into identity management puts extra precautionary steps in place to minimize security risks and protect both the employee and the business. By adding additional layers of security, MFA goes the extra mile in verifying identity.
Modern SSO and MFA solutions have unique insights into user behavior and user context. What device is the user coming from? Is it updated with the latest patches? Do we trust the IP address? Is this a new location that the user has never signed on from before? These signals, among many others, are used to drive policy decisions that ultimately allow or deny access to users.
Technologies like single sign-on and multi-factor authentication will help ensure that users can continue to be the proverbial kid in a candy shop, but in a secure way. Providing secure access to internal system and apps that users need will be vital as businesses expand their networks and as contractors come and go.
Interested in learning more about how companies can provide secure and selective access to vendors, partners, and contractors? Read our whitepaper, 5 Questions IT Must Address to Provide Secure Access for Vendors and Partners.