Where and how employees work has changed drastically in the last decade. Workers used to only be able to access corporate resources while working at the office.
But in today’s working environment, employees have taken work out of the office, into their homes, and onto their mobile devices. In the age of this digital transformation, and to support an increasingly mobile and remote workforce, it is crucial for IT and cybersecurity teams to get security right.
Modern corporate security goes beyond traditional perimeter-based security models and also employs “zero trust” security models. Zero trust security models provide additional layers of security, particularly for remote work and cloud environments. Authentication is a first step in achieving a zero trust security model, and it starts with verifying that the person at the other end of the desktop, laptop, or mobile device is indeed a colleague, not a cybercriminal.
Identity and access management (IAM) software, also known as “workforce identity” or “employee identity” and access tools, helps companies ensure that only permissioned users (such as onsite employees, traveling employees, or remote contractors) can access corporate applications and data. The IAM software authenticates a user’s identity before granting them access to the company assets they have specific permissions to use. For example, a company’s chief financial officer should likely have access to the company’s accounting software, but a person on the sales team should not. Getting employees to adopt these kinds of security tools on a daily basis is critical, which is why IAM solutions are designed to offer intuitive, user-friendly experiences.
What is authentication?
Authentication is the process of verifying users’ identities, that is, confirming that users are who they say they are. The process requires users to prove their identity in one or multiple ways before receiving access to an account. Authentication can include a combination of factors, such as something a user knows, something a user owns, a personal user habit, or the user’s location. These might include passwords, mobile phones, fingerprints, a specific hand gesture, or the IP address of the user’s device.
Providing positive, secure authentication and access experiences for remote employees
The best security tools are ones that people actually use. Slow, outdated technology can prevent employees from being productive at work. Therefore, providing remote workers with easy-to-use access to their everyday systems is critical for a company’s productivity and bottom line.
IAM software offers a number of user-friendly tools—including single sign-on functionality—that facilitate a smooth, secure authentication and login process for end users to access all of their business-critical applications by signing in only once. This reduces password fatigue and gets employees up and running with their applications faster.
Deploying authentication solutions like IAM software also helps prevent users from implementing shadow IT solutions, where employees utilize their own, unsanctioned (and potentially risky) software or hardware to solve their business needs. Having easy-to-use access processes also helps prevent employees from accessing data via other means, such as downloading personal copies of sensitive business data to use on their own local machines, which introduces security and privacy risks. Data loss prevention tools can also assist with preventing data from being downloaded in this fashion.
To help buyers of IAM software determine which software is best for them, G2 has compiled a Usability Index for Identity and Access Management (IAM) | Winter 2020, which scores software on ease of administration and ease of use based on reviews of current IAM software users. The next iteration of this report will be published in late March 2020, so check back for updates.
Using IAM software in a zero trust security model
According to a 2019 study by the Cloud Security Alliance, 69% of organizations are migrating data for business-critical applications to the cloud—which means security needs to adapt. Previously, perimeter security was considered sufficient to protect on-premises assets; however, to secure data that resides offsite, companies have adopted a zero trust security model to protect their businesses. IAM tools are part of a zero trust security model solution.
What is the zero trust security model?
The zero trust security model can be summed up as, “trust no one,” meaning that companies do not trust any user on their network, even those who are working inside the network perimeter, such as on-site employees. Zero trust security tools provide ways for security administrators to monitor endpoints like laptops and mobile phones. They also monitor user behavior while on the network to flag any abnormal activities, like data extraction or other actions taken by criminals and malevolent actors.
Let’s use an analogy to explain perimeter-based security. Imagine a charity is hosting a gala dinner at a hotel ballroom. As attendees enter the hotel lobby, they are greeted by bouncers who ask guests for their names and a secret phrase. Once the attendees’ names are checked against the list and they provide the correct secret phrase, the bouncers open the red velvet ropes and let the attendees into the party. While the attendees are at the event, they are free to move around, mingle, perhaps stop at the bar, peruse the dessert tray, and generally have a merry time, no questions asked. In this analogy, the bouncers represent the company’s perimeter security and the attendees represent corporate users, like employees. Once the attendees provide their names and the correct secret phrases (i.e., usernames and passwords), they are free to wander around the party (i.e., access what they need to on the corporate network).
Zero trust security model for mobile workforces and cloud environments
However, with today’s mobile workforce accessing corporate applications—either on-prem via VPNs or via cloud-based applications—is perimeter security enough? No. This is why, in addition to perimeter security, many companies employ a layered, zero trust security model. In this model, no users are trusted and they must authenticate to access assets, even if they are already in the network.
Let’s return to the hotel gala analogy, this time to explain how zero trust security works. Say that, in addition to attending the event, some attendees are also spending the night in hotel guest rooms. A zero trust security environment operates similarly to how hotel guest rooms are secured: guests check in and are given a keycard to access the elevators and the guest room lock. Just because a guest has access to the hotel’s main lobby and public meeting rooms (i.e., the network) does not mean that the guest should also be able to access the hotel elevators or ultimately the hotel guest rooms (a company’s data or applications) without permission.
Ultimately, whether a company needs to secure a hotel guest room in the physical environment or a dataset in the cloud, a layered approach to security is key.
IAM software makes user adoption and administration easier
The best security solutions are the ones that are used. Having security tools that are easy to use, and that improve the end-user authentication experience, is critical for solution adoption, and IAM software meets the needs of both security teams and a company’s workforce.