Proper user and permission management has become key in protecting applications and data.
Throughout 2020 and 2021, organizations that had listed “migrating to the cloud” as one of their priorities in years prior were almost all forced to put that plan into motion. Employees found themselves not only working from home but also from almost anywhere.
Even as offices begin to welcome employees back on either a full-time basis or as part of a hybrid arrangement, cloud applications have become ingrained in day-to-day tasks. Although businesses have eliminated some classic security threats by migrating to cloud software and SaaS products, many of these security threats have reinvented or redefined themselves and still pose a risk to organizations.
The New, Old Security Issues for Organizations
On average, organizations used 110 SaaS apps in 2021, all of which require at least one administrator. With so many systems filling different needs, it would be impossible for one or two people at an organization to administer them all. Therefore, long-time IT admins are giving administrator access to people who have never been system admins and who aren’t fully trained in how to set up granular permissions. As a result, these new admins are over-permissioning users, giving employees administrator access they do not need to do their jobs. This can result in improperly trained users having power as administrators, which has resulted in three-quarters of compromises coming from over-permissioned users.
Old-fashioned email scams have resurfaced … with a new twist. Phishing has become a popular way to gain users’ trust and get their credentials, which in turn gives attackers access to the user’s account (or accounts, if the user is reusing passwords). Last year, more than 75% of organizations said they experienced a successful phishing attempt, experienced bulk phishing attacks, faced business email compromises, or saw spearphishing attacks (which are targeted phishing attacks on specific users). Compromised users, especially in tandem with over-permissioning, are a recipe for serious security issues.
It’s enough to worry about current employees and insider threats, but improper user lifecycle management is yet another issue that has seemingly reinvented itself in the era of SaaS.
It used to be that when an employee left their company, an organization would set up an email forward, reset the password, and that was it. Now, users have access to so many different SaaS systems (again, on average about 110 of them per organization) that it’s easy to miss systems when users are being offboarded. In fact, more than half of people recently surveyed said they know someone who, after leaving their organization, still had access to their former employer’s applications or data.
The solution – IAM: Identity Access Management
What is Identity Access Management?
A popular solution to these new IT issues is Identity Access Management, or IAM for short. IAM is made up of two key parts: identity management, which deals with authenticating users into applications, and access management, which deals with providing users permission to use applications. Although these two things sound very similar, there’s a key difference: identity management involves things like usernames and passwords, but it doesn’t guarantee access to a platform. Access management provides users with the ability to sign into applications, as well as granting granular access roles as needed. These roles can be based on rules, groups, and profile data.
How Does Identity Access Management Protect Your Company?
An IAM can help solve the three main security issues noted above.
- Through granular access roles, over-permissioning can be thwarted via a least-privileged-access model, granting users only the appropriate level of access needed to perform their role and nothing more.
- While passwords and sign-ins can still be compromised through phishing attacks, some IAMs enable you to eliminate passwords entirely by signing into applications via the IAM’s console. This method of signing into applications frees users from needing to remember their password, which in turn enables IAM admins to set up stronger passwords in tandem with two-factor authentication, requiring the user to approve access via text message or an app.
- IAM is a huge help with offboarding. In tandem with a SaaSOps platform, an IAM empowers admins to fully automate offboarding of users, not only by signing a user out of their accounts and resetting their passwords but also by suspending their account and transferring data. Locking down a user’s access to this degree ensures they won’t be able to gain access to any company data once they’ve left the organization.
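The least-privilege and offboarding points above can be checked against per-app account exports. The following is an added example, not code from this article or from any IAM product; the app names, users, groups and admin policy are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    app: str
    email: str
    role: str      # role held inside the app, e.g. "admin" or "member"
    active: bool   # False once the account has been suspended

# Constructed sample data (hypothetical users and apps).
DIRECTORY = {  # email -> (employment status, group)
    "ana@example.com": ("active", "it"),
    "ben@example.com": ("active", "sales"),
    "cy@example.com": ("departed", "sales"),
}
# Assumed least-privilege policy: groups allowed to hold admin in each app.
ADMIN_GROUPS = {"crm": {"it"}, "chat": {"it"}, "files": {"it"}}

ACCOUNTS = [
    Account("crm", "ana@example.com", "admin", True),
    Account("crm", "ben@example.com", "admin", True),     # over-permissioned
    Account("chat", "ben@example.com", "member", True),
    Account("chat", "cy@example.com", "member", True),    # missed in offboarding
    Account("files", "cy@example.com", "admin", False),   # already suspended
    Account("files", "dee@example.com", "member", True),  # not in the directory
]

def audit(accounts, directory, admin_groups):
    """Return sorted (app, email, finding) tuples for live accounts that break policy."""
    findings = []
    for a in accounts:
        if not a.active:
            continue  # suspended accounts can no longer sign in
        status, group = directory.get(a.email, ("unknown", None))
        if status == "unknown":
            findings.append((a.app, a.email, "orphaned"))
        elif status != "active":
            findings.append((a.app, a.email, "not-offboarded"))
        elif a.role == "admin" and group not in admin_groups.get(a.app, set()):
            findings.append((a.app, a.email, "excess-admin"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(ACCOUNTS, DIRECTORY, ADMIN_GROUPS):
        print(*finding)
```
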
In short, an IAM will help organizations limit insider threats. IT administrators are increasingly finding that, when it comes to security issues, the calls are coming from inside the house. By having an IAM, IT admins can have more control over user access, permissions, and lifecycle management.
If your organization is using a high number of SaaS apps, you should look into adopting an IAM system. If you don’t know how many apps your organization is using, or who all your admins are, adopting an IAM is mission-critical. For information about IAM and other cloud services, contact DWD’s network professionals today!