Making it easier for your IT team to monitor, control and simplify identity and access management on enterprise systems
Ensuring that corporate data is accessed only by the people authorised to do so is a fundamental concern for any business. In businesses with hundreds or thousands of employees using multiple devices to access large amounts of data, Identity and Access Management becomes a serious undertaking. Keeping authentication reliable and secure while protecting your data from the growing risk of attack or loss can place a large demand on your IT team’s resources.
Let’s look at a few methods you can use to simplify authentication across all of your enterprise devices.
Single Sign-On (SSO)
Single Sign-On (SSO) is a broad description for any system by which users can access all of the applications and data they need by signing in just once. Once a user has signed into their enterprise account they can use all of the business’s applications and resources, wherever they reside, without re-authenticating for each one. In practice this works by federation: each application trusts a signed token issued by a central identity provider (typically over SAML or OpenID Connect) rather than holding its own copy of the user’s password. The flip side is that the one account now unlocks everything, which is why SSO should be paired with the stronger authentication and access controls described below.
In the majority of enterprises, Microsoft’s Active Directory (AD) is the authoritative user directory that governs access to key business applications. However, more and more Software-as-a-Service (SaaS) applications now sit in the cloud (e.g. Salesforce), each with their own native user directories, typically beyond the reach of AD.
Single Sign-On tools provide the solution to this problem by integrating with Active Directory and its cloud counterpart, Azure Active Directory (whose Premium tiers add the identity management features discussed here). Multiple vendors now provide these tools, either as standalone Identity and Access Management solutions (such as Ping, Okta and Microsoft’s own Azure Active Directory Premium) or increasingly as part of Enterprise Mobility Management suites (MobileIron, VMware and others).
Not only does this reduce the need for IT staff to create accounts for every staff member for every tool they might use, but it dramatically reduces the number of passwords employees need to remember and, inevitably, forget.
Single sign-on, centrally controlled by your IT team, also gives you more control over user permissions, as applications can be added to or removed from an account as needed. What’s more, when an employee leaves your business you can quickly disable access to all of their enterprise applications by deactivating a single set of credentials. One caveat: disabling the account stops new sign-ins, but sessions and refresh tokens already issued can remain valid until they expire, so the leaver process should also revoke them.
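The flow described in this section, as an added example that is not code from the original post or any vendor’s product: one identity provider signs a token once, several applications accept it after checking signature, audience, expiry and the user’s directory status, and a single deactivation closes every application. The directory contents, application names and HMAC signing key are constructed for the demo.

```python
"""Added example (not code from the original post): a minimal single sign-on
flow. One identity provider (IdP) authenticates the user once and signs a
token; each application then accepts that token after checking its signature,
audience, expiry and whether the user is still enabled in the directory.
The directory contents, app names and signing key are constructed for the demo."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample directory standing in for AD / Azure AD: who is enabled
# and which applications they are entitled to use.
DIRECTORY = {
    "alice": {"enabled": True, "apps": {"salesforce", "intranet"}},
    "bob": {"enabled": True, "apps": {"intranet"}},
}

IDP_KEY = b"demo-only-idp-signing-key"   # assumed HMAC key shared by IdP and apps
TOKEN_LIFETIME = 3600                     # seconds a token stays valid


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_sign_in(user: str, password_ok: bool, now: int) -> Optional[str]:
    """The one interactive login. Returns a signed token, or None on failure."""
    entry = DIRECTORY.get(user)
    if not password_ok or entry is None or not entry["enabled"]:
        return None
    claims = {"sub": user, "aud": sorted(entry["apps"]),
              "iat": now, "exp": now + TOKEN_LIFETIME}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def app_accept(token: str, app: str, now: int) -> Optional[str]:
    """What each application does instead of keeping its own password store.
    Returns the user name on success, None on any failed check."""
    try:
        payload, sig = token.split(".")
        expected = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None                     # forged or tampered token
        claims = json.loads(_unb64(payload))
    except ValueError:                      # malformed token, base64 or JSON
        return None
    if now >= claims["exp"]:
        return None                         # expired: user must sign in again
    if app not in claims["aud"]:
        return None                         # token minted for other apps only
    entry = DIRECTORY.get(claims["sub"])
    if entry is None or not entry["enabled"] or app not in entry["apps"]:
        return None                         # leaver or revoked entitlement
    return claims["sub"]


def deactivate(user: str) -> None:
    """Leaver process: one flag in the directory closes every application."""
    DIRECTORY[user]["enabled"] = False
```

The directory lookup inside `app_accept` is what makes deactivation take effect before the token expires; a real deployment gets the same effect from short token lifetimes plus revocation of refresh tokens, or from a token introspection call back to the identity provider.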
Reducing Authentication Risks
Another way to simplify authentication for your employees and reduce workload for your IT team is to cut the risk of account compromise through stolen or guessed credentials. Thankfully a number of tools are now available to help.
Multi-Factor Authentication (MFA)
Often referred to as Two-Factor Authentication (2FA), which is simply the two-factor case, this extends authentication beyond a simple username and password. Even if an attacker manages to obtain valid credentials, they are useless unless the attacker also possesses the additional factor. Another way to think about MFA is that it requires evidence from more than one category: something the user knows (a password or PIN), something they have (a phone, authenticator app or hardware token) and something they are (a fingerprint or other biometric).
Conditional Access
Conditional Access is a set of definable controls that restrict or allow access to corporate data based on device type, location, suspicious behaviour, device settings and a host of other variables. When several conditions apply to one sign-in, the controls determine the response to the elevated risk identified (for example, refusing access or requiring Multi-Factor Authentication). You can read more about the Conditional Access controls enabled by tools such as Microsoft’s Enterprise Mobility suite in our separate blog post on the subject.
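To make the idea concrete, here is an added example (not code from the original post, and not any vendor’s policy schema) of a Conditional Access style evaluator: each policy names the sign-ins it applies to and the control to enforce, and when several match the most restrictive control wins. The policy names, attribute names and sample sign-ins are constructed for illustration.

```python
"""Added example (not code from the original post): a Conditional Access
style policy evaluator. Each policy describes the sign-ins it applies to and
the control to enforce; when several match, the most restrictive control
wins (block over require-MFA over allow). The policies, attribute names and
sample sign-ins are constructed for illustration and do not mirror any
vendor's schema."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

ALLOW, REQUIRE_MFA, BLOCK = 0, 1, 2
LABEL = {ALLOW: "allow", REQUIRE_MFA: "require_mfa", BLOCK: "block"}
RISK_LEVEL = {"low": 0, "medium": 1, "high": 2}


@dataclass
class SignIn:
    user: str
    app: str
    country: str
    platform: str            # "windows", "ios", "android", ...
    device_compliant: bool   # managed device meeting the MDM baseline
    risk: str                # "low", "medium" or "high" from risk detection
    mfa_done: bool = False   # second factor already satisfied this session


@dataclass
class Policy:
    name: str
    applies: Callable[[SignIn], bool]   # condition the sign-in must meet
    control: int                        # ALLOW, REQUIRE_MFA or BLOCK


TRUSTED_COUNTRIES = {"GB", "IE"}     # assumed "corporate" locations

# Constructed policy set. Order does not matter: every matching policy applies.
POLICIES = [
    Policy("block-high-risk",
           lambda s: RISK_LEVEL[s.risk] >= RISK_LEVEL["high"], BLOCK),
    Policy("mfa-medium-risk",
           lambda s: RISK_LEVEL[s.risk] >= RISK_LEVEL["medium"], REQUIRE_MFA),
    Policy("mfa-outside-trusted-countries",
           lambda s: s.country not in TRUSTED_COUNTRIES, REQUIRE_MFA),
    Policy("mfa-finance-app",
           lambda s: s.app == "finance", REQUIRE_MFA),
    Policy("block-unmanaged-device-on-finance",
           lambda s: s.app == "finance" and not s.device_compliant, BLOCK),
    Policy("block-unmanaged-mobile",
           lambda s: s.platform in {"ios", "android"} and not s.device_compliant, BLOCK),
]


def evaluate(sign_in: SignIn, policies: List[Policy] = POLICIES) -> Tuple[str, List[str]]:
    """Return the decision and the names of the policies that produced it."""
    matched = [p for p in policies if p.applies(sign_in)]
    strictest = max((p.control for p in matched), default=ALLOW)
    decisive = sorted(p.name for p in matched if p.control == strictest)
    if strictest == REQUIRE_MFA and sign_in.mfa_done:
        return LABEL[ALLOW], decisive       # the challenge has already been met
    return LABEL[strictest], decisive


if __name__ == "__main__":
    # Constructed sample sign-ins run through the policy set.
    for s in [
        SignIn("alice", "intranet", "GB", "windows", True, "low"),
        SignIn("alice", "intranet", "FR", "windows", True, "low"),
        SignIn("bob", "finance", "GB", "android", False, "low"),
        SignIn("carol", "intranet", "GB", "windows", True, "high", mfa_done=True),
    ]:
        print(s.user, s.app, s.country, "->", evaluate(s))
```

Note that a satisfied MFA challenge only downgrades `require_mfa` to `allow`; a `block` decision (high risk, unmanaged device) stands regardless, which is the behaviour you want when the risk signal is that the credentials themselves may be compromised.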
Identity Outside your Organisation
Increasingly, businesses need to collaborate safely and securely with external organisations and partners, perhaps customers, suppliers or contractors. Maintaining control over this can be a challenge, with information often being shared via email. While that may be effective as a quick method of data transfer in the short term, the long-term result is potentially sensitive corporate data residing outside your organisation’s view or control.
Azure AD Business-to-Business (B2B)
Microsoft’s Enterprise Mobility suite includes functionality that specifically addresses this challenge. Azure AD Business-to-Business (B2B) collaboration allows you to give third parties access to your applications and resources, even if the other business doesn’t use Azure Active Directory, without giving up control over your corporate data.
Partners can be granted access to your applications piecemeal, with you retaining ultimate control over what they can use. Many of the controls mentioned above can be enforced too, including MFA, on either individual third-party users, certain applications or files, or even their entire organisation.
This kind of approach means your existing rules, such as Conditional Access policies and MFA, apply to third-party users as they do to your own staff, so protecting shared resources does not require a separate set of controls or a lengthy set-up process. You still decide what each partner is granted, and their access is removed the same way as a leaver’s.
These are just a few examples of tools that can make it easier for your IT team to monitor, control and simplify identity and access management on enterprise systems, no matter the device, application or location.