Fran Howarth, Practice Leader Security, Bloor Research, May 2022
2020 was the year that the traditional enterprise perimeter finally became an outdated concept. This has been talked about for years, but the pandemic was the catalyst, as huge swathes of workers around the world were forced to work remotely. With them no longer in the office, things had to be done differently. Demand for cloud services, which had already been growing considerably, surged as organisations needed to provide access to resources and services on demand. Other factors shaping the modern IT environment include providing access to third parties such as business suppliers and contractors, enabling mobile access, and connectivity for remote offices.
Identity as the new perimeter
Now that the traditional perimeter has been blown apart, how can access be supplied in a secure manner? The answer is to focus on identities. Rather than relying on static entitlements and credentials, which all too often grant more privilege than a task needs, every action should be attributable to a specific identity, and access should be granted only when it is needed, so that it can be tightly controlled.
This is where IDaaS (identity as a service) comes in. IDaaS is a cloud-based model in which identity and access services are provided by a third party. This removes much of the complexity of deploying identity services in-house and gives access to a wider range of integrated features than most organisations could build for themselves. IDaaS provides secured access across the technology estate, from on-premises to cloud.
It has long been recognised that users are hindered by having to remember credentials for every application or service they wish to access, made worse by differing requirements such as password length and complexity. IDaaS reduces the passwords a user must hold to a single credential for the identity provider, which should itself be protected by multifactor authentication; the applications behind it receive signed tokens and assertions instead of a password. Security improves because no individual application has to store or verify a password for the user, and a login backed by an assertion from a trusted identity provider can be trusted more than one resting on a password alone, passwords being a favoured target for attackers.
Federated identity
With IDaaS, a user's identity is taken from the enterprise's core system of record for identities, typically Active Directory (AD), which can be on-premises or in the cloud, such as Azure AD. IDaaS is built on federated identity standards such as SAML, in which the identity provider passes signed XML assertions (or messages) to an application rather than the user's credentials. The application must verify the assertion's signature, check that it was issued for that application (the audience) and accept it only within its validity window. Once users have authenticated to the identity source of truth, the primary identity provider, they can go on to access further applications, such as Office 365, Salesforce or Google, without logging in again. This provides Single Sign-On (SSO), so users don't have to remember and enter credentials for each application, and passwords are entered and stored in far fewer places. The flip side is that the identity provider becomes the one place whose compromise unlocks everything, so its own login should be protected by multifactor authentication (MFA), and where a user attempts a high-risk activity, such as accessing sensitive data, MFA should be required again as an additional check that they are who they claim to be.
Just in time provisioning
To ensure that no user retains excess privileges, some SAML-enabled applications support just in time provisioning: an account and its entitlements are created on the fly at the user's first login, derived from the AD group memberships carried in the assertion, and recalculated at each subsequent login. Changing a user's group membership, or disabling or deleting the user in AD, therefore stops them obtaining a new assertion, so access is withdrawn the next time the application asks the identity provider who they are. Note the limit of this: a session the user already holds in the application persists until it expires or the application is told to end it, so session lifetimes should be kept short for sensitive applications. This lifts some of the burden of the joiners, movers and leavers process from already overstretched system and application administrators.
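The two preceding sections describe the service-provider side of a federated login: accept a SAML assertion from the identity provider, check it, and derive the user's entitlements from the AD groups it carries. The block below is an added example of that logic, not code from Censornet or from any identity provider. It assumes the assertion's XML signature has already been verified by a SAML library (for instance python3-saml with xmlsec) before it runs, and it uses a hypothetical service-provider entity ID, group claim name and group-to-role map; the sample assertions are constructed inline.

```python
"""Service-provider side of a SAML 2.0 login: validate the assertion's Conditions,
then just-in-time provision the local account from the AD group claims it carries.
Added example, not Censornet's or any IdP's code. Assumption: the assertion's XML
signature has already been verified (e.g. by python3-saml/xmlsec) before this runs."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # production code should parse via defusedxml

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
SP_ENTITY_ID = "https://app.example.com/saml/metadata"   # hypothetical SP (audience)
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"    # assumed group claim name
GROUP_TO_ROLE = {                                          # assumed AD group -> app role map
    "CN=App-Admins,OU=Groups,DC=example,DC=com": "admin",
    "CN=App-Users,OU=Groups,DC=example,DC=com": "user",
}
CLOCK_SKEW = timedelta(minutes=2)                           # tolerated IdP/SP clock drift
NOW = datetime(2022, 5, 10, 9, 1, tzinfo=timezone.utc)      # fixed "current time" for the demo


class SamlValidationError(Exception):
    """Raised when an assertion must be refused."""


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_assertion(name_id, groups, not_before=NOW,
                    not_on_or_after=NOW + timedelta(minutes=5), audience=SP_ENTITY_ID):
    """Constructed fixture shaped like an IdP-issued assertion (signature already stripped)."""
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0" IssueInstant="{_ts(not_before)}">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{_ts(not_before)}" NotOnOrAfter="{_ts(not_on_or_after)}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="{GROUP_ATTR}">{values}</saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""


def validate_conditions(root, now, sp_entity_id=SP_ENTITY_ID):
    """Reject an assertion outside its validity window or issued for a different SP."""
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("assertion has no Conditions element")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + CLOCK_SKEW < _parse_ts(not_before):
        raise SamlValidationError("assertion not yet valid")
    if not_on_or_after and now - CLOCK_SKEW >= _parse_ts(not_on_or_after):
        raise SamlValidationError("assertion has expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise SamlValidationError("assertion was not issued for this service provider")


def extract_identity(root):
    """Return (NameID, [group DNs]) from the assertion."""
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise SamlValidationError("assertion has no NameID")
    groups = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == GROUP_ATTR:
            groups += [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return name_id, groups


def jit_provision(users, assertion_xml, now=NOW):
    """Validate, then create or update the local account from the current group claims.
    Roles are recomputed from scratch on every login, so a group removal at the IdP
    takes effect at the user's next sign-in; a user with no mapped group is refused."""
    root = ET.fromstring(assertion_xml)
    validate_conditions(root, now)
    name_id, groups = extract_identity(root)
    roles = sorted({GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE})
    if not roles:
        users.pop(name_id, None)  # deny by default: no entitled group, no account
        raise SamlValidationError(f"{name_id} is in no group mapped to this application")
    users[name_id] = {"roles": roles, "last_login": _ts(now)}
    return users[name_id]


def demo():
    """Joiner, mover and rejected-assertion scenarios; returns the outcome of each."""
    users = {}
    admin_grp, user_grp = GROUP_TO_ROLE
    outcomes = {}
    outcomes["joiner_roles"] = jit_provision(users, build_assertion("alice@example.com", [admin_grp, user_grp]))["roles"]
    # Mover: alice was removed from App-Admins in AD; her next login drops the admin role.
    outcomes["mover_roles"] = jit_provision(users, build_assertion("alice@example.com", [user_grp]))["roles"]
    rejected = [
        ("expired", [user_grp], {"not_on_or_after": NOW - timedelta(minutes=10)}),
        ("wrong_audience", [user_grp], {"audience": "https://other-app.example.net/saml"}),
        ("no_mapped_group", ["CN=Unrelated,OU=Groups,DC=example,DC=com"], {}),
    ]
    for label, groups, kwargs in rejected:
        try:
            jit_provision(users, build_assertion("bob@example.com", groups, **kwargs))
            outcomes[label] = "accepted"
        except SamlValidationError as exc:
            outcomes[label] = f"rejected: {exc}"
    outcomes["bob_provisioned"] = "bob@example.com" in users
    return outcomes


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Signature verification and replay protection (caching assertion IDs, matching InResponseTo) are left to the SAML library. What the block makes visible is that entitlements are recomputed only when a fresh assertion arrives: alice loses the admin role at her next login, but any session she already holds in the application is untouched by this code and must be bounded by the application's own session lifetime.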
Integration is key
Ideally, IDaaS should provide a range of services that includes SSO, but it should also integrate seamlessly with adaptive Multi-Factor Authentication (MFA) that takes context into account, such as the user's location and the device used, to make more robust decisions about whether the user is who they claim to be. Other integrations are worth looking for. Cloud access security brokers (CASB) enhance cloud application security by monitoring and governing the use of cloud applications, with granular control over individual actions within an app, enforcing conditional, context-aware policies to strengthen data protection.
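The adaptive MFA decision described above can be made concrete with a small rule set over the login context. The following is an added example of such a policy, not Censornet's engine or any vendor's product logic; the thresholds, the action names treated as high-risk, the country and device attributes, and the coordinates used for the impossible-travel check are all assumptions, and the login scenarios are constructed.

```python
"""Adaptive MFA decision from login context: allow, step up to MFA, or deny.
Added example of the idea, not Censornet's policy engine. Thresholds, the
geolocation figures and the high-risk action names are assumptions."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional, Tuple

HIGH_RISK_ACTIONS = {"download_sensitive", "change_mfa_device", "export_report"}
MAX_PLAUSIBLE_KMH = 1000.0   # faster than this between two logins counts as impossible travel


@dataclass
class LoginContext:
    user: str
    device_enrolled: bool      # device previously registered to this user
    country: str
    home_country: str
    lat: float
    lon: float
    action: str
    # Where and when the user's previous login happened, if known.
    prev_lat: Optional[float] = None
    prev_lon: Optional[float] = None
    minutes_since_prev: Optional[float] = None


def km_between(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance (haversine) in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def decide(ctx: LoginContext) -> Tuple[str, str]:
    """Return (decision, reason). Hard denials are evaluated before step-ups so
    that MFA is never offered to a session that should be refused outright."""
    if ctx.prev_lat is not None and ctx.prev_lon is not None and ctx.minutes_since_prev is not None:
        hours = max(ctx.minutes_since_prev, 1.0) / 60   # floor at one minute: avoids division by zero
        speed = km_between(ctx.prev_lat, ctx.prev_lon, ctx.lat, ctx.lon) / hours
        if speed > MAX_PLAUSIBLE_KMH:
            return "deny", f"impossible travel ({speed:.0f} km/h since previous login)"
    if ctx.action in HIGH_RISK_ACTIONS:
        return "mfa", f"high-risk action {ctx.action}"
    if not ctx.device_enrolled:
        return "mfa", "device not enrolled for this user"
    if ctx.country != ctx.home_country:
        return "mfa", f"login from {ctx.country}, home country is {ctx.home_country}"
    return "allow", "enrolled device, usual country, routine action"


LONDON = (51.5074, -0.1278)     # assumed coordinates for the constructed scenarios
NEW_YORK = (40.7128, -74.0060)


def demo():
    """Constructed scenarios for one user; returns the decision for each."""
    base = dict(user="alice@example.com", device_enrolled=True, country="GB",
                home_country="GB", lat=LONDON[0], lon=LONDON[1], action="read")
    scenarios = {
        "routine": LoginContext(**base),
        "sensitive_download": LoginContext(**{**base, "action": "download_sensitive"}),
        "new_device": LoginContext(**{**base, "device_enrolled": False}),
        "abroad": LoginContext(**{**base, "country": "FR"}),
        # Logged in from London 30 minutes ago, now appearing in New York.
        "impossible_travel": LoginContext(**{**base, "country": "US", "lat": NEW_YORK[0],
                                             "lon": NEW_YORK[1], "prev_lat": LONDON[0],
                                             "prev_lon": LONDON[1], "minutes_since_prev": 30}),
    }
    return {name: decide(ctx)[0] for name, ctx in scenarios.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The ordering of the rules is the point: a deny rule such as impossible travel must run before any step-up rule, otherwise a stolen session that should be refused is instead handed an MFA prompt, and a phished second factor would let it through.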
The combination of IDaaS and CASB provides a more complete security solution for the cloud and can help organisations meet their compliance objectives. Together they can enforce policies such as restricting access to applications or files, monitoring privileged accounts, and detecting high-risk events and users. Through machine learning, patterns of behaviour that appear suspicious can be identified and dealt with quickly, even across applications the enterprise has not officially sanctioned. Organisations can also control what users may do within an application, for instance allowing downloads from file-sharing apps such as Dropbox or Box while blocking uploads, so that sensitive data cannot leave the organisation.
Another useful integration is data loss prevention (DLP) in the form of a single policy engine that works across multiple channels, typically email, web and cloud apps, so that the same rules about sensitive content apply whichever route the data takes.
Censornet’s new IDaaS capabilities
Censornet is adding IDaaS at a time when the traditional perimeter is largely outdated and irrelevant, with context, including identity, taking its place in the modern enterprise. IDaaS adds further context to underpin zero trust initiatives and the journey towards security service edge (SSE) or secure access service edge (SASE). The new offering is part of its Autonomous Integrated Cloud Security platform, which also provides customers with email and web security, cloud application security in the form of CASB, MFA and DLP. The addition of IDaaS rounds out these capabilities in a tightly integrated service that offers organisations a plug-and-play solution to their most pressing security concerns and compliance objectives. With identity now central to everything, this is the right time to introduce such an offering, which will help organisations as they continue down the path of digital transformation by letting them adopt new and emerging technologies while still achieving their desired security outcomes.