Identity conversations: Challenges & lessons from CISOs and CIOs
- Posted on February 1, 2021
- Estimated reading time 4 minutes
This article was originally written by Avanade alum Brandon Nolan and Arno Zwegers
Hi! I’m Brandon Nolan and I look after the Digital Identity business for Avanade. I’ve spent my career focused on helping customers recover from cyber compromise, to help bring businesses back online safely and quickly. Together, with my close colleague, Arno Zwegers we’ll be sharing a collective of Digital Identity challenges recently faced by security leaders, as well as the lessons learned.
In our respective roles, we get to share time and learn from many Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) across different industries around the globe.
This post will provide an overview and set the stage for the series, which will be split in to 5 parts:
- Authentication & Access Management
- Privileged Access Management
- Identity Governance
- Monitoring and Intelligence
We’ll be exploring these with Patrick Parker, the CEO of our partner EmpowerID. As well as asking some hard questions, we will share experiences from cyber risk, resilience and business productivity perspectives.
Let’s start by defining Digital Identity
To us, Digital Identity (DI) can be thought simply as the username you use to sign into your email or watch Netflix. Underneath that simple username is a complex system that protects, governs, and authorizes access to resources we are looking to consume. When you take this concept into the enterprise a DI system has the ability to provide the right level of access (authorization) for the right person or thing (authentication) for the right resource (data, server, service, etc.) for the correct period of time. Outside of the core DI system we have technologies that enhance the experience such as single sign-on (SSO), or provide control and compliance over the administration of the systems (privileged access management & identity governance), and those that alert us to events that are interesting (Monitoring and Intelligence).
Part 1: Authentication & Access Management
The modern authentication system must have the ability to ensure the right person or thing is requesting access to a given resource. This should be leveraging strong authentication methods, which can look at different signals across the enterprise with the ability to ask questions like:
- Where is the access request coming from?
- Is this a known computer, browser, client, network, etc?
- Is this normal behavior for this identity?
- Is this expected in current time?
Combining this intelligence with multi-factor authentication (MFA) allows us to have good confidence in this access request. MFA, simply stated, is the requirement that a user must present more than one piece of evidence to prove their identity and that the evidence provided must be from different categories. Your username and password is something you know, so this counts as one category. Other categories include something you have, like a physical security key, or something you are like your fingerprint.
A question we often hear is: “Is it a better strategy to spread your risk by having multiple authentication directories or to attempt to consolidate down to one?”
If fewer directories are better, which should I choose and how to get there? Do you have a point of view on this, Patrick?
Patrick: Yes, I do. I believe that fewer authentication directories are better. A single authentication directory allows an organization to focus its efforts and energies on securing one checkpoint into the organization. At this checkpoint, they can employ all their technological muscle to ensure that any user accessing their applications and data are who they say they are. Centralization also focuses the “signals” you mention. This single source now has the full picture of the comings and goings of various users, their devices, normal patterns of behavior, and the applications they access and from where. Having access to more data enables machine learning algorithms build a more accurate picture of the user and an organization’s overall risk patterns.
In the event that one part of the systems are old and legacy and cannot be updated and the replacement is too expensive/not feasible and another group of systems are modern, continuously kept up to date, would that change your view in that situation?
Patrick: We all have legacy systems and can expect to have them for quite a while longer. These systems are often limited in the options they support for external or centralized authentication. For legacy applications that support Active Directory, they can be configured to continue using Active Directory in a “hybrid” architecture with Azure. Options such as password hash sync can maintain a unified password for on-premise and the Cloud. One recommendation is to establish a separate “legacy” Active Directory just for these applications to avoid any compatibility issues that would prevent keeping your primary Active Directory up to date. An organization’s worst case legacy applications do not support using any external directory at all. In these cases, the best approach is to at least attempt to maintain “same sign-on”. Same sign-on is where you use a provisioning engine to enable the user to have the same username and password as they have in their primary directory.
A question asked is often around MFA, which form would you consider to be the ‘best’ at the moment, a separate token, an app on your phone or a SMS text message?
Patrick: The biggest challenge facing organizations with MFA is user adoption. Opt-in strategies allow users to choose whether their account requires MFA or not often suffer very low adoption percentages. Mandating MFA as a requirement is becoming more common. Still, organizations will face considerable push back unless they provide users with as painless an experience as possible and multiple MFA options that support their work and personal devices. Today's most common and well-liked options are mobile phone apps for “push approval” MFA and hardware tokens like those from Yubikey. Offering users both options allows them to use whichever is most convenient when working from home or on the go.
Next month we continue our conversation on the topic of authorization. For more information, you can also visit Avanade.com/DI.