Most IAM tools utilize browser extensions or applications installed on the end-user’s machine, or on an Active Directory, for access to identity. But why?! A user can be identified even without an agent – so having an so-called ‘lightweight agent’ sitting in your Active Directory itself is not the most secure way to manage user identity.
Whenever you create a dependency to achieve a particular solution, it is important to ensure the solution is 100% secure and that applies for the dependencies (Agents) too. This could make the architecture slightly complicated, depending on how it works.
Another important factor against the use of an Agent-based architecture is that you have to trust the Agent not to exceed its scope. This is very important because even many of the applications and services that we trust these days are not actually secure, and many act beyond their scope. For example, as per Digital Content Next, even the big boy of the tech industry, Google, still collects user location information even after turning off location settings.
So the big question is, when the things can be done without an agent, then why use an agent at all? People say it is for efficiency, and may be they are right. But is this worth the compromise on transparency and security?
Whether or not you know what it is called, you have likely used 2FA at least once in your life online.
Remember the time you tried logging into your email account from a new device and your email service provider sent you an SMS with a PIN (OTP), to re-validate that it was actually you attempting to login? You would have been allowed access to your inbox only after you entered the correct OTP.
Or the time you tried to transfer money to someone through internet banking. Even though you already entered your customer ID and password, your bank’s application would want to make sure that someone else hadn’t stolen your credentials. They do this by sending you an email with a PIN or a link to click on, for additional validation.
Known by many names – two-factor authentication, two-step authentication, two-step verification or dual factor authentication, 2FA refers to a second level of authentication added on in order to enhance security inherent to a login process. This is in addition to the username and password step, which is relatively susceptible to hacking.
When two or more layers are added to the login authentication process, it’s also known as multi-factor authentication or MFA.
Types of MFA security
A two or multi-factor authentication process typically asks you for ‘something you know’ in the first step, such as your email ID/username and password.
In the second step, it may ask you to authenticate your identity with ‘something you have’ or ‘something you are’.
Something you know – the knowledge factor:
This could be your username and password, as in any ordinary login process, or it could be a PIN.
Something you have – the possession factor:
This traditionally referred to hand-held token items, such as smart cards or Yubikeys embedded with a certificate to identify the user. Nowadays, a ‘possession’ could also be your smartphone, containing an app which sends a push notification or a TOTP. This is especially beneficial since tokens like smart cards are relatively more prone to being lost, stolen or misplaced.
Something you are – the inherence factor:
Biometric authentication could involve the scanning of a biological element that is exclusively yours – such as your fingerprint, hand geometry, retina, iris and so on. Voice recognition can also be used.
Two-factor authentication for your business
If your business relies on highly sensitive data or handles personal data of clients, you need to have an information security management system in place. This is especially crucial these days as several governments are imposing stringent regulations to ensure that the privacy of their citizens is not compromised. Some business standard certifications also require security compliances to certify your business and, therefore, it is important for you to protect sensitive data with more than just single-factor authentication (SFA).
By setting up 2FA or MFA security in all your business applications, you are assured of a higher degree of protection. In this manner, even if somebody does steal, guess or hack a password or even a list of passwords, through a brute force attack, they will be stopped at the second level as they attempt to log in to a specific individual’s account.
Multi-factor authentication solutions by Akku
When your business uses multiple applications, it may be both expensive and difficult to set up and streamline multi-factor authentication in each. That is where Akku comes in, with the promise to address all these concerns once and for all.
Once you opt for Akku, it becomes a common identity provider (IdP) across all your enterprise applications and creates a single sign-on (SSO) page through which your users can access them. Having brought all of your applications to a single platform through the SSO, Akku then seamlessly implements the multi-factor authentication functionality across them all.
With Akku, users can decide to use any of the following options as their second factor for re-validating their identity, giving them the power of choice:
A push notification delivered to their smartphone through the Akku mobile app
A time-based OTP (TOTP) which expires in 30 seconds through an authentication app (such as Google authenticator)
A PIN sent through an SMS to their registered mobile number
Your password – your secret passphrase or PIN that you use for your email, social media profile, or applications at work – is necessary for you to gain access to your accounts. But more importantly, your password plays a critical role in ensuring that no one else has access to your accounts, ensuring the security and privacy of your own as well as your organization’s data and applications.
With advancements in technology, it is important to be aware that there are equally advanced ways in which people steal information belonging to others, and even more ways through which they can misuse that information. Therefore, it goes without saying that secure passwords are of prime importance.
Common Password-Related Mistakes
You can’t blame yourself for being naturally inclined to choose a simple password that will be easy to remember. Unfortunately, these are the very same passwords that are also easy to guess or crack with a hacking software. Remember that, if information about you that can be found online – your date of birth, favourite colour, pet’s name, and so on – is incorporated into your password, it becomes even more vulnerable.
Another mistake made by most people is that a common password is used across multiple online accounts. The problem with doing this is, if someone manages to crack your password to one account, you are giving them free access to the rest!
Writing down your password or saving it somewhere online? This is a very naive act that can put your entire online data at risk of being accessed and stolen easily. Some of the other mistakes you might be making when it comes to passwords is that you don’t change the factory-set or default password, you use the same password for too long, and so on.
Tips to Set Up a Secure Password
Create a long password with a minimum length of 10-12 characters
Use a combination of uppercase letters, lowercase letters, numbers, and special characters
Special characters need to spread out across the password and not be limited to the first or last place
Do not use the same password for multiple security points
Change your passwords every 1-3 months
Avoid using words with obvious references to your personal life
Avoid using dictionary words as a whole
Passwords in the Workplace
In the workplace, the importance of a secure password is further amplified because the breach of a corporate network can have consequences that will affect the entire business.
Employees, who are otherwise the biggest assets to a company or business, also become the weakest link in the security chain protecting its data. The reason? Poor password selection and the subsequent compromise to data security. A single password, if compromised, can open the security gates and let intruders in.
Combating Weak Passwords in the Workplace
A good password policy is the weapon of choice when it comes to combating the threat of weak passwords.
A password policy is a set of guidelines that help users set up strong and secure passwords. When a password policy is enforced, a user is not allowed to create a password that does not abide by these guidelines.
Some essential features of a password policy are:
1) Password Length & Complexity Requirement
The password policy ensures that every password created is of a minimum length (for example, at least 6 characters long) and needs to use a variety of character types (uppercase letters, lowercase letters, numbers, special characters).
2) Minimum & Maximum Password Age
This part of the password policy decides how often a password is to be changed. Ideally, a good password policy ensures the expiry of a password once in 3 months, so the user is forced to create a new password. However, if a policy prompts the user to change their password too often, they may be tempted to write it down or store it elsewhere. This, again, will compromise security.
3) Password History
When a user is prompted to change a password, he/she may tend to reuse a password they had earlier used for the same application. By enforcing a good password policy, users will not be allowed to reuse an old password at least for another 5 times.
4) Number of Failed Attempts
A password policy also establishes the maximum number of invalid attempts allowed before an account will be locked out temporarily. Once locked, the account may need administrator support to be unlocked and made accessible again.
Beyond Password Security
For companies and businesses that use highly-sensitive data, it may be required to go one step beyond just a good password policy that enforces strong passwords. In such cases, a two-factor or multi-factor authentication functionality may be enforced, where additional layers of security are integrated into the sign-in process.
With such a functionality, users will be required to re-validate their identity using one or more of the following:
A one-time password or PIN
A thumbprint or retina scan
A Yubikey, smart card, USB token, or magnetic strip card
Are your users’ weak passwords keeping you up at night? Speak to us to see how Akku can help with Password Policy Enforcement and Multi-factor Authentication.
The European Union enforced the General Data Protection Regulation (GDPR) in May 2018 with three main aims: to harmonize data privacy laws across Europe, to protect and empower the data privacy of all EU citizens and to reshape the way organizations across the region approach data privacy. As you can see “data privacy” is the keyword in all three of the above mentioned aims. With multiple data breaches coming to light in the recent years, even from several of the world’s biggest corporates, the European Union has enforced stringent measures to regulate the use and prevent the misuse of citizens’ data through the GDPR.
Compliance and Consequences
As stated specifically in the GDPR, all enterprises (whether businesses or organizations) must take a “high level of protection of personal data” as one of their top priorities so that the “abuse or unlawful access or transfer” of such data may be prevented. If data is breached, or if GDPR procedures are compromised, the enterprise will face serious penalties. The fine for the non-compliance to GDPR for breach of data could be up to €20 million or 4% of annual global turnover, whichever is higher, depending on the type and extent of the breach.
This applies not only to enterprises within the EU, but also to those that may be located outside and offer goods or services of any type to the EU. The GDPR rules also apply to cloud controllers and processors.
The Emphasis on Passwords
Interestingly, the GDPR does not place any direct regulations on the way passwords are created or used. However, when it comes to the protection of online data, it’s hard to argue against securing passwords being the logical first step. On the one side, businesses that provide access to customers through an online portal typically ensure that they are creating secure passwords to sign in to by enforcing password policies that define their length and other parameters.
However, the slip often occurs when the employees of these enterprises are allowed to create weak passwords for accessing in-house applications. What is often forgotten is that these applications also carry sensitive data that belong to both the enterprise and its customers. A compromise here can cost the enterprise more than just the data; it will cost its credibility as well.
A strong password policy, therefore, becomes a key first step in the path to GDPR compliance.
The Inevitability of a Password Policy
By enforcing a strong password policy, administrators can ensure that users of an enterprise’s applications set up and use only passwords that are secure and, therefore, much less susceptible to brute force attacks and other hacking attempts.
A password policy defines and enforces a set of rules that include the minimum length, acceptable combination of small and upper case letters, use of numbers and special characters, expiration period of passwords and so on.
Without a password policy, the administrators of an enterprise would have no control over the type of passwords their users set, and would have their hands tied when it comes to situations that lead to a data breach, making it hard to demonstrate the GDPR’s requirement of a “high level of protection of personal data”.
This makes a strong password policy a critical requirement for every on-premise as well as cloud-based application, both for data security and to work towards complying with this aspect of the GDPR.
The Hybrid and Multi Cloud Conundrum
Unfortunately, setting in place a password policy across all of an enterprise’s applications is much easier said than done.
Most enterprises use a wide range of applications across different platforms – both cloud-based and on-premise – with each application operating on different technologies and each with its own identity management and password policy, controlling how users set up passwords in each application can often be an expensive and time consuming process.
Implementing a common bridge layer across of the applications used by the enterprise in the form of an Identity and Access Management (IAM) solution to act as the identity provider (IdP) across all applications is the best way to overcome this challenge.
The Akku Solution
Akku is an identity and access management solution that integrates all of the on-premise and cloud-based applications of an enterprise, providing a single platform for administrators to control employee access, permissions, and levels of control within its different applications.
With Akku playing the role of the identity provider (IdP), it enables administrators to set up a single password policy that will instantly be applied to all of the applications that are accessed by a user at the workplace. This password policy holds good, irrespective of whether the application is on-premise or cloud-based, or across different platforms. Akku also allows for the secure resetting of passwords, as specified by GDPR standards. Besides password policy enforcement, Akku also utilizes a custom salted-hash function, users’ credentials are also encrypted to ensure a high level of security.
Want to explore a quick and hassle-free password policy implementation across your enterprise applications? Get in touch with us today at sales@akku.work
An array of information being stored online comes with major security risks. Therefore safeguarding data is an important consideration at any organization. And the security of your data relies heavily on the strength of your users’ passwords. The stronger your passwords, the more secure your data! It is important for administrators to drive a strong password policy enforcement, as it is the first layer of defence against black hat hackers and scammers.
A password policy is a set of rules created to upgrade an application’s security by requiring its users to frame a strong password and to utilize it in an appropriate way.
Why is Securing your Border Vital?
In today’s scenario setting up unique passwords for multiple applications is a burden for any user. Most users rely on using a single password for multiple applications, which can put the organization’s data at risk.
This makes implementing a strong password policy essential in protecting your data. Additionally, setting a Password Policy forms a part of the policies or rules for an organization to comply with ISO and PCI certifications.
Top Four Factors for Password Policies
Enforcing a strong password policy in an organization is an uphill task. There are some fundamental norms which are followed by a majority of organizations.
1.Length: The longer the password, the more difficult it is to crack. Set a minimum of 8 characters for your users’ passwords.
2.Complexity: The level of security depends on the complexity of the password framed. Passwords must have a mix of uppercase characters (A-Z), lowercase characters (a-z), numbers (0-9) and punctuations ( eg. !, #, $,*).
3.Expiration: A best practice in improving password security is to have a periodic password expiry. Most often the validity is 30/45 days and at the end of expiry date, the user is forced to change their password.
4.Uniqueness: Require users to set a unique password that has not been used previously when they reset their password.
How Can a Forgotten Password be Securely Retrieved?
When a user logs in with the right password, he is permitted to access the organization’s applications. On the other hand, when a user logs in with incorrect credentials, if the organization allows SSPR (Self Service Password Reset) then the system prompts the user to reset the password on his own.
Here’s how it works – a window pops up with a certain number of questions, and when the user answers all the questions correctly, he is permitted to reset the password. However, this process leaves the door open to social engineering attacks by black hat hackers.
A safer approach is to disallow SSPR in the password policy of an organization. In this scenario, the only way to reset a user’s password is to reach out the admin – this is safer and does not allow any intrusion through social engineering, and therefore reduces the data security threat.
How can a Forgotten Password be Securely Retrieved
I shall write more about SSPR and social engineering in my next article.
Enforce a strong custom Password Policy across your organization using Akku’s Password Policy Enforcement feature which brings it all together for improved security.
Allowing your users to access your official data from anywhere and at any time sounds like a great idea! They can complete their work even when they are on the move by accessing your company’s cloud-based applications. So, why should we restrict access when it has all these pros?
When you permit unshackled access to your company’s applications from any location and device then you also expose your company’s sensitive data and apps to the risk of security or privacy breaches. The possibility of unauthorized access to your sensitive data is a major concern for any company using cloud-based applications.
Why do you need IP restriction?
IP-based access restriction is a great way to secure and protect your mission-critical business data outside your LAN by preventing access to your apps from any IP addresses other than your trusted whitelisted IP ranges.
How does IP-based restriction work?
An IAM solution offering IP-based restriction uses a customized SAML API and integrates with your cloud-based applications. That way, identity management is brought into a common platform across all service providers, with the IAM solution acting as the identity provider. With the identity provider enabling one point control, it is possible to restrict access to your applications only from permitted locations, regulations and IP addresses.
Why restrict based on device?
Device-based access restriction allows you to allow access for specific users only from authorized devices, to prevent misuse or loss of data – that way, users cannot access applications from devices that have not been approved for their use, and unauthorized people cannot access data from devices that may have been approved for other users.
How does device-based restriction work?
With many IAM solutions, device-based restriction is applied through the use of plugins – however more advanced solutions make use of a certificate-based authentication method which has the major advantage of being tamper proof.
A secure certificate-based authentication is completely platform and browser independent and enables cloud administrators to provide or revoke access to SaaS based applications only from specific devices, even when they are outside the office network. Restricting access based on device helps to minimize data breaches and provides the right access to the right people.
Akku offers an IP and device based access restriction feature to help ensure that your data is secure and well protected.
Cloud technology has broken several operational barriers to make remote data access easy. It allows you to scale your business with minimal cost while securely holding business-critical data and applications. But with all these advantages comes a catch – managing personnel access for all the applications and files in your network has become increasingly cumbersome.
Why does your organization need an Identity and Access Management Solution?
Managing the credentials of all your employees across all the verticals of even a small to mid sized organization is time-consuming. It can drain the productivity of your company’s Human Resource and IT management teams. They are valuable resources who could otherwise focus on their core competencies to help you grow your business.
In addition to this, securing your network from breaches and other threats can be challenging with so many people accessing your cloud from various devices and locations. If your network is compromised, all your critical business data is compromised along with it.
This is where an Identity and Access Management (IAM) solution can come in handy. It allows you to seamlessly manage access while protecting your cloud network from breaches.
Building blocks of an IAM solution
A strong Single Sign-on (SSO) function is at the heart of an IAM solution. The first step in implementing an SSO is to determine and streamline the role of the identity provider (IdP). The IdP is responsible for bringing all the applications and data on your cloud network to a centralized platform. From this platform, access and identity services are managed through a customized Security Assertion Markup Language (SAML). When a high end, customizable SAML is integrated with your enterprise cloud network, it can result in a secure Single Sign-on solution.
With a cloud SSO setup, you can provide each member of your organization with single login credentials for any or all the applications in your cloud network. With your own powerful Identity Provider, you can redirect all access authentications to a safe and fast network. With this setup in place, it is possible to consolidate a single node in your network to control access to your entire organization’s cloud network.
Features of an IAM System
With an efficient Identity and Access Management system, you can accomplish so much more than just rudimentary monitoring of your cloud network. It will come with a well rounded set of features which allows you to control your cloud in a convenient platform. If your network is fitted with a powerful cloud IAM solution, it will automatically come with provisions in place to handle password standardization and multi-factor authentication frameworks.
Single Sign-on
Allocating a single set of credentials for your employees to access relevant data and applications is made easy by implementing an SSO solution for your cloud network. As the admin of your network, it also becomes simple for you to handle access operations in a single dashboard. In addition to this, if the need arises for a user to be removed, it can be done in a few short steps instead of removing access individually for all your applications. When all of this comes together seamlessly, it results in improved productivity across your organization.
Multi-factor Authentication
Sometimes, in spite of the password protection measures you have implemented to secure your cloud, you might feel the need to bring in an additional layer of security to protect all your critical business applications. When that need arises, a well structured IAM solution allows you to keep in place, a multi-factor authentication system. It ensures that your system is insulated against remote attacks and prevents unauthorized access from getting a foothold in your secure network. This will enable you to extract data from TOTPs, thumbprint scanners or even Yubikeys and verify the users accessing your cloud network.
Password Policy Enforcement
Another challenge faced while trying to secure a cloud network is the varying standards of all the passwords of all the users who access it. The difference in standards can make breaches easier to happen and there rises a need for standardization of all the password credentials issued to the users of your cloud. But with an IAM solution, you can set the minimum standard required to set a password. With an effective password policy enforcement, you can rest assured that all your critical data is protected irrespective of the number of service providers you are associated with. It consolidates all the applications on your network under a single identity and verifies that all the passwords required to access your network comply with PCI and ISO/IECt standards.
Securing your cloud with an effective Identity and Access Management solution can empower you to control identity and access across your cloud environment. In addition to this, an IAM solution helps you improve data security, privacy, standards compliance, and productivity.
Logging on to different applications using different user credentials every single time is frustrating, isn’t it? The use of a Single Sign On (SSO) application makes it easy to access all your applications with just a single set of login credentials. The SSO acts as the identity provider – a common platform to handle user identity and access across all your applications – and also provides authentication, authorization and access control.
Single Sign On solution offers a secure and convenient way to manage access credentials and user provisioning.
Advantages of Single Sign On (SSO)
Reduce Your Help Desk Costs
Gartner’s research says that about 50% of all calls made to help desks are requests for resetting passwords. In this scenario, deploying a Single Sign On application reduces the time, effort and cost spent by your help desk, resulting in savings for your organization.
User Experience
Through automated login using Single Sign On, users can switch between applications without having to login to each applications each time. This saves employee time and increases productivity.
Reduce Password Fatigue
Users don’t need to remember and manage multiple passwords – SSO reduces the number of passwords to one and makes it much simpler to remember and manage.
Easier Accounts Management
SSO gives clear visibility on what access is permitted for whom. It also helps in improving the speed of adding and disabling the accounts of outgoing employees.
Right Access To The Right People
Admin users can provide or deny access to specific users. For instance, if a particular user in a department wants an application to work on the admin can give access only to that person instead of giving it to the team which could result in confusion.
How does it work?
An SSO acts as an identity provider, acting as a common platform to manage identity and access rules across all of an organization’s cloud apps. When a user connects to the service provider to authenticate their identity, it transfers authentication to the identity provider. The identity provider validates the user’s credentials, and then sends a SAML token to the service provider for accessing the application.
Akku packs a powerful Single Sign On function whose customized SAML enables you to integrate a highly secure Single Sign On (SSO) with any cloud or in-house application, developed on any platform, including support for your intranet.
So, why continue to be frustrated with multiple passwords and multiple user accounts to access multiple applications? Make access easier for users and control easier for administrators with Akku.
Identity and Access Management (or IAM) solutions – also known as Identity Management (IdM) solutions – form a critical component of an enterprise’s IT security. And when used with cloud-based applications, they form part of a powerful cloud security set up too.
In simple terms, an IAM helps to control which users can access what data, as well as from where and when this access is permitted.
So how does an IAM work?
In any Identity and Access Management solution, one of the core concepts at play is that of an Identity Provider (IdP). The IdP brings all of the enterprise’s cloud-based application on to a common platform from where identity information can be managed and authentication services provided through the use of a Security Assertion Markup Language (SAML).
Through this process, it becomes possible to establish a single point of control across all of an organization’s cloud applications, and to provide a single point of access to all users, in the form of a Single Sign-on (SSO) – one of the fundamental functionalities of an IAM.
What features do IAMs offer?
Most IAMs offer some or all of the following features:
Single Sign-on
Enables administrators to provide each user with a single login to access any or all of the local and cloud applications used by the organization.
Multi-factor Authentication
Provides a powerful additional layer of access protection through a TOTP or other methods.
Password Policy Enforcement
Enables enforcement of a custom password policy across the organization, to comply with statutory (or the company’s own) security standards.
Is Akku an Identity and Access Management solution?
Akku is indeed an IAM solution, but it’s also so much more. It brings to the table all the security and access restrictions that a standard Identity and Access Management solution has to offer, along with several additional features to boost security and productivity across your cloud environment:
