As the CIO, you must see the big picture when it comes to implementing technology in your organization. It is not good enough to look at how a technology addresses a single issue; the CIO must evaluate how a technology will both positively and negatively impact the entire company.
Identity & Access Management (IAM) is a technology solution that impacts virtually every functional area of your company as well as your customers. It is a solution that makes a compelling business case with an almost immediate ROI. Let’s look at how specific IAM technologies will affect the different areas of a company and how each of them might be impacted and benefitted by implementing an integrated IAM solution.
What Makes an Integrated IAM Solution?
An integrated IAM solution is one that encapsulates as many of a user’s multiple logins and applications as possible and protects them with multiple layers of authentication across various platforms. This means all of the following:
- Single Sign-On
- Multi- or 2-Factor Authentication
- Mobile Authentication
- Directory Management
We’ll go into each of these in detail below.
Single Sign-On
Single sign-on (SSO) allows a user to enter a single username and password one time in order to gain access to all of their applications. After entering their single credential pair, the user is presented with one-click access to all applications they are authorized to use. Passwords are eliminated and replaced with a secure SAML transaction to the application. So how will SSO positively impact your business?
SSO adds significant value and immediate cost savings to your IT department by reducing help desk support costs by 20% to 50% from day one. Once SSO implementation is complete, the volume of help desk calls drops dramatically. According to Gartner, the reduction is between 20% and 50%, with one recent report finding that calls for password resets and account lockouts amount to 30% of total help desk calls. Forrester Research concurs: one recent study determined that 25% to 40% of help desk calls are related to password issues, and another estimated the number at 20% to 50%.
Using the META Group’s average of 1.75 support calls per user per month, along with Gartner’s conservative estimate of a 30% reduction in password-related calls, your ROI will look something like this:
The Business Case for Integrated IAM
- 1,000 Employees × 1.75 Help Desk Calls per Month = 1,750 calls
- 1,750 calls × $25.00 (Cost to Resolve 1 Call) = $43,750/month
- 30% Call Reduction (1,750 × 30%) = 525 fewer calls
- 525 fewer calls × $25.00 = $13,125/month in savings
Plug in your numbers to see how IAM will impact your IT support costs!
IT Process Streamlining and Productivity
Single sign-on streamlines the process of user management without changing the way you currently operate. Simply by adding a user into your company directory (LDAP), SSO has the ability to automatically provision new accounts simultaneously in all the applications required in less than a minute. When it is time to remove a user, access to all applications is terminated in less than 30 seconds. Add the significantly increased security that SSO brings and your IT department saves hundreds of man-hours.
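The directory-driven provisioning and deprovisioning described above comes down to a reconciliation: compare what the directory says each user is entitled to against the accounts each application currently holds, and emit the difference as actions. The following is an added illustration of that reconciliation, not code from any IAM vendor; the directory entries, the application account lists and the group-to-application entitlement mapping are constructed sample data.

```python
"""Directory-driven account lifecycle (added example, not vendor code).

Reconciles each application's account list against the company directory:
users who are disabled or no longer in the directory lose every account,
users whose group membership entitles them to an application gain a missing
account. Group-based entitlement is an assumed policy; all data is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectoryUser:
    uid: str
    enabled: bool          # a disabled directory account is treated as removed
    groups: frozenset      # directory group names the user belongs to


# Assumed entitlement rule: membership in any listed group grants the app.
APP_ENTITLEMENTS = {
    "crm": {"sales", "it"},
    "payroll": {"finance"},
    "wiki": {"sales", "finance", "it", "engineering"},
}


def entitled_apps(user):
    """Set of applications a directory user should hold an account in."""
    if not user.enabled:
        return set()
    return {app for app, groups in APP_ENTITLEMENTS.items() if user.groups & groups}


def reconcile(directory, app_accounts):
    """Compute provisioning actions.

    directory:    iterable of DirectoryUser (the source of truth)
    app_accounts: {app: set of uids that currently hold an account in that app}
    returns:      {app: {"provision": [uids], "deprovision": [uids]}}
    """
    by_uid = {u.uid: u for u in directory}
    actions = {}
    for app in APP_ENTITLEMENTS:
        holders = set(app_accounts.get(app, set()))
        should_have = {uid for uid, u in by_uid.items() if app in entitled_apps(u)}
        actions[app] = {
            # entitled but no account yet -> create
            "provision": sorted(should_have - holders),
            # account exists but user is gone, disabled or no longer entitled -> remove
            "deprovision": sorted(holders - should_have),
        }
    return actions


# Constructed sample data: one active sales user, one disabled finance user,
# one active engineer, and an orphaned CRM account ("dave") with no directory entry.
SAMPLE_DIRECTORY = [
    DirectoryUser("alice", True, frozenset({"sales"})),
    DirectoryUser("bob", False, frozenset({"finance"})),
    DirectoryUser("carol", True, frozenset({"engineering"})),
]
SAMPLE_APP_ACCOUNTS = {
    "crm": {"alice", "dave"},
    "payroll": {"bob"},
    "wiki": {"alice"},
}

if __name__ == "__main__":
    for app, acts in reconcile(SAMPLE_DIRECTORY, SAMPLE_APP_ACCOUNTS).items():
        print(app, acts)
```

Running the reconciliation on a schedule (or on every directory change event) is what makes "remove the user once, lose access everywhere" hold in practice; the orphaned `dave` account, which exists in an application but not in the directory, is exactly the kind of leftover that a per-application manual process tends to miss.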
In 2014, the annual average cost per company of successful cyber-attacks increased to $20.8 million in financial services, $14.5 million in the technology sector, and $12.7 million in the communications industry. Approximately 76% of those network breaches were the result of compromised user credentials!
SSO protects the weakest and most targeted area of your IT security by significantly reducing the risk of compromised user credentials. No firewall in the world can protect your company if the hacker has the proper credentials. SSO acts as the first line of defense in your company’s security strategy. Mitigating your company’s risks has far-reaching effects on your company’s bottom line. As you can see, a proactive approach can protect your company from the catastrophic cost of a network breach. Additionally, a network breach damages your company’s reputation and may lead to the loss of customers and partners due to diminished confidence in your ability to protect critical information.
This is the situation that Target found itself in when over 70 million records were compromised, resulting in a potential liability estimated at $3.6 billion.
The external benefits of SSO are evident as illustrated above, but there are also significant benefits that can be gained internally. A productive workforce is the result of both efficient operations and high utilization of labor resources. Neither of these objectives is achieved when users are forced to continually enter and reenter logon IDs and passwords. By reducing the number of passwords to one with single sign-on, your IT department can enforce more secure password policies and eliminate password fatigue. Users who are forced to memorize multiple passwords often dismiss and avoid approved security practices by resisting the use of strong passwords, using simple patterns that expose a group of passwords if one is compromised, or reusing the same password for multiple accounts. Users might also just write their passwords down on a sticky note or in an Excel spreadsheet, committing a security infraction of the first order. Many people also keep their passwords and user IDs saved on their phones, meaning that if the phone is lost, your network is compromised.
Single sign-on has been proven to significantly increase user satisfaction and productivity. While these effects might seem trivial at first glance, their impact can be significant when considered across an entire organization over an extended period of time. Redundant entry of login credentials can easily consume a minute or two per employee per day, even without login problems. Over the course of a year, this equates to more than one lost day of productivity per employee. The potential gains from SSO are far greater once actual password problems are factored in, at an estimated average of 20 minutes of lost productivity per incident.
The real question, then, is not one of “need,” but of cost and benefit. SSO implementation is increasingly affordable, and the right IAM solution adapts to the way your company operates.
2-Factor (or Multi-Factor) Authentication
You’ve probably heard the now-common saying about authentication: To be truly secure, you need at least 2 of the following:
- Something you know (a password or PIN)
- Something you have (mobile phone, email account, token, etc.)
- Something you are (fingerprint, iris scan, etc.)
This is the definition of 2-factor authentication. It’s a simple way to add another layer of security to any account, and can negate the effect of bad passwords by requiring a second factor that is much more difficult to replicate or steal.
2-factor authentication is also one of the easiest ways to prevent data breaches; with account credentials involved in the perpetration of roughly 76% of all security incidents, you can’t afford to be without this simple way of improving account security. It’s been well established that the iCloud and JPMorgan Chase data breaches of 2014 could have been avoided with 2-factor authentication. While most of JPMorgan Chase’s servers were outfitted with 2-factor authentication, a single server was overlooked, and hackers were able to break into it and compromise 76 million records. Servers with 2-factor authentication were not breached.
In addition to simply preventing account hacks, 2-factor authentication can also inform a user of a compromised account almost instantly. If a hacker uses the correct password to attempt to log into an account, a 2-factor notification is immediately sent to the “something” the user has (via a text message, mobile app, email, token, or phone call), making them instantly aware of an unauthorized access attempt. This means your users can deny access and the attempted breach is automatically reported to IT administrators, drastically improving your reaction and response times when a threat emerges.
Mobile Authentication
Users are so accustomed to the convenience and speed that mobile access allows them that they will frequently use their smartphones and tablets to simplify their day whether your IT policies allow it or not. Mobile devices are thoroughly embedded in the business world today, so much so that if your organization doesn’t have a bring-your-own-device (BYOD) plan, you are already behind. Part of that BYOD plan should be mobile authentication.
One component of mobile authentication is an authentication app that accepts secure push notifications as a form of 2-factor authentication. After entering a password on their PC, the user receives and acknowledges a push notification to complete their login. Authentication using a mobile app is perhaps the most secure and cost-effective form of 2-factor authentication available today.
Another part of mobile authentication is the offline passcode. If a user needs to log into an application while offline (such as on an airplane), a mobile authentication app can generate a one-time passcode (OTP) specific to the user and their device. The user simply enters the OTP at the login screen, and they are fully authenticated. This functionality allows 2-factor authentication to be utilized in virtually any login situation, so you can be assured your users can always securely connect and won’t feel the need to develop insecure workarounds.
An authentication app today should also be able to provide secure password reset and user account unlock functionality. Because a mobile device using an authentication app can be so thoroughly vetted and directly associated with the user’s account, the user can change a forgotten password or initiate a secure account unlock after too many failed login attempts, and IT can be assured that the attempt will not be unauthorized or fraudulent. This will also help you achieve the support cost savings from eliminating password-related IT support calls explained above!
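An offline passcode "specific to the user and their device" works because the app and the server share a per-device secret and both derive the code from it and the current time, so no network round trip is needed at login. The following is an added example of that mechanism (HOTP per RFC 4226 and TOTP per RFC 6238), not any vendor's code; the secret is the RFC 4226 test-vector secret, and the per-(user, device) enrollment, the clock-skew window and the replay cache are assumptions about how a verifier would use it.

```python
"""Offline one-time passcodes: HOTP (RFC 4226) and TOTP (RFC 6238).

Added example, not vendor code. The shared secret below is the RFC 4226
test-vector secret; per-device enrollment, the +/-1 step skew window and
the replay cache are assumed verifier-side policy.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, int(at_time) // step, digits)


class OfflineOtpVerifier:
    """Server side of the exchange.

    One secret per (user, device_id), so a code is bound to that device.
    Accepts codes from the current step plus/minus `skew` steps to tolerate
    clock drift, and never accepts a step at or below the last step already
    used for that device, so a captured code cannot be replayed.
    """

    def __init__(self, step: int = 30, skew: int = 1):
        self.step = step
        self.skew = skew
        self.secrets = {}     # (user, device_id) -> shared secret bytes
        self.last_step = {}   # (user, device_id) -> highest accepted time step

    def enroll(self, user: str, device_id: str, secret: bytes) -> None:
        self.secrets[(user, device_id)] = secret

    def verify(self, user: str, device_id: str, code: str, now: float) -> bool:
        key = (user, device_id)
        secret = self.secrets.get(key)
        if secret is None:
            return False                     # unknown device: no secret to check against
        current = int(now) // self.step
        for step in range(current - self.skew, current + self.skew + 1):
            if step <= self.last_step.get(key, -1):
                continue                     # already used (or older than a used step)
            if hmac.compare_digest(hotp(secret, step), code):
                self.last_step[key] = step   # consume the step
                return True
        return False


# Constructed enrollment using the RFC 4226 test secret (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    server = OfflineOtpVerifier()
    server.enroll("alice", "phone-1", RFC4226_SECRET)
    now = time.time()
    code = totp(RFC4226_SECRET, now)             # what the app shows offline
    print("first use:", server.verify("alice", "phone-1", code, now))   # True
    print("replay:   ", server.verify("alice", "phone-1", code, now))   # False
```

The check uses `hmac.compare_digest` rather than `==` so that code comparison does not leak timing information, and the `last_step` cache is what turns a time-window check into one-time use: the same code presented a second time within its window is rejected.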
Directory Management
There are a variety of benefits in getting a secure third party involved in supporting or managing your company directories. If your company uses multiple directories as a result of a merger or acquisition, an external provider can help by authenticating users in each directory on a priority basis. Additionally, they can provide a secure cloud backup/sync to manage users you do not want to add to your company directory, such as contractors and vendors. In the event of failure of your internal directory, users are automatically redirected to the secure cloud so they can connect to their applications without interruption. This can save you the time and effort of a complex merge of your directories.
Why Integrate Your IAM?
You may be asking yourself if just one of the IAM strategies laid out above would be sufficient to protect your organization’s users and data. But there are many, many ways in which these methods complement each other to become stronger as a whole solution rather than multiple separate ones. One major reason is that security today is inconsistent. The dozens of applications your users access every day all have different security protocols and policies, forming a patchwork of security that is erratic and difficult for your IT department to control and manage. The level of oversight and insight that a full IAM solution provides is invaluable, and it will allow you to apply a single, uniform access control policy across all of your company’s applications from a central location. Some of the authentication methodologies above are also clear complements to each other. For example, the combination of SSO and 2-factor authentication allows intricate customization for any user or group of users. Perhaps a group of users with access to a storage app where highly sensitive information is stored would be better protected with 2-factor authentication just for that app. Similarly, a user with admin rights to an application should logically have their access more highly scrutinized than a regular user, so 2-factor authentication could be added to the application just for admin users. SSO provides convenience here, but added and customized 2-factor authentication allows granular control over the balance of security and convenience for almost any user group to meet your organization’s specific needs.
A mobile component of your IAM program must be considered a need rather than a want because mobile devices are integral to almost every level of any authentication plan. Users must be able to access an SSO portal with a mobile device to remain productive anywhere at any time. A mobile device is almost essential for 2-factor authentication to allow offline or out-of-network access, and taking things a step further and using push notifications with a mobile app is possibly the most secure of the 2-factor authentication options. Efficient directory hosting also allows administrators to assign a mobile device number to a user’s account so that login attempts from the device can be pre-vetted, and to ensure that a mobile authentication app will only be installed by authorized users on authorized devices. You can provide enhanced productivity and mobility for your users while also closely monitoring and controlling access to your network and apps using a mobile authentication option.
So, does your organization need IAM? The answer is very likely a resounding “Yes!” Can your organization afford IAM? Again, “Yes!” IAM has very low startup costs and the “pay-as-you-go” model makes it easy to work into your operating budget. Be sure to choose a full service solution, where virtually no resources are required by the customer in order to implement the solution. Finally, there are usually no additional costs for ongoing support. Everything is included in the low monthly fee. Once all of the advantages are considered, the business case becomes very compelling with very little risk.
Finally, to make your integrated IAM strategy as strong as possible, it is important to use a single provider for all of these functions. Bringing on separate providers for SSO, 2-factor authentication, mobile, and directory services doesn’t solve the problem of disparate and possibly contradictory security protocols, and may in fact make things worse. A full suite of IAM solutions designed to work together by a single provider will enhance your security at all levels, provide a seamless overall login experience, and protect your company from what may be one of its biggest threats: end users.