From naked celebrities gaining allegedly unwanted publicity from hacked iClouds to Sony’s misfortunes at the hands of the inaptly named Guardians of Peace, hearts were left bleeding after an alarming number of scurrilous, high-profile cyber security attacks last year. As Lancope CTO, TK Keanini told E&T Magazine: “The big message in 2015 is that security is everyone’s problem.” Therefore, although essentially a top-down initiative, every employee needs to take responsibility and be accountable for security breaches; and every business needs to rethink their security strategy. However, various reports/studies reveal that several organizations are not taking the necessary actions to control security breaches. In their “Get Ahead of Cyber Crime” report, Ernst & Young found organizations remain unprepared and PWC discovered that 60% of Boards are not involved in security. These organizations seem to be taking the ‘ostrich stance,’ burying their heads in the sand, forgetting that their back end is exposed, making their hiding place visible, accessible and insecure.
There are several reasons for inadequate cyber protection. As Fred Piper, Emeritus Professor at Royal Holloway told delegates at the SC Congress 2015 that there is a deficit of education, knowledge and expertise in cyber security. Also, technology is developing faster than the rate at which security is advancing. A vast number of users access a plethora of resources, from myriad devices with variable security, using an inordinate number of identities… therefore, the usual security measures are simply not sufficient.
Dr Who, Doomsday and the Daleks
One of the five key critical areas, identified in the UK government’s Cyber essentials Scheme, is Access Control, Identity and Administrative Privilege. The inadequacy of perimeter security is driving us to adopt flexible solutions such as Cloud-based identity as a service (IDaaS), which enables the fast deployment of new features and increased agility for upscaling and downscaling security measures. A good security strategy teaches users what strong passwords look like, favors alternative security measures, increases multifactor authentication and reduces the number of identities per user. This may start to sound like the Cybermen and Daleks stand-off in the Doomsday episode of Dr Who, with both sides yelling “identify yourself” repeatedly; but worry not, there are some simple solutions to these challenges and at least, high profile attacks have raised awareness before your business got exterminated!
Keeping it Simple
There are three basic identity models. Cloud, Synchronized and Federated and Microsoft offer all three. So, let’s take a look at what they comprise, what the benefits are and how you can decide which one is right for your business. If you have a small number of users and don’t require any on-premise identity configuration, or your on-premise directory is complex and you want to avoid difficult integration or trial Office 365, then choose Cloud identity; however, bear in mind that users will have a siloed set of identities inside an Azure AD.
Synchronized Identity is a one-way sync between your on-premise Active Directory and Office 365. Users have the same username and password, but they will need to re-enter them. It’s simple to configure and eliminates the need to manage passwords in two locations.
Federated identity (single sign on) allows you to use your on-premise identity to authenticate Office 365, but there’s a real-time check against AD. So, users don’t have to re-authenticate if they are on the corporate network. Note that it requires deploying two-eight additional internal and internet-facing servers. This model works best when you already have an ADFS deployment, use a third party federated identity provider, have multiple forests in your on-premise AD or have an on-premise integrated smart card or multi-factor authentication (MFA) solution.
The good news is that with Microsoft, it’s simple to switch between the models. Therefore, you can start with the simplest model that fits your requirements and then switch according to the changing demands of the business. By doing this, you can rest assured that with regard to identity management at least, you have your head out of the sand and you’re protecting your business from the Daleks and Cybermen.