Identity management and access control are two sides of the same coin; both are essential for security, but neither is adequate by itself. Identity management allows a network or system to authenticate the identity of a user through some type of credential, which can range from a simple user name and password to digital certificates, physical tokens, biometric factors (fingerprints, iris scans, facial recognition, etc.), or some combination of these factors. The strength of authentication required depends on the sensitivity of the material being accessed and on the impact should those resources fall into unauthorized hands. Public information might require little or no authentication, while proprietary or classified data, or accounts with administrative privileges, should require stronger authentication, possibly using multiple factors.
Single Sign-On and Maximum security
But authenticating identity is only the first step. Each user should receive only the appropriate access privileges, based on need and on the level of authentication that has been performed. The fact that someone has established his or her identity as an employee should not result in unfettered access. Studies have put as many as 35 percent of all hacking attempts down to employees, and the insider threat to enterprises is serious. These threats can be the result of malicious activity or of error, but both scenarios present real risk to the enterprise.
In addition to threats from otherwise legitimate insiders, there also is a risk that the user credentials can be compromised and that the ID authentication process can be exploited to let malicious outsiders into the system.
For these reasons, the principle of least privilege is considered a best practice in access control. As the name implies, this means that every user – whether an individual, a device, a program or a process – is granted access only to the resources necessary to accomplish the job at hand.
The concept is simple. A low-level clerk does not need and should not have administrative privileges on IT systems; a worker in sales does not need access to sensitive financial information. In practice, however, it is often difficult to manage. Users are typically assigned access privileges based on their role in an organization, but individuals seldom fit neatly into a single role. They often need special one-time access, and two people filling the same role might need slightly different types of access.
Effectively managing access requires not only authentication and secure connections, but granular controls for each user and the ability to monitor their activities.
Hypersocket Framework and Single Sign-On
Every action within Hypersocket Framework (HSF) requires a permission, and each business domain is modelled as a set of resources specific to the system being developed. Users are placed in roles, and each role is associated with a specific set of permissions by assigning resources to it. Every action within HSF generates an Event, which allows the applications built on it to produce detailed reporting and analysis of the system. Events can also trigger responses, such as notifications or alerts.
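The model just described (default-deny, actions bound to permissions on resources, users placed in roles, every decision recorded as an event that listeners can react to) is easy to get wrong when it is grown ad hoc. The following is an added, self-contained illustration of that model, written for this article; it is not Hypersocket's API or code, and the role names, resource names and the one-off temporary grant used to cover the "special one-time access" case from the previous section are assumptions made for the example.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# A permission is an (action, resource) pair, e.g. ("read", "finance/ledger").
Permission = Tuple[str, str]


@dataclass(frozen=True)
class Event:
    """One authorization decision; denied attempts are recorded as well as allowed ones."""
    principal: str
    action: str
    resource: str
    allowed: bool
    via: str  # "role:<name>", "temporary" or "none"


class AccessControl:
    """Default-deny RBAC: an action on a resource is allowed only via an explicit grant."""

    def __init__(self) -> None:
        self._role_perms: Dict[str, Set[Permission]] = {}
        self._user_roles: Dict[str, Set[str]] = {}
        # One-off exceptions for a single user: (user, action, resource) -> expiry time.
        self._temporary: Dict[Tuple[str, str, str], float] = {}
        self.events: List[Event] = []
        self._listeners: List[Callable[[Event], None]] = []

    def grant(self, role: str, action: str, resource: str) -> None:
        self._role_perms.setdefault(role, set()).add((action, resource))

    def assign(self, user: str, role: str) -> None:
        self._user_roles.setdefault(user, set()).add(role)

    def grant_temporary(self, user: str, action: str, resource: str,
                        ttl_seconds: float, now: Optional[float] = None) -> None:
        """Time-boxed grant to one user instead of widening a shared role."""
        now = time.time() if now is None else now
        self._temporary[(user, action, resource)] = now + ttl_seconds

    def on_event(self, listener: Callable[[Event], None]) -> None:
        self._listeners.append(listener)

    def authorize(self, user: str, action: str, resource: str,
                  now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        via = "none"
        for role in sorted(self._user_roles.get(user, ())):
            if (action, resource) in self._role_perms.get(role, set()):
                via = f"role:{role}"
                break
        if via == "none":
            key = (user, action, resource)
            expiry = self._temporary.get(key)
            if expiry is not None:
                if now < expiry:
                    via = "temporary"
                else:
                    del self._temporary[key]  # expired exception is removed, not kept around
        allowed = via != "none"
        event = Event(user, action, resource, allowed, via)
        self.events.append(event)
        for listener in self._listeners:
            listener(event)
        return allowed


def demo(now: float = 1_000_000.0):
    """Constructed scenario: clerk, sales and finance roles plus one temporary exception."""
    ac = AccessControl()
    ac.grant("clerk", "read", "orders")
    ac.grant("sales", "read", "orders")
    ac.grant("sales", "write", "orders")
    ac.grant("finance", "read", "finance/ledger")
    ac.grant("admin", "admin", "system")
    ac.assign("alice", "clerk")
    ac.assign("bob", "sales")
    ac.assign("carol", "finance")
    # Bob needs the ledger for a one-hour quarter-end task: a temporary grant, not a new role.
    ac.grant_temporary("bob", "read", "finance/ledger", ttl_seconds=3600, now=now)

    alerts: List[Event] = []

    def alert_on_denied_admin(ev: Event) -> None:
        # Example listener: a denied attempt on the "system" resource raises an alert.
        if not ev.allowed and ev.resource == "system":
            alerts.append(ev)

    ac.on_event(alert_on_denied_admin)

    results = {
        "alice_reads_orders": ac.authorize("alice", "read", "orders", now),
        "alice_admin": ac.authorize("alice", "admin", "system", now),
        "bob_ledger_now": ac.authorize("bob", "read", "finance/ledger", now),
        "bob_ledger_later": ac.authorize("bob", "read", "finance/ledger", now + 7200),
        "carol_ledger": ac.authorize("carol", "read", "finance/ledger", now),
    }
    return results, ac.events, alerts
```

Two design points carry over to any real system: the check is default-deny, so a resource nobody thought to protect is unreachable rather than open, and denied decisions are recorded with the same detail as allowed ones, because the denied attempts are the ones that feed the reporting and alerting the text mentions.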
To ease the burden of managing multiple accounts, Hypersocket Single Sign-On lets users log on once to the Hypersocket server to get access to their cloud-based and web-based applications. The SAML protocol seamlessly connects users to cloud services once their identity has been authenticated by the server. When a cloud service does not support SAML, the Hypersocket Single Sign-On server provides a browser plugin to automate the login process.
Bringing it all together
Managing identity and access privilege of users is essential to cybersecurity, and Hypersocket IDM and Hypersocket SSPR are available to help provide identity and user management with the granularity needed to make them effective and the ease of use needed to make them practical.