A holistic approach to security: Identity and Access Management (IAM)

Identity and Access Management (IAM) extends far beyond the simple notion of authenticating users. While that is certainly a central point, modern work environments require changes to IT infrastructure for users to remain safe while being productive from any device, over any network while physically being anywhere. That’s where the modernized IAM workflows coupled with first- and third-party integrations are critical to extending access through greater flexibility while enhancing security for all stakeholders.

November 17 2022 by

Jesus Vigo

Viewport offering a deep, fisheye view into a long hallway and all angles

When you think of identity and access, usually, the first example that pops into many an IT admin’s minds is authentication. Digging a little deeper down the rabbit hole, we come to provisioning user accounts. This leads us to the ever-present 800lbs gorilla in the room – passwords.

It’s a simple workflow and one that has served as the cornerstone of securing access to resources from unauthorized users. A combination of eight to twelve characters and numbers – maybe a few more if your organization wants to make the password a bit tougher to crack – is all that stands between a bad actor and critical organizational data or sensitive personal and user privacy data.

But…is that enough? Before you answer that, ponder the following statistic and continue to read on why exactly IAM matters when establishing identity and access workflows within your organization.

“One-third (29%) of organizations had at least one user fall for a phishing attack in 2021.” – Jamf Threat Labs

Why IAM matters

Effectively protecting resources from the modern-day threat landscape means more than just a strong password. While that’s still important no doubt, as the statistic above points out nearly a third of organizations will experience at least one authorized user falling victim to a phishing attack. This means that regardless of the relative strength of the affected user’s password or which password policies are implemented to limit password weakness – neither of these practices will do anything to prevent unauthorized access if the user simply hands over their credentials.

To address this in addition to other security challenges affecting access management and user authentication, identity and and access management solutions must work with security. After all, it makes sense that management and security workflows – both working toward keeping organizational resources secured – should draft off the same infrastructure, doesn’t it?

Jamf Connect is a perfect example of how this interconnectivity between IAM and security works to not only secure authentication, but also continually access resources securely by ensuring that workflows are consistent and in alignment with everything else a user interacts with, regardless of the device.

Modern authentication

Identity is firmly engrained in securing everything from devices and user accounts to organizational resources, it is already something organizations are investing in and relying upon to drive the employee experience. By pairing this with cloud identity providers, such as Google, Microsoft and Okta, alongside many others, IT can enable zero-touch deployment and streamline account provisioning based on user cloud identity attributes and management that extend far beyond the physical walls of the office.

This not only ensures that a user-friendly IAM solution authenticates corporate apps on all devices, including mobile, but extends to all organizational resources – on-premises and cloud-based – securely managing access regardless of device type, ownership level or where the user may be working from.

Policy enforcement

Access policies built-in to IAM solutions help fortify security in a number of ways. One such way is by incorporating policy-based device risk assessments, IT and Security teams ensure that the device’s risk posture is considered. Let’s revisit the example above where a user’s password was provided to a bad actor during a phishing attack. A policy that is tied to conditional access, by integrating with Microsoft or Google, would result in a workflow that automatically limits user access permissions tied to the compromised credentials, effectively restricting access to organizational resources.

Another example leverages Zero Trust Network Access or ZTNA which we’ll cover a bit later. By utilizing ZTNA – a central component of Jamf Private Access – an authorized user is required to allow access to critical business apps. Additionally, an authorized device policy restricts access only to devices in your fleet that are allowed by IT and Security teams.

Modern threat landscape

Just as the modern computing landscape has vastly changed work environments through the adoption of mobile devices and organizations migrating to remote/hybrid work environments, the modern threat landscape has evolved much to our chagrin, challenging bad actors to develop clever, yet novel ways to continue targeting your devices and users in their quest to obtain organizational data.

Effective IAM solutions require adaptive and flexible security controls that extend far beyond the office’s network perimeter. One such practice continuously evaluates a device’s risk posture as we mentioned previously but continues to do so throughout the duration of the session. After all, making sure a device isn’t compromised before permitting access is one thing, but what happens if drops out of compliance during the session? The end result would still be the same – unauthorized access.

To mitigate this risk, continuous risk assessment through ZTNA or conditional access leverage context-aware policies that grant or deny access to sensitive data, apps and resources while the cloud-based nature offers IT effective, scalable network protections to meet the demands of their unique needs. All without needing to manage security appliances, complex software configurations or expensive support contracts.

More than just connecting users to resources

We keep stressing the word modern because it's important to discern from merely providing an authentication mechanism and the myriad protections afforded beyond authentications that are provided by a true identity and access management solution.

Think of IAM as a puzzle piece. While it is a solution in its own right, capable of operating independently, it’s far more potent when paired with other solutions as part of a larger defense-in-depth strategy. Not unlike the puzzle piece that is an image unto itself, the entire picture isn’t revealed unless all the pieces fall into the correct placement.

Some of the security benefits are inherent while others are made possible by integrating with first- and third-party solutions, such as:

One password to rule them all

Unifying identity management across all enterprise apps and organizational resources is something we touched upon earlier. Standardizing protections across your entire infrastructure, particularly the various managed and unmanaged devices that access it made possible by enabling Single Sign-On (SSO). Not only does this streamline access management for IT, but the simplified workflow sees users needing to remember only one password – not juggling multiple credentials that may (or may not) be out of compliance with company policies.

Furthermore, SSO eases the burden of managing multiple services, each with its own set of credentials by synchronizing passwords between corporate resources and your Mac endpoints in the background, delivering IdP that works for all stakeholders.

Two’s better than one

Passwords are a mixed bag when it comes to security. While it is an accepted aspect of securing access to resources, it isn’t without its headaches – both from an administrator’s perspective and the user’s. Add to that what we stated previously about password security and how, despite best efforts, a phishing attack can rather easily side-step all but the strongest of controls and we find ourselves wishing for something better, and more effective when protecting resources.

Multi-Factor Authentication (MFA) provides just that by requiring users to attest that they are whom they claim to be using a combination of factors:

  • Something you know
  • Something you have
  • Something you are

Enabling this functionality within Jamf Connect and your IDP ensures that it’s the right user on the right device requesting access to organizational resources, minimizing the risk of sensitive data getting into the wrong hands.

Never trust – always verify

We mentioned ZTNA earlier and in this section, we’re going to discuss a few of the benefits to security that organizations can gain by extending IAM with ZTNA.

First, microtunnels. The concept of tunneling data is not new in the security world. VPN has been doing so for decades, after all. But remember, we’re discussing modern solutions – not legacy ones – and legacy VPN certainly has several security challenges that only ZTNA can and does resolve when set against the backdrop of the modern threat landscape.

Microtunnels are one of these solutions, with each protected resource requiring its own unique microtunnel when users request access. Instead of granting access to the entire network like legacy VPNs, ZTNA utilizes independent microtunnels to secure access to each resource. This is done to ensure traffic is segmented from one another to prevent lateral network attacks, but also ensures that if an app becomes compromised, access need only be denied to the affected app – leaving users to remain productive on unaffected apps/resources while IT resolves the issue.

Another challenge ZTNA addresses are network bandwidth utilization issues since it operates each microtunnel on-device and in-network without requiring traffic to be backhauled through VPN hardware. An additional benefit to performing so efficiently is the use of split-tunneling technology that automatically identifies business traffic, securing it through a microtunnel while non-business traffic is routed directly to the internet —both preserving user privacy and securing organizational data without compromising either.

The best of all worlds

Expanding capabilities to take advantage of first- and third-party solutions is a powerful ability in a modern IAM. One that should not be overlooked when considering that security, much like technology evolves at such an incredible pace. Perhaps in the past, your organization only required an on-premises IdP and MDM solution to holistically manage your Apple fleet. But today, the organization relies on its employees working remotely and as such, today’s needs require cloud-based IdP, MFA and MDM solutions just to get the device and identity management portion of your infrastructure operating.

Fast forward and perhaps that requirement expands to include mobile threat defense and greater access management capability, such as ZTNA. A flexible IAM solution will make all the difference in the world when addressing the current and future needs of your organization.

Consider passwords once again. What if we told you there is a way to implement an MFA solution to provide an additional layer of security to access requests while eliminating passwords altogether? Is passwordless Mac authentication even possible or secure?

Yes, and absolutely yes! (Dare we say, even more secure.)

Enter Jamf Unlock, the passwordless workflow made possible when integrating Jamf Connect + Jamf Pro and an iOS-based device running version 14.0 or later. Because passwords themselves can create security holes, including those stemming from exposure due to data breaches, loss from phishing attacks or merely being too weak or easy to guess, a passwordless authentication workflow can bypass these security issues entirely. All while keeping your workforce secure and data protected while providing a seamless end-user experience.

Key Takeaways:

  • Identity and Access Management is a critical step to meet the needs of the modern “work anywhere” workplace
  • An integral component in an effective defense-in-depth strategy of layered security solutions that work together to mitigate threats
  • Enable zero-touch deployments and streamline account provisioning workflows leveraging cloud IdP
  • Policy-based IAM aligns account management with organizational policies, standardizing and extending them across all devices in the infrastructure
  • Enable simplified authentication workflows that leverage SSO and MFA to both enhance and secure the user experience
  • Expand capabilities by integrating with first- and third-party solutions to meet your needs today – while providing the foundation to meet future needs
  • Bypass password-based security issues entirely by seamlessly implementing a passwordless authentication workflow with Jamf Unlock

***

This post is one of a series on a holistic approach to security. See a roundup of all of the posts, or read one below:

Are you still relying on strong and complex yet easily forgotten or lost passwords to keep organizational resources safe?

Get out of the past! Live in the passwordless future with a modern identity and access management solution.

Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.