Case for Identity and Access Management


Tony Kirkby
Contributor

In April and May this year, when home working was at unprecedented levels as a result of COVID-19, the identity and access management (IAM) provider LastPass by LogMeIn surveyed 750 tech and security professionals from Australia and several other countries on how they control and manage user access to online resources.

The survey found IAM left much to be desired in many organisations. Only 18 per cent of respondents said their organisation’s IAM solutions were fully secure and did not require improvement.

On average, five hours every week was spent just managing user passwords, a 25 per cent increase from the results gathered in a similar survey in 2019.

Not surprisingly many respondents (45 per cent) expressed frustration at the time spent managing passwords. Of greater concern, however, was users forgetting their passwords and using the same password across multiple applications.

Tim Blumentals
Tim Blumentals: Identity and access management is fundamental

A considerable number of respondents also expressed concerns about users sharing their access credentials, and the potential for user access credentials to be lost or stolen.

There concerns are well justified says LastPass/LogMeIn federal and state government manager Tim Blumentals. Compromised credentials are by far the biggest avenue by which cyber criminals gain access to organisations’ IT resources.

“People get focused on hacking, but criminals are no longer hacking in, they’re logging in with credentials, they’ve lifted off the dark web, because people have handed them over in a phishing attack,” he says.

“If you look at any of the data breach reports they all say about 80 per cent of data breaches are credential related.”

Identity and access management products like LastPass by LogMeIn can solve many of these problems. Think of it as a password vault on steroids — and in fact there is a free version of LastPass for individuals that is exactly that.

Beyond providing users with access to sign-on credentials for multiple online resources, via a single username and password, LastPass incorporates multiple features to enhance security, including multifactor authentication to make life simpler yet more secure for users and IT administrators alike, and the ability to selectively restrict access to specific resources.

Such features are essential for any organisation if it is to come close to achieving the requirements of Australian Cyber Security Centre’s (ACSC) set of strategies to mitigate cyber security incidents, known as the Essential Eight Maturity Model.

The basic, maturity level one, requires multifactor authentication be used to authenticate all users of remote access solutions.

The top level, level three, also requires multifactor authentication be used to authenticate all users when accessing important data repositories.

Many businesses use Microsoft Active Directory (AD) to manage their users. It is the single source of truth about who works at a company, the things they need to access and their permission levels.

LastPass integrated with Active Directory enables automated account creation, user termination, group management and more.

LastPass also provides audit and reporting functions, enabling IT staff to see when a particular set of access credentials was used, who used them and what they were used to access, and to control what resources a particular set of credentials can access.

LastPass can also add layers of security beyond the password, by identifying the device being used to gain access and limiting access accordingly: for example user connecting from a home PC might be given access to only a subset of the resources available from their in-house terminal.

“We’ve got about 100 policies that allow you to really lock down the usage,” says Mr Blumentals.

Many people use the same password for multiple online services. If one of these is compromised the hackers gain access to, potentially, millions of email address and password combinations that they can use try and gain access to other services, including corporate resources.

“For any email address, the website https://haveibeenpwned.com will return a list of known data breaches in which a user’s email address/user name has been compromised. A useful new feature of LastPass is that it automatically interrogates a similar dark web database and raises an alert when any users’ email address is found to be among those compromised, prompting them to change passwords”

You can learn more about LastPass and how it addresses today’s password and access management control challenges in this webinar Password Management: Addressing the common threat to government, presented in conjunction with InSync Solutions on Tuesday November 17 from 10:30am to 11:30am AEST.

This article was produced in partnership with LogMeIn.

Do you know more? Contact James Riley via Email.

Leave a Comment