Article provided by Westcon
Many small businesses understand the importance of having anti-virus software and firewall solutions in place to help protect the network and their data. But with the cloud becoming a vital driver for growth, this is not enough. As such, identity and access management (IAM) solutions have become essential tools to shore up organisational defences further.
IAM solutions manage access to company resources and help keep systems and data secure. As the name suggests, IAM helps businesses verify the identity of users and grant them the right level of access to company systems and information. This access translates to the ability of an employee to perform a specific task based on that individual’s role inside the company.
“These solutions should consist of all the necessary controls and tools to capture and record user information, manage the database against those, and process access based on the relevant privileges. In layman’s terms, this translates to the fact that a receptionist cannot access salary files or strategic documents. At the same time, team leads might be restricted to sensitive documents relevant to their immediate objectives,” says Prebashini Reddy, Microsoft Cloud Solution Provider (CSP) Product Manager at Westcon-Comstor Sub-Saharan Africa.
Identity and access are two sides of the same coin. For example, the first stage might be to identify an employee, and the second stage is providing access dependent on who they are.
But more than merely recognising an individual, IAM also accounts for the different types of risks associated with accessing files: for example, sitting in a cubicle on the secure corporate network versus working remotely from a home connection. This means that each employee can have several ‘identities’ on the system that must be managed according to the associated risk levels.
But just as there are myriad options when it comes to standard cybersecurity solutions, so too is there a plethora of IAM offerings available in the market. The challenge is to identify the ones that not only make the most strategic sense for what the company requires but can also integrate effectively with existing cloud-based systems.
“While all this can be intimidating, especially to small business owners, sophisticated technology such as Windows Hello and Azure Multi-Factor Authentication (MFA) makes this a more user-friendly and intuitive experience. And because most businesses are Windows-based, these can easily be incorporated into current policies,” says Pete Hill, executive director at Greendata.
Understanding Windows Hello
Windows Hello provides Windows 10 users with an alternative way to log into their devices and applications. Instead of typing in a password, it can identify fingerprints, perform an iris scan, or even conduct facial recognition to grant access.
“Hello is a more personal and secure way to get instant access to devices. Of course, the choice is up to the user whether they decide to remain on a password system or opt for facial recognition. However, some companies might insist on the level of biometrics required to access the corporate network. Some might be concerned about what happens with their biometric data once this freely available tool is set up,” says Reddy.
But even though Microsoft collects diagnostic data on how people use Windows Hello, the data does not include any personal information of the user and is encrypted before it is transmitted to Microsoft. Even so, users can opt not to send this diagnostic data if they do not feel comfortable doing so.
“A significant advantage of going the Windows Hello route is that employees no longer have to remember complex passwords. And with many companies requiring people to change their passwords every few weeks, it becomes an arduous process. As with many other automated cybersecurity solutions, Hello lets IT teams concentrate on other areas of maintaining the integrity of the corporate network,” says Reddy.
Multi-factor authentication (MFA)
Windows Hello can also be combined with local PINs to replace traditional passwords during the login process. This helps deliver multi-factor authentication that combines security with a more streamlined process.
“Systems that rely only on a username or password are prone to potentially devastating compromises. Hackers can use sophisticated tools to crack a password. However, biometrics are virtually impossible to fool as the person must be physically in front of the device to log in,” adds Hill.
So, while anti-virus solutions and firewalls are essential to the cybersecurity strategy of a business, embracing MFA ensures that the company takes a more proactive approach to security. This means that instead of waiting for hackers to attack the network, an organisation introduces a critical layer between traditional cybersecurity offerings and the threat – that of the individual employee.
Of course, MFA is not a new thing. South African banks have been using it for several years when it comes to online banking transactions. For example, if a person logs in to their account, they will be sent a verification code on a secondary device to authenticate the action. MFA revolves around presenting two pieces of ‘evidence’ when logging in to a system.
“Beyond protecting against hackers, it also safeguards businesses from employees who claim their usernames and passwords were stolen in the event of data being stolen. With MFA, the company can confirm that it is the individual themselves who logged in and accessed the files in question. Having these multiple levels of security can significantly improve the safety of data,” says Reddy.
In a cloud environment, this becomes even more critical as employees typically access files from any number of locations.
“Pairing MFA with access control empowers the business with the ability to limit certain files being used when the employee is known not to be on a secure network, such as the WiFi hotspot of a coffee shop. As with any cybersecurity approach, education remains key to ensure people understand the importance of IAM and act responsibly when it comes to where and how they access data,” continues Hill.
By making IAM part of the broader cybersecurity strategy, the company demonstrates how seriously it is taking the risk of data compromise and the steps it is willing to take to maintain control over its most valuable corporate asset.