User access management is a recurring topic of discussion with customers and partners. Two major trends transforming industries today – mobile and cloud – are acting as catalysts for a renewed focus on this critical area of security.
As mobile devices proliferate at a staggering pace, enterprises see a rich new channel through which to reach customers. Enterprises are also realising that a much larger set of employees want to use mobile devices – which can enhance individual productivity as well as generate business value.
We’re in the BYOD era, where secure access to enterprise resources is key for all mobile deployments. Secure mobile access has some unique requirements:
1. Since mobile devices are shared more often it’s important to authenticate both the user and the device before granting access.
2. To mitigate the threat of man-in-the-middle attacks, emphasis must be placed on strong session management capabilities.
3. The risk of granting access to the user based on their context (time, network, location, device characteristics, role etc) needs to be determined so appropriate counter measures can be taken. This risk calculation can help select the appropriate authentication scheme(s), identify corresponding authorisation policies to enforce, and provide the user with information on security best practices. Additionally, threat protection from access requests needs to identified and countered to protect against mobile-borne attacks.
In the past few years, organisations have had growing economic incentives to source their technology services from cloud based providers – from software, to platforms, to infrastructure.
Cloud deployments help organisations improve time to value for delivering new services or content, while also avoiding capital expenses. As an organisation employs cloud-based solutions, or launches its own cloud offerings, secure access needs to be a top security consideration.
To improve user experience, a robust single sign-on solution that enables secure federation of identities across domains becomes critical. Some organisations are beginning to employ third-party identity providers (i.e. Google, Facebook, LinkedIn) to authenticate the user. However, first consider if the identity provider has been compromised.
A cloud access management solution needs be able to assess the risk of a specific access attempt based on security events related to the user. In cloud environments a flexible policy management and enforcement infrastructure (for authorising access) grows in significance in order to adapt to dynamic interactions with cloud services for cost management and compliance.
Over a year ago, IBM leadership began a concentrated effort to address these new requirements in the IBM Security Access Manager (ISAM) solution for cloud and mobile, which now enables context-aware access control to help organisations assess the risk of each interaction and adapt accordingly.
The risk of an interaction may motivate the use of different forms of authentication schemes or provide the user with differentiated authorisation to data or services. To compute the risk the user’s device and the application can be taken into consideration.
Jason Burn is the business unit executive of IBM Security Systems Australia and New Zealand.