Security in the cloud why organisations need identity and access management.

Transcription

1 Security in the cloud why organisations need identity and access management.

2 Providing security for the application economy. People use a far wider range of applications to complete tasks and collaborate with colleagues than ever before. The days of supplying one suite of software to entire departments (or even a whole office) are over. In this application economy, businesses have to rethink the way they manage security taking into account the some of the following factors: Users now access applications in different ways. Organisations are steadily becoming more reliant on cloud-based services, mobile apps and the Internet of Things (IoT). This means they have more employees using different devices to access applications that sit outside their security perimeter. Many organisations also have extended supply chains and need to share data and provide access to systems across organisational boundaries. Hackers have begun to target individuals within organisations. Cyber attacks on organisations used to be unfocused and speculative. But today s attempts to breach security are well-organised and highly-targeted. Hackers often focus on specific individuals within businesses, using attacks like spear phishing (where cyber criminals research their target commonly through social media before sending them a personalised containing links to malware) to gain access to networks through these people. Regulations are changing to keep up with new technology. New or updated regulations can also add to the workload and cause additional financial pain when it comes to a breach. For instance, with new EU Data Protection regulations on their way, companies will have to stay on top of their security requirements to avoid steep fines for lack of compliance. Legacy systems can t fend off new cyber threats. Companies are still working (and will do so for a while to come) with many older systems designed before cyber security became the hugely prevalent issue it is today. For instance, they have programs and functions that work on the assumption of safety behind a firewall. This makes legacy systems particularly vulnerable to new threats. 2

3 What is identity and access management and how does it work? Identity and access management (IAM) does exactly what it says it will. It allows organisations to decide who can access which applications on their networks. This means providing speedy, secure access to the applications their users need, while keeping unauthorised people out. Identity and access management builds on four key elements to keep networks safe. 1. Identity management. This means collecting a directory of all the authorised users in an organisation (and the level of access they have). IT and HR teams can add and remove users to their lists as people join, change roles and leave the company. 2. Access control. Organisations then set the access restrictions they want on resources, so they can control who sees what. 3. Authentication. When people come to use different applications, authentication checks that the user is who they say they are. Once authenticated, their privileges can then be checked against the user directory to see whether their network should permit or deny access. IT departments and users feel the pain. Managing IAM processes on-premises requires significant ongoing investment in time and resources to make sure people have the access and performance they need. IT departments have to take on the responsibility of maintenance patching, upgrading, monitoring and testing security. It can be difficult to stay on top of ongoing demands (especially with new requirements like mergers and acquisitions or product launches, making it near impossible for organisations to adapt quickly to changes in technology and business needs. Poor processes around IAM can lead to a backlog of new users to add to directories, and old accounts remaining online for weeks after employees have left an organisation. As well as creating vulnerabilities in cyber defences, this could leave businesses open to failed compliance audits. From a user perspective, if single sign-on is not deployed, users can find themselves burdened with time-intensive administration, such as managing multiple IDs and passwords. And as the number of applications people use increases, these issues can only get worse. 4. Audit The IAM system can keep audit logs of a particular users activity. The organisation can therefore see information such as when the user logged on, records of any failed log-ons and what was accessed. 3

4 How to create opportunities with IAM. Organisations often see security as a challenge to overcome. But with IAM, they can turn that thinking on its head by using their security to create new opportunities for their businesses. It also allows better, more efficient interaction with customers and business partners. Be flexible. Organisations need security to work across all of their systems old and new. They might be well on their way to moving from an on-premises infrastructure to cloud-based services. But there s every chance they will still need to support a selection of legacy systems. That s why companies need IAM tools that protect, and give users access to, every application they have (especially when it comes to the ones that appear through shadow IT). Be scalable. In the past, organisations might have only needed IAM to look after relatively few applications or users for instance, when giving remote workers access over a virtual private network (VPN). However, they now need IAM tools that manage identities across different devices. Identities for cloud and on-premises applications. With more people using an ever-wider range of applications, businesses have to give users secure access, whether programs sit on their networks or third-party vendors host them in the cloud. Multiple device types. IAM processes have to support various devices from smartphones to desktops as well as the different operating systems people will use on these devices. And if organisations deal with consumers online, they could face the prospect of managing tens of millions of identities (with users appearing and disappearing all the time). Be compliant. As companies use more applications, they ll find they work within a complex network of third-party vendors and partners. And this means having workloads (and data) moving back and forth across different environments and services. This gives people the chance to work productively, but organisations also need to make sure they can trust their external providers. With IAM, organisations can put strong security measures in place, such as two-factor authentication (where users provide two sets of credentials whether physical or digital), to meet compliance requirements. 4

5 Be user-friendly. Organisations have to lock their networks down as much as they can to prevent security breaches, but they also have to think about the user experience. People still need to gain speedy access to the applications they need otherwise there s no real need for the security in the first place. For both customers and staff, IT teams need to make sure their IAM processes protect systems in a way that gives users easy access whenever they need it. Simplicity. IAM controls have to create an easy (and consistent) way for users to access all of their applications. If they have to use multiple logins, people will quickly become frustrated while IT teams will have to deal with a deluge of password resets and other requests. Availability. IAM infrastructure has to be available to users at all times. Even brief outages or performance issues could have a dramatic impact on productivity and revenue as well as company reputation. For example, an online banking portal with recurring outages will make national press headlines. Be cost-effective. While organisations might have a seemingly infinite number of applications and systems to secure, the resources to secure those programs will be far from limitless. To protect their networks, businesses need IAM tools that don t require a massive up-front investment, or completely change the way their IT runs. Be competitive. Rather than restricting what companies can do, IAM gives them the opportunity to improve their organisations through better security. Expand and enhance services. Speedy, secure access to new applications allows people to deliver products and services more efficiently. It also allows organisations to make more use of social media channels, giving customers a better user experience. Differentiate the business. Every organisation has its competitors who are struggling with the same security issues. And the businesses that overcome these issues with IAM, will put themselves head and shoulders above the rest of the crowd. Meet market demand. A company s partners and enterprise customers also face security issues, and they re looking for a solution too. By establishing strong IAM credentials, organisations can meet market demand and show that they re a business people can trust. 5

6 Considering the cloud? Cloud-based IAM tools offer a simpler way to protect organisations and their users as they access different applications. This means secure access to applications and services across their on-premises networks, their private cloud environments and their third-party cloud services. Manage users and their access. Cloud IAM takes care of identity management, with an easy way to create, manage and remove users and access. Give users a single sign-on for all applications. Cloud IAM makes the user experience better for people by giving them one set of secure login details for all of the applications they use. Strengthen the authentication of users. Cloud IAM offers two-factor authentication across all applications, making sure only the right people can access data and processes. Reduce the time spent managing users. Cloud IAM prevents IT teams from getting bogged down in the day-to-day management of users and access freeing them up to focus on other projects. IAM should be seen as an enabler rather than a barrier. Scale to suit the number of users. Cloud IAM supports as many users as required, at any given time. This means organisations can make sure their people always have secure access to the applications they need. Processes and people. Cloud-based IAM tools can improve an organisation s security, but technology is only one part of the solution. Organisations still have to use their people and processes to make sure their security is robust. Stay on top of the latest threats. As with any security solution, the fight s not won simply by introducing new technology and sitting back to watch it in action. Companies still have to watch out for new (and ever-more targeted) threats. Keep an eye on what users access, and how. To make sure they re complying with regulations, businesses have to monitor which users have access to which applications and how they re gaining that access. This also helps to identify where people need more or less access than they currently have based on their role in the business. Make sure users know how to work with their security policy. Security is reliant on individuals. So organisations absolutely have to educate their people about their security policies making sure users don t inadvertently cause a breach or become an insider threat. Manage IAM tools and prevent a security breach. Single sign-on makes security simple for, but it also makes organisations vulnerable if they don t put the tools in place properly with cyber criminals able to reach every application accessed by any user they hack. 6

7 Create new opportunities in the cloud. The number of applications organisations use will only increase, as people find new and easy ways to get their job done. And this means that the demand for better security will increase along with it. The need to secure a varied collection of on-premises systems and third-party applications means that organisations no longer have a working perimeter. They have to find a new approach to building cyber defences one that improves the security of their organisations and the productivity of their people. About BT BT is one of the world s leading providers of communications solutions and services operating in 170 countries. With over 2,500 security experts, BT Security protects both BT and its corporate and government customers. To help these customers manage and maintain resilient networked IT infrastructures round the clock, 365 days a year, BT offers a full portfolio of managed security, identity and security consulting services. Giving everyone in an organisation a unique identity to manage their access to applications, cloud-based IAM tools are a better way to secure organisations, giving them the ability to tackle the latest cyber threats. And more than that, they allow IT departments to see security differently turning it from an obstacle to be overcome into a new opportunity. Discover more about how you can improve your security and drive productivity with identity access management in the cloud head to 7

8 Offices worldwide The telecommunications services described in this publication are subject to availability and may be modified from time to time. Services and equipment are provided subject to British Telecommunications plc s respective standard conditions of contract. Nothing in this publication forms any part of any contract. British Telecommunications plc Registered office: 81 Newgate Street, London EC1A 7AJ. Registered in England No: Find out more at: Contact your BT account manager directly February 2016