Key IAM Automation Policies and Controls for Stronger Governance

  September 15th, 2020

One of the most unique challenges of identity and access management in higher education is the complicated life cycles and overlapping roles of users. The roles of students, professors, and other staff within higher education are constantly evolving and require varied levels of access. 

To keep users secure and systems compliant with governance requirements, colleges and universities need an IAM solution that keeps up with these flexible structures. Still, many schools stick with manual homegrown, legacy systems because of the belief it’s the only way to ensure both flexibility and security. But there is a simpler solution. 

By introducing the right policies and IAM automation controls (i.e. features that reduce inappropriate access rights), colleges and universities can not only better regulate appropriate role-based access across networks but also strengthen governance and cybersecurity. 

Enforce Authentication and Password Security

Every time a user logs in, they access confidential information. Whether they are searching the library’s database or entering their home address and billing information for tuition payments, each login involves valuable details, which attracts hackers.  

The first step to protect this data is to ensure that each user is verified when logging into the system. While there are methods in place to ask the user to self-identify (such as answering a security question), a multi-factor authentication (MFA) control is the most secure way to verify a user. By replacing passwords and security questions with tokens or PINs sent to separate devices (e.g., a smartphone), MFA enables a secure, seamless process across systems. 

MFA also plays an important role when users forget their passwords because they can be automatically authenticated without the need for IT support to manually step in. Last spring, when schools went virtual as a result of Covid-19, students began logging into university and college systems from all over the world. This made it much harder to spot attackers by unusual login location alone. Multi-factor authentication provides additional security to meet governance requirements, even with new remote and hybrid environments.

Streamline Complex System Access Requirements

In addition to managing complex roles, most universities and colleges require that information be shared between schools and departments and even third parties (e.g., research partners at other universities and institutes). With all of these access levels to consider, it can be challenging to ensure everyone has the access they need and nothing more. This is why Segregation of Duties (SoD) is crucial and especially helpful in keeping systems secure and compliant with any governance requirements. 

Put simply, SoD defines the set of entitlements that should not be assigned at the same time to any one user. Ultimately, SoD prevents conflicts of interest within overlapping roles as well as failures in the system that could expose it to a security breach. 
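As an added illustration of the SoD definition above (example code written for this page, not part of the original post or of any product), the following checker evaluates the entitlements a user accumulates from several overlapping higher-ed roles against a list of toxic combinations, both as a preventive check when a new role is requested and as a design-time review of which roles can never be co-assigned. All role and entitlement names are hypothetical.

```python
"""Segregation-of-duties (SoD) check over the entitlements a user accumulates
from overlapping roles. Constructed example: role and entitlement names are
hypothetical and not taken from any product."""
from itertools import combinations

# SoD rules: each entry is a pair of entitlements that one person must never
# hold at the same time, with the reason recorded for auditors.
SOD_RULES = [
    ({"grades:edit", "grades:approve"}, "enter and approve own grade changes"),
    ({"tuition:post_charge", "tuition:issue_refund"}, "create and refund charges"),
    ({"hr:create_payee", "hr:approve_payroll"}, "create and pay a payee"),
]

# Role definitions (hypothetical). Each role alone is clean; conflicts arise
# only when a user holds several roles at once (student + TA, faculty + staff).
ROLE_ENTITLEMENTS = {
    "student": {"lms:read", "tuition:view_own"},
    "teaching_assistant": {"lms:read", "grades:edit"},
    "faculty": {"lms:read", "grades:edit", "syllabus:publish"},
    "registrar_staff": {"grades:approve", "transcript:issue"},
    "bursar_clerk": {"tuition:post_charge"},
    "bursar_supervisor": {"tuition:issue_refund"},
}


def effective_entitlements(roles):
    """Union of the entitlements granted by all of a user's roles."""
    ents = set()
    for role in roles:
        ents |= ROLE_ENTITLEMENTS.get(role, set())
    return ents


def sod_violations(roles):
    """Return [(sorted_pair, reason)] for every SoD rule the role set breaks."""
    ents = effective_entitlements(roles)
    return [(tuple(sorted(pair)), reason)
            for pair, reason in SOD_RULES if pair <= ents]


def can_add_role(current_roles, new_role):
    """Preventive control at provisioning time: (allowed, violations)."""
    violations = sod_violations(list(current_roles) + [new_role])
    return (not violations, violations)


def conflicting_role_pairs():
    """Design-time review: which pairs of roles can never be co-assigned."""
    bad = set()
    for r1, r2 in combinations(sorted(ROLE_ENTITLEMENTS), 2):
        if sod_violations([r1, r2]):
            bad.add((r1, r2))
    return sorted(bad)


if __name__ == "__main__":
    print(sod_violations(["student", "teaching_assistant"]))   # no conflict
    print(sod_violations(["faculty", "registrar_staff"]))      # grades conflict
    print(can_add_role(["bursar_clerk"], "bursar_supervisor"))  # request denied
    print(conflicting_role_pairs())
```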

Automate Account Deactivation

The typical four-year structure of colleges and universities means that these institutions are turning over thousands of graduates each spring. Imagine manually terminating and migrating all of those accounts each spring. Undoubtedly, it would be a time-consuming task that’s incredibly susceptible to human error. 

By automating the deactivation of these accounts via IAM controls, schools are able to expedite the process and enforce governance and cybersecurity requirements by preventing the system from filling with orphaned or dormant accounts.

Securing IAM solutions while prioritizing security and governance has always been a complicated task for colleges and universities. Now, with the added challenge of remote and hybrid learning environments, the need for a simpler solution is even more apparent. Homegrown legacy systems are not sufficient. By incorporating these fundamental policies and automated IAM controls, schools can take tedious tasks off their to-do list while achieving governance and cybersecurity success.

Learn more about how Hitachi-ID IAM automation solutions can help you conquer your higher education governance and cybersecurity challenges by joining for our webinar on Why Automation First Should Be the #1 Approach on October 22, co-hosted by the Tambellini Group.

Protection Upfront: Privileged Access Management to Prevent a Ransomware Attack

  September 10th, 2020

$144.2 million: The amount that victims of the 11 most significant ransomware attacks in 2020 (so far) have spent recovering from these cyber assaults. The staggering sum shouldn’t be entirely unexpected because, in reaction to a ransomware attack, an organization must invest in costs ranging from investigating the issue, rebuilding networks, and restoring backups to paying the hackers and putting preventative measures in place to avoid future breaches. 

Reportedly, several of these organizations not only paid the ransom (in the amount of several hundred thousand dollars each) but also for the resultant security, drastically increasing their overall costs. If they had a more proactive approach that included a bold solution such as Privileged Access Management (PAM), much of this expense could have been considerably reduced.

Today, organizations of all sizes remain susceptible to ransomware attacks. Most recently, the Hartford, Conn., school district was hit with ransomware that caused the first day of school to be postponed. To properly recover from these attacks, an institution needs costly repairs and response measures to close the network exposures. Examining the difference between a reactive and a proactive approach demonstrates the worth of investing in a preventative solution such as PAM.

A reactive approach leaves unprepared organizations vulnerable

  1. Access: As organizations evolve and scale, the number of passwords increases exponentially, raising complexity and security issues. These mission-critical passwords are often written down and accessible to anyone who knows where to look, including hackers.
  2. Accountability: In a network unsecured by a PAM solution, shared credentials compromise liability. Moreover, they render audit trails incomplete or nonexistent should an organization need to find the root of their network vulnerabilities.
  3. Exposure: As passwords age, exposure also increases. Static passwords pose a growing risk from former employees, bad actors, and ransomware attackers looking for exploits.
  4. Scalability: As they upgrade infrastructure and grow, organizations are perpetually deploying new servers, workstations, and virtual machines. These new point-to-point connections increase vulnerability to hackers, and managing and protecting them at scale is challenging.

Instead of choosing responsive triage, organizations should be armed and adaptable with a ready PAM solution so they are dynamic, evolving, and equipped. 

A proactive approach with an implemented PAM solution has organizations prepared

  1. Access: If these same organizations were to utilize a PAM implementation, they would store and vault passwords across complex and changing networks. Also, they could control access to accounts with password checkout and concurrency rules. 
  2. Accountability: PAM-empowered operations can personally identify users with a login and strong multi-factor authentication. Responsibility is cultivated through access request authorization, logged access, and recorded sessions to track down user error and susceptibility.
  3. Exposure: With a PAM solution, an organization can randomize passwords after use, set expiration on checkouts, and keep passwords under wraps unless necessary. This virtually eliminates an access and exposure point for would-be hackers.
  4. Scalability: Even when following best practices, ransomware attackers often exploit weaknesses in complex systems where access vulnerabilities are exposed when the systems scale. A PAM solution monitors inventory systems and a wide range of connectors and automatically discovers and imports privileged accounts as the organization changes and grows.

You likely haven’t experienced an attack yet, but you want to be prepared in the event it does happen. The proactive approach of a PAM solution will help your technology react accordingly should you get hacked — ensuring security, dynamism, and adaptability. Moreover, engaging in a proactive vs. reactive approach to ransomware attacks could save you money and lost time in the long run.

Schedule your demo today to see how Hitachi IAM solutions can be a preventative, cost-effective implementation that keeps your organization and network out of the hands of would-be hackers.

IAM Automation: The Secret to Governance and Cybersecurity Success in Higher Ed

  September 8th, 2020

For colleges and universities, governance and cybersecurity can get quite complicated. These institutions of higher learning are entrusted with an enormous amount of personal data (emails, transcripts, test scores, salaries, etc.), from students, teachers, alumni, and more. The safety and security of it is of the utmost importance, but due to the complexity of higher ed organizational structures, many schools are still operating with manual legacy and homegrown solutions for identity and access management (IAM).

When the Covid-19 pandemic forced schools to shift to remote and hybrid learning, the importance of strong policies and protocols for cybersecurity and governance only increased, as did the degree of difficulty. With increased remote access, universities have to contend with a slew of unknowns as students and staff who once primarily accessed systems via internal networks are now signing in from countless external sources.

The solution? Automation. It’s a core value of IAM solutions and can help schools meet and maintain governance and cybersecurity goals by simplifying critical IAM processes:

Better Define and Manage Roles

Lifecycle management, particularly properly assigning user roles, is a critical piece of higher ed IAM and governance. It’s complicated because of the unique organizational structure of colleges and universities — roles can overlap (professors who are also students, for example), change frequently (active students become alums), and new users are a near-constant (welcome, freshmen!). Because of these complexities, a manual approach is both time-consuming and prone to human error. 

To assign roles effectively and efficiently, higher ed IAM requires flexibility and customization. By automating and integrating the IAM solution, the system is able to both discover and define roles based on the parameters provided, saving time and avoiding costly, potentially disastrous mistakes.

Improve Data Cleaning Capabilities

Given the sheer volume of data processed in higher education, it’s inevitable some bad data will exist in the system. Unfortunately, there’s a persistent myth that this data needs to be cleaned before any automation can be implemented. That simply isn’t true. 

Automation supports data cleanup, not the inverse. Automated processes and workflows can be used to quickly flag inappropriate access and deal with orphan and dormant accounts and profiles, eliminating potential cybersecurity risks before they begin.
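The orphan and dormant account cleanup described above, and the automated deactivation of graduates' accounts from the earlier post, as a worked example (added code for this page, not from the original posts or any product): the reconciliation compares directory accounts against hypothetical authoritative sources (student information system and HR), applies a grace period after an affiliation ends, flags accounts with no owner or no recent login, and records an audit trail for every change. All identifiers and dates are constructed sample data.

```python
"""Account lifecycle reconciliation: flag accounts that no longer map to an
authoritative identity (orphaned), whose owner's affiliation has ended, or
that have not been used in a long time (dormant), then deactivate them with
an audit trail. Constructed sample data; all names and ids are hypothetical."""
from datetime import date, timedelta

# Authoritative sources (hypothetical): person id -> affiliation end date
# (None means the affiliation is still active).
SIS_RECORDS = {"s1001": date(2020, 5, 15),   # graduated in May
               "s1002": None,                 # active student
               "s1003": date(2020, 9, 1)}     # graduated two weeks ago
HR_RECORDS = {"e2001": None,                  # active employee
              "e2002": date(2020, 3, 31)}     # left in March

# Directory accounts (hypothetical): account -> (owner id, last login, enabled)
ACCOUNTS = {
    "jdoe": ("s1001", date(2020, 5, 10), True),
    "asmith": ("s1002", date(2020, 9, 1), True),
    "kwong": ("s1003", date(2020, 9, 10), True),
    "bjones": ("e2001", date(2020, 2, 1), True),     # active but never logs in
    "ctan": ("e2002", date(2020, 3, 20), True),
    "svc-legacy": (None, date(2019, 1, 1), True),    # nobody owns this account
}

GRACE_DAYS = 30      # keep accounts briefly after an affiliation ends
DORMANT_DAYS = 180   # active people who have not logged in for this long


def owner_status(owner_id, today):
    """Return ('active'|'ended'|'unknown', end_date) from the sources of record."""
    for source in (SIS_RECORDS, HR_RECORDS):
        if owner_id in source:
            end = source[owner_id]
            if end is None or end > today:
                return "active", None
            return "ended", end
    return "unknown", None


def reconcile(accounts, today):
    """Return {account: reason} for every enabled account to deactivate."""
    actions = {}
    for name, (owner, last_login, enabled) in accounts.items():
        if not enabled:
            continue                      # already handled in an earlier run
        status, end = owner_status(owner, today)
        if status == "unknown":
            actions[name] = "orphaned: no authoritative owner"
        elif status == "ended":
            if today - end > timedelta(days=GRACE_DAYS):
                actions[name] = f"affiliation ended {end}"
            # else: inside the grace period, leave it for now
        elif today - last_login > timedelta(days=DORMANT_DAYS):
            actions[name] = f"dormant: last login {last_login}"
    return actions


def deactivate(accounts, actions):
    """Disable the flagged accounts; return (updated accounts, audit trail)."""
    updated = dict(accounts)
    audit = []
    for name, reason in sorted(actions.items()):
        owner, last_login, _ = updated[name]
        updated[name] = (owner, last_login, False)
        audit.append((name, reason))
    return updated, audit


if __name__ == "__main__":
    today = date(2020, 9, 15)
    actions = reconcile(ACCOUNTS, today)
    updated, audit = deactivate(ACCOUNTS, actions)
    for entry in audit:
        print(entry)
    print("second run finds:", reconcile(updated, today))   # nothing left
```

Running the reconciliation a second time over the updated accounts yields no further actions, which is the property a scheduled job needs so that reruns are safe.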

Strengthen Controls

Preventing inappropriate access either by internal users or outside threats is a core piece of cybersecurity and governance for colleges and universities. It’s important that schools not only have the right controls in place but that they’re able to quickly react to any potential threats to the system.

From automatic access deactivation to risk scores to password security, controls are key to tighten access procedures (a crucial part of cybersecurity). Automation exponentially improves these processes to quickly spot and solve any potential breaches before they happen.

Institutions of higher learning are dealing with an exponential amount of personal data at any given moment, and manual solutions simply won’t cut it anymore. The transition to IAM automation is by no means a challenge that’s unique to the higher ed world, but when it comes to governance and data privacy, the stakes are high and complicated. Getting it right is critical not only for governance and cybersecurity success, it benefits the whole IT ecosystem from admin to end-user.

Join us for a free webinar on October 22 to learn more about how Hitachi ID solutions can help you overcome your identity management challenges.

The Biggest Cybersecurity Vulnerabilities Hiding Within Your Higher Ed Walls

  September 3rd, 2020

With their multitudes of access points and extensive amounts of valuable information, universities and colleges are one of the most attractive organizations for cybercriminals to infiltrate. Today, hackers can buy attack kits on the black market or scale their invasion by using higher education’s predictable email addresses. 

As the threat landscape grows more complex, higher education is facing unique challenges when managing individual access permissions, collaborations with other organizations, and protecting the personal information of students, faculty, and staff. Understanding the most common vulnerabilities within your identity and access management (IAM) is the first step in preventing security breaches from happening.

  1. Ever-Changing Populations 

Unlike a typical organization, a university or college onboards a new class of members (thousands of new users) every fall and offboards the graduating class (thousands more) each spring. Not to mention the professors, administration, and other staff members that are added and/or removed throughout the year. The sheer volume of identities being created and deleted on a regular basis provides hackers with plenty of opportunities to mount attacks and break into these accounts. 

  2. Overlapping Roles

The unique structure of colleges and universities requires complex systems, which can create opportunities for hackers when the right precautions are not taken. For example, it’s not uncommon for someone in a higher education institution to take on two different roles simultaneously (e.g., a student who is also a teacher’s assistant, a staff member who is also enrolled in classes, or an alum who eventually returns as a professor to teach). Privileged access systems that aren’t robust enough to support these multi-role requirements have the potential to expose confidential information and threaten the institution’s cybersecurity. 

  3. Dynamic and Collaborative Partnerships

The higher education system inherently values collaboration and ease of use to achieve intellectual breakthroughs — whether through partnering with colleagues, other educational institutions, or those in the private sector. This connection to third parties often includes a massive volume of research findings and subscriptions to costly journals and services — information that hackers are particularly interested in because of its value in countries with limited access to data. 

  4. Non-hierarchical Structures and Homegrown Solutions

Each department within a college or university may have its own unique structure and self-determined budget, which can create obstacles when aligning individual departments with the overarching system. Identities may not match up, or appropriate access can be incorrectly granted or completely blocked. Schools often use identity systems that were built by a group who may no longer be there. Because of the autonomous structures within higher education, individual departments have built solutions to secure their users’ identity and access, but these homegrown solutions can quickly become outdated and inefficient. An unorganized system leaves hackers with a plethora of weak spots where they can break in. 

  5. Lax Login Credentials

In higher education, a user’s identity is often a single login that works across different systems the university or college uses. For example, a user’s login information for a billing system might be the same as their class information system. If institutions do not employ strict multi-factor authentication (MFA) practices, they may be at great risk of attack. Without MFA, bad actors can gain access to all of the user’s accounts and information with just one login. 

The Solution

With all of the unique challenges that can be found in higher education, it is critical to find an IAM solution that provides the features colleges and universities need to  organize and automate the roles and access privilege of individual users. Paired with cybersecurity best practices, schools will have the tools they need to protect against common vulnerabilities and stop hacks before they happen.

Hitachi’s identity fabric contains the industry’s only single platform solution for Identity and Privileged Access Management. Hitachi ID leverages decades of experience resulting in rock-solid reliability, performance and scalability. These solutions can help universities and colleges manage their users’ identities and access privilege in a faster, more affordable, and customizable way.  

Protect your institution’s information and resources by requesting a demo of our Identity Manager today.

A Balancing Act: How Privileged Access Management Provides Security and Convenience in a Remote Learning World

  September 1st, 2020

As digital classrooms increasingly become the norm and learning difficulties arise in the transition to virtual, higher education must evolve the student experience and educational outcomes, but they are held back by poorly integrated IT portfolios. This is further complicated by complex university-specific roadblocks such as ever-changing populations, overlapping roles and identity sources, non-hierarchical organizational structures, dynamic and collaborative partnerships, and legacy and homegrown solutions (that often offer substandard IT infrastructure). Therefore, the number of point-to-point connections, passwords, and accounts and levels of access between systems increases exponentially, raising complexity and security issues. 

Moreover, Covid-19 has exacerbated outlying remote learning factors such as diverse student expectations, perceived value under pressure, competing consumer IT realities, and online education competition. 

These obstacles, both internal and external, make change difficult and many higher educational institutions face these intimidating elements without a roadmap. Instead, universities navigating these realities should wrap their new remote learning portfolios with the convenience and versatility of privileged access management (PAM), the security of single sign-on, and the control of access governance.

The Solution: Privileged Access Management for Convenience and Security at Scale 

PAM secures access to elevated privileges and eliminates the need for shared and static passwords to privileged accounts. Furthermore, it enforces strong authentication and authorization to applications before granting access. All of these features wrap into the security and convenience of single sign-on and access governance control. 

Some high-level features that secure university IT infrastructure without sacrificing convenience include:

Credential, team vaults

  • Credential vaults maintain data and access to privileged passwords across a variety of systems. Team vaults allow for the creation of easily scalable groups and different types of credential access across more extensive networks. 
  • Even in an entirely remote learning-enabled campus, access to this vault is imperative to maintain campus-wide network and service capabilities in the event of a server-side disaster (such as a fire, flood, or power outage). Privileged accounts are necessary to make that recovery possible. 
  • Since servers occasionally break down, Privileged Access Manager supports load balancing and data replication between multiple application servers and numerous credential vaults. 
  • When everything is dependent on virtual classroom connectivity, convenience, and accessibility, built-in replication ensures your institution will maintain minimal network downtime and uninterrupted privileged account access in times of need. This capability provides resilience across complex and ever-changing populations and overlapping schedules and roles in an all or nothing distance learning network.  

Authorization

  • Privileged Access Manager can fingerprint applications before granting access to passwords. It includes a web services API that can onboard and remove systems and applications, interact with workflow requests, and retrieve passwords on the fly when the request is authorized.
  • Architectures will change at a rapid pace with the addition of new components and subtraction of older modules. This flexibility will provide authorization and authentication at a versatile speed and allow for higher ed remote learning scale. 

Single sign-on, access governance control

  • A secured, singular point of access grants entry to unified communication and the network platform, which grants appropriate levels and privileges to each user across thousands of accounts. Additionally, by rendering SSH and RDP sessions in a browser, PAM empowers users who are offsite or work for third parties to launch on their PC or smartphone regardless of platform.
  • The consolidated system provides administrators with dynamic and adaptable access governance control over non-hierarchical organizational structures and dynamic and collaborative partnerships that so often happen in distance learning network scenarios and across other higher education initiatives.

Student, faculty, staff, and data security remain a paramount concern as Covid-19 pressures push higher educational institutions towards remote or hybrid learning environments.  Universities must evolve dynamically to meet the demands of a distance learning world. Privileged access management provides that needed versatility, security, control, and scale at value.

Schedule your demo today to see how Hitachi ID IAM solutions can help solve your remote learning and privileged access management challenges.

The Ultimate Checklist for Higher Ed Identity Management in Remote and Hybrid-Learning Environments

  August 24th, 2020

Last spring, as universities and colleges closed in response to Covid-19, higher ed institutions were faced with a cascade of Herculean tasks: quickly and safely empty campus, translate course work for online learning, and adapt already complex identity and access management (IAM) processes. 

For many schools, identity management was already a complicated system plagued by challenges specific to higher education’s unique structure (i.e., ever-changing populations, overlapping roles and identity sources, and dynamic, collaborative partnerships). The addition of new remote considerations only further tangled this web with new priorities and requirements — specifically the need for secure, unified communications and more remote support options.

Because of unique academic structures (either broken down by college or department), identity management systems for higher education are often incredibly segmented. Attaining and maintaining a scalable, reliable system requires that those silos come down. The same standards, rules, and safeguards need to be in place for every student and faculty member whether they are matriculating or employed as an instructor in the school of communication, arts and sciences, or business, for example. 

By working with one, centralized system, schools are able to organize multiple data sources into one system to automate provisioning, synchronize systems of record, and streamline appropriate access through the identity lifecycle with a highly secure yet publicly accessible identity solution. 

As universities begin their fall semesters with remote and hybrid classrooms (largely uncharted territory), it’s essential that their identity and access management systems are as robust as their curricula. This list of imperative IAM structures and features will be key to their success:

Strong, Easy-to-Use Password Management

Whether remote, on campus, or a blend of the two, strong password management must be an identity management priority for colleges and universities. With the constant cycle of new users and changing roles (most of whom will now be onboarding remotely), higher ed requires a password management solution that provides fast and reliable password reset and synchronization across all systems. Self-service and assisted password reset will help minimize remote support needs as well.

Reliable Connectors 

Even in enterprise applications, IAM systems do not exist in a vacuum. Connectors allow admins to easily integrate the tools required to effectively and efficiently manage their systems. The increase in remote access — often from a wide array of personal devices — adds another layer of difficulty for IAM solutions. In the complex world of higher ed, connectors bring email, student directories, HR, file systems, and more together for a more integrated, streamlined, but still secure, experience. An IAM solution that allows you the bandwidth to integrate the connectors you need will help avoid scaling headaches later on.

Flexible Group Management 

Higher ed’s unique, fluid identity lifecycles can make group and list management challenging. A group management tool that allows admins to easily create, delete, and manage attributes and memberships of user groups with similar use cases will ensure your system has the flexibility it needs to adapt to whatever new requirements and environments may arise.

The security of students and staff and their personal data has always been a top priority for institutions of higher learning. As the system continues to evolve — both in response to Covid-19 and technological and societal changes ahead — reliable, flexible, and scalable identity management that can grow with your institution is a prerequisite.

Schedule your demo today to see how Hitachi-ID IAM solutions can help solve your identity management challenges. Want to receive more Higher Education identity and access resources? Sign up for our emails.

Why CIOs are Prioritizing and Investing in Identity and Access Management

  August 13th, 2020

CIOs and IT leaders have two major priorities right now. The first is dealing with new cybersecurity challenges created by remote work. The second is how to make sure working from home is efficient, secure, and productive.

That’s what a recent survey, conducted by Pulse on behalf of Hitachi ID, found. When asked about their priorities for the rest of 2020, 89% of IT leaders said cybersecurity, while 82% said enabling a remote workforce.

When it comes to their cybersecurity goals, 43% of respondents said they were investing in identity and access management — the most of any of the tools listed. Some 34% are investing in endpoint security, and 17% pursuing security awareness training.

Why are so many companies prioritizing IAM and how will these trends play out in the years ahead?

I recently talked to TechRepublic reporter Karen Roby about the survey results, the drivers behind IT leaders’ priorities, and what companies everywhere are realizing about remote work.


Lessons Learned from Remote Work during Covid-19

  June 5th, 2020

For the first time, due to Covid-19, many companies experienced what it’s like to have a fully remote workforce. The experience has had both highs and lows, with some companies questioning whether they need as much office space as they used before, while others struggled to keep up with the pace of change to ensure every employee remained productive without becoming a security risk. 

Now, many companies continue to work remotely while others are heading back to the office. It’s a moment to take stock of how you handled the switch to fully remote work and what you need in place both now and in the future. Use this time to take what you learned and empower those working from home by preparing for any disruptions in the future, whether it’s a second wave of the virus, a natural disaster, or even a power outage. 

Here are some of the challenges companies faced while working from home, and what they can put into place to improve their work from home capabilities. 

Challenges companies have faced while fully remote

Before the pandemic, some companies were already fully remote, others had a handful of telecommuters, and some had never had any employee work from home. While there was a wide range of experiences, there were some common challenges: 

1. Breakdown of processes for legacy remote workers. Employees who worked remotely before Covid-19 were better prepared than most for the pandemic. But because they could no longer visit the office, some processes, especially around passwords, started to break down. For example, if they’re not using a VPN, they might not be warned of an expiring password. If they change their password remotely and then forget it, under some circumstances, they might be locked out until their device is back on the network, where the help desk can address the issue. 

2. Processing mass numbers of access requests. As most or all of your employees switched to remote work, processing access requests to remote work services, from VDI logins to MFA applications, quickly became overwhelming. 

3. Rapid migration to SaaS applications. Whether for security, convenience, or any number of other reasons, you may have needed to quickly migrate some services to the cloud. By switching from on-premises Exchange to Office 365, for example, you could give users access to the services they need while still maintaining security, even if users didn’t have a corporate-issued laptop or VPN connection. But these decisions were likely made in a scramble.  

4. Quickly establishing VPNs or VDI. If users had to access certain on-premise applications, you might have had to quickly acquire more VPN licenses and bandwidth, or establish VDI, depending on whether employees are using corporate devices or personal laptops. 

5. Opening new security risks. An uptick in SaaS applications and VDI use also means you have more public-facing logins, and thus a larger attack surface for hackers who might try to guess or socially engineer their way into your system.

How to support remote work, both now and for future disruptions

Organizations have handled these challenges as best they could given the circumstances. But now that you have time to step back and reassess what you have and what you might need, you can procure new technology that both fits user needs and gives your workforce more flexibility in where they conduct business. 

Here’s a list of technologies to consider:

1. VoIP or softphones. If you don't already use these for your telephone service, it's worth a look so that users can simply take their desk phones home from work, plug them into their home internet connection, and get the same call quality with the same phone number as they have in the office. This also frees employees from having to use their personal mobile or home phone for work calls. 

2. Videoconferencing. Everyone got a crash course in Zoom and other video conferencing software, but what you chose as a quick fix might not be the best platform for your organization. There are a number of options to choose from, including Google Meet, Microsoft Teams, WebEx, and others, all with different features and options. Take some time to determine if you have the best software for your employees’ needs. 

3. Expanded VPN resources. If you saw an uptick in requests for VPN connections, you’re going to need more VPN licenses, and you might also need more bandwidth and CPU capacity to handle more concurrent connections. Assess your current and future needs. 

4. Expanded VDI server farms. If users can't take their corporate device home, they often use their personal device for work, which can introduce any number of security risks. If this is the boat your company is in, VDI is the way to go: the personal device only displays a session, and your data stays in the data center. The more users that need this, the more capacity you'll have to set up to serve them. 

5. Procure mobile devices. There are certainly use cases for desktops, but in many cases, a laptop will allow the vast majority of your employees to do their jobs effectively no matter where they're working from. Make it a point to supply them with corporate-owned laptops, tablets, or other mobile devices so they don't have to use their home computer when telecommuting. It'll keep workers productive and your systems more secure. If your company decides to do this, then also deploy full disk encryption such as BitLocker, Check Point, or McAfee, so a lost device does not become a data breach.

6. License MFA and other access management technology. MFA, preferably via smartphone apps, reduces the risk of intrusion through publicly accessible logins that only ask for a password. In addition, identity and access management (IAM) and privileged access management (PAM) tools can help you more easily manage passwords and identities, add MFA and federated access, strengthen authentication, and avoid many of the security risks of remote work. 

Whether your organization plans to keep employees remote for the rest of the year or you’ve already started to bring workers back to the office, the work from home situation we all experienced gives you a lot to think about. 

Take time to revisit the challenges you experienced and how you could avoid them next time. The lessons you take away and the solutions you identify will make your company and your employees more flexible, productive, and secure.

Hitachi ID and Pulse surveyed 100 North American C-suite executives at enterprise, mid-sized, and small companies in May 2020. The survey uncovered other remote work issues during the pandemic lockdown, with 95% of North American CIOs reporting problems. Employee password lockouts and inability to access on-premises applications were among the top challenges. Get a full copy of the report.

Secure Remote Access for Vendors

  May 29th, 2020
Written by:

IT work doesn't wait for a virus, and with some of your vendors working remotely both now and for the foreseeable future, reviewing how they access your systems is critical to getting IT work done on time without opening yourself to new security risks. Now is a good time to check up on your vendor security. 

These guidelines should sound familiar, since they’re basic features of a modern privileged access management (PAM) system. But they bear repeating: 

DO: 

  • Use multifactor authentication
  • Implement robust authorization models
  • Perform detailed forensic audits

DON’T:

  • Use static passwords
  • Lose track of shared passwords

Beyond these points, there are seven steps to securing vendor access, especially when they’re working remotely:

1. Delegate

Choose a trusted individual at each vendor to manage the users from their organization. For example, if you work with Dell, Hitachi Vantara, Oracle, and Microsoft, you should have four people—one from each—managing the access for their organization. 

Make sure the list of users with access remains small at each organization, but otherwise delegate the responsibility for who deserves a place on that list. 

2. Authenticate  

Don’t just use passwords. Make sure vendor logins are securely authenticated using multiple factors. Your preference should be for app-based multi-factor authentication (MFA). That way, any turnover at the vendor is less disruptive than if users have a physical token they need to return or hand off to another user. 

3. Confirm

Another way to verify users is to confirm that a given user still works for your vendor each time they sign in. Send a PIN to the user's work email address: if they have left the vendor, they can no longer read that mailbox, so they cannot get the PIN or reach your systems. This only works if the vendor reliably disables mailboxes on departure, so pair it with the delegate's roster reviews from step 1. 

4. Request and approve

Vendor users should connect only when you request specific work to be done. Set up a request and approval workflow before allowing vendors to sign in to your systems to ensure you’re aware of every login. 

5. Do Not Disclose

Best practice is not to disclose the password unless necessary. Instead, launch the vendor user directly into SSH, RDP, SQL Studio, etc.

6. Monitor

Record all vendor activity in your systems, and if you think it’s necessary, watch in real time. This way you not only have a record of the work completed, you also discourage—or quickly catch—any unauthorized activity.   

7. Protect

Don’t let vendors connect their devices to your VPN. Use a proxy, like virtual desktop infrastructure (VDI) or a web browser login. That way you don’t have to vet every device for security because those devices stay outside your network perimeter. 

All of these steps are best practices for granting elevated access to third parties and should be in place for all of your vendors. Of course, managing privileged access, especially across potentially dozens of vendors, can be time consuming and difficult. This is where a PAM system can help you simplify the process and ensure security while giving your vendors access to the systems they need to deliver quick and effective service.

Learn more about how PAM systems can support your business.

Infographic

Solve the Four Biggest Remote Work Login Problems

  May 15th, 2020
Written by:

Remote work has achieved a new peak so far in 2020. Some 62% of employed Americans said they have worked from home during the COVID-19 crisis. This large-scale experiment will have a lasting impact, as 74% of CFOs surveyed by Gartner expect at least some of the workers pushed remote by the virus will continue to work from home even after offices reopen. 

Not surprisingly, the sudden transition to remote work hasn't been all smooth. Companies are still dealing with a number of issues, from security to maintaining productivity. Others (us included!) are facing new challenges such as setting up employees on operating systems outside the company norm. Access to the applications and data employees need to do their work can be particularly fraught. Here's how to get a handle on four of the most common login issues companies are experiencing right now. 

1. Secure logins from attackers

Many companies have adopted or expanded use of SaaS applications, or are using virtual desktop infrastructure (VDI) to get everyone working from home, but these options often have public-facing login pages that could put your organization at risk. Every additional login page is another opportunity for external attackers who may try to guess passwords or obtain them through social engineering. 

There are a few ways to keep your credentials secure despite public login pages: 

  • Externalize login screens. Rather than exposing a separate public login page for every SaaS application, put them all behind one single sign-on (SSO) platform. You then have one login page to harden, monitor, and protect with MFA instead of dozens.  
  • Add multi-factor authentication (MFA). This should be standard practice, but many organizations and users still haven't adopted it: only 57% of organizations were using MFA at the end of 2019, up 12% over 2018 but still low. Implement MFA, preferably via a smartphone app, to add a second factor that a guessed or phished password alone cannot satisfy. 
  • Don't ask for passwords first. The same goes for PINs and answers to security questions: all of these are knowledge factors that can be guessed or phished. Require a possession factor first (a hardware token, a PIN sent to the user's phone, or a smartphone app prompt) and only then ask for the password, so an online guessing attack never even reaches the password prompt.
  • Consider using CAPTCHAs. Making a CAPTCHA the first step in authentication filters out bots hammering the page. It does not stop a human attacker or a paid CAPTCHA-solving service, so treat it as rate limiting, not as authentication.  

2. Enable remote password assistance

There are several issues that companies can run into specifically around passwords. If you haven't experienced them already, look for: 

  • Expiring or expired passwords. Off-site users may not receive notification that their passwords are expiring if they’re not using a VPN. The passwords will still expire even if the user doesn’t know it’s happening. Consider other ways to notify users of expiring passwords and give them the opportunity to update their credentials remotely. Another option is to temporarily delay the expiration until the office reopens. 
  • Forgotten passwords. This is usually an easy problem to solve when a user can visit a help desk and their computer is connected to the corporate network. But with employees remote, forgotten passwords can become a bigger issue and even leave users with inoperable devices. Make sure you have some kind of remote mechanism to reset forgotten passwords. 
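As an added example that is not from the page or Hitachi ID, the following Python pass over Active Directory attributes finds users whose password will expire within a week and builds the reminder an off-VPN user would otherwise never see (the problem described both in item 1 of the earlier challenges list and in the first bullet above). The directory records and the 90-day policy are constructed for the example, and the reset portal URL is a placeholder. It handles the two edge cases that bite in practice: accounts with the DONT_EXPIRE_PASSWORD flag, and pwdLastSet = 0 (must change at next logon).

```python
"""Find remote users whose AD password is about to expire and build the
reminder they would only get on the VPN. Added example, not Hitachi ID code;
the directory data below is constructed."""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000      # userAccountControl flag
NORMAL_ACCOUNT = 0x200              # userAccountControl flag
RESET_PORTAL = "https://pwreset.example.com"   # placeholder, not a real service


def filetime_to_datetime(ft: int) -> datetime:
    """AD stores pwdLastSet as 100-ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, used here only to build the sample directory."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def password_expiry(user: dict, max_pwd_age: int):
    """Expiry datetime, or None when the password never expires.

    maxPwdAge on the domain is stored as a *negative* 100-ns interval;
    pwdLastSet == 0 means 'must change at next logon' (already expired)."""
    if user["userAccountControl"] & DONT_EXPIRE_PASSWORD:
        return None
    if user["pwdLastSet"] == 0:
        return EPOCH_1601  # expired long ago: surfaces at the top of the list
    lifetime = timedelta(microseconds=-max_pwd_age // 10)
    return filetime_to_datetime(user["pwdLastSet"]) + lifetime


def expiring_soon(users, max_pwd_age: int, now: datetime, days: int = 7):
    """(sAMAccountName, expiry, days_left) for passwords expiring within
    `days`, including already-expired ones (negative days_left), most
    urgent first."""
    out = []
    for u in users:
        exp = password_expiry(u, max_pwd_age)
        if exp is None:
            continue
        left = (exp - now).days
        if left <= days:
            out.append((u["sAMAccountName"], exp, left))
    return sorted(out, key=lambda t: t[1])


def reminder(name: str, exp: datetime, days_left: int) -> str:
    """Text for the out-of-band notification (email, SMS, chat)."""
    if days_left < 0:
        return f"{name}: password expired on {exp:%Y-%m-%d}; reset at {RESET_PORTAL}"
    return (f"{name}: password expires in {days_left} day(s) ({exp:%Y-%m-%d}); "
            f"change it at {RESET_PORTAL}")


# Constructed sample: a 90-day policy as AD stores it, and five accounts.
MAX_PWD_AGE = -90 * 24 * 3600 * 10_000_000
NOW = datetime(2020, 5, 15, tzinfo=timezone.utc)
DIRECTORY = [
    {"sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=87))},   # 3 days left
    {"sAMAccountName": "bob", "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=10))},   # fine
    {"sAMAccountName": "svc-backup",                                  # never expires
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400))},
    {"sAMAccountName": "carol", "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": 0},                                                # must change
    {"sAMAccountName": "dave", "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=95))},   # expired 5 days ago
]

if __name__ == "__main__":
    for name, exp, left in expiring_soon(DIRECTORY, MAX_PWD_AGE, NOW):
        print(reminder(name, exp, left))
```

In a real deployment the records come from an LDAP query for `pwdLastSet` and `userAccountControl`, and `maxPwdAge` from the domain root; the only change is the data source. Sending the reminder through a channel that does not depend on the VPN (personal email, SMS, a chat tool) is the whole point, and it should link to a self-service reset that also works off-network.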

3. Tighten access after layoffs and furloughs

If you're one of the many organizations that has had to furlough or lay off workers in the uncertain economic climate, you'll have to close off their access either temporarily or permanently. There are a couple of ways to do this. You can create a request and approval workflow in which you deactivate login IDs and set a status for each user. For permanent layoffs, you'll need to take additional steps to move and archive that user's content. 

The other option is to automate the process based on certain data and criteria, which can be set up in an identity and access management tool. When furloughed workers return, it’s just a matter of reversing the process to get them back up and running.  
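An added example (not Hitachi ID code) of the automated option: a Python reconciliation of the directory against an HR status feed. The HR feed and the accounts are constructed for the example. It computes the actions first so they can be reviewed or routed for approval, treats users missing from the feed as a review item rather than deleting them, refuses to apply a run that would disable more than a configurable share of accounts (a corrupted HR export looks exactly like a mass layoff), and re-enables a furloughed user whose HR status returns to active.

```python
"""Drive account status from the HR feed: furloughed users are disabled but
kept, terminated users are disabled and flagged for content archiving, and a
returning furloughed user is re-enabled. Added example, not Hitachi ID code;
the HR feed and directory below are constructed."""
from dataclasses import dataclass, field

# Constructed HR feed: employee id -> HR status.
HR_FEED = {
    "1001": "active",
    "1002": "furloughed",
    "1003": "terminated",
    "1004": "active",        # was furloughed, now back
}


@dataclass
class Account:
    employee_id: str
    login: str
    enabled: bool
    status: str = "active"
    archived: bool = False
    history: list = field(default_factory=list)


# Constructed directory state before the run.
DIRECTORY = [
    Account("1001", "alice", True),
    Account("1002", "bob", True),
    Account("1003", "carol", True),
    Account("1004", "dave", False, status="furloughed"),
    Account("1005", "eve", True),    # no HR record at all
]


def plan(accounts, hr_feed):
    """Compute (login, action, reason) without touching anything, so a bad
    feed can be reviewed or sent through an approval workflow first."""
    actions = []
    for a in accounts:
        hr = hr_feed.get(a.employee_id)
        if hr is None:
            actions.append((a.login, "review", "no HR record"))   # never auto-delete
        elif hr == "active" and not a.enabled:
            actions.append((a.login, "enable", "returned from furlough"))
        elif hr == "furloughed" and a.enabled:
            actions.append((a.login, "disable", "furloughed"))
        elif hr == "terminated" and (a.enabled or not a.archived):
            actions.append((a.login, "terminate", "terminated"))
    return actions


def apply_plan(accounts, actions, safety_cap: float = 0.2):
    """Apply the plan, but refuse if it would disable more than `safety_cap`
    of all accounts at once: that needs a human, not a cron job."""
    disabling = sum(1 for _, act, _ in actions if act in ("disable", "terminate"))
    if accounts and disabling / len(accounts) > safety_cap:
        raise RuntimeError(f"{disabling}/{len(accounts)} accounts would be "
                           f"disabled; exceeds safety cap, needs manual approval")
    by_login = {a.login: a for a in accounts}
    for login, act, why in actions:
        a = by_login[login]
        if act == "enable":
            a.enabled, a.status = True, "active"
        elif act == "disable":
            a.enabled, a.status = False, "furloughed"
        elif act == "terminate":
            # Disable first; archiving mail/files is the extra step for leavers.
            a.enabled, a.status, a.archived = False, "terminated", True
        a.history.append((act, why))      # "review" only leaves a trace
    return accounts


if __name__ == "__main__":
    todo = plan(DIRECTORY, HR_FEED)
    for step in todo:
        print(step)
    try:
        apply_plan(DIRECTORY, todo)
    except RuntimeError as e:
        print("blocked:", e)
```

Running `plan` a second time after a successful apply yields only the review item, which is the idempotence you want from a scheduled job: it changes nothing unless HR changed something.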

4. Follow best practices for vendor access

Just like you, your vendors are probably working from home. When you need IT work done, you’ll need to grant them remote access.  

Make sure you’re following best practices for granting elevated access to third-party users: 

  • Designate a point person. One trusted user from every vendor should be in charge. Appoint that person to manage the short list of users from their company who need access to your systems. 
  • Keep vendors off your VPN. Don’t allow your vendors to connect their devices to your VPN. Use another method so you can keep the vendor’s device outside the network perimeter and reduce your attack surface. For example, use a proxy server for vendor devices to safely communicate with your servers without directly connecting to your network.
  • Double check they’re still employed. Any time a vendor logs in, double check they still work for that company. One way to do this is sending a PIN to their work email that they must enter to log in. If they no longer work for that vendor, they won’t have access. 
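As an added example that is not Hitachi ID code, here is a small Python model of the vendor-access controls: the three bullets just listed and the seven steps in "Secure Remote Access for Vendors" above. A delegate per vendor maintains the roster; a login needs an approved work request for that host and time window, a single-use PIN sent to the work mailbox, and an app-generated TOTP code (RFC 6238, implemented here with the standard library); on success the vendor gets a proxied session handle while the privileged password stays in the vault, and every attempt is audited. The vendor names, addresses, hosts and secrets are constructed, and the session and audit record layouts are this example's own assumptions.

```python
"""Vendor access broker modelling: delegate, authenticate, confirm,
request and approve, do not disclose, monitor, protect.
Added example, not Hitachi ID code; vendors, users, hosts and secrets are
constructed for illustration."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current code or one step either side to absorb clock skew."""
    if not secret:
        return False  # no enrolled authenticator: never fall back to password only
    return any(hmac.compare_digest(totp(secret, now + d * 30), code)
               for d in range(-window, window + 1))


@dataclass
class WorkRequest:
    vendor: str
    user: str      # vendor user's work email address
    target: str    # host the work is approved on
    approver: str  # your employee who approved the request
    start: int     # approval window, Unix time
    end: int


@dataclass
class VendorAccessBroker:
    delegates: dict                      # vendor -> delegate email (step 1)
    totp_secrets: dict                   # user -> enrolled TOTP secret (step 2)
    vault: dict                          # target -> privileged password (step 5)
    roster: dict = field(default_factory=dict)
    requests: list = field(default_factory=list)
    audit: list = field(default_factory=list)
    _pins: dict = field(default_factory=dict)

    def add_user(self, vendor: str, actor: str, user: str) -> None:
        """Step 1: only the vendor's own delegate manages that vendor's roster."""
        if self.delegates.get(vendor) != actor:
            raise PermissionError(f"{actor} is not the delegate for {vendor}")
        self.roster.setdefault(vendor, set()).add(user)

    def issue_email_pin(self, user: str, now: int) -> str:
        """Step 3: single-use PIN for the work mailbox. Returned here only so
        the example runs offline; in production it is emailed, not returned."""
        pin = f"{secrets.randbelow(10 ** 6):06d}"
        self._pins[user] = (pin, now + 600)
        return pin

    def authorize(self, vendor: str, user: str, totp_code: str, email_pin: str,
                  target: str, now: int):
        """Steps 2-7: every check must pass; the outcome is always audited."""
        reasons = []
        if user not in self.roster.get(vendor, set()):
            reasons.append("not on vendor roster")
        if target not in self.vault:
            reasons.append("target not managed by the vault")
        if not any(r.vendor == vendor and r.user == user and r.target == target
                   and r.start <= now <= r.end for r in self.requests):
            reasons.append("no approved work request for this window")
        issued = self._pins.pop(user, None)  # pop: a PIN is valid exactly once
        if (issued is None or now > issued[1]
                or not hmac.compare_digest(issued[0], email_pin)):
            reasons.append("work-email PIN invalid or expired")
        if not verify_totp(self.totp_secrets.get(user, b""), totp_code, now):
            reasons.append("MFA failed")
        session = None
        if not reasons:
            # Steps 5 and 7: the proxy injects the vault password into the
            # SSH/RDP session; the vendor gets only a handle, never the secret.
            session = {"id": secrets.token_hex(8), "target": target,
                       "protocol": "ssh-via-proxy", "expires": now + 3600,
                       "recording": True}  # step 6: session is recorded
        self.audit.append({"time": now, "vendor": vendor, "user": user,
                           "target": target, "granted": session is not None,
                           "reasons": reasons})
        return session
```

The TOTP routine matches the RFC 6238 test vector (secret `12345678901234567890` at time 59 gives `287082`), so it can be checked against any authenticator app. The audit list is what you would forward to your SIEM: `reasons` is empty on a granted login and lists every failed control otherwise, so a denied attempt is recorded with the same detail as a successful one, and `pop` on the PIN store means a replayed PIN fails even if the attacker also has a valid TOTP code.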

Secure access while working from home

Many organizations have quickly adapted to working from home, but there are a number of challenges you’re likely facing right now. With your users scattered, it’s even more important to consider security, who has access to what, and how to quickly resolve problems like forgotten passwords to keep employees productive no matter where they’re working. With increased distance and risk, now is the time to get serious about bolstering security as your workforce transitions to a new normal.