Access Governance and the Remote Employee by Dean Wiech

By Dean Wiech
The work-at-home phenomenon is no longer a trend, but a movement. It took hold in earnest at the beginning of the 21st century, as the web and internet connectivity made remote work practical, and for nearly 20 years working remotely has been the reality of the day for organizations large and small. Likewise, the vast majority of desktop applications have moved to the cloud and workspaces are virtualized, so they are easily accessible to remote employees. As a result, the number of remote systems and applications that must be managed is growing rapidly.
The challenge is that these cloud applications are typically not connected to the internal network, so default Windows credentials will not work; for most of these applications, employees will have a separate set of credentials. Granting and revoking access to cloud services should be as easy for IT and system administrators as accessing them is for end users. As managing the credentials and rights for these applications becomes more complex, the demand for single sign-on (SSO) portals increases.
Single Sign-On Portals
Single sign-on portals let users log in once and then automatically obtain access to multiple applications and all appropriate network resources. After an employee’s identity is confirmed, access policies can be applied to allow or deny application access; these policies determine which systems and applications are displayed within the user’s SSO portal.
This is convenient for users, but it also creates potential risk, making systems less secure than they otherwise could be. Because these applications are accessible remotely, a higher level of authentication is required. This higher level, called strong authentication, can be achieved with the following factors:
· Something the user knows: a username or password
· Something the user owns: a cell phone or token
· Something the user is: a biometric, such as a fingerprint or facial recognition
Combining two or more of these methods during the authentication process adds an extra layer of security, known as two-factor or multi-factor authentication.
Attribute Based Access Control
Additional security can be achieved by adding attribute-based access control (ABAC) or role-based access control (RBAC). Access within the portal is then determined not only by the individual’s identity and their role within the company, but also by attributes such as the type of device being used, the geo-location the portal is accessed from and the time of day. For example, a user could be prevented from accessing financial systems from a smartphone after 5 p.m. This kind of control can lock down remote applications even when the application itself does not support it.
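The following is an added illustration of how a portal might layer ABAC rules on top of RBAC entitlements; it is not Tools4ever code or from the original article. The roles, application names, allowed countries and field names are constructed assumptions, and the one concrete rule is the article's own: no financial systems from a smartphone after 5 p.m.

```python
from dataclasses import dataclass, replace
from datetime import time

@dataclass(frozen=True)
class AccessRequest:
    """Attributes the portal collects per session (constructed; field names are assumptions)."""
    user: str
    role: str
    application: str
    device_type: str   # "laptop" or "smartphone"
    country: str       # geo-location resolved from the client address
    local_time: time   # user's local clock when the request is made

# RBAC layer: the coarse entitlements a role grants (constructed sample policy).
ROLE_ENTITLEMENTS = {
    "finance": {"general-ledger", "expense-reports", "intranet"},
    "engineer": {"source-control", "intranet"},
}
FINANCIAL_SYSTEMS = {"general-ledger", "expense-reports"}
ALLOWED_COUNTRIES = {"US", "NL"}
END_OF_BUSINESS = time(17, 0)   # 5 p.m., as in the article's example

def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason). RBAC decides whether the role may ever see the
    application; the ABAC rules then narrow that decision by device, place and time."""
    if req.application not in ROLE_ENTITLEMENTS.get(req.role, set()):
        return False, "role not entitled"
    if req.country not in ALLOWED_COUNTRIES:
        return False, "geo-location not permitted"
    if (req.application in FINANCIAL_SYSTEMS
            and req.device_type == "smartphone"
            and req.local_time >= END_OF_BUSINESS):
        return False, "financial system from smartphone after hours"
    return True, "allowed"

def visible_applications(session: AccessRequest) -> set[str]:
    """Tiles the portal should render: every entitled application that also
    passes the attribute rules under the current session context."""
    candidates = ROLE_ENTITLEMENTS.get(session.role, set())
    return {app for app in candidates
            if evaluate(replace(session, application=app))[0]}

if __name__ == "__main__":
    # Same finance user, same evening, two different devices.
    phone = AccessRequest("alice", "finance", "", "smartphone", "US", time(17, 30))
    laptop = replace(phone, device_type="laptop")
    print(sorted(visible_applications(phone)))    # ['intranet']
    print(sorted(visible_applications(laptop)))   # ['expense-reports', 'general-ledger', 'intranet']
```

The same user sees a smaller portal from a phone after hours than from a laptop, which is the effect the paragraph describes: the restriction is enforced at the portal even though the financial application itself knows nothing about devices or time of day.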
Federated Identity
To secure the communication between the single sign-on portal and the application, a federated identity can be used. With a federated identity, identity and account information is shared between organizations and applications, so users only have to log in once to reach target applications. The Security Assertion Markup Language (SAML) can be used as the authentication mechanism between the single sign-on portal and the application; it is a data format for exchanging authentication and authorization data between websites.
Reporting and Auditing
Everything that happens within a single sign-on portal should be logged, and this information used for reporting and auditing. With such information it is possible to determine when, how often, from where and by whom certain applications are accessed.
Thus, while the expanding workplace brings with it a certain level of risk and complexity, single sign-on and two-factor authentication offer efficiency without compromising security.
Dean Wiech is managing director of Tools4ever.