by Timm Lotter, Senior Presales Consultant, APIIDA AG
With digitization and the cloud age, companies face the challenge of protecting themselves against new attack surfaces. There is a lot to keep in mind to secure IT systems in the right way.
The basic steps can be explained with a pyramid whose layers build on each other. That way, security holes can be prevented already during planning.
Why this makes sense is shown by the following example: a company has introduced a solution for Multi-Factor Authentication (MFA). This is a good way to secure the application logon. But what if the underlying identities are not managed correctly? What if an employee has been terminated, but his identity has not been deactivated? He can still sign in, and MFA will not help! In the picture below, we see that MFA is at the top of the pyramid. To prevent this vulnerability, correct identity management at the lowest level is necessary.
1st Layer: Identity Management
A company is made up of several IT systems, which are shown below the first layer. Examples are AD, LDAP directories, SAP and cloud services like Office365 and Salesforce. For an employee to log in, their digital identity must be known and they need authorization. This task is handled by the identity management of the 1st layer. There are different technologies for the technical integration of applications. Widely used for on-premise applications is the LDAP protocol, and for cloud services SCIM. But there are also systems that use proprietary protocols or have an internal user management, which require special connectors from the identity management solution.
Why is proper identity management important? An application can be totally secure without any vulnerabilities, but if an attacker gets an identity with sufficient rights under his control, he can cause significant damage.
2nd Layer: Access Management (Web Access Management / Privileged Access Management)
After the identities are managed correctly, employees need to access the applications. To make this as easy as possible, the access management layer offers some advantages:
Companies usually use two different solutions:
3rd Layer: Multi-Factor Authentication (MFA)
Once the identities are properly managed and an interface to access the applications exists, it makes sense to introduce multi-factor authentication. An MFA solution is either offered by the access management of the second layer or is integrated with it. A standard protocol for the integration of VPN is RADIUS. When selecting an MFA solution, support for a large number of second factors is recommended, to be prepared for all requirements. Adaptive authentication is advisable to improve the user experience, so that an additional factor only has to be provided when it makes sense.
For cloud services, however, it makes sense to implement an MFA solution as soon as possible. They can be used from anywhere and by anyone, including potential attackers!
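The following is an added example, not code from the original article or from APIIDA: a small login decision function that evaluates the three layers in order, so that a terminated employee whose identity has been deactivated at the 1st layer is denied before MFA is even consulted, and MFA is requested adaptively (always for cloud services, otherwise only off the corporate network). The identity store, app policy and user names are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    DENY = "deny"
    ALLOW = "allow"
    MFA_REQUIRED = "mfa_required"


@dataclass
class Identity:
    user_id: str
    active: bool        # lifecycle state from the 1st layer (like SCIM's "active")
    groups: set
    mfa_enrolled: bool


# Constructed sample directory; in practice fed by LDAP/SCIM provisioning.
IDENTITIES = {
    "alice": Identity("alice", True, {"sales", "finance"}, True),
    # bob has been terminated but nobody deactivated him yet (the scenario above).
    "bob": Identity("bob", True, {"sales", "admins"}, True),
}

# Constructed access policy: app -> (required group, is_cloud_service)
APP_POLICY = {
    "salesforce": ("sales", True),
    "sap": ("finance", False),
}


def deprovision(user_id: str) -> None:
    """What a correct offboarding at the 1st layer does: disable the identity."""
    if user_id in IDENTITIES:
        IDENTITIES[user_id].active = False


def authorize(user_id: str, app: str, mfa_passed: bool, from_corporate_network: bool) -> Decision:
    ident = IDENTITIES.get(user_id)
    # Layer 1: identity must exist and be active, regardless of any MFA result.
    if ident is None or not ident.active:
        return Decision.DENY
    # Layer 2: access management - deny by default, check entitlement to the app.
    if app not in APP_POLICY:
        return Decision.DENY
    required_group, is_cloud = APP_POLICY[app]
    if required_group not in ident.groups:
        return Decision.DENY
    # Layer 3: adaptive MFA - always for cloud services, otherwise only off-network.
    needs_mfa = is_cloud or not from_corporate_network
    if needs_mfa and not (mfa_passed and ident.mfa_enrolled):
        return Decision.MFA_REQUIRED
    return Decision.ALLOW
```

Run it with bob before and after `deprovision("bob")`: with a passed second factor he is allowed into Salesforce until the identity is disabled, at which point the 1st layer denies him before MFA matters.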
In summary, the security pyramid is an easy and clear way to explain and plan the steps for introducing IT security solutions. The basis is the correct management of identities, on which access management and multi-factor authentication build.