Directory Services & Multi-Factor Authentication

Believe it or not, we get this question all the time when working with business owners and executives on how to secure their IT environment and resources. A great analogy that makes this concept easier to understand is a simple security badge at your offices.

Read More

When Alice goes to work each morning, she takes out her security badge and waves it in front of a sensor at the front door to unlock it automatically. That act of waving your badge “tells” the security system not only that it is Alice at the front door, but also what she has access to within the building. The system responds by verifying her in the system, unlocking the door, and creating an entry in the security log to keep for future use.

After walking through the front door, Alice enters the accounting offices because she’s the head of Accounting after all!  She waves her badge in front of the sensor leading through the door to the Accounting department and the system now verifies whether or not she has access to this restricted area.

Since she’s not only an employee of the company but also a member of the Accounting department the system once again unlocks the door and creates an entry in the security log. If she were a member of the Sales or Operations team her badge would fail to unlock the door as her company decided that access to the Accounting offices is restricted due to certain compliance restrictions.

Directory Services are the exact same process but instead of granting you access to your office building or space, it grants you access to your computer network. Let’s use the example of Alice once again.

Alice sits down at her computer in the morning and logs into the network at her computer using her standard username and password. The network checks Alice’s credentials, verifies she is authorized to log in, grants her access, and logs the security event for future reference. Sound familiar?

Going a step further, Alice then attempts to access the accounting folder on the network to review quarterly financials before her staff meeting. After all, she is the head of the Accounting department! She clicks on the Accounting folder to open it and it opens. Why does it open? Because in the directory service on the network (the vast majority of the time this is Microsoft Active Directory) Alice is listed under the Accounting department and the system knows what level of access she should have (read, edit, delete) to all of the files in this folder. Just like her access to the building outlined above.

That is the basic concept of Directory Services and hopefully, it shows you why this is a critical function of your IT security program.

Cloud migration and digital transformation are extending businesses’ digital perimeter - and the scope of Identity and Access Management (IAM) programs. IT professionals are now responsible for managing user access across on-premises applications and a growing number of SaaS apps. A typical small enterprise’s Identity and Access Management program will span 1 million people, 10 million things, and billions of relationships.

Traditional Access Management technologies miss the mark, focusing either on on-premises apps exclusively, forcing companies to manage on-prem and SaaS apps separately. This year, over 50% of businesses plan to deploy as many SaaS apps as on-premises apps, but 72% of businesses have legacy Access Management technologies.  More and more businesses operate in a hybrid mode (on-prem and cloud) but only have an Access Management solution for half of the equation - or separate tools for each.

As a result, most Access Management programs are fragmented and plagued with complexity, inefficiency, security risk, and high cost. In fact, half of IT executives claim legacy Access Management solutions are a direct barrier to digital transformation, with the biggest pain points being the 1) maintenance, 2) cost, and 3) complexity of these tools.