Charles Edge

How Secret Management Fits Into Modern, Layered, Zero Trust Architectures


In today's digital world, we are constantly creating and using new passwords. From our email accounts to our social media profiles, we have to remember a seemingly endless number of passwords. This is a challenge, and it also leads to security risks, especially at companies. We also provision new computers, need to monitor the security posture of those computers, provision new accounts, need to monitor access to and use of those accounts, and have to react to a constantly changing threat landscape.


This means most organizations use a number of services to help keep them secure, while allowing users to actually get real work done. The pieces of this puzzle that involve identity, which includes authentication and authorization, include:

  • Password Managers: Tools like Secret Chest, 1Password, LastPass, and others (many of which are built into our operating systems or browsers for free) store passwords so users can have a strong, unique password for each service they access (e.g. wifi networks, websites, etc.).

  • Federated Identity Management services: These federate access to sites where it’s possible to do so with a single account. An identity provider (IdP) is a service that provides a central place for users to store their login credentials. When you use an IdP, you only have to remember one set of credentials, which you use to log in to all of the IdP's member websites and applications.


Password managers and identity providers help us to create and manage our passwords more securely. In the world of information security, authentication and authorization are two essential concepts. Authentication is the process of verifying a user's identity, while authorization is the process of determining what resources a user has access to.


Verifying a user's identity can be done in a variety of ways, such as by requiring the user to provide a username and password, a fingerprint, or a facial recognition scan (or a combination of these as is common with two-factor authentication). The goal of authentication is to ensure that only authorized users are able to access a system or resource. If an unauthorized user is able to authenticate themselves, they could potentially gain access to sensitive data or systems, which could lead to data breaches or other security incidents.


Authorization is the process of determining what resources a user has access to. This is typically done based on the user's role or group membership. For example, a system administrator may have access to all of the system's resources, while a regular user may only have access to certain applications or files. The goal of authorization is to ensure that users only have access to the resources that they need to do their job. If a user has access to more resources than they need, they could potentially misuse those resources, which could lead to security incidents.


Authentication and authorization are two distinct processes, but they are closely related. Authentication is the first step in authorization. Once a user has been authenticated, the system can then determine what resources they have access to. That process is typically done on the site a user is visiting, based on the authentication data. For example, when you log in to your computer, you are first authenticated by providing your username and password. Once you have been authenticated, the system can then determine what applications and files you have access to and render the permissible options to the screen.

A password manager is a software application that helps you to store and manage your passwords securely. Password managers typically use a strong encryption algorithm to protect your passwords. They also offer a variety of features that make it easier to create and manage your passwords, such as password generation, password strength checking, and password sharing. IdPs typically use a variety of security measures to protect your credentials as well, such as multi-factor authentication and encryption. They also offer a variety of features that make it easier for the organization to manage your credentials and authorizations, often based on group membership in whatever system acts as the central authority for such metadata.


Password management is a good option for individuals who want to improve the security of their passwords. Password managers can help you to create strong, unique passwords for each of your online accounts. They can also help you to keep track of your passwords and to make sure that they are all up to date. Identity providers are a good option for organizations that want to improve the security of their users' passwords and gain powerful automation options that allow administrators to hook various, often disparate systems together so accounts are provisioned or gain new membership based on business rules.


Beyond authentication and authorization, we need telemetry into the state of a device or user account before we grant access to resources on that device or to that account. For this purpose a number of other types of software have emerged, the most common of which include:

  • Device Management: These are tools that allow us to individually or en masse make changes to devices. That might be setting up apps for services users have access to, locking devices if they’re lost, or wiping organizational content and settings if the device leaves the organization. These tools might also know a number of facts about a device that can be used to determine if the device meets the requirements set based on the security posture of an organization.

  • Malware Mitigation: These can include anti-virus software, anti-phishing/spam/ransomware software, threat hunting tools, and even SIEMs that receive a stream of events from devices.

  • Proxies and ZTNA: These tools filter traffic from a device and/or app through a service that scans each packet or call to a service and logs or blocks events based on the security posture of the organization.

These three, along with password managers and IdPs, offer a powerful, layered defense. Based on information from agents on devices, device management data, and events flowing through proxies, administrators can string together automations that grant or deny access to any resource at any given layer of the stack of solutions required to do a job. This means that if a device doesn’t meet the security posture, if there’s a threat on the device, if there’s anomalous behavior on a device, or if there are any other issues, we can mitigate our risk and perhaps expand that mitigation to other devices and accounts. That is, provided the tools we use have APIs and the ability to trigger scripts based on what’s happening in the environment. We can also do this at a very granular level by blocking authentication or by helping other services lessen the resources a user or device is authorized to access.
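The following is an added example, not code from the post or from Secret Chest, showing how the layers above (IdP authentication, device management facts, malware-mitigation and proxy signals, then group-based authorization) can be evaluated in order to grant, lessen or deny access. The `Subject`, `Device` and `RESOURCE_GROUPS` names and all sample values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

@dataclass
class Subject:
    user: str
    authenticated: bool     # the IdP verified the credentials
    mfa: bool               # the second factor was satisfied
    groups: Set[str]        # group membership from the directory / IdP

@dataclass
class Device:
    managed: bool           # enrolled in device management
    os_patched: bool        # inventory fact from device management
    disk_encrypted: bool    # inventory fact from device management
    edr_alert: bool         # open detection from malware-mitigation tooling / SIEM
    proxy_anomaly: bool     # anomalous traffic flagged by the proxy / ZTNA layer

# Constructed example policy: which groups may reach each resource.
RESOURCE_GROUPS: Dict[str, Set[str]] = {
    "payroll": {"finance", "admins"},
    "wiki": {"staff", "finance", "admins"},
}

def decide(subject: Subject, device: Device, resource: str) -> Tuple[str, str]:
    """Evaluate each layer in order and return (decision, reason).

    decision is "deny", "read-only" or "allow": a missing factor or an active
    threat is a hard deny, while a posture below baseline lessens what the
    user is authorized to do instead of blocking them outright.
    """
    # Layer 1: authentication (IdP plus second factor)
    if not subject.authenticated:
        return "deny", "not authenticated"
    if not subject.mfa:
        return "deny", "second factor missing"
    # Layer 2: device management and threat telemetry
    if not device.managed:
        return "deny", "unmanaged device"
    if device.edr_alert or device.proxy_anomaly:
        return "deny", "active threat or anomalous traffic on device"
    # Layer 3: authorization by group membership
    if not subject.groups & RESOURCE_GROUPS.get(resource, set()):
        return "deny", "no group authorized for " + resource
    # Layer 4: degraded posture lessens, rather than removes, access
    if not (device.os_patched and device.disk_encrypted):
        return "read-only", "device posture below baseline"
    return "allow", "all layers satisfied"

if __name__ == "__main__":
    alice = Subject("alice", True, True, {"staff", "finance"})
    unpatched = Device(True, False, True, False, False)
    print(decide(alice, unpatched, "payroll"))
```

Each check maps to a signal one of the tools in the stack can expose through its API, so the same ordering can drive a real automation once those signals are wired in.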


To see how Secret Chest does all of this and more, sign up for our private beta, and get to stringin’ up those workflows!
