Access Management for Remote Employees

Over the last few years, it has become more common to work remotely. The vast majority of desktop applications have moved to the cloud and workspaces are virtualized, becoming easily accessible for remote employees. Because of this, the number of remote systems and applications is growing rapidly.

These cloud applications are often not connected to the company's internal network, so the default Windows credentials will not work; as a result, the employee ends up with different credentials for most of these applications. It should be as easy for IT and system administrators to grant and revoke access to cloud services as it is for end users to access them. As managing the credentials and rights for these applications becomes more complex, the demand for Single Sign-On (SSO) portals increases.

Single Sign-On Portals

SSO portals allow users to log on once and automatically obtain access to multiple applications and network resources. After the person's identity has been confirmed, access policies are used to allow or deny access to each application. These access policies determine which systems and applications are displayed within the SSO portal. When the user clicks on the tile that represents the desired application, the SSO portal opens a new window or tab in the browser and automatically logs the user on to the selected application.

Two- or Multi-Factor Authentication

This SSO functionality is very convenient for the end user, but it also concentrates risk: a single set of credentials now unlocks every connected application. Because these applications are accessible remotely, a higher level of authentication is required. This higher level of authentication, called strong authentication, can be achieved with the following factors:

  • Something that somebody knows: user name, password, PIN code
  • Something that somebody owns: cell phone, token
  • Something that somebody is: biometrics such as fingerprints or facial recognition

If two or more of these factors are combined during the authentication process, an extra layer of security is added. This is called two-factor or multi-factor authentication (2FA or MFA).

Attribute Based Access Control

An option to make the portal even more secure is to include Attribute Based Access Control (ABAC). Not only the identity itself and its role within the company determine the access it gets within the portal; other attributes, such as the device being used, the geo-location the portal is accessed from and the time of day, are added to the decision. For example, a user could be prevented from accessing financial systems from their smartphone after 5pm. This kind of control can lock down remote applications even when the application itself does not support such restrictions.
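As an added illustration, not code from the article, the following Python sketch evaluates the kind of attribute-based policy described above with deny-overrides semantics and a default deny. The attribute fields, rule names and approved countries are assumptions; the device type and geo-location are assumed to be supplied by the portal from the user agent and client IP.

```python
from dataclasses import dataclass
from datetime import time
from typing import Callable, Iterable

# Constructed example: a minimal ABAC policy evaluator for an SSO portal.
# Attribute names and the sample rules are assumptions, not from any product.

@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset       # roles assigned to the identity
    application: str       # the tile the user clicked in the portal
    device_type: str       # e.g. "laptop" or "smartphone", as reported by the portal
    country: str           # geo-location resolved from the client IP (assumed done upstream)
    local_time: time       # time of day at the moment of the request

@dataclass(frozen=True)
class Rule:
    name: str
    effect: str            # "allow" or "deny"
    applies: Callable[[AccessRequest], bool]

def evaluate(request, rules):
    """Deny-overrides: any matching deny wins over an allow; if no allow
    matches at all the portal falls back to deny, so a new application stays
    hidden until a rule explicitly grants it. Returns (decision, rule name)."""
    first_allow = None
    for rule in rules:
        if not rule.applies(request):
            continue
        if rule.effect == "deny":
            return "deny", rule.name
        if first_allow is None:
            first_allow = rule.name
    return ("allow", first_allow) if first_allow else ("deny", "default-deny")

# Sample policy for the scenario in the text: finance systems are for the
# finance role, never from a smartphone after 17:00, and only from approved countries.
FINANCE_RULES = [
    Rule("finance-role", "allow",
         lambda r: r.application == "finance" and "finance" in r.roles),
    Rule("finance-no-smartphone-after-hours", "deny",
         lambda r: r.application == "finance"
         and r.device_type == "smartphone" and r.local_time >= time(17, 0)),
    Rule("finance-approved-countries", "deny",
         lambda r: r.application == "finance" and r.country not in {"NL", "BE"}),
]

def decide(user, roles, application, device_type, country, hour, minute=0):
    """Build one request from plain values and evaluate it against FINANCE_RULES."""
    req = AccessRequest(user, frozenset(roles), application, device_type, country, time(hour, minute))
    return evaluate(req, FINANCE_RULES)
```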

Federated Identity

To secure the communication between the SSO portal and the target application, a federated identity can be used. With a federated identity, identity and account information can be shared between organizations and applications, so that users only have to log in once to reach the target applications. The Security Assertion Markup Language (SAML) can be used as the authentication mechanism between the SSO portal and the target applications. SAML is a standard format for exchanging authentication and authorization data between websites.

Reporting and Auditing

Everything that happens within an SSO portal should be logged to a database. This information can be used for reporting and auditing purposes. With it, it is possible to determine when, how often, from where and by whom certain applications are accessed.

In summary, the expanding workplace brings with it a certain level of risk and complexity. SSO offers efficiency without compromising security.