A Customized Device-Based Access Control Solution for an Automotive Ancillary Major using Akku

Data security is a critical business priority today – this is especially true for businesses in industries such as manufacturing, where intellectual property as well as customer data are involved. 

This was the case for our client too – a leading player in the automotive ancillary manufacturing space. In this blog, we explore their specific challenge in safeguarding their digital assets, and how Akku was able to deliver a customized solution to address the client’s needs.

The Challenge

The client runs regular audits to assess their security posture, and to identify areas where their existing Google Workspace could itself provide adequate security measures in terms of access control. 

In one such audit, they identified a critical gap. Employees at the company were increasingly needing to work remotely, but the existing endpoint security solution was only capable of restricting access to the company’s network and disabling all remote access.

Additionally, it was necessary to permit access for any user from any approved company laptop or desktop – a challenge given that the conventional device-based restriction approach generally maps one user to one device.

Akku’s Innovative Approach

Our team at Akku addressed this challenge with a customized device-based restriction strategy. 

To allow any user to access applications and data from any of the company’s laptops or desktops, we decided to implement a many-to-many mapping system. This unique solution involved the development of a custom application, the Akku Agent, installed on every whitelisted device.

The Implementation

Through the client’s inventory system, all machine serial numbers were captured and uploaded to Akku. The login process was then revamped to require all users to authenticate via Akku only. 

When a user logs in, the Akku Agent now verifies the device’s serial number against the whitelisted devices in Akku, and allows access from any location, including outside the client’s network, as long as the request is made from an approved device.

This solution seamlessly addressed the core challenge of permitting remote user access from approved devices.

Tackling Mobile Access

The next hurdle was controlling mobile access. Based on the Google Workspace plans assigned to the company’s users, the Google Workspace Advanced MDM functionality addressed mobile access control for only a subset of the company’s users. 

For all other users, access from any mobile device remained unchecked. Additionally, inventorying all personal devices of employees was impractical.

Akku’s solution was to restrict user mobile access to a controlled number of manually approved devices per user. By default, users were not permitted mobile access. Upon necessity, they could contact the admin to get a device approved, ensuring secure and controlled mobile access. And in case of a change of device, such as on purchase of a new phone, the admin would be able to deactivate access to the old device and enable access to the new device.

The Outcome

By integrating Akku, the client not only overcame the limitations of their existing security system, but also enabled secure remote access for their employees with seamless device-based access control measures.

The solution addressed the unique challenges faced by our client through Akku’s flexibility and our team’s custom development and deployment solution.

Akku’s flexible and innovative IAM solutions can transform your organization’s security landscape too. Talk to us to know more today.

Blockchain Technology: A new chapter in Identity & Access Management

Author: Baskar
Reading time: 3 mins

Why do you need an IAM? These tools help businesses manage their corporate identities and each employee’s access to different resources. Typically, these IAMs work based on a centralized database of user names and passwords. Single sign-on (SSO) works with this database to confirm identity and access permissions.

However, this database also becomes a centralized target for malicious actors. Whichever platform you’re using – your IAM solution, Active Directory, or any other identity provider – such a database is a tempting ‘honey pot’, a target for hackers.

Enter the Blockchain IAM

Blockchain-based IAM solutions will be able to authenticate identity without the use of passwords. Based on your organization’s DID (decentralized identifier), blockchain credentials will be recorded and tracked on the distributed, shared, immutable blockchain ledger. The public key will be stored on the blockchain servers, while the private key will be pushed to user.

In the case of Akku’s upcoming blockchain version, employees will need to enter their DID on an Akku app on their smartphone. A private key will then be pushed to their device, activating access to the app on that device, which can be used to enable login and access to all corporate assets.

Managing digital identities without a single point of vulnerability

Using the Self-Sovereign Identity (SSI) model, digital identities can be managed in a distributed ledger system. This ensures that there’s no single point of vulnerability for hackers to attack. Your user credentials are secured with the tamper-proof distributed ledger.

Since blockchain-recorded credentials are recorded in a distributed ledger, they cannot be altered or impersonated. This guarantees integrity of identity during authentication, and you can be sure that your authenticated users are really who they say they are.

An additional layer of security is guaranteed through passwordless authentication.

Prevention of user impersonation through passwordless authentication

Since there are no passwords involved in the user authentication process, there is no risk of passwords being compromised or hacked. Our QR code-based passwordless authentication process is seamless, immediate and extremely secure. In addition, the authentication process also offers a seamless user experience.

As we move beyond passwords for authentication, you gain a number of benefits:

  • Security from easy-to-hack passwords, poor password policy compliance, common passwords, etc
  • Streamlined login process as they avoid password resets and other requests to IT support team
  • No risk of compromised passwords and user impersonation

The blockchain is the next big thing in cybersecurity, and Akku is excited to be at the forefront of this revolution. The private decentralized, immutable ledger feature of blockchain technology changes the IAM landscape considerably.

Talk to our team of experts about how to get started on your blockchain journey. Get in touch with us today.

Passwordless Authentication: Why you need it, how it works, and how Akku takes it further

 

How do you strengthen your identity verification processes? Most organizations go the route of stronger password policies and tight password management. However, did you know that passwords are inherently among the most vulnerable components of your organization’s cybersecurity environment?

The risks of password-based login

When you use passwords as the primary key to your secure assets and data, you open up your systems to certain risks: weak password policies, improperly shared access, database hacks, credential stuffing and social engineering.

Weak passwords due to improper policies

Poor policies could permit the use of very weak passwords. On the other hand, very stringent rules result in employees hunting for workarounds. If you’re using password-based authentication, prioritize a password policy management module in your IAM.

Database breaches

Since user credentials are stored in a single centralized database, the database is naturally under some risk of hacking. Passwordless authentication does away with this risk, since there’s no centralized database of passwords to be breached.

Credential stuffing attacks

It’s common for employees to use the same password on multiple websites, from the local movie theater’s online booking system to your business applications. If the movie theater happens to get hacked, your business-critical assets are suddenly vulnerable.

Social engineering attacks

When creating a password, users gravitate towards names and dates of personal importance. These details aren’t public, but they can be discovered! Malicious actors can learn such data from in-person social interactions or from social media, and crack the user’s login.

Enter passwordless authentication

How do you avoid passwords in your identity verification process? Passwordless authentication is a zero-trust login method that works well with modern applications and systems. It entirely does away with credentials based on the username-password dynamic. Instead, passwordless authentication is typically device-centric, where a previously approved action needs to be taken on a verified device (smartphone, personal computer or hard token) to authenticate a user.

 

The credentials are non-shareable and are not stored centrally. No passwords are shared with users, and they cannot be inappropriately shared or compromised, meaning unauthorized individuals cannot access your business-critical assets even if they were to obtain a user’s credentials. Credential stuffing, social engineering and hacking attacks are not just unlikely; they’re impossible. As a system administrator, you don’t need to worry about the strength of your users’ passwords or the frequency with which they’re updating them. 

The benefits of passwordless authentication

  1. As discussed above, it strengthens the security of identity credentials
  2. It improves user experience for administrators, business management and users too
  3. It simplifies the login experience for the user
  4. It reduces long-term IT costs, as fewer support tickets are raised

How does passwordless authentication work?

You could use a number of techniques to enable passwordless authentication. These include hard tokens, OTPs, private keys, magic links, push notifications and QR codes.

 

Passwordless authentication is based entirely on a device or object that the user already possesses. 

  1. QR codes can be scanned by a specific application downloaded on the user’s mobile phone.
  2. Hard tokens are physical devices that provide users with direct access to specific software.
  3. OTPs, push notifications and magic links could be connected to mobile devices, a phone number or an email address.
  4. Private keys are stored on the user’s approved devices; these alphanumeric strings are used in association with a public key to verify the user’s identity.

Akku and blockchain-based identity management

Akku’s upcoming blockchain-based identity management method has added a new layer of security to the customizable IAM solution. Using a private distributed ledger, the Akku blockchain-based IAM is virtually unhackable and extremely secure. At the same time, this revolutionary technology is user-friendly and accessible.

 

Using the new system, your administrator would provision new users exactly as they did earlier on the original Akku system. Each user would be provided with credentials consisting of a public key stored on the blockchain servers, and a private key pushed to the user. Blockchain credentials are created based on the decentralized identifier that your organization chooses. This could be an email ID, employee ID, or any other unique identifier.

 

Once their access has been provisioned, employees download the Akku app and enter their decentralized credentials. On the Akku login page, they will see a QR code which needs to be scanned through the Akku application. They will then receive a private key, and their access is activated.

 

This QR code based passwordless authentication method is enabled by the use of blockchain credentials with each user’s public key being stored on the blockchain, and their private key being stored in a blockchain wallet on their approved device – in this case the wallet being the Akku app.

 

The use of the QR code based passwordless authentication method eliminates some of the risks associated with other forms of passwordless authentication. This includes as SIM swapping or cloning in the case of OTP based methods, and biometric hacks in the case of fingerprint or retina scan methods.

 

Do reach out to our team to learn more about the blockchain and its use in identity and access management. Get in touch with us today.

What is Open Policy Agent and how do you use it in cloud-native environments?

Open Policy Agent (OPA) helps you to increase application security and to reduce the risk of unauthorized access to sensitive data even in case of a breach of the application. 

It achieves this by simplifying access authentication and authorization within the application architecture, which in turn secures internal communication and access.

Many multinational corporations are using Open Policy Agent in their IT operations to establish, validate and enforce access control and security policies across the architecture of the application, thus allowing them to customize and strengthen security strategies for the application.

Why should Open Policy Agent matter to your business?

Take, for instance, edge security, which is used to protect corporate resources, users, and apps at the “edge” of your company’s network, where sensitive data is highly vulnerable to security threats. The edge security model trusts all internal communication and checks a user identity only at an ingress API-Gateway.

With Open Policy Agent it is possible to plug this gap by building a distributed authorization as close to a data source as possible without having to build the authorization logic directly into services. That increases security at every level of your application.

Here’s how major enterprises are using OPA

  • Goldman Sachs uses Open Policy Agent to enforce admission control policies in their Kubernetes clusters as well as for provisioning Role-based access control and Quota resources central to their security.

  • Google Cloud uses Open Policy Agent to validate configurations in several products and tools including Anthos Config Management and GKE Policy Automation.

  • Netflix uses Open Policy Agent to enforce access control in microservices across languages and frameworks in their cloud infrastructure and to bring in contextual data from remote resources to evaluate policies.

But what is OPA, exactly?

Open Policy Agent (OPA) is a tool that helps you write and test policy-as-code for Kubernetes to improve operational efficiency and promote scalability and repeatability. OPA decouples policies from application configurations and provides policy-as-a-service. Since this engine unifies policy enforcement across the stack, it allows security, risk, and compliance teams to adopt a DevOps methodology to express desired policy outcomes as code as well as offload policy decision-making from software. Created by Styra, and now part of the Cloud Native Computing Foundation (CNCF) alongside other CNCF technologies like Kubernetes and Prometheus, OPA is an open source, general-purpose policy engine. 

When and How can OPA be used to improve your IT Ops?

Infrastructure Authorization

You can use make all elements of your application infrastructure more secure using OPA.

OPA enforces and monitors security policies across all relevant components. For instance, you can centralize compliance across Kubernetes and application programming interface (API) gateways. 

With Open Policy Agent, you can add authorization policies directly into the service mesh, thereby limiting lateral movement across a microservice architecture. That way, since authorization is required at entry to every microservice, improper access to one microservice does not necessarily compromise others.

(You can learn more about Service Mesh and how it can help you with cluster security here and here.)

Admission Controller

You can control admission to your resources by working with an OPA-powered Gatekeeper.

Azure Gatekeeper and other Kubernetes policy controllers work with OPA to allow you to define policy to enforce which fields and values are permitted in Kubernetes resources. They can mutate resources. 

A common example of a mutation policy would be changing privileged Pods to be unprivileged, or setting imagePullPolicy to Always for all Pods. When you’re able to mutate resources server-side, it’s a really easy way to enforce best practices, apply standard labeling, or simply apply a baseline security policy to all resources.

Azure Gatekeeper for example is a Kubernetes policy controller that allows you to define policy to enforce which fields and values are permitted in Kubernetes resources. It operates as a Kubernetes admission controller and utilizes Open Policy Agent as its policy engine to ensure resources are compliant with policy before they can be successfully created.

Application Authorization

With the level of automation OPA provides, your team can make changes with the confidence that access authorization will remain accurate. 

Since Open Policy Agent uses a declarative policy language that lets you write and enforce rules, it comes with tools that can help integrate policies into applications as well as grant end users permissions to contribute policies for tenants. This enforces policies across organizations for end-user authorization with the OPA deciding level of user access in the application.

Open Policy Agent is also used to resolve problems around service-level authorization to control who can do what at different parts of the stack. 

What are the advantages of using OPA?

The OPA policy improves operational efficiency, allows for virtually unlimited scalability, eases interpretation, offers version control, and ensures repeatability. It essentially provides a uniform, systematic means of managing policies as well as auditing and validating them to avoid the risk of introducing critical errors into production environments. That’s because in Kubernetes, policies are best defined in code and OPA allows you to write and validate policy-as-code. 

By leveraging code-based automation instead of relying on manual processes to manage policies, your team can move more quickly and reduce the potential for mistakes due to human error. At the same time, your application architecture remains absolutely secure. Want to know more about how OPA can make your business more efficient? Contact us at Akku.

Here’s why your apps built with no-code platforms need an external IAM

Have you heard of no-code application builders? They are ideal for minor applications without heavy technological requirements. These no-code apps can be taken to market much faster, are cheaper to develop and can deliver a great experience in many cases.

However, while they are easy to build and use, securing apps made with a no-code app builder requires an external IAM.

Access management for internal applications

Consider a desktop-based application such as MS Access, which is used for combining, processing and editing large groups of data from different sources. It’s largely being replaced by web-based equivalents. This kind of small internal application has a clear function, and is therefore easy to build using a no-code development tool.

Internal applications such as data management tools, onboarding tools and other HR applications are often considered lower priority as they are purely internal in use. Therefore, low-budget no-code app builder tools are used in these cases.

However, these applications process a great deal of valuable internal data, and it’s important to take their security seriously and guard access to them. That’s why it’s important to implement a strong IAM tool for all your internal-facing applications.

The risk of web-based applications

With web-based apps, whether or not it’s developed with a no-code tool, you have the freedom to deploy the application on cloud servers on flexible pricing models, and access them from anywhere. Since such apps are hosted on the cloud, it can be risky to access them directly without a VPN.

Tiny no-code app builders don’t invest the necessary time and effort into security and privacy, which is why it’s difficult to set up good protection for such apps. Additionally, the user working on a no-code app builder typically doesn’t have the necessary time and knowledge to do so.

Syncing your IAM

While some well-known no-code app builders offer plugins to integrate with external IAM through SAML and OAuth2, others do not. In cases where such plugins exist, you can use any external IAM system.

When the plugins do not exist, however, and especially in cases where you would rather reduce the coding footprint of your project, consider an IAM product like Akku. Since Akku is a customizable solution, you can use it as a gateway for any major or minor internal or external application, even when the app being used does not support SAML, OAuth2 or OIDC. 

Your minor internal applications often contain or process the most valuable data at your organization. Protect them with an external IAM that’s easy to set up, integrates with any setup, and restricts access to these key internal corporate resources. Protect them with Akku, the customizable IAM.



Maintaining in-house control of your digital access gateways

Unless you have the right kind of access control, you don’t have ownership of your assets. For digital assets, you also need a proper access gateway, which should not be under third-party control for storage and management. That’s because losing access keys means losing control of assets. With digital gateways, one can access the assets without needing to know where the keys are. It is very important to always keep these gateways running, disaster-free and tamper-free, and free of vendor lock. 

Digital vaults

In a smart society and business set-up, every person has the right to their own digital vault to store their digital keys, with a common gateway to access all their assets. This digital gateway should be tamper-free, immutable and self-sovereign. You need a reliable, dependable single gateway for all digital assets wherever they are, with distributed and decentralized systems.

Multi-cloud data storage

Cloud computing makes this possible, as it works with distributed and elastic principles itself. Data can be distributed into multi-cloud platforms. One can build need-based custom IAMs for digital gateways by spanning its infrastructure into a multi-cloud environment with distributed storage like Hadoop and distributed databases with hash sharding, as distributed technology has self-balancing and auto-scaling features.

In-house or third-party?

It is extremely complex to build such a system manually. Instead, you can achieve the same result with the Google Anthos multi-cloud platform. As it can work on other cloud platforms as well as on on-prem platforms, it is vendor-lock-free.

Google Anthos

Since Anthos is a multi-cloud platform, you are not forced to depend on specific highly integrated tools specific to that cloud service provider. Rather than siloize each cloud environment, you can use Anthos to deploy and manage workloads to multiple cloud platforms. Google Anthos allows the creation of Kubernetes clusters in both AWS and Azure environments.

Source: https://cloud.google.com/anthos/clusters/docs/multi-cloud

For any organization to keep its digital world alive and healthy, this kind of multi-cloud environment with hybrid cloud architecture is required. It might be the foundation of the smart world.

At CloudNow – creators of the Akku Identity and Access Management solution – we understand the importance of maintaining the sustainability and privacy of digital gateways, the real holder of all digital assets. Contact our team to learn more about how to implement a cloud-based access control system that works for your organization.

When should you implement an IAM solution?

In which stage of the user or employee lifecycle should an IAM solution ideally be implemented? The answer is: Right at the beginning, during onboarding. When the IAM is implemented early, it becomes part of the organization’s culture and ethos.

Provisioning and onboarding

Access to necessary applications and data needs to be provisioned as soon as the employee is onboarded. When an IAM is not used, access may be provisioned improperly with the intent to keep track manually and perform proper provisioning later.

For enterprise-level organizations with a huge number of employees, this causes issues at a later stage, as you may not have a proper record of the rights provided to each individual. When access provisioning is done properly with an IAM, access privileges will be tracked automatically to keep track of what access is and is not given to each employee.

Redundant data capture is also a real problem as the same data is entered by the new employee in the HRMS and then in the IAM for provisioning. By using a single platform, the redundancy is eliminated.

Single-platform onboarding

Instead of onboarding through multiple tools such as an HRMS or ERP, you can complete onboarding through a single platform – an IAM, such as Akku. You can also integrate your HRMS with Akku’s REST API, if you prefer. When using Akku for onboarding, your employees can upload all required induction documents through the IAM dashboard itself. This could include proof of identity documents, experience certificates, etc. Akku also allows you to set deadlines and schedule reminders for each employee. 

Why choose Akku?

Many businesses choose to work with Active Directory to simplify onboarding. However, there are certain issues with AD, including non-seamless remote working and of course, the enterprise-level costing.

Additionally, in as much as 50-70 percent of cases, in our experience, employees are brought in via a different tool and then asked to provide details on IAM as well. Instead, you can streamline the process with Akku, a tool that allows single-point data capture for onboarding.

Customer IAM for GDPR Compliance

In order to protect the digital privacy of European citizens, the European Union created the General Data Protection Regulation to ensure that organizations which collect any personal data from their users make the users aware of how and why their personal data is being used. Essentially, installing an Identity and Access Management solution across your organization for your employees as well as customers can help you stay compliant with this complex regulation. 

The EU’s GDPR took effect more than a year ago, but that doesn’t make it any easier to comply with. So if your organization is still finding compliance a difficulty, we are here to help.  Continue reading Customer IAM for GDPR Compliance

What is ADFS and why do you need it?

ADFS (Active Directory Federation Services) is an SSO solution created by Microsoft to authenticate users logging into applications which are incompatible with Integrated Windows Authentication (IWA) and Active Directory (AD).

ADFS provides organizations with the flexibility needed to simplify the user experience while improving the control that admins have over user accounts across owned as well as third-party applications. Since ADFS implements SSO, your employees are required to remember only one set of credentials for all the applications. Continue reading What is ADFS and why do you need it?