Category: Identity and Access Management

A Customized Device-Based Access Control Solution for an Automotive Ancillary Major using Akku

Data security is a critical business priority today – this is especially true for businesses in industries such as manufacturing, where intellectual property as well as customer data are involved. 

This was the case for our client too – a leading player in the automotive ancillary manufacturing space. In this blog, we explore their specific challenge in safeguarding their digital assets, and how Akku was able to deliver a customized solution to address the client’s needs.

The Challenge

The client runs regular audits to assess their security posture, and to identify areas where their existing Google Workspace could itself provide adequate security measures in terms of access control. 

In one such audit, they identified a critical gap. Employees at the company were increasingly needing to work remotely, but the existing endpoint security solution was only capable of restricting access to the company’s network and disabling all remote access.

Additionally, it was necessary to permit access for any user from any approved company laptop or desktop – a challenge given that the conventional device-based restriction approach generally maps one user to one device.

Akku’s Innovative Approach

Our team at Akku addressed this challenge with a customized device-based restriction strategy. 

To allow any user to access applications and data from any of the company’s laptops or desktops, we decided to implement a many-to-many mapping system. This unique solution involved the development of a custom application, the Akku Agent, installed on every whitelisted device.

The Implementation

Through the client’s inventory system, all machine serial numbers were captured and uploaded to Akku. The login process was then revamped to require all users to authenticate via Akku only. 

When a user logs in, the Akku Agent now verifies the device’s serial number against the whitelisted devices in Akku, and allows access from any location, including outside the client’s network, as long as the request is made from an approved device.

This solution seamlessly addressed the core challenge of permitting remote user access from approved devices.

Tackling Mobile Access

The next hurdle was controlling mobile access. Based on the Google Workspace plans assigned to the company’s users, the Google Workspace Advanced MDM functionality addressed mobile access control for only a subset of the company’s users. 

For all other users, access from any mobile device remained unchecked. Additionally, inventorying all personal devices of employees was impractical.

Akku’s solution was to restrict user mobile access to a controlled number of manually approved devices per user. By default, users were not permitted mobile access. Upon necessity, they could contact the admin to get a device approved, ensuring secure and controlled mobile access. And in case of a change of device, such as on purchase of a new phone, the admin would be able to deactivate access to the old device and enable access to the new device.

The Outcome

By integrating Akku, the client not only overcame the limitations of their existing security system, but also enabled secure remote access for their employees with seamless device-based access control measures.

The solution addressed the unique challenges faced by our client through Akku’s flexibility and our team’s custom development and deployment solution.

Akku’s flexible and innovative IAM solutions can transform your organization’s security landscape too. Talk to us to know more today.

Here’s why your apps built with no-code platforms need an external IAM

Have you heard of no-code application builders? They are ideal for minor applications without heavy technological requirements. These no-code apps can be taken to market much faster, are cheaper to develop and can deliver a great experience in many cases.

However, while they are easy to build and use, securing apps made with a no-code app builder requires an external IAM.

Access management for internal applications

Consider a desktop-based application such as MS Access, which is used for combining, processing and editing large groups of data from different sources. It’s largely being replaced by web-based equivalents. This kind of small internal application has a clear function, and is therefore easy to build using a no-code development tool.

Internal applications such as data management tools, onboarding tools and other HR applications are often considered lower priority as they are purely internal in use. Therefore, low-budget no-code app builder tools are used in these cases.

However, these applications process a great deal of valuable internal data, and it’s important to take their security seriously and guard access to them. That’s why it’s important to implement a strong IAM tool for all your internal-facing applications.

The risk of web-based applications

With web-based apps, whether or not it’s developed with a no-code tool, you have the freedom to deploy the application on cloud servers on flexible pricing models, and access them from anywhere. Since such apps are hosted on the cloud, it can be risky to access them directly without a VPN.

Tiny no-code app builders don’t invest the necessary time and effort into security and privacy, which is why it’s difficult to set up good protection for such apps. Additionally, the user working on a no-code app builder typically doesn’t have the necessary time and knowledge to do so.

Syncing your IAM

While some well-known no-code app builders offer plugins to integrate with external IAM through SAML and OAuth2, others do not. In cases where such plugins exist, you can use any external IAM system.

When the plugins do not exist, however, and especially in cases where you would rather reduce the coding footprint of your project, consider an IAM product like Akku. Since Akku is a customizable solution, you can use it as a gateway for any major or minor internal or external application, even when the app being used does not support SAML, OAuth2 or OIDC. 

Your minor internal applications often contain or process the most valuable data at your organization. Protect them with an external IAM that’s easy to set up, integrates with any setup, and restricts access to these key internal corporate resources. Protect them with Akku, the customizable IAM.



The simpler way to manage Remote Employee Onboarding

When onboarding new employees, it’s important to keep the process as simple as possible. When all new user activity occurs in a single system, onboarding, especially remote onboarding, becomes seamless and effortless.

If your onboarding system is integrated with Akku, or if you use Akku itself as the onboarding system, this system becomes the first point of engagement for the user with the organization. Every step of the onboarding process is guided by this tool. Since it collects all the user data requested at the very beginning of the interaction with the new employee, Akku becomes the single source of truth for the entire career journey of the employee.

The onboarding process

Once the employee has been recruited, they are instructed to create an Akku account using their personal email address. A website link is then sent to the employee’s personal email id. Upon clicking on this link, the employee is led to a portal where they can begin onboarding by requesting their new corporate credentials.

Once they receive their new credentials, users log on to the same system using their corporate email address and password. On the same landing page, they see the list of guidelines to be followed, documents to be submitted with deadlines, date and location of reporting, how and what to do upon joining the organization, and more. All details are shared in a single window, often including a downloadable offer letter.

A single source of truth

Since the onboarding process for all employees is undertaken through a common digitized system, Akku becomes a ‘single source of truth’ for all information related to each employee. 

This makes onboarding seamless from the documentation perspective, as the new employee has to upload documents to a single location, and all departments involved can access them directly, as and when needed.

Similarly, since provisioning happens through Akku, access to all relevant software and other digital assets is also granted effortlessly through a single application. Not only is provisioning seamless, but authorized managers across departments can also view details pertaining to the new employee via Akku’s dashboards, as it is the single source of information about the new team member.

Remote onboarding 

This kind of single-window onboarding is extremely valuable to employees working remote or hybrid, as most of their interaction with the organization will be virtual. An efficient onboarding process makes a great first impression. It shows that as an employer, you consider employee support to be a tech priority.

Much of the Know Your Employee (KYE) documentation can (or sometimes, should) be completed before the employee actually joins the organization. Since the portal is open at any time and can be accessed from anywhere, remote document collection (in the form of soft copies) is seamless. This is especially important and useful for employees working remotely, as they may not be located in the same area as your office and could need to travel to visit the office to submit hard copies.

Similarly, since employees are also offered virtual orientation, knowledge transfer and access provisioning, remote onboarding becomes easier.

Benefits to remote employees

  1. Seamless documentation: As discussed earlier, since Akku is a single source of truth, all documentation takes place virtually through the portal itself.
  2. Seamless provisioning: As an Akku-based onboarding system of this kind is a single source of truth in the organization, employees do not have to go outside the system to upload data and documentation about themselves, nor to access relevant information, knowledge, or relevant assets.
  3. Seamless knowledge transfer and training: Akku is integrated with a communication system to push messages and communiques to users. Using this tool, orientation, knowledge transfer and initial training can take place through the system itself.
  4. Seamless reporting: The same tool provides user activity monitoring as well, for the duration of onboarding and orientation, since it tracks the progress of the new employee through the predefined process. Akku can directly intimate HR, reporting manager and head of department regarding the progress of the employee through the KYE process via the system dashboards.
  5. Seamless identity management: Since Akku is a full-fledged IAM, the new employee can directly be provisioned with access to all required software and other assets through Akku itself. At the same time, account credentials for single sign-on (SSO) can also be directly generated.

Automated, single-window onboarding for remote employees makes the process significantly more efficient, especially for large enterprises with a huge number of employees joining per day. Single-window reporting is also a feature that smaller businesses find extremely useful, as it makes user management much more efficient for small HR teams. 

Wondering how to make your onboarding process more efficient? Take it digital with Akku. Contact our team today to discuss how to get started.

Identifying Training Opportunities and Boosting Productivity with a User Activity Monitoring (UAM) tool

User Activity Monitoring tools (UAMs) have a bad rep, with many employees believing that they are used by employers for the sole purpose of spying on them. While this may actually be true in some cases, there are so many ways that a UAM can be of real value to an organization – for both the management and the employees. 

Helping you to identify training opportunities for your employees is among the most important benefits that using a UAM can provide. Gallup found that “hope for career growth opportunities is the number one reason people change jobs today”. By offering training to your top talent, you can upskill them and prepare them for new roles and responsibilities.

Do your employees have the skills they need?

Gartner found that “58% of the workforce will need new skill sets to do their jobs successfully”. However, do you know which employees are up-to-date in their skills, and which ones need upskilling or reskilling?

Similarly, you recruit candidates with the skills and expertise that you require for the organization, but you may request your employee to take on slightly different tasks from time to time.

As a manager, you would ask the employee if they have the skills to take on the task. However, new employees or those being considered for promotion may not be comfortable with replying honestly in the negative.

In such a situation, what does the employee do?

What usually happens in such a situation is that the employee accepts the new responsibility and agrees to deliver within the defined turnaround time. They then log on to Google to find out how to perform the task!

The worst part is that as management, all you know is that your team member is not meeting their commitments. You may think they’re lazy or inefficient. There’s a tendency to put more pressure on them, resulting in unnecessary stress and employee burnout.

Even if you have product management tools where the team logs time spent on different sub-tasks, they’re not likely to log research time. After all, they are trying to hide from management the fact that they lack the required knowledge or skills!

How can you solve this problem?

Use a User Activity Monitoring (UAM) tool to understand how the employees are performing. For instance, Akku’s UAM proxy reads users’ app activity, including which websites they are visiting and how long they’re spending time on sites like Google, Stack Overflow or Stack Exchange.

Akku then shares reports on the relevant data. By studying these reports, you can see which employees are spending an unusual amount of time on Google and other work-oriented research. You then understand that they need more training on specific subjects, and can plan reskilling accordingly.

Using a UAM right 

UAMs are often used by managers to snoop on their employees and penalize them for slacking or for time away from their device. As a result, employees try to work around the system to maintain their privacy.

A UAM is not about policing employees’ time – it’s about productivity. User activity monitoring, when it’s done right, is of great benefit to both employee and employer. Prioritize productivity by identifying skilling opportunities and delivering appropriate training content to your employees who need it, when they need it.

Work with Akku to implement UAM and improve organization productivity. Schedule a consultation with us for more information.

When should you implement an IAM solution?

In which stage of the user or employee lifecycle should an IAM solution ideally be implemented? The answer is: Right at the beginning, during onboarding. When the IAM is implemented early, it becomes part of the organization’s culture and ethos.

Provisioning and onboarding

Access to necessary applications and data needs to be provisioned as soon as the employee is onboarded. When an IAM is not used, access may be provisioned improperly with the intent to keep track manually and perform proper provisioning later.

For enterprise-level organizations with a huge number of employees, this causes issues at a later stage, as you may not have a proper record of the rights provided to each individual. When access provisioning is done properly with an IAM, access privileges will be tracked automatically to keep track of what access is and is not given to each employee.

Redundant data capture is also a real problem as the same data is entered by the new employee in the HRMS and then in the IAM for provisioning. By using a single platform, the redundancy is eliminated.

Single-platform onboarding

Instead of onboarding through multiple tools such as an HRMS or ERP, you can complete onboarding through a single platform – an IAM, such as Akku. You can also integrate your HRMS with Akku’s REST API, if you prefer. When using Akku for onboarding, your employees can upload all required induction documents through the IAM dashboard itself. This could include proof of identity documents, experience certificates, etc. Akku also allows you to set deadlines and schedule reminders for each employee. 

Why choose Akku?

Many businesses choose to work with Active Directory to simplify onboarding. However, there are certain issues with AD, including non-seamless remote working and of course, the enterprise-level costing.

Additionally, in as much as 50-70 percent of cases, in our experience, employees are brought in via a different tool and then asked to provide details on IAM as well. Instead, you can streamline the process with Akku, a tool that allows single-point data capture for onboarding.

How does a true PAM work?

A Privileged Access Management (PAM) solution helps to secure and control privileged access to critical software and assets. Credentials and specific levels of access to various applications are provided through the PAM.

Usually, organizations implement PAM only for authorization and de-authorization of access to the apps. For instance, let’s say a new employee needs access to Gmail, Jira, and your CRM. Typically, organizations only provide access when the employee joins, and revoke it when he or she leaves. This can be done by a simple Identity and Access Management (IAM) solution – however, a PAM can do much more. (Quick side note: Akku serves both PAM and IAM needs.)

Here are some of the key functions that a PAM solution generally serves.

1. Assigning specific rights and access privileges

On each SaaS platform, what rights does each employee have? For example, take the CRM. Can they add and delete workflows? Is an individual user to be a super-administrator? Do they need to be allowed only to create contacts, but disallowed from editing or deleting?

Access may also be changed for the employee as they grow within the organization. When the employee is promoted, they may get additional responsibilities. For instance, a sales executive may not be allowed to edit contacts, but once promoted as a sales manager, this permission may become necessary. 

You need not go to the CRM to make these changes – you can do so directly from your PAM platform. An IAM and PAM tool (like Akku) will allow you to manage changes to access permissions such as these from a single dashboard, with a single click.

2. Deprovisioning access

The day an employee leaves an organization, the IT team usually uses their generic IAM to revoke access to all SaaS apps (Gmail and Freshdesk, for example). 

However, by doing this, only the IAM gateway to the app is deactivated: the license on the application itself remains. That means that the subscription charges continue on, as well, unless you go to the SaaS platform and delete the license there.

A true PAM directly deletes the license on Gmail or Freshdesk as well. It also follows the same exit procedure as that of the app itself. For instance, Gmail allows you to back-up email data to an email account of your choice before deleting the account. A professional IAM and PAM tool like Akku does the same, following the same laid-down process of the application.

By directly deleting the license on the application platform itself, you can be sure that you won’t waste money on subscription charges due to human error. This kind of automation is essential for enterprise-level customers. As they have a huge number of licenses, it is impossible to manually track the licenses in use and those no longer required. As a result, enterprises may realize that such a costly error has occurred only after subscription fees have built up! 

The PAM also prompts you when you’re not using a license, upon which you can delete the license through the PAM.

Akku is a customizable IAM and PAM solution with user-friendly features that can be configured based on your specific requirements. Our team is well equipped to help you implement PAM at your organization and get the most out of it. Let’s talk.

Think beyond Active Directory for hybrid working

In 2020, the pandemic had a major impact on security and cyberattacks. The year saw the highest number of data breaches and cyberattacks in decades. In India alone, more than 1.1 million cyberattacks were reported in 2020, almost three times the number reported in 2019.

The new norm of work-from-home, paired with the Great Resignation, made cybersecurity even more challenging for enterprises. There was a steep increase in staff turnover and that came with access and privilege requests – all to be administered remotely.

On-prem IAM solution

The traditional, on-premises model for cybersecurity was to implement a solution like Active Directory (AD). This identity and access management solution helped to regulate device and user authorization through password policies and account privilege policies.

Many organizations (approximately 90% of the Global Fortune 1000 companies, says Frost & Sullivan) for identity and access management. Active Directory works on the enterprise network to manage the organization’s devices based on company policies for software and content access, password creation and maintenance, and other security requirements.

It pushes these enterprise policies securely to all network devices. It offers several advantages, primarily control and fast access to information. However, implementation of AD infrastructure in an organization requires proper planning and investment, and that can prove expensive depending on how many systems are being managed. AD depends on the office network and is located in the server room on the office premises.

Working remotely with AD

When using an on-prem IAM solution like Active Directory (AD), users sign on to the single AD portal to access their data and applications. The only way to sign on to AD is via the organization network.

During the pandemic, enterprises suddenly moved to remote working – rendering the on-prem solution useless. Suddenly, users needed to log on to their network from a remote location, through a VPN. The investment in multiple VPN licenses would result in a huge expense, while free or open-source VPNs could lead to security vulnerabilities themselves! This also created an additional step in the log-in/access process.

In addition, since the AD infrastructure depends on the office network and is entirely located in the company’s server rooms, it requires on-premises monitoring and maintenance by at least two trained technicians.

Azure AD

Microsoft understood that these problems could be faced by pandemic-stricken users of AD, and recommends that in such cases, Azure AD (the cloud version of Active Directory) may be used. However, Azure AD is associated with high initial CAPEX and ongoing maintenance costs and requires training for the technicians to be able to manage it.

These expenses are hard to justify, for businesses that had already invested in AD – typically, AD costs a significant amount of time and money. Some small and medium businesses simply could not afford the fresh costs, and instead looked for workarounds that potentially resulted in new vulnerabilities.

So are your only options expense, operational difficulties, or potentially vulnerable workarounds?

Opt for customized IDaaS

With a custom IDaaS (Identity as a service) solution, you gain the flexibility and usability of Azure AD, at a cost that suits your needs. Service providers like Akku offer complete automation of the identity and access management function, on any device accessing enterprise assets, from anywhere.

On-prem is old-school; the future is the cloud. Consider a cloud-native IAM solution like Akku, that’s completely customizable to your requirements. It’s more cost-effective and hassle-free. Contact our team to learn more.

 

Data Logging and Audit: The IAM advantage

One of the key functions of an effective Identity and Access Management (IAM) solution is data logging, to capture and store information about which users access what applications, and when. These logs can help to drive effective decision-making through auditing in three key areas – financial, security, and compliance. Here’s how.

Financial audits

Optimization of software licensing is an area where your IAM can play a role in financial auditing. 

Through the logs maintained by your IAM, it is possible to extract actionable insights on the actual usage of software licenses that your organization owns, and therefore the number of users actively using each application, and whether there is very low usage of certain applications.

This makes optimization possible by reducing the number of licenses for specific applications if they are in excess, and by dropping or retiring applications that are not being used.

It is important to note that most IAMs will only capture the base data that would feed such audits and analysis, and generally would not provide these insights within the platform. However, if you are working with a highly flexible IAM, such customizations should be possible to implement.

Security audits

Logging user actions can help companies improve security as it is a way for administrators to detect breaches early, and also analyze and provide verifiable evidence of the source of breaches.

An effective IAM solution would maintain detailed logs monitoring all access and activity on the organization’s apps, ensuring that there is no unaccounted access. This provides complete visibility into which users have accessed which applications, and when.

Security auditing verifies whether all documented protocols are being followed and assists in preventing and tracking down malicious activity. To maximize the security benefits of audit logging, logs should be reviewed regularly and often enough to detect security incidents.

Compliance audits

Compliance audits help to ensure the efficiency of compliance programs, to ensure that your organization achieves and maintains certifications and recognized standards, in turn leading to improved customer loyalty and satisfaction.

Your IAM can help to provide verifiable evidence of compliance with security, data protection, and privacy standards and laws. This is achieved through features such as multi-factor authentication and enforcement of strong password policies. Similarly, prompt deprovisioning of user accounts through a single sign-on (SSO) functionality, and dissemination of mandatory employee communications through the common platform of the IAM go a long way towards complying with statutory standards.

Compliance logs are also useful when it comes to following General Data Protection Regulation such as respecting employees’ right to be forgotten.

Are you making the most of the logs captured by your IAM to manage financial, security, and compliance audits at your organization? Unlock the value of your data, and take it even further with customized reporting and dashboards with a highly flexible IAM solution like Akku.

Flexible Identity: IAM solutions need to bend… a little at least!

In the world of Identity and Access Management (IAM), flexibility is the key to stability. While IAMs are not new, the threats that they are helping to protect against and the environment in which they are operating are constantly evolving. Adaptability is more critical than ever.

Negotiating this ever-transforming environment, enterprises need both flexibility and fit in terms of their identity and access management strategy. This means finding an ideal IAM solution that adapts and grows with your business, customers, workforce, tools, processes, and market trends. Your IAM needs to balance user-friendliness and security, or users tend to get frustrated and search for workarounds that can open up security vulnerabilities.

Rushing into a decision about your IAM without a fully-formed strategy can result in a solution that is so rigid it doesn’t solve your problems! An inflexible IAM that does not support your identity and access management needs, can negatively impact user experience and decrease productivity. Technology should enhance security goals, not compromise them. Opt for a flexible IAM solution.

What do we mean by flexibility? It is the ability to use the IAM in the way that you want, without being constrained by its own features.

Flexibility in authentication methods

A flexible IAM offers a wide range of strong and centralized authentication mechanisms that cover cloud and mobile assets, permitting you to set password policies with multiple multifactor authentication (MFA) options. Modern MFA solutions provide users with multiple options depending on the circumstances (for instance, a hard OTP token may be used when working offline). This ensures that while security is the priority, productivity is not compromised.

Flexibility in integration

Your identity provider (IdP) must integrate with your IAM. Identity providers, such as Azure AD, are third-party service providers that store and manage digital identities. Choose the IAM that integrates seamlessly with your IdP, and which integrates with and provides access to a large list of cloud, on-prem, SaaS, licensed, and custom apps. This gives you the flexibility to use any IdP and app, based on the merits, without being tied down by your IAM.

Flexibility in access management

A flexible IAM allows you to define proper access privileges and set custom device restriction rules, in order to balance security with usability. A central directory, for instance, can help to manage access rights by automatically matching employee job titles to locations and relevant privilege levels. Further, a flexible IAM system can be used to establish groups with privileges for specific roles thereby uniformly and securely assigning access rights. By making it easy to define access privileges, your IAM becomes more flexible and user-friendly.

Customization

With IAM solutions, one size does not fit all. Look for a solution that allows you to customize everything from number of users to MFA options to report customization and content restriction. The more you customize the IAM to suit your needs, the better the digital experience your company can provide to its workforce – and the greater the impact on the business and the bottom-line.

Akku is a cloud-based powerful identity and access management solution that is designed with SME/MMEs in mind and their ever-changing needs. Contact us today for a consultation.

Authentication, Authorization, Auditing: the Three Pillars of IAM

In an earlier article, we explored the 3 pillars of a Cloud Access Security Broker (CASB), with Identity and Access Management (IAM) being one of these pillars. In this blog, we dive deeper into IAM, and the key concepts on which it is built.

2021 saw the average cost of a data breach rising from US$3.86 million to US$4.24 million on an annual basis, according to the IBM Cost of a Data Breach Report 2021.

Data breaches are increasing. And your Identity and Access Management solution, or IAM, is your first line of defense. IAM secures, measures, monitors, and improves the security of access through a standardized process.

How does an IAM improve security? It offers three pillars of support: Authentication, Authorization, and Auditing.

Authentication

How do you map the correct users to gain access to the correct content, at the correct times? 

Authentication takes place whenever a user attempts to access the organization’s network or assets. Verified credentials serve as a passport that allows users to access data, systems, applications, and resources.

With data breaches becoming more common, user authentication is vital to security. Organizations are prioritizing advanced security through sophisticated additional authentication methods. For instance, your IAM would secure your access management with two-factor or multi-factor authentication by pairing a username and password with a key card or OTP token, a fingerprint, or facial recognition. Every user has unique credentials, and IAM authenticates the user data to confirm that the user is a member of the organization.

Using a strong password policy can also improve authentication security. Verifying whether your IAM allows you to configure and customize your password policy is essential in providing a comprehensive authentication process. 

Authorization

While authentication verifies the users’ identity, the authorization aspect of IAM is what grants the user access to data based on their identity and defined access rules. While the two are related, they are not interchangeable.

In a sense, authorization is the second step to authentication – think of a night club, where the bouncer allows you entry after checking your ticket stamp (authentication), following which another staffer inside decides if your stamp allows you access to every area of the club or restricts you to select areas (authorization).

In organizations, users are granted authorizations according to their roles. Proper authorization is important to prevent data breaches.

For secure authorization, follow the zero trust principle and provide minimum possible access to each active user and immediately deprovision ex-employees. These two steps ensure that the risk of data breaches caused by improper authorization or disgruntled employees is reduced.

Auditing

Auditing security configurations helps weed out redundancies within the IAM system, such as IAM users, roles, and policies that are not required, and make sure that all users are authorized and authenticated. It also helps secure the system by regularly monitoring who has access to critical enterprise assets.

Audits ensure that compliance requirements are met, incidents are responded to and taken care of within a defined period of time, procedures are streamlined, responsibilities are segregated, transparency and documentation are maintained. 

Audits can also help to understand employee or user contributions on a particular app or data sheet. This can also be used in version control. Knowing who last logged on to the document gives usable information in cases where data has been breached. 

Chinks in authentication, authorization, or auditing can result in a compromised system. Opt for a trusted IAM solution such as Akku, a major emerging player in the APAC region. Akku offers a plethora of customizable options to improve data security, standards compliance, efficiency, and productivity.