Security isn’t a one-time investment: 3 key areas where most organizations fail

Your management team says that the time has come to invest in your organization’s cybersecurity. Your operations team agrees and says they are committed to security. Your IT team says that an IAM would help to secure your data and application, and identifies customizable IAM solutions, such as Akku, for investment.

So far, so good. But does that complete the job from your team’s end?

Even if your organization’s management and users believe that they are totally committed to improving cybersecurity, many of our recent IAM implementations have brought up some interesting issues of organization productivity.

Low priority on training

Many corporates believe that their employees – young, apparently tech-savvy, living in metropolitan areas – are sufficiently aware of all necessary cybersecurity measures. They believe that their teams are equipped to set up strong passwords, manage their own multi-factor authentication, avoid phishing attacks and browse through only secure web pages.

Some businesses, especially very large enterprises, do understand that cybersecurity training is necessary. However, others (regardless of size) often don’t feel it’s important for workers to take time out from their regular routines to focus on security. This is a prioritization issue, not one of budgets or resources. It can result in a number of security issues, including in terms of secure access to applications and data. No matter how technologically aware your team is, no one knows everything. It’s important to keep your learners up-to-date with regular cybersecurity training.

Fear of adoption

For a simple example, consider single sign-on (SSO). Single sign-on is an efficient way to log on to multiple applications. Using 2FA or MFA (two-factor or multi-factor authentication), single sign-on is secure as well as easy. However, if your team has never used such tech before, it can be bewildering. In our experience, 75-80% of corporate users don’t know how to use SSO without training. Post implementation of Akku, our team has occasionally offered training on how to use SSO and multi-factor authentication in the past. 

When we speak to our customers, we find that in many cases, fear of adoption is a bigger hurdle than cost of implementation or features provided by the IAM. They believe that their workers simply don’t know how to use MFA, and that it’s too much effort to provide regular updates and training to fix this gap.

In our experience, fear of adoption prevents more investments in cybersecurity applications than budget or other concerns.

Prioritizing productivity over security

While Akku or other IAM solutions secure access to applications and data, there is a certain amount of involvement needed from your IT team. A classic example is the password change self-service functionality. This functionality allows your users to manage, update and change their own passwords. 

At Akku, our policy is against self-service for password management. This is an intentional choice as it risks allowing users to set weak security questions or repeat common passwords used in other personal accounts. This, further, risks hacking through social engineering or credential stuffing attacks. In addition, when users know that they can reset their passwords at any time, they feel that their responsibility to secure their account and credentials is not as urgent. When they have to disturb their IT administrator every time they forget their password, this feels like a much more serious problem!

However, centralization of password management is inefficient for IT admin teams. In our experience, around 0.2% of users forget their passwords, every day. For an enterprise of 5,000 users, that results in upto 10 password reset requests, every day. As a result, some organizations tend to prioritize team efficiency or productivity over cybersecurity, by allowing users to manage their own passwords.

This raises the question: are you prioritizing your cybersecurity or team productivity? At the end of the day, you are responsible for your own cybersecurity. Taking the decision to invest in Akku or any other security infrastructure is an important step, but you need to keep the focus on cybersecurity on an ongoing basis. 

Security is a long term commitment, not addressed by a single investment. Talk to our team today for a holistic consultation on the next steps towards a more secure organization.

How to select your IAM service provider

Given the increasing number of cyber-attacks, greater adoption of Cloud Services, and swelling mobile workforce, it’s little wonder that IAM has been gaining recognition as a key technology platform at the forefront of the digital world. 

At the same time, IAM is almost never one-size-fits-all, and so choosing the right solution provider is important. Your IAM needs to work at scale, efficiently, and seamlessly. It also needs to be cyber-attack-proof as well as future-proof.

There are several IAM providers in the market, with more continuing to enter the fray. And why not, considering the global identity and access management (IAM) market size is projected to reach USD 24.76 billion by 2026.

So, how do you know which identity and access management solution is right for your organization? Here are some important factors to consider…

Credentials

What you need is a proven solution, one that can scale and perform. At the same time, if you are not a large enterprise yourself, the large enterprise IAM platforms on the market may prove to be financially unviable.

There are IAM platforms that offer most of the same functionalities at SME-friendly costs. To evaluate these solutions, get information on the following factors to see if you are on the right track:

  • Customer references or testimonials
  • Age of the business. How long has your vendor been around?
  • Any data they may have on product testing, performance tests, security tests, and so on
  • Policy controls regarding data access governance, adaptive authentication, and so on
  • Number of similar projects done as well as case studies. You need to align with an IAM vendor that shares your direction

Identifying an established and well-regarded smaller service provider can be a great way to build the capabilities you need without breaking the bank.

Technical expertise

Deploying an IAM solution is rarely a simple plug and play process. Today, most organizations – whether large enterprises or SMEs – use a range of applications, both cloud-based and on-premise. Integration and deployment support therefore need to be key factors in your selection process. While you yourself may not be fully technically aware, here are some questions you need to ask:

  • Does the IAM’s SSO support all of your current and planned apps? Does it come with pre-built connectors for SaaS applications? Also ask about integration kits, token translation capabilities, and support for a range of industry standards.
  • How does your vendor plan to monitor, track, delegate, revoke, suspend or integrate access across applications?
  • Does your vendor have on-prem deployment options while offering flexibility to sync data from heterogeneous data?
  • What approach does your vendor use to handle the migration from a legacy system?
  • What multi-factor authentication options are supported and can they be accessed via APIs, SDKs, or both? Ask about the types of MFA supported — use of mobile devices, push notifications, SMS, and so on. The MFA options need to balance security and user experience.
  • What range of authorization and access policy controls does it provide?

And finally, are you and the vendor the right fit?

You must align with an IAM vendor that shares your direction. Particularly as a small or mid-sized business partnering with a small or niche vendor, you need to both share the same roadmap so that the journey together is smooth. 

Also, before you select a vendor, ask yourself how much technical help you require – do you possess enough internal technical capabilities to deploy an IAM solution on your own? What about post-deployment tech support?

Here are more questions to have answered so you are the right fit. 

  • How customizable is the solution? Can it meet your tech needs today and tomorrow?
  • Is the authentication policy adaptable? It needs to be because a one-size-fits-all authentication can hinder user productivity, experience, and so on. A customized solution is what you are looking for.
  • Are the authentication policies adaptive and scalable? (Do read our previous article on Alternatives to Okta for more)
  • What plans does your vendor have for large-scale deployments and product performance? How are they adapting to emerging standards considering the industry is evolving rapidly?
  • Most importantly, does the IAM vendor’s long-term strategy align with your objectives?

Akku specializes in creating solutions tailor-made for the needs of small and medium-sized businesses. Call us today if you want IAM solutions that best fit your enterprise needs.

What are some alternatives to Okta?

In this new world of remote working and cloud enterprises, Identity and Access Management (IAM) has been thrust to the fore. It’s almost as if the economy now relies on agile and automated IAM systems to enable rapid and seamless digital transformation.

Okta is the leading player in the area of IAM, and has made major strides forward in the field by harnessing artificial intelligence, and thus going beyond merely using the password and other multi-factor authentication options.

Okta has several advantages such as its security, scalability, and simplicity. But cost-wise, Okta works better for larger enterprises and can prove to be quite expensive for smaller organizations.

Though Okta is a popular choice, that doesn’t mean it is your only option. There are several other options out there for enterprises looking to go the IAM way, each with its own advantages. 

Some of these alternatives include Active Directory Federation Services (ADFS), OneLogin, and Akku for instance and we’re going to give you the lowdown on each of them.

1. Active Directory Federation Services (ADFS)

Developed by Microsoft, ADFS is a Single Sign-On (SSO) solution and is a component of Windows Server operating systems.

ADFS is preferred by many enterprises as it is perceived to be more stringent on privacy issues when compared to other tech majors; and more convenient as most enterprises use Windows Active Directory (AD) for user management already, meaning there is no environment change if you are adding on ADFS.

But like with Okta, initial costs are high, and there are hidden infrastructure and maintenance costs as well. For instance, commissioning ADFS requires a Windows Server license, which comes at a cost. 

Also, ADFS tends to be complex and needs substantial technical know-how to use properly. Commissioning, configuring, and maintaining an ADFS solution is time-consuming and customer support too, though free, is not very user-friendly. 

2. OneLogin

OneLogin, another market leader, brings to the table secure, one-click access, through all device types. Advantages are that OneLogin comes pre-integrated with over 4000 apps, offers multiple language options, and integrates with popular directories such as Active Directory (AD) and G Suite, thereby offering flexibility for growing businesses. 

But like with Okta and ADFS, here too, pricing can be steep for smaller enterprises. It is also complex to use and though it integrates with AD, it offers limited analytics on the admin console, user support time is not ideal, and adding new apps can be tricky.

3. Akku

Akku (yes, that’s us) is an emerging player in the Asia Pacific region. While it comes with all IAM features, it has been developed specifically keeping the needs of small and medium sized businesses in mind. It is therefore ideal for teams of 10-300 people and companies looking for high ROI and responsive support. 

So, if you are a smaller enterprise, a fast-growing start-up, or a business in any industry where value for money is an important consideration, Akku presents a sensible option. Another advantage here would be that it provides enterprises with complete control over data access and privacy on the cloud while staying compliant with statutory standards.

Akku isn’t a one size fits all option and because of the bespoke nature of the solution, it takes more time than Okta to purchase and set up. But once you are all set up, it is simple to use, and offers all the IAM functionalities you will need at a fraction of the cost of the other options listed here.

So, there are options out there for IAM beyond Okta. And while a strong IAM strategy is integral to productivity and security, you’ve got to choose one that fits your requirements and your budget. If you are a small or medium-sized business looking for an IAM solution, with an eye on customization, contact Akku today.

The twin benefits of IAM: Streamlining compliance processes and security

Process reliability, transparency, traceability, and flexibility – the four aspects of modern IT security. An Identity and Access Management solution (IAM) is the foundation for all four.

IAM plays an important role in regulatory compliance. To achieve certifications like ISO and meet standards such as the European General Data Protection Regulation (GDPR), an enterprise needs to ensure strong documentation and process standardization, provided for by a robust IAM program. With live data and analytics from the IAM, you can confirm you are standards-compliant, any time. You don’t need to scramble for documentation at audit time.

The right IAM provides availability of information and automated security measures result in faster processing, compliance with legal regulations, fewer violations, and reduced vulnerability. Here’s what to look for when selecting your IAM solution provider.

Are the access logs being maintained?

Maintaining logs ensures that no one accesses the server without being accounted for. With the right IAM, such as Akku, every entry to the data host server, and every server activity, is accounted for with timestamps. 

Akku ensures double security and accountability. If an Akku executive needs server access, your IT admin will receive an OTP for authentication; both need to be logged on simultaneously for access by either. It applies the principles of ‘zero trust’ or ‘least privilege’, wherein all traffic is authenticated, authorized, and continuously validated at all times.

Are you receiving instant alerts?

The GDPR requires that any information that can identify a person be protected – from their personal and contact details to their bank accounts and health records and even their political views. GDPR requires that all data breaches be reported within 72 hours. Your solution provider must enable you to do this. Akku, for instance, sends instant alerts upon encountering any suspicious activity.

Is your solutions provider enforcing password policies?

Passwords are integral to cybersecurity; they are an organization’s first line of defense. However, according to the 10th edition of the Verizon Data Breach Investigations Report, 81% of hacking-related breaches leveraged stolen and/or weak passwords. 

That’s why you need documented proof of strong passwords, and enforceable policies in place to make sure the passwords are indeed strong and secure. One solution is when the IAM’s default password policy is itself compliant with industry standards, as is the case with Akku. It can be further customized based on your organization’s compliance needs. If you need more information on this, do get in touch with the executives at Akku.

Are you “forgetting” employees the right way?

To comply with GDPR, you need to respect ex-employees’ “right to be forgotten”. Employee data can be stored only for a specific purpose. For instance, if you use an employee’s information for a seminar in April with their consent, you cannot use it again in December without their explicit consent. Also, there may be contractual or self-employed workers, and data protection regulation requires that you delete their data once they have left the organization. Since IAMs like Akku manage the entire user lifecycle, one-point deprovisioning and deletion of records makes this easy.

What about managing internal communication?

Certain employee training programs and surveys are mandatory for compliance with  the various norms and laws. While it isn’t a standard feature in all IAMs, some solutions like Akku offer an internal messaging feature. Using this, videos and other content can be rolled out seamlessly for continuous learning. 

Can you check app usage?

Does your IAM solution provider allow you to track all aspects of activity on your server environment? They ought to, as this gives you a better understanding of patterns of usage, actual utilization, and other useful information. Using this data, you can make decisions like whether you need to upgrade the server, increase or decrease the number of app licenses, and so on. Akku is one of the IAMs that provide this facility.

If you are looking at improving audit compliance and making standardization easier, it’s important to roll out an effective Identity and Access Management solution that works for your unique needs. Connect with Akku to learn more.