In general, a certificate is a means of creating evidence. In the domain of identity and access management, a certificate creates evidence in the form of a digital signature to verify the identity of an individual, a company, or other entity, and associates that identity with a public key.
Like a driver’s license or passport, a certificate provides a generally recognized proof of a person’s identity. Certificates have one main purpose: to establish trust.
Authentication is the process that verifies that a user is who they say they are. So a certificate makes authentication more efficient because the identity cannot be changed.
By enabling the certificate-based authentication, it is possible to reliably evaluate the user’s right to access the requested resource.
How does it work?
First, the user enters their private password.
The client receives the private key, and creates an evidence – in this case, in the form of a certificate or digital signature.
Now, the client sends the evidence through a secured connection across the network.
The server uses the evidence to authenticate the user identity.
Finally, the server authorizes the evidence and allows access.
This brings us to the question of how to implement a certificate-based authentication in your organization.
Akku by CloudNow is a powerful and secure identity and access management solution that uses certificate-based authentication to control user identity and secure access to your environment. Learn more at www.akku.work
The European Union enforced the General Data Protection Regulation (GDPR) in May 2018 with three main aims: to harmonize data privacy laws across Europe, to protect and empower the data privacy of all EU citizens and to reshape the way organizations across the region approach data privacy. As you can see “data privacy” is the keyword in all three of the above mentioned aims. With multiple data breaches coming to light in the recent years, even from several of the world’s biggest corporates, the European Union has enforced stringent measures to regulate the use and prevent the misuse of citizens’ data through the GDPR.
Compliance and Consequences
As stated specifically in the GDPR, all enterprises (whether businesses or organizations) must take a “high level of protection of personal data” as one of their top priorities so that the “abuse or unlawful access or transfer” of such data may be prevented. If data is breached, or if GDPR procedures are compromised, the enterprise will face serious penalties. The fine for the non-compliance to GDPR for breach of data could be up to €20 million or 4% of annual global turnover, whichever is higher, depending on the type and extent of the breach.
This applies not only to enterprises within the EU, but also to those that may be located outside and offer goods or services of any type to the EU. The GDPR rules also apply to cloud controllers and processors.
The Emphasis on Passwords
Interestingly, the GDPR does not place any direct regulations on the way passwords are created or used. However, when it comes to the protection of online data, it’s hard to argue against securing passwords being the logical first step. On the one side, businesses that provide access to customers through an online portal typically ensure that they are creating secure passwords to sign in to by enforcing password policies that define their length and other parameters.
However, the slip often occurs when the employees of these enterprises are allowed to create weak passwords for accessing in-house applications. What is often forgotten is that these applications also carry sensitive data that belong to both the enterprise and its customers. A compromise here can cost the enterprise more than just the data; it will cost its credibility as well.
By enforcing a strong password policy, administrators can ensure that users of an enterprise’s applications set up and use only passwords that are secure and, therefore, much less susceptible to brute force attacks and other hacking attempts.
A password policy defines and enforces a set of rules that include the minimum length, acceptable combination of small and upper case letters, use of numbers and special characters, expiration period of passwords and so on.
Without a password policy, the administrators of an enterprise would have no control over the type of passwords their users set, and would have their hands tied when it comes to situations that lead to a data breach, making it hard to demonstrate the GDPR’s requirement of a “high level of protection of personal data”.
This makes a strong password policy a critical requirement for every on-premise as well as cloud-based application, both for data security and to work towards complying with this aspect of the GDPR.
The Hybrid and Multi Cloud Conundrum
Unfortunately, setting in place a password policy across all of an enterprise’s applications is much easier said than done.
Most enterprises use a wide range of applications across different platforms – both cloud-based and on-premise – with each application operating on different technologies and each with its own identity management and password policy, controlling how users set up passwords in each application can often be an expensive and time consuming process.
Implementing a common bridge layer across of the applications used by the enterprise in the form of an Identity and Access Management (IAM) solution to act as the identity provider (IdP) across all applications is the best way to overcome this challenge.
The Akku Solution
Akku is an identity and access management solution that integrates all of the on-premise and cloud-based applications of an enterprise, providing a single platform for administrators to control employee access, permissions, and levels of control within its different applications.
With Akku playing the role of the identity provider (IdP), it enables administrators to set up a single password policy that will instantly be applied to all of the applications that are accessed by a user at the workplace. This password policy holds good, irrespective of whether the application is on-premise or cloud-based, or across different platforms. Akku also allows for the secure resetting of passwords, as specified by GDPR standards. Besides password policy enforcement, Akku also utilizes a custom salted-hash function, users’ credentials are also encrypted to ensure a high level of security.
Want to explore a quick and hassle-free password policy implementation across your enterprise applications? Get in touch with us today at firstname.lastname@example.org
Allowing your users to access your official data from anywhere and at any time sounds like a great idea! They can complete their work even when they are on the move by accessing your company’s cloud-based applications. So, why should we restrict access when it has all these pros?
When you permit unshackled access to your company’s applications from any location and device then you also expose your company’s sensitive data and apps to the risk of security or privacy breaches. The possibility of unauthorized access to your sensitive data is a major concern for any company using cloud-based applications.
Why do you need IP restriction?
IP-based access restriction is a great way to secure and protect your mission-critical business data outside your LAN by preventing access to your apps from any IP addresses other than your trusted whitelisted IP ranges.
How does IP-based restriction work?
An IAM solution offering IP-based restriction uses a customized SAML API and integrates with your cloud-based applications. That way, identity management is brought into a common platform across all service providers, with the IAM solution acting as the identity provider. With the identity provider enabling one point control, it is possible to restrict access to your applications only from permitted locations, regulations and IP addresses.
Why restrict based on device?
Device-based access restriction allows you to allow access for specific users only from authorized devices, to prevent misuse or loss of data – that way, users cannot access applications from devices that have not been approved for their use, and unauthorized people cannot access data from devices that may have been approved for other users.
How does device-based restriction work?
With many IAM solutions, device-based restriction is applied through the use of plugins – however more advanced solutions make use of a certificate-based authentication method which has the major advantage of being tamper proof.
A secure certificate-based authentication is completely platform and browser independent and enables cloud administrators to provide or revoke access to SaaS based applications only from specific devices, even when they are outside the office network. Restricting access based on device helps to minimize data breaches and provides the right access to the right people.