Online identity theft, simply put, is impersonation on an online platform. If someone else pretends to be you — either by stealing your credentials and logging into your account or by creating a fake account that others believe is yours – then your identity has been stolen.
There are a number of ways – data breaches, phishing, mishandled passwords, and more – through which personal data collected by an organization can be compromised, giving rise to the risk of identity theft. There are also a number of ways in which Akku, the Identity and Access Management (IAM) solution by CloudNow, can help you prevent it.Continue reading Prevent Online Identity Theft with Akku
Apart from data security, data privacy represents a major area of concern in IT security today. When it comes to data privacy, all organizations are very particular about where and how their company data is being saved, and who has access to it.
This is also related to one of the major reasons why organizations still hesitate to move their data to the cloud – “who else has access to my data if I move to cloud?” Even though almost every IaaS and PaaS provider tries to build confidence in their clients through certifications by authorized agencies, many enterprises are still not convinced. The reason is that there are still areas that lack transparency, where details on their data privacy are not clearly explained and conveyed to them.
To make things more complicated, in many cases, “backdoors” are being legalized by governments!
An effective identity and access management (IAM) solution plays a major role in data privacy and security and could go a long way in addressing the concerns that many businesses have. However, when it comes to IAM, most of the tools do not provide a dedicated server for each of their clients. While it is a fact that a dedicated server tends to cost more when it comes to pricing to the service provider, it is definitely the best way to provide 100% visibility to the client on their company data.
When a dedicated server is assigned to a client, it is possible to share server access between the client and service provider – the service provider cannot login without the client’s knowledge, and the client cannot login without the service provider’s knowledge. This may present some practical difficulties, but it is the only way to give a client 100% confidence that their data is truly under their control.
While it is true that all models have their own advantages and disadvantages, the use of a dedicated server for each client is clearly the best solution in terms of visibility and transparency, with minimal practical difficulty.
Google Cloud Platform (GCP) IAM comes as a free service that is available by default to all users of the Google Cloud Platform. GCP IAM is Google’s identity management console, enabling administrators of organizations to manage access and permissions provided to employees across the range of applications and resources that come as part of the Google Cloud Platform. The main function of the IAM is to grant specific users/roles with access to specific GCP resources and prevent unwanted access to other resources. The fundamental building block of GCP IAM is an IAM Policy which answers the question of who (identity) has what access (role) to which data or applications (resource). This IAM Policy is made up of permissions, bundled into roles and matched by identities.
Let’s take a closer look at the concepts of identity, role, and resource as defined by GCP IAM, which make it a useful IAM solution.
A user’s identity can be accounted for through their Google account (assigned to an individual), Service account (assigned to a service related to the user’s role), a Google group (which can contain more than one Google/Service account), or a G Suite domain name (consisting of all G Suite accounts under a particular domain) or Cloud Identity domain (consisting of all G suite accounts under a particular organization) name.
A role is a combination of permissions assigned to an identity. Traditionally, Google had what are now known as Primitive Roles – which were a standard set of 3 – namely, ‘Owner’, ‘Editor’ and or ‘Viewer’. However, in GCP IAM, Google has gone not one but two steps further – with Predefined Roles and Custom Roles – in allowing administrators a wider range of options when it comes to assigning roles (and therefore, access to do less or more) to the organization’s resources. With what are known as Predefined Roles, granular separation of duties, such as Instance Admin and Network Admin to name a few, is made possible. Custom Roles, as the name suggests, are roles which administrators can customize based on the organization’s needs.
As defined by Google, “resources are the fundamental components that make up all GCP services”, and include Cloud Pub/Sub topics, Compute Engine Virtual Machines, Cloud Storage Buckets, and App Engine Instances. These resources can then be grouped into projects. Administrators can assign permissions based on different roles to identities in their organization in order to provide them with access to specific resources. On the other hand, they can also provide access to projects, which will then provide users with access to all resources under the project. In the GCP hierarchy, a group of projects can also be placed under a team, teams can be placed under a department and departments can be placed under the organization. Administrators can decide the level of access they wish to give each user based on this hierarchy.
GCP IAM is great, but….
Despite the extensive control it provides to administrators, and the numerous possibilities in authorizing user access, GCP IAM has one downside.
Organizations today utilize a wide range of applications, not all of them being GCP resources. They may use a combination of resources from Amazon Web Services, IBM or Azure, to name a few, and GCP IAM does not support identity and access management on these resources. Its lack of capability to connect with on-prem identity providers such as Microsoft Active Directory and OpenLDAP is another major roadblock.
In general, a certificate is a means of creating evidence. In the domain of identity and access management, a certificate creates evidence in the form of a digital signature to verify the identity of an individual, a company, or other entity, and associates that identity with a public key.
Like a driver’s license or passport, a certificate provides a generally recognized proof of a person’s identity. Certificates have one main purpose: to establish trust.
Authentication is the process that verifies that a user is who they say they are. So a certificate makes authentication more efficient because the identity cannot be changed.
By enabling the certificate-based authentication, it is possible to reliably evaluate the user’s right to access the requested resource.
How does it work?
First, the user enters their private password.
The client receives the private key, and creates an evidence – in this case, in the form of a certificate or digital signature.
Now, the client sends the evidence through a secured connection across the network.
The server uses the evidence to authenticate the user identity.
Finally, the server authorizes the evidence and allows access.
This brings us to the question of how to implement a certificate-based authentication in your organization.
Akku by CloudNow is a powerful and secure identity and access management solution that uses certificate-based authentication to control user identity and secure access to your environment. Learn more at www.akku.work
Logging on to different applications using different user credentials every single time is frustrating, isn’t it? The use of a Single Sign On (SSO) application makes it easy to access all your applications with just a single set of login credentials. The SSO acts as the identity provider – a common platform to handle user identity and access across all your applications – and also provides authentication, authorization and access control.
Gartner’s research says that about 50% of all calls made to help desks are requests for resetting passwords. In this scenario, deploying a Single Sign On application reduces the time, effort and cost spent by your help desk, resulting in savings for your organization.
Through automated login using Single Sign On, users can switch between applications without having to login to each applications each time. This saves employee time and increases productivity.
Reduce Password Fatigue
Users don’t need to remember and manage multiple passwords – SSO reduces the number of passwords to one and makes it much simpler to remember and manage.
Easier Accounts Management
SSO gives clear visibility on what access is permitted for whom. It also helps in improving the speed of adding and disabling the accounts of outgoing employees.
Right Access To The Right People
Admin users can provide or deny access to specific users. For instance, if a particular user in a department wants an application to work on the admin can give access only to that person instead of giving it to the team which could result in confusion.
How does it work?
An SSO acts as an identity provider, acting as a common platform to manage identity and access rules across all of an organization’s cloud apps. When a user connects to the service provider to authenticate their identity, it transfers authentication to the identity provider. The identity provider validates the user’s credentials, and then sends a SAML token to the service provider for accessing the application.
Akku packs a powerful Single Sign On function whose customized SAML enables you to integrate a highly secure Single Sign On (SSO) with any cloud or in-house application, developed on any platform, including support for your intranet.
So, why continue to be frustrated with multiple passwords and multiple user accounts to access multiple applications? Make access easier for users and control easier for administrators with Akku.