Strategies for secure identity management in hybrid environments

In this Help Net Security interview, Charlotte Wylie, SVP and Deputy CSO at Okta, discusses the challenges of managing user identities across hybrid IT environments.

She emphasizes balancing and adopting comprehensive security controls, including cloud SSO and MFA technologies, to unify security policies. Wylie also highlights strategies for combating password fatigue, integrating IAM solutions, securing operational technology, and establishing identity security policies.

How do organizations balance security with user convenience in hybrid IT environments, particularly when managing user identities across cloud and on-premise systems?

The hybrid IT environment has become the standard for organizations today with employees, contractors, partners and more all collaborating across a vast network of devices and workplaces. Companies are also using more apps than ever – with large enterprises deploying an average of 231 apps. When you factor in all the companies engaging with their apps or services from around the globe, the responsibility of managing all those users and watching for security anomalies can be a daunting task.

User experience does not have to be compromised for security. Striking the balance of granting the right stakeholders, the right access, at the right time, and continuously revisiting their needs takes thoughtfulness, enablement and collective agreement that security features at the center of all of these actions.

Closing the gap between cloud and on-prem systems requires the extension of cloud single sign-on (SSO) and multi-factor authentication (MFA) technologies to on-prem apps, empowering organizations to unify and centrally manage their security policies across hybrid environments. Adopting comprehensive security controls that can support both cloud and on-prem systems is the key for modern IT management. Deploying continuous user authentication and authorization helps organizations mitigate the identity-based attacks that threaten their security.

With the rise of multiple digital identities, what strategies can be employed to combat password fatigue and reduce the risks associated with password management?

A passwordless strategy offers the best relief for reducing password fatigue. The challenges presented by passwords – including poor account security and user experience, lost productivity and increased cost – are eliminated when companies go passwordless. Email magic links, one-time passcodes (OTPs), social logins, and passkeys provide users with multiple alternatives to traditional username-and-password logins.

Companies across the globe have adopted passwordless technology and are seeing the security and productivity benefits. However, many companies are still using passwords, and essentially 100% of users still use a password for at least one of their accounts. An effective password management strategy allows companies at any stage of their cloud journey to evaluate their current password processes and identify how to safeguard passwords in the future.

It’s also important that companies instill a culture of healthy password management. That starts with setting policies for users’ password strength and expiration, as well as increasing automation and self-service functions. For example, syncing password updates across directories ensures that downstream apps can use the updated credentials. Self-serve password resets and changes can reduce the burden on IT and improve the user experience.

What are the best practices for integrating new IAM solutions with existing IT infrastructures, especially for organizations that use legacy systems and modern applications?

There are several considerations for IT leaders to keep in mind as they integrate new IAM solutions into their existing hybrid environments, including these four key ones:

• Organizations should start by inventorying their existing systems, the volume of accounts, and the authorization and authentication tools used by their legacy systems.
• In addition, leaders should verify the provisioning and deprovisioning processes used to manage access to the systems. Understanding the current state is essential in planning a strategy to modernize the IAM stack across the environment, prioritizing systems based on criticality and usage.
• It’s also important to assess this inventory of systems with their respective roadmaps. If systems are to be replaced, retired, deprecated, or kept running, these game plans will help organizations predict and prevent unnecessary investment that won’t be needed further down the road.
• From a security standpoint, it’s also essential for organizations to prioritize the enforcement of security controls and policies equally on both legacy systems and modern applications to support modern use cases, like modern remote, mobile access, and MFA.

How do organizations manage the unique challenges of identity and access management in operational technology (OT) and critical infrastructure environments?

Ensuring proper cyber hygiene encapsulates a large swath of practices, especially when it comes to securing operational technology and critical infrastructure environments. The challenges in these environments are unique and the consequences of security lapses can have massive ramifications, as evidenced by the Colonial Pipeline ransomware attack.

The common denominator among attacks on this sector is access, which is why identity must be a top priority for these organizations. Attackers can do more damage with more privileged access, so organizations need a robust IAM strategy that sets and deploys policies across the network to ensure least privilege for all human and machine accounts. To secure critical infrastructure, organizations can deploy a different level of management, called privileged access management (PAM), which applies elevated protection to especially powerful accounts that would be more dangerous if compromised.

With the rise of business-led SaaS and remote work, how can organizations establish identity security policies and governance structures?

Hybrid work has become the new norm for businesses. With employees working both remotely and in an office environment, security teams are being challenged to enable secure access for all their employees, contractors, and partners from wherever they’re working.

Organizations can establish more granular access policies once they’ve deployed SSO and MFA to their employees. These policies consider the user, device, network, and location context of a login attempt to minimize account risks. Companies can also use identity governance tools to ensure the right people have the right access to the right resources from wherever they are working.

Network blocklists are a great example of this kind of policy in action. If an organization needs to restrict access from bad networks, tor browsers, or specific geolocations, they can implement a policy that would either deny access or prompt for MFA when a user attempts a login from one of the listed networks.