Managing digital identities is a crucial part of a security program and modern life since so much of our information and interactions are now digital. Digital identities are more than just the accounts we utilize daily: they include the collection of seldom-used work and personal accounts, each with their own login and password. This smattering of accounts that we all have leaves us vulnerable to cyber incidents as they are often poorly secured and may contain critical company or personal information.
This is where the practice of identity and access management (IAM) helps organizations. Beleaguered systems administrators and IT professionals can utilize IAM to manage the ever-more complex set of user identities and authentication information needed to prove their users are legitimate. This increased overhead raises the obvious question: how can we cut through the complexity and make IAM simpler for both users and administrators?
When you log in to an app or a website, you need to identify yourself, usually with a username, though an email address or phone number are also standard ID methods. But if the app or website gives access to any sensitive information, it needs to be 100% certain that the person requesting access is genuine, so you’re required to provide some authentication to prove that you are who you claim to be. Authentication factors fall into three categories: something you know (like a password), something you have (like a trusted device), or something you are (biometrics, such as a thumbprint or face scan).
Depending on the sensitivity of the system you’re logging in to, multiple authentication factors may be required to prove your identity. This is known as multi-factor authentication (MFA), and it provides an extra level of assurance that the user logging in is genuine — a common example is a password plus a one-time code generated by a smartphone authenticator app. MFA is becoming widespread and is part of current IAM best practices, though the extra steps required to log in can be something of a burden to end-users.
Cyber criminals are opportunistic, particularly when it comes to small businesses, and the technology and processes that organizations use are far more indicative of their risk than their industry. – Claims Report
Unfortunately, users bear the brunt of many IAM requirements because they have to follow all the steps for creating and using passwords. Current guidance for creating strong passwords includes using a unique password for every system and application, ideally using a randomly generated string. That’s tough for a computer or bad guy to guess, but unfortunately, also difficult for users to remember. Given the number of accounts most users have to maintain, it’s not uncommon to find poor password hygiene practices like reusing passwords or creating weak variations like MyStrongPassword1 and MyStrongPassword2.
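The weak-variation pattern described above (MyStrongPassword1, MyStrongPassword2) is easy for an attacker to guess and easy for a defender to detect. The following added example, not code from the original post, audits a constructed credential inventory for exact reuse and for passwords that share the same root once case and leading or trailing digits and symbols are stripped, and generates the kind of random replacement the guidance recommends. The vault contents and the normalization rule are assumptions for illustration.

```python
import re
import secrets
import string
from collections import defaultdict

# Constructed sample inventory (account -> password). Not real credentials.
SAMPLE_VAULT = {
    "email": "MyStrongPassword1",
    "bank": "MyStrongPassword2",
    "payroll": "mystrongpassword!",
    "forum": "MyStrongPassword1",
    "vpn": "q7#Vk2!pL9@zR4mT",
}

# Strip leading/trailing digits, punctuation and underscores, then lowercase,
# so "MyStrongPassword1" and "mystrongpassword!" collapse to one root.
_TRIM = re.compile(r"^[\d\W_]+|[\d\W_]+$")


def normalize(password: str) -> str:
    return _TRIM.sub("", password).lower()


def audit(vault: dict) -> list:
    """Group accounts by password root; report every root shared by more than one account."""
    groups = defaultdict(list)
    for account, password in vault.items():
        groups[normalize(password)].append(account)
    findings = []
    for root, accounts in groups.items():
        if len(accounts) > 1:
            distinct = len({vault[a] for a in accounts})
            findings.append({
                "accounts": sorted(accounts),
                "distinct_passwords": distinct,          # 1 == exact reuse, >1 == weak variations
                "root": root,
            })
    return sorted(findings, key=lambda f: f["accounts"])


def suggest_replacement(length: int = 20) -> str:
    """Random string from a CSPRNG, the kind of password a manager would generate."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for finding in audit(SAMPLE_VAULT):
        print(finding)
        for account in finding["accounts"]:
            print(f"  replace {account}: {suggest_replacement()}")
```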
One solution that can make life easier for users is a single sign-on (SSO) deployment. SSO is like putting the ticket counter at the entrance to a theme park rather than forcing people to line up to buy tickets at each ride. In technology terms, users log in once to an SSO portal or service, then use that existing login to gain access to other systems. If you’ve ever logged in to a website using your Gmail, LinkedIn, or Apple ID, you’ve used SSO — and saved yourself the added trouble of having to create and remember another password.
Basic controls to secure email, enable multi-factor authentication, and frequently patch software will remain the most effective controls for the foreseeable future. – Claims Report
Integrating MFA in an SSO environment also makes life easier for users, despite the alphabet soup of acronyms. MFA is one of the single best security controls that organizations can put in place to safeguard against a variety of attacks, but setting up and entering the authentication details for each individual system can be time-consuming. Implementing MFA in an SSO portal means the organization benefits from the added protection of MFA, while users benefit by only having to enter the additional authentication credentials once. To continue the theme park analogy, it’s easier to measure guests’ height once they purchase a ticket, rather than repeating it for each ride. This helps ensure both the safety of the riders and cuts down on their wait time.
SSO isn’t only a benefit for end-users. IAM administrators also benefit from SSO since it can help make their jobs easier and make the organization more secure and efficient. For example, creating new accounts is easier in an SSO environment since only one account must be created and managed, and the same is true if a user leaves or changes roles.
Organizations with a well-architected SSO deployment also gain a security advantage when it comes to compromised accounts. If a user has accidentally given out their password, like in a phishing scheme, locking attackers out only requires one password change, speeding up the incident response process. SSO can also offer some less obvious benefits like reduced reset or assistance requests for login credentials.
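The three SSO benefits above (one login reused across systems, MFA entered once at the portal, and one password change cutting off a compromised account everywhere) come from a single design: the applications trust signed session tokens from a central identity provider and ask it whether the session is still live. The following added example, not Okta's or Coalition's code, sketches that design with a toy identity provider and two relying applications. The HMAC signing key shared with the applications, the in-memory user and session stores, the PBKDF2 password hashing and the `mfa_passed` flag (standing in for a completed second-factor check) are all assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class IdentityProvider:
    """The one place users log in. Issues signed session tokens every app trusts and keeps
    the list of live sessions, so a compromise can be cut off centrally."""

    def __init__(self):
        self.signing_key = secrets.token_bytes(32)   # assumed shared with relying apps via secure config
        self._users = {}                             # username -> (salt, pbkdf2 hash)
        self._sessions = {}                          # session id -> username

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    def login(self, username: str, password: str, mfa_passed: bool, ttl: int = 3600, now=None):
        """Token only when password AND second factor succeed; MFA happens once, here."""
        if username not in self._users:
            return None
        salt, stored = self._users[username]
        if not hmac.compare_digest(self._hash(password, salt), stored) or not mfa_passed:
            return None
        sid = secrets.token_hex(16)
        self._sessions[sid] = username
        issued = int(time.time()) if now is None else int(now)
        body = base64.urlsafe_b64encode(json.dumps({"sub": username, "sid": sid, "exp": issued + ttl}).encode())
        sig = hmac.new(self.signing_key, body, hashlib.sha256).digest()
        return body.decode() + "." + base64.urlsafe_b64encode(sig).decode()

    def session_active(self, sid: str) -> bool:
        return sid in self._sessions

    def change_password(self, username: str, new_password: str) -> None:
        """One password change revokes every session, including any an attacker opened with the old password."""
        self.register(username, new_password)
        for sid in [s for s, u in self._sessions.items() if u == username]:
            del self._sessions[sid]


class ServiceProvider:
    """A relying application: never sees a password, only verifies tokens and asks the IdP if the session lives."""

    def __init__(self, name: str, idp: IdentityProvider):
        self.name = name
        self._idp = idp

    def access(self, token: str, now=None):
        """Return the username for a valid, unexpired, unrevoked token; otherwise None."""
        try:
            body, sig = token.split(".")
            expected = hmac.new(self._idp.signing_key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig)):
                return None                                    # forged or tampered token
            payload = json.loads(base64.urlsafe_b64decode(body))
        except (ValueError, KeyError):
            return None
        current = time.time() if now is None else now
        if payload["exp"] < current or not self._idp.session_active(payload["sid"]):
            return None
        return payload["sub"]


if __name__ == "__main__":
    idp = IdentityProvider()
    idp.register("alice", "correct horse battery staple")
    token = idp.login("alice", "correct horse battery staple", mfa_passed=True)
    crm, hr = ServiceProvider("crm", idp), ServiceProvider("hr", idp)
    print("crm:", crm.access(token), "hr:", hr.access(token))   # one login, two apps
    idp.change_password("alice", "new passphrase")
    print("after password change, crm:", crm.access(token))    # session revoked everywhere
```

The revocation check is what turns "one password change" into an incident-response speedup: because every application asks the identity provider whether the session is still live, nothing has to be reset per application.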
Cybersecurity incidents will happen, but they don’t have to transform into breaches or claims. Access controls are fundamental to managing cyber risk; MFA can help keep all your accounts safer, while an SSO provider is useful for reducing both user and administrative password management headaches. Coalition’s partner Okta supports organizations through an extensive product suite that includes single sign-on (SSO), universal directory, and multi-factor authentication (MFA). With SSO, Okta allows users to access multiple applications more securely by tying all credentials into a single login experience.
Coalition policyholders can log in to their policyholder dashboard and take advantage of discounted pricing for new customers of Okta’s identity and access management tools. Additionally, implementing an MFA solution makes policyholders eligible for our Multi-Factor Authentication Retention Reduction Endorsement. This means that if a policyholder implements MFA and still experiences a claim, we will reduce their retention by 50% up to $10,000.
Coalition’s cybersecurity guide outlines the basic tenets of a cybersecurity program — a critical factor in reducing your organization’s cyber risk. You can also download the full H1 2021 Cyber Insurance Claims Report to learn more about the cyber trends impacting all organizations and our predictions for the remainder of 2021.