Thinking Beyond the Borders of the "Office"
Organizations exploring potential Identity and Access Management (IAM) solutions often begin by determining how best to control the login and other activities of users who are on their own internal networks and/or connected by Virtual Private Network (VPN). This is a great first step, but it poses several challenges to the modern enterprise that should not be overlooked. The sooner additional factors are considered, the better the overall security the organization can deploy.
Even for those companies that only operate from physical offices, overlooking Identity Protection from the outside world is a mistake. More and more basic business services are now provided via Software as a Service (SaaS) that can be accessed from many locations (Office 365, Salesforce, Box, AWS, Concur, and Slack, to name a few). Additionally, even companies that have not traditionally permitted employees to work remotely or telecommute are beginning to take advantage of cloud-based applications and allow them, or soon will be.
Your identity and access control system should take into account that SaaS solutions exist entirely or in part outside of the organization. End-users who are physically sitting inside a corporate office will, therefore, be signing onto these systems outside the firewall and the company's overall network security shields. Telecommuting employees may request that the VPN only carry network traffic bound for internal resources (split-tunneling, etc.). This avoids the latency that SaaS tools suffer when every request makes an extra round trip through the corporate network just to reach something that isn't on the corporate network to begin with.
There are many methods to give safe access to employees who aren't physically or logically on your internal network. Leveraging the power of cloud solutions, employees can authenticate to internal identity datastores (like Active Directory), but then Single Sign-On (SSO) to external sites as authenticated users. This gives employees the flexibility they desire without risking corporate security lapses to make it happen. It is important to note that password-only authentication is not advised, and at a minimum multi-factor authentication should be deployed. SecureAuth recommends a combination of multi-factor and adaptive/risk-based authentication for comprehensive identity protection.
Looking now at identity protection methodologies that can address both on-site and remote employees allows you to adapt to changes that are already happening, or will happen soon, within your organization. You can safely let users work where they need to while shielding the company from fraudulent use of credentials at the same time.