



Here, there, everywhere: How pervasive identity and access management transforms secure access

May 15, 2018 | 5 mins
Access Control, Data and Information Security, Identity Management Solutions

When users are as likely to be working on the go as at their desks, and applications are as likely to be in the cloud as on-premises, you need identity and access management everywhere.


We’ve been talking in this space about how transforming secure access requires making it pervasive, connected and continuous. Now I’d like to dive more deeply into the first of those three characteristics and explain specifically what “pervasive” means in this context—and, equally important, what it doesn’t mean.

Pervasive means secure access everywhere applications may be, from SaaS applications in the cloud to legacy applications on-premises, and throughout the infrastructure in between that connects users to those applications. It means secure access for virtual private networks (VPNs), managed workspaces and privileged access management (PAM) systems that protect privileged users’ credentials. And it means secure access everywhere users are accessing applications, whether they’re on personal devices or office desktops.

The more places applications live, and people work, the more important pervasiveness becomes

You need secure access everywhere because applications are everywhere—in more places than ever, in greater numbers than ever—and so are users. According to Enterprise Management Associates (EMA), 82 percent of organizations in a recent survey indicated they relied on public clouds, public app stores and software as a service (SaaS) platforms for user access to applications and data. EMA also reported that even though users access those resources from the office 64 percent of the time, they also access them from home or other remote locations more than a third (36 percent) of the time. And the users themselves are diverse: While the majority of companies (82 percent) reported that most of their users are employees, many also said their users include managed service providers, customers, partners, outsourcers and patients.

Regardless of the category of user, where they’re working, or whether applications and data are on-premises or in the cloud, every user needs to be able to access them quickly and easily. Providing that ability isn’t so easy when there are multiple on-premises resources, SaaS applications and cloud service platforms, all with different security policies. When every application has its own unique credentials, it creates “islands of identity.” Disconnected from each other and lacking any common access process, they’re inherently challenging for users to access easily and for IT to secure effectively.

To bridge these islands, you must transform secure access to pervade every environment where resources live and users work. This requires a single, standards-based authentication platform that spans all applications and access points, transcending their differences—a platform that’s compatible with multiple key authentication protocols, can be quickly deployed to legacy and custom applications without additional special coding, and provides administrators with a convenient single view for governance of all access activity.

Pervasive secure access provides assurance users are who they say they are beyond their initial interaction

While the description of pervasive secure access above may sound in some ways like single sign-on (SSO), it’s actually much more. SSO alone doesn’t do enough to help organizations successfully manage identity risk while delivering convenient access for users. It simply can’t reliably provide the assurance that those who seek access to resources really are who they say they are. That became alarmingly clear earlier this year with the widely reported discovery of a SAML library-related vulnerability that can fool SSO solutions into allowing someone who’s already logged into a network to illegitimately log in as another user on the system. According to the US Computer Emergency Response Team Coordination Center (CERT/CC), multiple SSO solutions and vendors were identified as vulnerable to such attacks.

A key point to keep in mind about that vulnerability is that it can only bypass the first level of authentication, which is why a multi-factor authentication solution is important to help protect against attacks based on the vulnerability. SSO relies on the old, familiar username-plus-password paradigm for authentication, and that spells trouble at a time when 81 percent of successful cyberattacks involve compromised passwords. Even when combined with some level of integrated (or even native) step-up authentication, SSO solutions are fundamentally designed to protect only the initial interaction with the SSO platform.

Pervasive secure access is about being able to identify risk at every interaction point, using a variety of means (detecting anomalies in user behavior, or considering contextual clues like location and device, for example)—and asking users for further authentication when the level of risk warrants it. This risk-based approach provides the opportunity to step up to multi-factor authentication when appropriate but doesn’t demand additional authentication when it’s not warranted. It ensures that access is both secure enough to protect the organization and convenient enough to minimize friction for users.
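The risk-based step-up described above, sketched as an added example (not code from this article or from any RSA product). The signals, weights, threshold and sample users are assumptions chosen for illustration; the point is that risk is re-scored on every request and a completed second factor only covers the context it was performed in.

```python
from dataclasses import dataclass

STEP_UP_THRESHOLD = 50  # assumed cut-off, not from the article

@dataclass(frozen=True)
class Profile:              # what is normal for this user (constructed sample)
    known_devices: frozenset
    usual_countries: frozenset
    usual_hours: range

@dataclass(frozen=True)
class Request:
    device_id: str
    country: str
    hour: int               # local hour, 0-23
    sensitivity: int        # 0 = low, 2 = high-value resource

def risk_score(profile, req):
    """Sum assumed weights for each contextual anomaly."""
    score = 0
    score += 30 if req.device_id not in profile.known_devices else 0
    score += 30 if req.country not in profile.usual_countries else 0
    score += 10 if req.hour not in profile.usual_hours else 0
    return score + 15 * req.sensitivity

class Session:
    """Re-evaluates risk on every request, not only at sign-on."""
    def __init__(self, profile):
        self.profile = profile
        self.mfa_context = None   # (device, country) the last MFA covered

    def authorize(self, req):
        risky = risk_score(self.profile, req) >= STEP_UP_THRESHOLD
        covered = self.mfa_context == (req.device_id, req.country)
        return "step_up" if risky and not covered else "allow"

    def complete_mfa(self, req):
        # Called after the second factor succeeds for this context.
        self.mfa_context = (req.device_id, req.country)

def demo():
    s = Session(Profile(frozenset({"laptop-1"}), frozenset({"US"}), range(8, 19)))
    office = Request("laptop-1", "US", 10, 2)   # usual context, sensitive app
    travel = Request("phone-9", "FR", 23, 1)    # new device, country and hour
    moved = Request("phone-9", "BR", 23, 1)     # same device, country changed
    out = [s.authorize(office), s.authorize(travel)]
    s.complete_mfa(travel)
    out += [s.authorize(travel), s.authorize(moved)]
    return out
```

The familiar-context request is allowed without extra friction even for a sensitive resource, while the mid-session change of country triggers a fresh challenge although the user already passed MFA once.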

Next time, we’ll take a deep dive into the “connected” aspect of the pervasive, connected and continuous path to modern authentication and cybersecurity. All three characteristics are inextricably linked to each other as enablers of the secure access transformation that will prepare your organization to meet today’s modern security challenges.


Jim Ducharme is Vice President of Identity Products at RSA. He is responsible for product strategy and leads the associated product management and engineering teams. He has nearly two decades of experience leading product organizations in the Identity marketspace, and has held executive leadership roles at Netegrity, CA and Aveksa.

The opinions expressed in this blog are those of Jim Ducharme and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.