The COVID pandemic has accelerated the shift to a remote work or hybrid work environment. According to recent research, it is estimated that by 2030 there will be a 30% increase in the number of remote workers. In the absence of an arduous daily commute, employees now contribute a decreased carbon footprint due to reduced auto and public transit; in some cases, this reduction can be up to 80 percent. With the flexibility of creating schedules to accommodate the most effective working hours, remote workers enjoy a boost in productivity. As we have seen during the last couple of years, the work-from-home model is moving toward a state of permanence.
While the benefits have been plentiful, the workforce transformation has introduced new challenges in enforcing security. The challenges stem from the following factors:
- Potential lack of transparency around where workers are actually working from
- Working outside of the traditional corporate infrastructure
- BYOD computing may introduce unprotected endpoints which may not comply with company security protocols. When combined with poor password hygiene the risk only increases significantly.
- Potentially, bad actors could gain access to these unsecured devices to perform an account take over and wield unlimited access to sensitive data.
These conditions necessitate a robust and fast method of authentication and authorization to enable remote workers to securely connect to applications, networks, and databases. OpenIAM provides a number of features that can help remote workers interact with corporate resources safely. As a first step, OpenIAM’s Identity Governance functionality can be leveraged to ensure that only the right level of access has been provided for each user at the right time. This foundational step will help manage what a user can gain access to.
RADIUS integration
For organizations that already have a VPN infrastructure in place, OpenIAM provides RADIUS-based authentication. VPNs such as Fortigate can be integrated with the RADIUS service in OpenIAM to allow VPN users to transparently authenticate against OpenIAM in the background. The benefits of this approach are that it allows organizations to take advantage of the following functionalities in OpenIAM:
- MFA and adaptive authentication
- Existing user stores for authentication
- Centralized auditing
Credential provider
The credential provider from OpenIAM replaces the default authentication interfaces on Windows desktop, server and MacOS. This functionality has been a part of OpenIAM for many years. Initially, it was largely used by admins to improve security while logging into Windows.
During the pandemic, we have seen customers take advantage of the credential provider to improve the security associated with remote workers. The credential provider is configured to authenticate against the OpenIAM IdP; in doing so, a variety of functionalities are introduced while authenticating into Windows or MacOS:
- MFA
- Adaptive authentication flows so that you can evaluate factors such as device registration, device serial number, geo-location, role, etc.
At one of our customers where users are issued corporate laptops, each user’s profile is updated with the laptop’s serial number in OpenIAM during the laptop build process. When users authenticate, the system validates that they are using the laptop that was issued to them. It also checks where the user is located. Evaluating these two factors along with using MFA (the OpenIAM mobile app with push notification) significantly improves the security surrounding authentication. Customers are not limited to the OpenIAM app — they can also leverage FIDO 2 authentication, OTP over SMS, e-mail or IVR in their desktop authentication.
In the event the user has forgotten their login credentials, the credential provider also exposes the self-service password reset functionality in OpenIAM allowing users to help themselves and improve productivity while reducing the number of help desk calls.
Summary
The shift to a distributed workforce has brought about a myriad of benefits while also introducing concerns. OpenIAM provides a credential provider and integration with RADIUS to address the precarious security challenges that accompany the work-from-home model and has a long-term commitment to further secure remote workers. The next release of OpenIAM will include machine learning during authentication, and subsequent releases will include a risk engine and account take over detection functionality.