Identity and access management
Identity is often considered the perimeter in infosec, especially as traditional enterprise perimeters dissolve. Identity and access management is critical to maintain data security. From passwords to multifactor authentication, SSO to biometrics, get the latest advice on IAM here.
Top Stories
- Tip, 20 Nov 2024
  4 types of access control
  Access management is the gatekeeper, making sure a device or person can gain entry only to the systems or applications to which they have been granted permission.
  By Amy Larsen DeCarlo, GlobalData
- Tip, 20 Nov 2024
  User provisioning and deprovisioning: Why it matters for IAM
  Overprivileged and orphaned user identities pose risks. Cybersecurity teams should be sure user profiles grant only appropriate access -- and only for as long as necessary.
  By Dave Shackleford, Voodoo Security
- News, 02 May 2017
  Mozilla: Symantec certificate remediation plan not enough
  Mozilla reviews the counterproposal from Symantec and urges the CA giant to opt for Google's recommendation to outsource its certificate activities.
  By Peter Loshin, Former Senior Technology Editor
- News, 28 Apr 2017
  Symantec certificate authority offers counter-proposal to Google
  The Symantec certificate authority proposal takes the pain out of sanctions for misissued certs, offers more audits, greater transparency and a promise of "continuous improvement."
  By Peter Loshin, Former Senior Technology Editor
- E-Zine, 19 Apr 2017
  Is your IAM policy a roadmap to security or leading you off a cliff?
  Identity and access management, or IAM, has long been a crucial consideration in the formulation of corporate security strategy. IAM policy today must contend with a variety of major changes sweeping the world of IT. One of the latest is the spread of cloud-based services, particularly the relatively new identity as a service. IDaaS and other products are having a significant impact on the market, as cloud-based IAM is now being released by both "establishment" players (e.g., Microsoft and Oracle) and next-gen companies like Ping Identity and Okta.
  This Information Security magazine Insider Edition tackles these seismic changes in the "identity layer" and considers other factors affecting IAM policy now and how they have an impact. In addition, we look at multifactor authentication, which is an established identity security practice. But multifactor is not without its own challenges when it comes to implementation and maintenance. We also take a careful look at the specific risks to cloud-based IAM tools, from shadow IT, mobility and more.
  Readers of the special edition of Information Security magazine on IAM policy and security concerns will come away better equipped to assess their current IAM policy and adapt it to the current and future world of IT.
- Opinion, 19 Apr 2017
  Start redrawing your identity and access management roadmap
  Securing enterprise systems and information requires an IAM roadmap that helps you identify effective policy, technology and tools.
  By Brenda L. Horrigan, Executive Managing Editor
- Feature, 19 Apr 2017
  Identity and access management strategy: Time to modernize?
  More likely than not, your company's identity and access management strategy needs an update. Learn how to decide if that's the case and, if so, what you should do now.
- Podcast, 19 Apr 2017
  Risk & Repeat: Mozilla joins the Symantec certificate authority debate
  In this episode of SearchSecurity's Risk & Repeat podcast, editors discuss mounting pressure on the Symantec certificate authority business to provide answers about its practices.
  By Rob Wright, Senior News Director
- Guide, 11 Apr 2017
  How to deal with identity and access management systems
  An identity and access management system is increasingly essential to corporate security, but technological advances have made managing an IAM more complex than ever.
- Answer, 05 Apr 2017
  Insecure OAuth implementations: How are mobile app users at risk?
  Mobile apps using insecure OAuth could lead to over one billion user accounts being attacked. Expert Michael Cobb explains how developers can implement OAuth securely.
- News, 04 Apr 2017
  Symantec certificate authority issues listed by Mozilla developers
  Mozilla developers respond to questionable Symantec certificate authority practices, as the security provider questions Google's proposed solutions.
  By Peter Loshin, Former Senior Technology Editor
- Podcast, 31 Mar 2017
  Risk & Repeat: Google slams Symantec certificates
  In this episode of SearchSecurity's Risk & Repeat podcast, editors discuss Google's proposed plan to distrust Symantec certificates following more allegations of mis-issuance.
  By Rob Wright, Senior News Director
- Answer, 29 Mar 2017
  How does a U2F security key keep Facebook users safe?
  Universal second factor devices can be used to strengthen authentication on major websites such as Facebook. Expert Matthew Pascucci explains how U2F works.
- Answer, 27 Mar 2017
  How do identity governance and access management systems differ?
  Identity governance and access management systems overlap naturally, but they are still distinct. Expert Matthew Pascucci explains the difference between these two aspects of IAM.
- Opinion, 23 Mar 2017
  The best SSO for enterprises must be cloud and mobile capable
  The best SSO today can handle the apps mobile workers use, identity as a service and more. Learn to make single sign-on, and other identity management approaches, more effective.
  By Brenda L. Horrigan, Executive Managing Editor
- Tip, 23 Mar 2017
  Enterprise SSO: The promise and the challenges ahead
  It was inevitable that enterprise SSO would encounter the cloud. Learn how to adjust your company's approach to single sign-on so it keeps working well.
- Answer, 06 Mar 2017
  SHA-1 certificates: How will Mozilla's deprecation affect enterprises?
  Mozilla browser users will encounter 'untrusted connection' errors if they use SHA-1 signed certificates. Expert Michael Cobb explains why, and what enterprises can do.
- News, 23 Feb 2017
  SHA-1 deprecation more important after hash officially broken
  SHA-1 deprecation in browsers comes as researchers create hash collisions and Google offers website and developer tools to protect against malicious uses.
  By Peter Loshin, Former Senior Technology Editor
- News, 16 Feb 2017
  Q&A: Yubico brings FIDO authentication protocol to the masses
  Yubico founder and CEO Stina Ehrensvard spoke with SearchSecurity at RSAC 2017 about FIDO authentication and how Google uses it to secure logins and cut costs.
  By Peter Loshin, Former Senior Technology Editor
- Answer, 08 Feb 2017
  HTTP public key pinning: Is the Firefox browser insecure without it?
  HTTP public key pinning, a security mechanism to prevent fraudulent certificates, was not used by Firefox, and left it open to attack. Expert Michael Cobb explains how HPKP works.
- News, 03 Feb 2017
  Google G Suite updates aim to improve phishing protection
  News roundup: Google updates G Suite with stronger authentication. Plus, WordPress secretly patches vulnerabilities, malware is likely to infect entire OSes, and more.
  By Madelyn Bacon, TechTarget
- Podcast, 01 Feb 2017
  Risk & Repeat: Bad Symantec certificates strike again
  In this episode of SearchSecurity's Risk & Repeat podcast, editors discuss the discovery of more bad Symantec certificates and what it means for the antivirus software maker.
  By Rob Wright, Senior News Director
- News, 27 Jan 2017
  Symantec CA report offers more clarity on certificate transparency catch
  One week after certificate transparency revealed a Symantec CA improperly issued over 100 digital certificates, Symantec offers more details on the incident.
  By Peter Loshin, Former Senior Technology Editor
- News, 27 Jan 2017
  Google creates its own root certificate authority
  Google is expanding its certificate authority capabilities by creating its own root certificate authority, but experts are unsure of Google's plans moving forward.
  By Michael Heller, TechTarget
- News, 24 Jan 2017
  Certificate Transparency snags Symantec CA for improper certs
  Symantec CA could be in for more trouble after a security researcher, using Certificate Transparency logs, discovered more than 100 improperly issued certificates.
  By Peter Loshin, Former Senior Technology Editor
- Answer, 18 Jan 2017
  How do facial recognition systems get bypassed by attackers?
  Researchers found that facial recognition systems can be bypassed with 3D models. Expert Nick Lewis explains how these spoofing attacks work and what can be done to prevent them.
- News, 17 Jan 2017
  Gmail phishing campaign uses real-time techniques to bypass 2FA
  Researchers saw a Gmail phishing campaign in the wild using clever tricks to access accounts, including a difficult 2FA bypass only possible in real time.
  By Michael Heller, TechTarget
- Answer, 04 Jan 2017
  How can two-factor authentication systems be used effectively?
  Two-factor authentication systems require more than using codes sent through SMS and smart cards. Expert Michael Cobb explains how to properly and effectively implement 2FA.
- Tip, 03 Jan 2017
  FIDO authentication standard could signal the passing of passwords
  The FIDO authentication standard could eventually bypass passwords, or at least augment them, as government and industry turn to more effective authentication technologies.
- Feature, 03 Jan 2017
  How to buy digital certificates for your enterprise
  In the market to buy digital certificates? Learn exactly how digital certificates work, which features are key and how to evaluate the available options on the market.
- Answer, 02 Jan 2017
  What new NIST password recommendations should enterprises adopt?
  NIST is coming up with new password recommendations for the U.S. government. Expert Michael Cobb covers the most important changes that enterprises should note.
- Tip, 24 Oct 2016
  Preventing privilege creep: How to keep access and roles aligned
  Privilege creep can result in the abuse of user access and security incidents. Expert Michael Cobb explains how enterprises can keep user roles and privileges aligned.
- Feature, 01 Jun 2016
  Strong authentication methods: Are you behind the curve?
  Not sure who's really behind that username and password? Google, Facebook and others may finally give multifactor authentication technology the 'push' it needs.
- Answer, 06 May 2016
  How can Kerberos protocol vulnerabilities be mitigated?
  Microsoft's Kerberos protocol implementation has long-standing issues with its secret keys. Expert Michael Cobb explains how to mitigate the authentication vulnerabilities.
- Answer, 22 Mar 2016
  What's the difference between two-step verification and 2FA?
  The terms two-step verification and two-factor authentication are used interchangeably, but do they differ from one another? Expert Michael Cobb explains.
- News, 15 Dec 2015
  Old Microsoft Kerberos vulnerability gets new spotlight
  A new blog post detailed authentication vulnerabilities in Microsoft Kerberos that cannot be patched and could lead to attackers having free rein over systems.
  By Michael Heller, TechTarget
- Feature, 03 Aug 2015
  Is third-party access the next IAM frontier?
  Identity and access management of employees is so complex that many companies have faltered when it comes to securing programs for trusted partners.
- Answer, 18 Jun 2015
  Can simple photography beat biometric systems?
  Simple photography cracking biometric systems highlights the need for two-factor authentication in enterprises, according to expert Randall Gamby.
- Buyer's Guide, 13 May 2015
  Multifactor authentication: A buyer's guide to MFA products
  In this SearchSecurity buyer's guide, learn how to evaluate and procure the right multifactor authentication product for your organization.
- Feature, 30 Jan 2015
  The top multifactor authentication products
  Multifactor authentication can be a critical component of an enterprise security strategy. Here's a look at the top MFA products in the industry.
  By James Alan Miller, Senior Executive Editor
- News, 22 Jan 2015
  Report: Popularity of biometric authentication set to spike
  Juniper Research claims that the popularity of biometric authentication will rise dramatically in the next five years, incorporating innovative technology beyond today's fingerprint sensors and voice authentication systems.
  By Michael Heller, TechTarget
- Definition, 11 Dec 2014
  four-factor authentication (4FA)
  Four-factor authentication (4FA) is the use of four types of identity-confirming credentials, typically categorized as knowledge, possession, inherence and location factors.
- Definition, 03 Dec 2014
  Duo Security
  Duo Security is a vendor of cloud-based two-factor authentication products.
- Answer, 15 May 2014
  When single sign-on fails, is a second SSO implementation worthwhile?
  After a failed SSO implementation, is there any benefit to an enterprise trying again? Expert Michele Chubirka discusses.
- Answer, 28 Mar 2014
  Authentication caching: How it reduces enterprise network congestion
  Michael Cobb explores the pros and cons of authentication caching and whether the practice can truly calm network strain.
- Answer, 30 Jan 2014
  Preventing plaintext password problems in Google Chrome
  Plaintext passwords are risky business. Michael Cobb discusses what Google says about the Chrome password vulnerability and potential exploits.
- Answer, 07 Oct 2013
  The value of 2,048-bit encryption: Why encryption key length matters
  Leading browsers are required to use 2,048-bit length keys by the end of the year, but what effect does this have on security?
- Feature, 26 Nov 2012
  Understanding IDaaS: The benefits and risks of Identity as a Service
  Are identities safe in the cloud? Experts say enterprises must carefully weigh the risks vs. rewards of identity management as a service.
- Answer, 09 Nov 2011
  OAuth 2.0: Pros and cons of using the federation protocol
  Learn the advantages and disadvantages of using Open Authorization for Web application authentication.
- Answer, 06 Oct 2011
  Insufficient authorization: Hardening Web application authorization
  Insufficient authorization errors can lead to Web app compromises and data loss. Learn how to fix these authorization errors.
- Tip, 09 Nov 2010
  User provisioning best practices: Access recertification
  User access recertification is the process of continually auditing users' permissions to make sure they have access only to what they need. Implementing recertification, however, can be challenging. Get best practices on creating a recertification process in this tip from IAM expert Randall Gamby.
- Definition, 28 Oct 2010
  user account provisioning
  User account provisioning is a business process for creating and managing access to resources in an information technology (IT) system. To be effective, an account provisioning process should ensure that the creation of accounts and provisioning of access to software and data is consistent and simple to administer.
- Answer, 14 Jan 2010
  Is it possible to crack the public key encryption algorithm?
  Is it possible to create a PKI encryption key that is unbreakable? IAM expert Randall Gamby weighs in.
- Tip, 07 Jul 2009
  Making the case for enterprise IAM centralized access control
  Central access to multiple applications and systems can raise the level of security while getting rid of lots of red tape, so how do you go about creating central access management? In this tip, IAM expert David Griffeth explains the steps.
- Tip, 02 Mar 2009
  From the gateway to the application: Effective access control strategies
  Organizations need to strike a balance between so-called front-door access control and more fine-grained controls established within an application itself. This article discusses the difference between products designed to set access at the gateway and complementary application-level controls. You'll learn how gateway-based access control works, the value in managing authorization in a centralized manner and the access control functions left for the application to perform. You'll also learn the role each variety of control plays in moving an organization toward single sign-on.
- Tip, 11 Nov 2008
  ID and password authentication: Keeping data safe with management and policies
  Learn how to improve authentication and avoid password hacking with management policies that enforce password expiration, length and complexity requirements.
  By SearchSecurity.com
- Tip, 28 Aug 2008
  How to lay the foundation for role entitlement management
  Role entitlement management is a daunting task; however, there are steps you can take to lay the foundation for a successful management process. In this tip, expert Rick Lawhorn details these seven steps.
- Definition, 24 Jul 2008
  LEAP (Lightweight Extensible Authentication Protocol)
  LEAP (Lightweight Extensible Authentication Protocol) is a Cisco-proprietary version of EAP, the authentication protocol used in wireless networks and Point-to-Point connections. LEAP is designed to provide more secure authentication for 802.11 WLANs (wireless local area networks) that support 802.1X port access control.
- Tip, 24 Jul 2008
  Key management challenges and best practices
  Key management is essential to a successful encryption project. In this tip, expert Randy Nash explains the challenges financial organizations face when implementing key management and some of the best practices to overcome them.
  By Randy Nash, Contributor
- Answer, 20 Mar 2008
  What is the purpose of RFID identification?
  RFID identification can be used to keep track of everything from credit cards to livestock. But what security risks are involved?
- Answer, 04 Mar 2008
  What techniques are being used to hack smart cards?
  Hacked smart cards are a large potential threat to enterprises that utilize them. Learn how to thwart smart card hackers.
- Definition, 03 Mar 2008
  role mining
  Role mining is the process of analyzing user-to-resource mapping data to determine or modify user permissions for role-based access control (RBAC) in an enterprise.
- Answer, 13 Jan 2008
  What are the pros and cons of using stand-alone authentication that is not Active Directory-based?
  Password management tools other than Active Directory are available, though they may not be the best access control coordinators.
- Answer, 28 Nov 2007
  How can root and administrator privileges of different systems be delegated on one account?
  In this expert response, Joel Dubin discusses how corporations can manage "superuser" accounts by delegating root and administrator privileges.
- Answer, 01 Oct 2007
  Choosing from the top PKI products and vendors
  In this expert response, security pro Joel Dubin discusses the best ways to compare PKI products and vendors for enterprise implementation of PKI.
- Answer, 26 Jul 2007
  How secure is the Windows registry?
  In this SearchSecurity.com Q&A, platform security expert Michael Cobb explains the weaknesses of the Windows registry and explores other OS alternatives.
- Answer, 05 Jun 2007
  What are the potential risks of giving remote access to a third-party service provider?
  In this SearchSecurity.com Q&A, identity management and access control expert Joel Dubin discusses the potential risks involved with providing remote access to a third-party service provider.
- Answer, 04 Jun 2007
  Is the use of digital certificates with passwords considered two-factor authentication?
  In this SearchSecurity.com Q&A, identity management and access control expert Joel Dubin identifies the factors that contribute to two-factor authentication, such as smart cards and digital certificates.
- Answer, 01 Jun 2007
  How to test an enterprise single sign-on login
  In this SearchSecurity.com Q&A, identity management and access control expert Joel Dubin examines the best ways to test an enterprise single sign-on (SSO) login.
- Answer, 08 Feb 2007
  Will biometric authentication replace the password?
  Some security observers say user IDs and passwords are obsolete and can be easily cracked, but that doesn't mean you should fire up biometric authentication projects just yet. In this SearchSecurity.com Q&A, identity management and access control expert Joel Dubin explains why enterprises are still holding back on biometrics.
- Answer, 07 Feb 2007
  Can single sign-on (SSO) provide authentication for remote logons?
  If you're accessing multiple applications through a remote Citrix server, you have two options. Identity management and access control expert Joel Dubin explains both in this SearchSecurity.com Q&A.
- Answer, 10 Oct 2006
  How to safely issue passwords to new users
  In this Ask the Expert Q&A, our identity management and access control expert Joel Dubin offers tips on safe password distribution, and reviews the common mistakes that help desks and system administrators make when issuing new passwords.