Friday, October 26, 2012

Five reasons to use Role Based Access Control (RBAC)


Improve Security of Systems and Applications
Do you know exactly who has access to what at your company? Often, when a new employee needs an account, a copy of an existing account, called a ‘template user’, is made. This creates a security risk, since the template’s access to applications and systems is copied as well and is often never revoked. RBAC allows you to easily see the resources that employees have available to them based upon their role in the organization. This allows you to ensure that nobody has access to secure systems and applications they are not supposed to have, and to make changes as necessary.

Easily Make Security Changes
Employees frequently change roles and jobs within an organization and subsequently need different access privileges. With RBAC in place, such changes can be handled no matter how difficult they are. Complex changes, such as a part-time employee working for two different departments, can also be handled without significant effort.
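The two sections above contrast copying a ‘template user’ with deriving access from roles. The sketch below is an added example, not code from this blog or any product; the role names, resources and users are constructed, and the `Directory` class is hypothetical.

```python
# Constructed roles and resources for illustration.
ROLE_PERMISSIONS = {
    "employee": {"email", "word_processing"},
    "finance": {"ledger", "payroll_share"},
    "helpdesk": {"ticketing", "password_reset_console"},
}


class Directory:
    def __init__(self):
        self.roles = {}   # user -> role names (RBAC)
        self.direct = {}  # user -> permissions granted outside any role

    def clone_template(self, new_user, template_user):
        """'Template user' provisioning: copy everything the template can reach."""
        self.direct[new_user] = self.effective(template_user)

    def assign(self, user, *roles):
        """Set the user's roles; anything tied to a dropped role disappears."""
        unknown = set(roles) - set(ROLE_PERMISSIONS)
        if unknown:
            raise KeyError(f"unknown roles: {sorted(unknown)}")
        self.roles[user] = set(roles)

    def from_roles(self, user):
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.roles.get(user, ())))

    def effective(self, user):
        return self.from_roles(user) | self.direct.get(user, set())

    def who_can(self, permission):
        """Audit view: every user who can reach a given resource."""
        users = set(self.roles) | set(self.direct)
        return sorted(u for u in users if permission in self.effective(u))

    def unexplained(self, user):
        """Access no assigned role accounts for: candidates for revocation."""
        return self.effective(user) - self.from_roles(user)


if __name__ == "__main__":
    d = Directory()
    d.assign("alice", "employee", "finance")
    d.clone_template("bob", "alice")           # new helpdesk hire copied from alice
    d.assign("bob", "employee", "helpdesk")
    print(d.who_can("payroll_share"))          # bob shows up next to alice
    print(sorted(d.unexplained("bob")))        # the copied finance access
    d.assign("alice", "employee", "helpdesk")  # alice changes department
    print(d.who_can("ledger"))                 # only bob's stale copy remains
```
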

Easily Meet Audit Requirements
Using RBAC makes meeting strict audit requirements easy. Industries such as healthcare and finance need to be able to show that their information is secure, and have had stricter requirements placed on them in recent years. With RBAC, companies can easily ensure that secure information remains that way, and can easily access this information for audits.

Increase Productivity of Employees
Assigning new employees their correct access rights can be time consuming for both the IT employee and the end user. With RBAC, new employees do not have to wait for their privileges to be assigned and are able to begin working with the necessary applications, such as word processing, email and departmental shares, and then receive more specific privileges later on.

Reduce costs
Since the IT staff can see which applications are being used and how often, they can determine which are necessary for their business needs. Those that are not being accessed can be eliminated, or have licensing counts reduced, thus saving the organization money.

For more information on RBAC, please visit our website






Friday, October 19, 2012

Two Factor Authentication

According to Wikipedia, Two-factor authentication (TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two or more of the three authentication factors: a knowledge factor ("something the user knows"), a possession factor ("something the user has") and an inherent factor ("something the user is").

As organizations of every type become more concerned with the security of their networks, they are increasingly enhancing the normal user name and password credentials with an additional strong authentication method. Banking has used this concept for years with the ATM card – you must have the physical card and a PIN. Laptop manufacturers have been providing optional fingerprint readers for years as well. The question is how two-factor authentication can provide extra security to an organization without requiring a large capital outlay. Two options are becoming commonplace.

Password Resets
The concept of using challenge questions – what’s your mother’s maiden name, where were you born, etc. – has been around for many years. Banking websites are the most common example of this concept: forget your password, and you successfully answer the challenge questions to reset it. With the advent of smart phones and text messaging, many companies have already added a second factor – a one-time use PIN code delivered via email or SMS must be provided in addition to the answers. Many vendors are producing products with identical functionality for the corporate network as well. The first iterations of these solutions relied on the challenge questions exclusively to allow password resets. As social engineering concerns have come into play, vendors have been quick to add 2FA to these solutions as well. The delivery of a PIN via text messaging to the user’s cell phone number on file ensures the reset is being performed by the actual user.

Another benefit of these challenge questions is that they can be utilized by the helpdesk to positively identify a caller. When an employee phones the helpdesk requesting access to a new application or asking to be added to a share or distribution group, the helpdesk can access the questions and masked answers. For example, the answer to “what color is your car” could display as X_XX_ and the caller would be asked to provide the 2nd and 5th characters. If the correct characters are provided, it ensures the caller’s identity. By masking the answers, the helpdesk employees are never exposed to the confidential answers. A 2nd factor of authentication – delivering a PIN to an email or via SMS – can further enhance the security. The number of questions/answers to be provided can be dictated by company policy.
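The masked-answer check described above can be sketched as follows. This is an added example, not code from this blog or any product; the `CallerChallenge` class, the attempt limit and the sample answers are assumptions made for illustration.

```python
import hmac
import secrets

MAX_ATTEMPTS = 3  # assumed policy value, not taken from the post


def normalize(text):
    """Compare answers case-insensitively and ignore spaces."""
    return "".join(text.split()).casefold()


def mask_for(length, positions):
    """Agent-facing view: '_' marks a character the caller must supply."""
    return "".join("_" if i in positions else "X" for i in range(1, length + 1))


class CallerChallenge:
    """One helpdesk verification against a stored challenge answer.

    Per-character checks need the stored answer in recoverable form
    (encrypted at rest, not one-way hashed); only this service reads it.
    """

    def __init__(self, stored_answer, positions=None, count=2):
        self._answer = normalize(stored_answer)
        if len(self._answer) <= count:
            raise ValueError("answer too short to challenge safely")
        rng = secrets.SystemRandom()
        self.positions = sorted(
            positions or rng.sample(range(1, len(self._answer) + 1), count))
        self.mask = mask_for(len(self._answer), self.positions)
        self.failures = 0

    @property
    def locked(self):
        return self.failures >= MAX_ATTEMPTS

    def verify(self, supplied):
        """Check the characters the caller read out, in position order."""
        if self.locked:
            return False  # a few characters are guessable; stop after repeated misses
        expected = "".join(self._answer[p - 1] for p in self.positions)
        ok = hmac.compare_digest(expected.encode(), normalize(supplied).encode())
        if not ok:
            self.failures += 1
        return ok


if __name__ == "__main__":
    challenge = CallerChallenge("Green", positions=[2, 5])  # constructed answer
    print(challenge.mask, challenge.positions)  # all the agent ever sees
    print(challenge.verify("r n"))              # characters read out by the caller
```

Two characters carry little entropy on their own, which is why the attempt limit and the second factor described above matter.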

SSO with Strong Authentication

Many technology leaders acknowledge the benefits associated with an SSO solution: productivity gains from reducing the number of required credentials from many to one, and fewer calls to the helpdesk for forgotten passwords. A common concern is that if the one set of credentials is hacked, access to all systems can be exposed. In this case, 2FA can eliminate this perceived risk. In this scenario, the end user presents their ID badge ("something the user has") to a reader attached to the machine, enters his or her credentials ("something the user knows") and then, as an extra layer of protection, enters a PIN code when accessing highly sensitive systems. It is also feasible that the ID badge replaces the credentials and the PIN becomes the second factor.

Summary
Two-factor authentication has caught on rapidly in the business-to-consumer arena. Functionality such as self-service password reset was originally implemented to reduce call volume, and the security of this functionality has been strengthened in response to identity theft and social engineering. Secondary identification methods are now widely available to businesses interested in providing the same secure functionality to employees.


For more information, please visit our website to learn more on password resets with 2FA and strong authentication.

Friday, October 12, 2012

Top Ways the Education Industry Could Benefit from Identity and Access Management Software


Free up time of IT employees
IT and helpdesk employees are often bogged down with the monotonous task of account creation. Though it is not difficult, it is extremely time consuming for staff who could be working on more technical projects. The Minnetonka Public Schools IT department was dealing with this situation. They had developed their own in-house solution for account management but still had to handle account creations manually, which was time consuming. The process consisted of data specialists retrieving information from students, employees and parents and then relaying it to the IT staff, who would manually manage the accounts. With this process, four to five employees were often involved in creating one account. Minnetonka decided to automate their account management process so that accounts are provisioned automatically for students, employees and teachers without much human intervention. By automating the process, they were able to easily free up the time of three full-time employees. Now only one person has to touch account creation.

Reduce user pollution and keep systems up to date
With so much movement of students each semester, it is often difficult for the IT department to keep systems up to date with current student information and accounts. It is also time consuming to disable all accounts for students upon graduation and, as a result, many accounts are left active. This was the problem that Fitchburg State College was facing. They had over 40,000 accounts in Active Directory which did not accurately reflect their actual environment. Although they attempted to go through and delete inactive accounts, they realized this was not a good method since they were inadvertently deleting active users, such as students continuing on to graduate studies. With automated account management, when a terminated or graduated flag is set in the SIS, the account is automatically disabled according to preset rules. The IT department can now easily ensure that there is no user pollution and that their accounts are always up to date with the correct information.

Reduce helpdesk tickets
According to a survey conducted by Tools4ever, one of the most common helpdesk calls is for resetting a user password. This issue does not require much skill from the helpdesk employee but can be very time consuming when they are receiving many password reset calls a day. Not only do they have to deal with password calls, but, especially at the beginning of the school year, students and employees are calling because their accounts are incorrect or they cannot access the systems and applications. Pinellas County School District was one such district facing these issues. The IT department was spending a lot of time correcting account problems, and was receiving a large number of password reset calls, especially after a summer break. To resolve these issues, Pinellas implemented a self-service password reset solution so end users can easily and securely reset their own passwords by answering a series of challenge questions they had previously enrolled with. To deal with their many account issues, they also implemented an automated account management solution. Now when an account is created in Active Directory, it automatically populates the parent portal, student information system and any other systems as required, eliminating a tedious and potentially error-prone manual process.

Always have correct access to accounts
Students and teachers often complete work for classes after school administration hours and need to access certain applications and systems. If they forget their password and are locked out of their account, they cannot access the resources they need since the helpdesk is not available after school hours. Harrison College has 13 campuses and also offers several online courses which can start as late as 10 PM. With the helpdesk only being available until 5 PM, users that had issues with passwords after closing time could not resolve them until the next day. By implementing a self-service password reset solution, Harrison was able to provide users the option to safely and securely reset their own passwords without having to contact the helpdesk. This eliminated the problem of password issues arising after the helpdesk closed and allowed users to quickly reset their passwords and continue with their studies.


Ensure proper access rights
In schools, students often need certain access rights depending on what grade they are in or whether they have certain privileges. At North Hunterdon-Voorhees School District this was specifically the case concerning student access to the internet. In order for students to be allowed to access the internet, they need to have a permission form filled out by their parent. The HR department would then have to add the student to the correct security group. This process was handled manually, was time consuming and often resulted in errors. By implementing a user management solution, the registrar now simply checks a box on a student’s profile, and internet access is granted. This has saved the district an enormous amount of time and ensured that students have the correct access rights.


For more information, please visit our website