Effective application access management
Every organisation should implement appropriate identity and access management solutions. To reduce the number of mistakes and breaches, a company can use software to manage both user and application access. What should organisations pay particular attention to when selecting tools that are meant to increase the company's security on the one hand and to streamline IT administration on the other?
Application access management – theory vs. practice
Insurance companies, telecommunications companies, banks and financial institutions, government bodies and, last but not least, private companies: each of these entities collects and processes many types of data. This has to be done in accordance with binding legal provisions such as the GDPR or the PSD2 directive. Another factor affecting access authorisation is the organisational structure of the enterprise. In large organisations there are departments whose employees have access to only part of the resources. This follows both from the users' qualifications and from the desire to protect the most important information; key data are usually accessible only to management.
In such an environment, resources are used not only by people but also by software. The identity of an application must be verified and the automatic access it requires (e.g. to a database server) must remain under control. When many users and applications need access to the IT infrastructure, administrators can be supported by a dedicated Identity and Access Management (IAM) system. Users of such a system may be authenticated by many methods, including passwords, biometrics, software and hardware tokens (e.g. Comarch tPro Mobile or Comarch tPro ECC) or certificates, and individual systems can require strong, two-factor authentication (2FA).
In an application access management system, software is treated much like users, with some exceptions. One limitation is that interactive two-factor authentication is not possible for a process that runs unattended. IT security teams make every effort to control user identity and access, yet often forget to apply the same measures to applications. A common symptom is the practice of storing plaintext credentials in the application's source code. Application access management software should therefore take these specific circumstances into account and give administrators the tools to maintain an adequate level of security.
Application access authorisation methods
Although application access management is broadly similar to user access management, the processes involved, their complexity and the absence of the human factor mean that automated systems need a specific approach to authorisation: it is often not possible to use authentication methods for them that are as strong as those used for humans (biometrics, multi-factor authentication).
The most common authentication methods used for applications are:
- password – a traditional means of authentication, whose effectiveness depends on the password's complexity and on the steps taken to keep it secret,
- API key – an application programming interface key, usually a long random string issued by the service, that lets an application use specific functions or resources of that service,
- cryptographic token – for applications usually implemented in software rather than as a hardware device,
- public and private key – the application proves possession of a private key, and the corresponding public key, usually bound to a certificate issued by a public key infrastructure (PKI), is used to verify it.
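The API key entry above is the method most often handled badly on the service side. The example below, added to this article and not taken from Comarch or any product it describes, shows the server side of API-key authentication for applications: keys are returned to the application once and stored only as salted hashes, comparison is constant-time, and each application may hold two keys at a time so that a replacement can be issued before the old key expires. The `<key_id>.<secret>` format, the `ApiKeyStore` class and the `now` parameter (for deterministic expiry checks) are assumptions of the example.

```python
"""Added example: hashed storage and rotation of application API keys."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class StoredKey:
    app: str            # application identity this key authenticates
    salt: bytes
    digest: bytes       # sha256(salt || secret part); the secret itself is never stored
    expires_at: float   # epoch seconds; float("inf") means no expiry


class ApiKeyStore:
    """Keeps only salted hashes of issued keys; the key is shown to the caller once.

    Assumed key format: "<key_id>.<secret>" - the id lets us look up the record
    without hashing every stored key, the secret part is what gets verified.
    """

    def __init__(self) -> None:
        self._keys = {}  # key_id -> StoredKey

    @staticmethod
    def _digest(salt: bytes, secret_part: str) -> bytes:
        return hashlib.sha256(salt + secret_part.encode("utf-8")).digest()

    def _active_ids(self, app: str, now: float):
        return [kid for kid, rec in self._keys.items()
                if rec.app == app and now < rec.expires_at]

    def issue(self, app: str, now: Optional[float] = None,
              ttl: float = float("inf")) -> str:
        """Create a key for `app`; the returned string must be handed over securely."""
        now = time.time() if now is None else now
        key_id = secrets.token_hex(4)
        secret_part = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self._keys[key_id] = StoredKey(app, salt, self._digest(salt, secret_part), now + ttl)
        return f"{key_id}.{secret_part}"

    def rotate(self, app: str, grace: float, now: Optional[float] = None) -> str:
        """Issue a replacement key; the current key(s) stay valid for `grace` seconds
        so the application can switch over without an outage."""
        now = time.time() if now is None else now
        for kid in self._active_ids(app, now):
            rec = self._keys[kid]
            rec.expires_at = min(rec.expires_at, now + grace)
        return self.issue(app, now)

    def revoke(self, key_id: str) -> None:
        """Immediate revocation, e.g. after a suspected leak."""
        self._keys.pop(key_id, None)

    def verify(self, presented: str, now: Optional[float] = None) -> Optional[str]:
        """Return the application identity for a valid key, otherwise None."""
        now = time.time() if now is None else now
        key_id, sep, secret_part = presented.partition(".")
        rec = self._keys.get(key_id)
        if not sep or rec is None or now >= rec.expires_at:
            return None
        # Constant-time comparison: no timing side channel on the hash bytes.
        if not hmac.compare_digest(self._digest(rec.salt, secret_part), rec.digest):
            return None
        return rec.app


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.issue("billing-service")
    print("issued once:", key)
    print("verify ->", store.verify(key))
    new_key = store.rotate("billing-service", grace=3600)
    print("old key still valid during grace:", store.verify(key) is not None)
    print("new key valid:", store.verify(new_key))
```

The grace period is what makes rotation a non-event for the application: deploy the new key, confirm it is in use, then let the old one expire or revoke it early.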
All the credentials mentioned above should remain out of the reach of unauthorised people and, if possible, even out of the reach of the development team responsible for the application. It is also important to separate credentials from code: a password change, for example, should not require the software to be interrupted or manual edits in many parts of the code base. Uber learned in 2016 that storing credentials in source code is a bad practice: attackers found cloud access keys in a private code repository used by its engineers and used them to obtain the data of 57 million drivers and customers.
Administrators responsible for managing application access (and therefore for data security in the organisation) should apply the same rules to applications as to users. Applications, like people, should be authorised only for the tasks that follow from their function. The software must not have any rights beyond those necessary for its tasks (for example to modify a database or to access other applications). This limits the damage a faulty application or malware can do: it cannot compromise the security or integrity of the whole IT infrastructure by abusing privileges it never needed.
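The paragraph above asks for two things: credentials kept out of the code, and a password change that needs neither a restart nor code edits. The following example, written for this article and not part of Comarch's software, shows the application side of that: the credential lives in a file that the platform mounts for the process (a secrets volume, for instance), the file is re-read whenever it changes, and the process refuses to use a credential file that other accounts on the host can read. The `FileSecret` class, `write_secret_atomically` and `with_fresh_credential` are assumptions of the example; the hard-coded variant appears only as a comment.

```python
"""Added example: credentials loaded from a mounted file, reloaded on rotation."""
import os
import stat
from typing import Callable, Optional

# The practice the text warns against (constructed, do not copy):
#     DB_PASSWORD = "s3cr3t"   # credential in code: rotation means a code change and redeploy


class FileSecret:
    """A credential read from a file that is managed outside the code base.

    The value is cached and re-read when the file's identity, size or mtime
    changes, so rotating the file updates the running process without a restart.
    """

    def __init__(self, path: str, require_private: bool = True) -> None:
        self.path = path
        self.require_private = require_private
        self._stamp = None
        self._value: Optional[str] = None

    def _check_permissions(self, st: os.stat_result) -> None:
        # On POSIX, a secret readable by group or others is a misconfiguration.
        if os.name == "posix" and self.require_private and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{self.path} is readable by group/others; expected mode 0600")

    def get(self) -> str:
        st = os.stat(self.path)
        stamp = (st.st_ino, st.st_size, st.st_mtime_ns)
        if self._value is None or stamp != self._stamp:
            self._check_permissions(st)
            with open(self.path, encoding="utf-8") as f:
                self._value = f.read().strip()
            self._stamp = stamp
        return self._value


def write_secret_atomically(path: str, value: str) -> None:
    """How an operator or secrets agent rotates the file: write a private temp file,
    then rename over the old one so readers never see a half-written secret."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(value + "\n")
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)


def with_fresh_credential(secret: FileSecret, authenticate: Callable[[str], bool]) -> bool:
    """Authenticate with the current credential; on failure re-read the file once
    and retry, which covers the window between a server-side rotation and the
    moment the mounted file is updated."""
    if authenticate(secret.get()):
        return True
    return authenticate(secret.get())


if __name__ == "__main__":
    import tempfile
    path = os.path.join(tempfile.mkdtemp(), "db-password")
    write_secret_atomically(path, "first-secret")
    secret = FileSecret(path)
    print("loaded:", secret.get())
    write_secret_atomically(path, "second-secret-rotated")
    print("after rotation, same object:", secret.get())
```

With a password kept this way, rotating it is an operational task (replace the file) rather than a development task, and the development team never needs to see the production value.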
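The rule above (an application gets exactly the rights its function needs, nothing more) is easy to state and hard to keep true over time. The example below, added here and not Comarch's code, is a small deny-by-default role-based policy in which users and applications are the same kind of identity, plus the check a practitioner actually wants: run the policy over an access log to flag attempts that fall outside an identity's role, and list the grants an identity holds but has never used, which are candidates for removal. The role names, the `db:<schema>:<table>` resource naming, the `<timestamp> <identity> <action> <resource>` log format and the log lines themselves are constructed for the example.

```python
"""Added example: deny-by-default RBAC for users and applications, with a
least-privilege audit over an access log."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Permission:
    action: str    # "read", "write", ...
    resource: str  # exact name or glob pattern, e.g. "db:orders:*"

    def covers(self, action: str, resource: str) -> bool:
        return self.action == action and fnmatchcase(resource, self.resource)


@dataclass(frozen=True)
class AccessEvent:
    identity: str
    action: str
    resource: str


class AccessPolicy:
    """Central policy: roles carry grants, identities (people or software) carry roles."""

    def __init__(self) -> None:
        self.roles: Dict[str, Set[Permission]] = {}
        self.bindings: Dict[str, Set[str]] = {}

    def define_role(self, role: str, grants: Iterable[Permission]) -> None:
        self.roles[role] = set(grants)

    def bind(self, identity: str, role: str) -> None:
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.bindings.setdefault(identity, set()).add(role)

    def grants_for(self, identity: str) -> Set[Permission]:
        return {p for role in self.bindings.get(identity, set()) for p in self.roles[role]}

    def is_allowed(self, identity: str, action: str, resource: str) -> bool:
        # Deny by default: an unknown identity or an uncovered request gets nothing.
        return any(p.covers(action, resource) for p in self.grants_for(identity))

    def unused_grants(self, identity: str, events: Iterable[AccessEvent]) -> Set[Permission]:
        """Grants the identity holds but never exercised in the observed events."""
        own = [e for e in events if e.identity == identity]
        return {p for p in self.grants_for(identity)
                if not any(p.covers(e.action, e.resource) for e in own)}


def parse_log_line(line: str) -> AccessEvent:
    # Constructed format: "<timestamp> <identity> <action> <resource>"
    _timestamp, identity, action, resource = line.split()
    return AccessEvent(identity, action, resource)


def denied_attempts(policy: AccessPolicy, events: Iterable[AccessEvent]) -> List[AccessEvent]:
    """Events the policy would not allow: a faulty application or malware acting
    outside its role shows up here."""
    return [e for e in events if not policy.is_allowed(e.identity, e.action, e.resource)]


def build_example_policy() -> AccessPolicy:
    policy = AccessPolicy()
    policy.define_role("reporting", [Permission("read", "db:orders:*"),
                                     Permission("read", "db:customers:*")])
    policy.define_role("order-writer", [Permission("write", "db:orders:*")])
    policy.bind("report-service", "reporting")   # an application
    policy.bind("alice", "reporting")            # a person
    policy.bind("alice", "order-writer")
    return policy


# Constructed access log: one line per request the data layer saw.
SAMPLE_LOG = [
    "2024-03-01T10:00:00Z report-service read db:orders:2024",
    "2024-03-01T10:00:01Z report-service read db:orders:2023",
    "2024-03-01T10:00:02Z report-service write db:orders:2024",
    "2024-03-01T10:00:03Z alice write db:orders:2024",
    "2024-03-01T10:00:04Z build-agent read db:customers:eu",
]


if __name__ == "__main__":
    policy = build_example_policy()
    events = [parse_log_line(line) for line in SAMPLE_LOG]
    for e in denied_attempts(policy, events):
        print("DENIED outside role:", e)
    print("unused grants of report-service:", policy.unused_grants("report-service", events))
```

Running it flags the write attempted by `report-service` and the read by the unbound `build-agent`, and reports that `report-service` never used its read grant on `db:customers:*`, which is the grant an administrator should consider taking away.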
Effective software for application access management
Effective application access management software answers the security requirements for data accessed by applications running within the IT infrastructure. One such system, designed to meet the needs of enterprises and organisations of all sizes, is Comarch Identity & Access Management (CIAM). It makes effective and efficient identity and access management possible not only for users but also for devices and applications. Thanks to its modular architecture, Comarch IAM can be adapted to the company's needs and integrated with solutions already in use, regardless of the complexity of the IT systems; the many services and protocols supported by CIAM make this possible.
Comarch Identity & Access Management reduces IT administration costs through centralised management of application rights. With the IAM architecture built around a central server responsible for authentication and authorisation, the access policy for users and applications is enforced in one place, under the administrator's control. Role-based access control (RBAC) simplifies application and user management while allowing greater flexibility. Together these factors improve the security of the IT infrastructure and the convenience and efficiency of managing application access to data and resources.