For more than two decades, IT admins have relied on Active Directory (AD) or LDAP to broker network access for users, to control user access privileges for various sensitive company assets, and to apply security policies across the organization. But with cloud-based business applications now an integral part of the enterprise IT application landscape, AD integration becomes a stumbling block for many. Make no mistake, though: AD/LDAP is still widely regarded as the central source for enforcing security policies on users and entities within an organization. AD is not being displaced to accommodate cloud applications, but there is a need for better and more transparent integration between them. This is achieved through single sign-on (SSO) via an Identity and Access Management (IAM) solution such as Kaseya AuthAnvil. However, IT applications are just one piece of the IT security puzzle.
If you’re an MSP or an IT service provider, then you’re involved in a business model that’s always looking to improve its offerings and increase its bottom line. With the global IAM (Identity and Access Management) market increasing at an explosive rate, being able to offer authentication and password management isn’t just a smart move, it’s also a safe move!
A mixed metaphor never hurt anyone, but when you mix your passwords into everything it’s not going to go well.
Password mixing (reusing passwords) is what many believe was the cause of the recent Dropbox account “breach.” Using the same passwords for everything is a huge problem. A chain is only as strong as its weakest link, and with passwords the same applies. The more websites you use a password on, the more likely it is to be leaked in a breach, and unfortunately, the reach and potential for damages from that breach also becomes greater.
It’s not a difficult concept if you consider it for long. If one password is used on five websites, then that password is five times as likely to be leaked, as there are five times as many locations where that password is being stored. At the same time, that password provides access to five times as many websites, which means that there’s potentially greater than five times the amount of information available to the person accessing it than one account would have on its own. The more information they have, the easier it becomes to gain access to other accounts. This appears to be what happened with Dropbox.
Think of it this way: if I gain access to your email, then I can reset the passwords of almost every account tied to that email. What are the chances that your email contains information about your choice of banking institution, online shopping account, or perhaps PayPal?
This wasn’t a breach of Dropbox’s systems; it was a failure of their end-users’ password management skills. When users reuse their passwords across so many websites, they sow the seeds of their own ruin.
For system administrators, the source of this problem is painfully apparent. Quite often, a system administrator will have to remember ten or more passwords just for their day-to-day tasks. Add onto that the 20 or so personal accounts that need passwords and the 30 passwords needed for various lesser-used accounts and systems, and you wind up with an obscene amount of passwords to remember. Now consider every end-user that the system administrator manages. How many passwords do you think those end-users each have?
This is why password reuse is such a problem. There are just too many passwords for anyone to handle!
That’s why you need some sort of solution to the password problem. Now, there’s no need to hire a developer to build you a password management system; you just need a password management solution. Let’s throw one more factor into the mix. If you’re reading this blog, there’s a good chance that you’re already a Kaseya customer. If so, then make sure that the solution you choose supports a Kaseya integration. That way you can accomplish even more from a single pane of glass.
Only Kaseya AuthAnvil solves that problem, allowing organizations to secure their most valuable asset – their data – by minimizing the risk of password-related security breaches. Learn more about AuthAnvil.
Author Harrison Depner
State laws have always been a tricky subject when the internet gets involved. Unless your business is large enough to hire a squadron of legal representatives, you just have to accommodate them. In this article, I’m going to outline three of these state laws which may apply to your business. Fair warning: This article should in no way be construed as legal advice. I’m not a lawyer and I don’t even play one on TV.
Law: CalOPPA (California Online Privacy Protection Act)
Who it applies to: Any commercial website or online service that collects personal information about “individual consumers residing in California who use or visit its commercial Web site or online service.”
If you decide instead to respond to “Do Not Track” messages, you will need to disclose how you respond, and while CalOPPA doesn’t specifically define how detailed your disclosure must be, it’s safe to assume that such disclosure should be accurate.
Fortunately, most websites already have privacy policies, and adding a few lines that state you don’t respond to those messages (or, if you do, what your practices around them are) isn’t too difficult a task.
Law: NRS 603A (Security of Personal Information)
Who it applies to: This law applies to “any governmental agency, institution of higher education, corporation, financial institution or retail operator or any other type of business entity or association that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates or otherwise deals with nonpublic personal information” of Nevada residents.
What the law requires: This security law sets forth a number of legal obligations for those to whom the law applies. In a nutshell, these obligations include:
- Protocols surrounding the destruction of records containing personal information. (603A.200)
- The maintenance of “reasonable security measures to protect” those records. (603A.210)
- The disclosure of breaches which affected the stored personal information of NV residents. (603A.220)
- Mandatory PCI Compliance for organizations that accept payment cards. (603A.227)
- The encryption of Nevada residents’ PI in transmission, and during the movement of storage devices. (603A.227)
What does this mean in a general sense? Well, if this law applies to you or your clients’ businesses, then you have a lot of work to do. Fortunately, these compliance requirements are fairly typical and you may not have to make any changes at all if you’re already PCI compliant. If you do business with residents of Nevada and you’re not following these practices… well, I highly recommend you start working to follow these practices immediately. Some sources point out that this law technically has a national and international reach for any group handling the personal information of Nevada residents.
Law: 201 CMR 17.00
Who it applies to: Every person or organization that owns or licenses personal information about a resident of Massachusetts and electronically stores or transmits such information.
What the law requires: Fortunately this law is written in a fairly comprehensive way, so it is quite easy to explain. For those to whom this law applies, it is required that a comprehensive information security program exist, and that said program cover all computers and networks to the extent which is technically feasible. This security program, when feasible, is required to…
Have secure user authentication protocols which provide:
- Control over user IDs and other identifiers.
- Reasonably secure assignment and selection of passwords, or use of unique identifier technologies, such as multi-factor authentication.
- Control of passwords to ensure they are kept in a location and/or format that does not compromise the security of the data they protect.
- Restriction of access to active users and active user accounts only.
- The ability to block access after multiple unsuccessful access attempts, or the limitation set for the particular system.
Secure access control measures that:
- Restrict access to records and files containing personal information to those who need such information for their job.
- Assign unique identifications and passwords, which are not the vendor-supplied default, to any person with access.
As well, the security program must include:
- Encryption of all transmitted records and files containing PI which will travel across public networks or wirelessly.
- Reasonable monitoring of systems for unauthorized use of or access to personal information.
- Encryption of all personal information stored on laptops or other portable devices.
- Reasonably up-to-date firewall protection and operating system security patches for systems containing personal information which are connected to the Internet.
- Reasonably up-to-date versions of system security software which must include malware protection with reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
- Education of employees on the proper use of the computer security system and personal information security.
As you can see, I saved the best for last. This law, just like the one from the state of Nevada, can have a national or international reach. Now, I didn’t write all of this to make you panic. I feel that these three laws serve as good motivation for any business to improve its IT security and IT policies in general. Additionally, these three laws in combination provide a great framework that any business could build its IT security upon. Security is not the job of a single person, nor is it the job of a single business; instead it is a task for everyone.
The first step to building a good home is laying down a strong foundation. Similarly, the first step to building a strong and compliant IT infrastructure is finding the right platform to build upon. Kaseya was designed and built with security as the fundamental building block to its core architecture. To learn more: Click Here.
If you’re interested in learning more about PCI compliance: Click Here.
If you’re interested in another interesting compliance requirement for Law Enforcement: Click Here.
Author Harrison Depner
Whether you are a managed service provider using a remote monitoring and management (RMM) system to monitor client infrastructures, or an IT Operations group monitoring your company’s internal infrastructure, your IT management system is an important infrastructure component that needs to be secured. It’s also a key tool that you can use as part of your security apparatus to help protect the remaining infrastructure. Without strong security capabilities, your RMM system can easily become a tool for hackers and cyber criminals instead of serving its intended purpose.
PCI DSS Compliance
This is particularly important for businesses where industry security compliance is required. For retail and financial businesses, the Payment Card Industry Data Security Standard (PCI DSS) requires that cardholder data be protected behind a firewall, yet the monitoring system, especially if it’s remote, is likely to operate through the firewall. Hackers gaining access to that system can gain immediate entry to the core of your infrastructure – or to your end devices such as POS terminals and self-service kiosks. Beyond direct access, remote management systems can obviously be used to change configurations and security settings on communications devices and firewalls, to download software (or malware) to end devices, and to patch (or to mark as patched) existing applications, any or all of which can be used to open further vulnerabilities.
To further protect against communication with “untrusted networks” (the term used for any network not under direct control), the PCI DSS standards also require the securing of infrastructure information, the maintenance of an accurate and up-to-date inventory of all components that are in scope for PCI DSS requirements, and the development and maintenance of standard configurations for those components, along with many other factors. Your RMM system is likely to be a significant help in meeting these expectations and in supporting ongoing audits. For example, policy management can be used to ensure configuration standards are maintained and that only approved applications can run on protected end devices. It can also be used to periodically ensure that mobile laptop computers have encryption technology installed and enabled to protect health records from disclosure in the event of theft.
For IT professionals in the healthcare field, securing protected health information (PHI) is a major issue. While HIPAA and its related regulations do not spell out how patient data should be protected, they go beyond technical recommendations to legally mandate that it must be protected. Both healthcare organizations (HIPAA’s “covered entities”) and their business associates (organizations supplying healthcare-related services that require access to patient data) are subject to HIPAA regulations. From an IT perspective this certainly means that the IT Operations personnel of both covered entities and any business associate organizations must take every precaution to maintain security and patient privacy when managing electronic systems that contain or process PHI.
Perhaps more interesting is the case of MSPs who provide managed services to healthcare organizations. It can be argued that, by the letter of the law, they are not considered business associates for the purposes of HIPAA on the ground that they do not require access to patient data to do their work. However, in practice, it’s unlikely that a healthcare provider would contract for their managed services without the requisite guarantees of security and data protection. Certainly it’s been a common Kaseya experience that when raising the need for strong security capabilities and processes, MSPs who service healthcare clients have immediately recognized the need.
So in either case, whether you are an internal or an external IT service provider, you should be taking all necessary steps to secure your monitoring capabilities and to use them, appropriately, to ensure the security of the systems you monitor and manage. And it’s our belief that MSPs seeking healthcare clients will find that strong security capabilities and processes are the price of entry into that market.
Beyond securing their technology, those providing IT services must also ensure that their own policies and procedures support their (internal or external) customers’ needs. The use of strong passwords, single sign-on, multi-factor authentication, cyclical password updates, regular threat assessments, defined device configurations, test-before-going-live reviews, frequent security education, etc., should be documented as requirements for all systems and personnel, and adhered to.
Kaseya is the leader in cloud-based remote monitoring and management and offers a comprehensive monitoring solution used by MSPs and SMBs worldwide. To find out more about what you can accomplish from a single pane of glass and how your monitoring solution can help protect your infrastructure click here.
To find out how best to control access to your secure assets and applications and how you can log who can access what, then click here.
If you’re looking for even more ways to improve the efficiency of your IT staff, why not take a look at a system which offers innumerable utilities from a single pane of glass.
Are you using your IT monitoring systems to enhance the security of your IT infrastructure?
Author: Ray Wright
My friend Tony loves electronics and gadgets and probably owns every type of man toy – iPads, home theatre system, Xbox, GoPro, quadcopter with Wi-Fi camera, etc. He travels a lot for work and is always connected to the internet via his phone and wireless hotspots. He is a technophile, which makes work and life convenient for everyone associated with him. Or does it?
In my opinion, Tony is a perfect embodiment of the statement, “Employees are the biggest vulnerabilities for a company’s information security.” Tony’s work email has been set up on every tablet he has owned. He never cared about removing email settings and data from the old devices when he bought a new one (who does that anyway?). His kids have access to his old mobile devices, and most of them do not have passcode locks because, for end users, ease of use often trumps security concerns. This gives Tony little to no control over who else can use those old devices for casual browsing. And he not only compromises his personal data, but his work data as well. While he is no Jennifer Lawrence (trust me, his personal photos are not in demand!), he still makes his personal information vulnerable and exposes his work email to casual browsing by others, inadvertently compromising his company’s information security. And he is not an exception. There are lots of folks like Tony. Not too long ago we had this news:
Furthermore, what happens when Tony quits his job? All that data on his mobile devices is the company data/IP walking out of the door unchecked.
The Bash Bug, also known as “Shellshock,” is in a commonly used piece of Unix system software called Bash, which has been around since 1989. It is a command shell that provides instructions to your computer. Exploiting a security hole in Bash means hackers could instruct your computer to do things you would prefer it not do! For example, the Bash Bug could be used to seize control of a vulnerable web server to collect online passwords stored in databases, download identities, or take other undesirable actions.
Exposure is rather broad, as Bash is used on a variety of Unix-based systems, including Linux and Mac OS X. Servers, routers, Android phones, Mac computers, and medical devices are some of the devices that use Unix. Even systems running power plants and municipal water systems could be affected by the bug, though security experts already recommend that these systems remain disconnected from the Internet to avoid opening them to such risks.
So what steps can you take to minimize the risk that the Bash Bug does harm to your business?
Consider the following four steps:
1. Identify all devices that can be affected, which will likely include network devices (such as routers, switches, etc.), servers, workstations, computers, appliances, etc. Anything connected to your network that is UNIX-derived, whether that be an appliance-based system or a computer running Linux, OS X, or BSD, could be exposed. To make this first step easier, you should use a strong discovery, inventory and audit management tool to help with the identification.
2. Create scripts to test whether or not those systems are vulnerable. Companies such as Red Hat are publishing advisories which detail the exact commands you’ll want to include in the script along with the expected responses. The scripts should be created in a management tool to make it easier to create, document and manage them.
3. Run the scripts to create a list of vulnerable systems. The systems you identified now need to be listed in a way that makes it easy to take action. You could simply list them in a spreadsheet in preparation for a long day of manually trying to complete repairs. Or, you could again leverage a management tool, one which can capture the results from the testing and make it easier to implement the fix.
4. Patch any affected devices. In the case of Linux this will involve using package managers like Yum (Yellowdog Updater, Modified), an open-source command-line package-management utility for Linux, or YaST (Yet another Setup Tool), a Linux operating system setup and configuration tool. When Apple releases security fixes for OS X, they can be deployed in scripted fashion with the Apple command-line tool ‘softwareupdate.’ These tools can be used in conjunction with a management automation tool that will automatically patch the affected devices and document their updated status, eliminating the need to manually fix and track every device.
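As an added example (not part of the original post and not a Kaseya agent procedure), the following POSIX shell script performs the test from step 2 and emits the per-host record that step 3 asks for. It assumes the widely published environment-variable check: a patched Bash stops after importing the function body, while a vulnerable one also executes the trailing command. Each run prints one constructed CSV line of hostname, Bash version and status, so the lines from many hosts can be concatenated into the action list.

```shell
#!/bin/sh
# Added example: local Shellshock check producing one inventory record.
# Not taken from the original post; the check itself is the standard
# published one and only echoes a marker, it changes nothing on the host.

# Installed Bash version string, or "none" when Bash is absent
# (appliances and BSD hosts often ship a different default shell).
bash_version() {
    if command -v bash >/dev/null 2>&1; then
        bash -c 'echo "$BASH_VERSION"'
    else
        echo none
    fi
}

# Import test. Prints "vulnerable", "patched" or "no-bash".
# A vulnerable Bash runs the text after the function body when the
# exported variable x is imported; a patched Bash ignores it (and may
# print a warning on stderr, which is discarded here).
shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo no-bash
        return 0
    fi
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *)                   echo patched ;;
    esac
}

# One CSV record: hostname,bash_version,status. Collect this line from each
# host (over ssh or an RMM agent) to build the list of systems to patch.
inventory_line() {
    printf '%s,%s,%s\n' "$(uname -n)" "$(bash_version)" "$(shellshock_status)"
}

inventory_line
```

On a patched host the status column reads "patched"; any line reading "vulnerable" is a step 4 candidate.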
Kaseya’s management and automation solution can help you move through these four steps with greater ease, speed, and efficiency, while minimizing the human error factor. More specific information on the Kaseya approach using Agent Procedures can be found on the Kaseya Community Forum. Managed Service Providers using the Kaseya solution, such as Upstream, can also help you resolve the issue. And once you have used the Kaseya solution to address the Bash Bug, you then have a leading management and automation solution in place to help you address the next, unfortunately inevitable, security and compliance issue (which at current course and speed might be just days away!).
When it comes to educating your users about IT security, there are a lot of wrong ways to connect the dots between concepts and practices. Simplistic training sessions can make your users feel ignorant, gullible, or even unintelligent. From my experience, the best practices tend to be those which are honest, informative, and entertaining. When you make your lessons entertaining, you improve the amount of knowledge your employees retain; it’s just that simple.
With that in mind, let’s take a look at a set of lessons which won’t fail to entertain and inform your end users. Here are five lessons about IT security we can learn from everyone’s favorite jaundiced TV family: The Simpsons.
Quote One: “Me fail English? That’s unpossible!” – Lisa on Ice (Simpsons S6E8)
Lesson in IT security: No one, and nothing, is infallible.
No matter how adept your computer security skills are, there will always be things which catch you unaware. Viruses, malware, and social engineering are continually being refined, and as such their potency is always greater than ever before. You may speak IT as your native language, but that doesn’t mean failure is unpossible.
Malware in the wild is only half of the equation, because Shadow IT also falls under this lesson. Most of the time, when you encounter an instance of Shadow IT, it’s just a user with the best of intentions. It could be a worker trying to improve their productivity, or a “tech savvy” user “improving” the security of their system. Unfortunately there is a strong correlation between Shadow IT and malware, and, while correlation doesn’t imply causation, in the world of IT security there’s usually a fire if you smell smoke. No one is infallible, and when non-IT staff are free to install apps of their own volition, the risks become compounded.
Quote Two: “You tried your best and you failed miserably. The lesson is: never try.” – Burns’ Heir (Simpsons S5E18)
Lesson in IT security: IT Security is about risk mitigation, not risk elimination.
Let me say that again, IT security is about mitigation, not elimination. This quote is a solid example of the inverse of the rule, which is what many people believe. I’ve heard numerous end-users tell me that they “don’t bother running any of those anti-virus programs”, because they “used to pay for one and they got a virus anyways.”
“Anti-virus” programs, which are more accurately named “anti-malware” programs, are not infallible. The same goes for firewalls, any form of authentication, or any other IT security related product in existence. The only absolute in IT security is the absolute possibility of risk. That doesn’t mean the products do not work; in fact, many are extremely effective at mitigating the risk of various attack angles. It’s just that there’s no such thing as a “silver-bullet product” which is capable of eliminating risk.
Quote Three: “Don’t worry, head. The computer will do our thinking now.” – The Computer Wore Menace Shoes (Simpsons S12E6)
Lesson in IT security: Having strong security practices does not mean that you can stop thinking about IT security.
A lot of professionals feel that automation can handle everything, including the security of their IT infrastructure. Unfortunately, that’s only a half-truth. Automation is a glorious tool for the IT professional. Mundane and advanced tasks can be automated so as to execute with more efficiency than ever before. Never again will driver updates be so strenuous a task. Unfortunately, maintaining security is less of a science, and more of an art form, and as such the human element is always critical.
Consider Cryptolocker, which has recently been seen distributing itself under the guise of a fax notification email. Short of sandboxing every internet browser across your entire network, there’s not a lot you can automate to stop this threat. If you pay attention to various security forums though, then you may have found people who had recently encountered that variant. With human intervention, you could then set up an email filter for any emails including the word “fax”, and inform your staff of the risk and how to avoid infection. When that level of automation is possible you can let the computer do your thinking, until that time though, you can’t simply assume your systems will be able to handle everything.
Quote Four: “They have the Internet on computers, now?” – Das Bus (Simpsons S9E14)
Lesson in IT security: Keeping your intranet internal and your DMZ demilitarized are no longer easy tasks.
Yes, Homer, they have the internet on computers now. To be more accurate, they have the internet on everything now. Back in the day, keeping users off of unsecured connections was as easy as telling them that being caught with a personal modem in the office was a termination-worthy offense; however, with the prevalence of cell phones and other portable devices, a far greater risk than the 2400 baud modem of yore lies in every employee’s pocket.
What this means is that endpoint security and security awareness training are more critical than ever before. You can’t always trust your users, but you can teach them to not trust themselves. That may sound like a candidate for “most depressing speech ever given to new employees”, but if they’re aware of the risk each of them poses to the security of your network, they may hesitate before using their smartphone to send out that confidential business information in the future.
Quote Five: “Can’t someone else do it?” – Trash of the Titans (Simpsons S9E22)
Lesson in IT security: This final rule has an easy explanation. No, someone else cannot do it. IT security is everyone’s job.
This episode is one of the most memorable Simpsons episodes, and incidentally it’s also one of the most relevant lessons you can pass on to your users. How does garbage disposal tie in to IT security? Quite easily: think of IT security as running a sanitation department.
Homer’s sanitation plan failed because of the inefficiency inherent in getting a third party to handle all of the jobs previously handled by the citizens. Why is it okay, then, to have IT security be handled by a single department or person? People take their garbage to the curb to decrease the work required of sanitation workers; it’s this collaboration that makes the process effective. It logically follows that such collaboration would equally benefit an IT department. Minimize the work you place on your IT staff: if you bring them your security concerns, such as potential malware infections, rather than leaving it to them to notice and/or figure out, then the entire process is streamlined. Work smarter and minimize the workload placed on IT’s shoulders, because, while someone else can do it, having someone else do it is extremely inefficient.
A properly implemented Single Sign-On solution can also drastically improve the efficiency of business. For more information on that subject: Click Here.
Author: Harrison Depner
Unless your network consists of a room full of users connecting to an unsecured consumer-grade router, the most vulnerable part of your network is your users. Technology is good at following rules consistently, while people are not. You can trust a computer not to install viruses on itself; it can be infected, but that’s not how it was designed to function. Technology may not always work the way it’s supposed to, but it’s not like the technology itself has any control over its actions. People, on the other hand… Well, you just can’t trust people not to make bad decisions…
Even the Romans knew it. To err is human: Errare humanum est. -Seneca
Trusting in your users to do everything right is foolhardy; however, it’s quite possible to teach them not to trust themselves! In the field of IT security you should trust no one. Think about how much risk would be mitigated if you could pass that notion on to your users.
Would your average users stop opening random links people send them to featuring “10 cute kitten videos you have to see?” Probably not, but if we change the question a little and ask, “Would your users engage in that sort of risky behavior less often?” Then the answer becomes a definitive “yes.”
When it comes to educating your users about IT security, there are a lot of wrong ways to connect the dots. Simplistic training sessions can make your users feel ignorant, gullible, or even unintelligent. From my experience, the best practices tend to be those which are honest, informative, and relevant. Try having a brownbag lunch and discussing IT security issues that have recently received media coverage. People remember large events like when Sony was hacked, so you could work that into a lesson about why it’s dangerous to recycle passwords across websites. Make your lessons relatable and you will improve the amount of knowledge your employees retain. It’s just that simple.
Maybe this doesn’t apply to your business. Perhaps you work at an MSP where the most computer illiterate employee you have is the janitor from Elbonia who has his CIS degree printed on what looks to be a cereal box. Well, even then there’s still plenty to learn.
Work can be hectic and busy. There are always new patches to install, and break-fix work to do. After a certain point, it gets really easy to just become apathetic to the process. Well, no surprises here, but not embracing life-long learning is one of the worst possible things you can do. IT security isn’t something you can just learn and be done with; it’s a constantly changing and evolving field! You can memorize your ABCs, but the closest thing to that I have seen in IT is the four cardinal rules of IT security.
Have you heard of the four cardinal rules? Probably not, because I’m sure my instructor was improvising when he taught us. That would explain why they’re pretty much the same as the four cardinal rules of gun safety. Well, here are those four rules, so read them and see if you pick up anything new!
All guns are always loaded.
Connecting things to a network is a lot like picking up a gun. It could be loaded (with malware), or be poorly manufactured, which adds the risk of it blowing up in your face. You might want to trust the ergonomic keyboards your techs brought from home, but even that can be risky.
In short: Assume nothing, and check everything.
Always point the muzzle in a safe direction.
Patches, updates, hardware installations: this applies to everything. If you’re going to change anything on your network, don’t just plow ahead and do it. Aim those changes in a safe direction (like a test server, or a non-critical system) and try things out there first. If things work well on the test server, then safely implement the changes across all systems. You wouldn’t play Russian roulette with your life on the line, so why would you do it with your network?
In short: Test everything before it goes live.
Keep your finger off the trigger until you are on target and ready to shoot.
It’s good to stay on top of the most recent updates, but there’s a fine line between updating appropriately and excessively. Just because you can update to the newest beta version of Java doesn’t mean you should, and just because there’s a newer version of an OS, that doesn’t mean you need it.
In short: Don’t change anything on the fly and don’t install anything without considering the results.
Know your target, and what lies beyond.
When changing anything, make sure you are fully aware of what it is, what it does, and what depends on it. Consider what happened with the release of Windows Vista. Many businesses upgraded because their hardware could run it; unfortunately, Vista changed the driver model, and a number of devices whose drivers had only ever been written for XP stopped working. Users were scrambling to figure out why their printers, webcams, and other gadgets no longer worked, and it caused quite a headache for the people who supported those systems.
In short: Do your research. Nothing is as modular as it seems, and updating something as innocuous as a printer driver could bring your network to its knees.
Above all else, always remember that you can never know too much. Keep on learning, keep reading those blogs, and keep reading those forums. You’ll never know if something you learned is relevant until you have to do it yourself.
Now, before you go looking for random lessons to train your coworkers on, let me throw one more factor into the mix. If you're reading this blog at blog.kaseya.com, there's a good chance you're a Kaseya customer. If you are, or you're interested in becoming one, why not take a look at Kaseya University.
Kaseya University is a state-of-the-art training platform for Kaseya users. It uses a blended learning approach to provide both structured and flexible access to technical product training. The Learning Center allows students to build a customized learning experience unique to their needs. Kaseya University is kept current with Kaseya product releases and is refreshed multiple times a year.
With that knowledge you can accomplish even more from a single pane of glass.
Author: Harrison Depner
As people gain access to more online resources, they need to remember an ever-increasing number of usernames and passwords. Unfortunately, more usernames and passwords means more time spent keeping track of them.
If you’re a business owner and you don’t have password management software, then you’re letting your employees manage their passwords on their own. Your users could be setting the stage for every IT security manager’s worst nightmare: an office full of sticky notes with user names and passwords clearly visible around their workstations or cubicles. Without some form of password management solution, your employees are suffering from ongoing frustration as they try to manage their passwords while following your IT security requirements.
If your business is already using password management software, then you should have a solution that manages which resources your employees are able to access, and which credentials they should use to do so. Unfortunately, your password system may not be doing everything it can to provide simple, and secure access for your employees.
What if there was a way for users to have strong passwords without the need to remember them, while also retaining a high degree of security?
Regardless of how you’re managing your passwords today, you can eliminate password frustration, increase your employees’ efficiency, and improve your IT security by implementing a single sign-on password management solution.
What is Single Sign-On?
Single sign-on (SSO) is a system through which users can access multiple applications, websites, and accounts by authenticating just once, typically at a central web portal. After the user has logged into the portal, he or she can access those resources without needing to enter additional usernames or passwords.
Single sign-on can work in two ways. In the simplest form, a password management system stores each user's login ID and password for each resource and submits them behind the scenes when the user navigates from the portal to a site or application. From the user's perspective the login appears automatic, but the stored passwords still exist and still have to be protected.
Higher quality SSO solutions instead use federation protocols such as SAML, WS-Federation (WS-Fed) and WS-Trust. Here the portal (the identity provider) authenticates the user once and then issues a digitally signed assertion to each internal or external application (the service provider), which checks the signature, the intended audience and the expiry time before logging the user in. In a federated setup the application never sees the user's password at all, which is what makes it possible to change or revoke a user's access in one place.
As with any password management application, security is a critical consideration for SSO systems: the portal becomes the one place where every account can be unlocked. Single sign-on is therefore usually implemented together with some form of multi-factor authentication (MFA) to ensure that only authorized users are able to log into the SSO portal.
5 Reasons MSPs Benefit from Single Sign-On
- SSO can create exceptionally strong password security. When paired with multi-factor authentication (MFA), single sign-on gives you a password management solution that can be both user friendly and extremely secure.
- SSO makes enforcing password policies easier. In addition to allowing strong, unique passwords for critical resources, an SSO system makes it easier to assign and maintain those passwords. In some cases, you can take users out of the password management process entirely: a good SSO system will let you assign passwords behind the scenes and rotate them as needed when your security needs evolve.
- Users won't need or want to save passwords in their browser. To the average end user, the ability of a browser like Chrome to remember and submit passwords is a huge bonus; however, while saved passwords offer some of the convenience of single sign-on, a browser's password store offers none of the security of a true password management solution: on most desktop platforms it can be read by any program running as that user, and it is not subject to your policies or to MFA. When you implement an SSO system, you eliminate the temptation for employees to save their passwords in their browsers, because the SSO portal does that job instead, and usually does it better. At that point you can disable browser password saving without angering your users.
- Single sign-on makes your systems easier to secure. Rather than securing dozens or even hundreds of access points, your security administrators can focus the majority of their efforts on securing just one: the SSO system. The flip side is that the SSO system becomes the single point whose compromise exposes everything behind it, so it needs MFA, monitoring and prompt patching more than any other system you run. If you pair it with multi-factor authentication, your credentials will be more secure and more manageable than a collection of independently secured websites and systems.
- Reduced IT help desk calls. Experts estimate that the average employee calls the IT help desk for password assistance about four times per year. Given that an average help desk call takes about 20 minutes, that's 80 minutes of help desk time per employee per year, or 160 minutes once you count the end user's time as well. A good SSO solution will help you put that time back on your bottom line and free your IT professionals to spend their time on more important projects.
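To make the federated model described above concrete (the signed assertion, the application that holds no passwords, and the portal as the single point that must be protected), here is an added example written for this page. It is not Kaseya's, AuthAnvil's or any vendor's code, and it is not a SAML implementation: HMAC-SHA256 with a shared key stands in for the asymmetric XML signatures real SAML and WS-Fed use. The issuer URL, application names, user, password and key are all made up. An identity provider verifies the user's password, issues a short-lived assertion bound to one application, and the application checks signature, issuer, audience, validity window, MFA flag and a replay cache before logging the user in.

```python
# Toy federated SSO (added example, not SAML): the identity provider signs a
# short-lived assertion; the application trusts the signature and never sees a
# password.  HMAC with a shared key stands in for the asymmetric XML signatures
# real SAML/WS-Fed use.  Every issuer, application, user and key here is made up.
import base64, hashlib, hmac, json, secrets, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class IdentityProvider:
    """The SSO portal: the only party that ever handles the user's password."""
    def __init__(self, issuer, signing_key):
        self.issuer, self.signing_key = issuer, signing_key
        self._verifiers = {}  # username -> (salt, PBKDF2 hash), never the password

    def enroll(self, username, password):
        salt = secrets.token_bytes(16)
        self._verifiers[username] = (salt, self._hash(password, salt))

    def authenticate(self, username, password):
        if username not in self._verifiers:
            return False
        salt, digest = self._verifiers[username]
        return hmac.compare_digest(self._hash(password, salt), digest)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def issue_assertion(self, username, audience, mfa_satisfied, now=None, ttl=300):
        """Return 'payload.signature' (base64url), bound to one application."""
        now = int(time.time() if now is None else now)
        claims = {"iss": self.issuer, "sub": username, "aud": audience,
                  "iat": now, "exp": now + ttl, "mfa": mfa_satisfied,
                  "jti": secrets.token_hex(16)}  # unique ID so replays are detectable
        payload = b64url(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self.signing_key, payload.encode(), hashlib.sha256).digest()
        return payload + "." + b64url(sig)

class ServiceProvider:
    """A relying application: trusts the IdP's signature, stores no passwords."""
    def __init__(self, audience, trusted_issuer, signing_key, require_mfa=True):
        self.audience, self.trusted_issuer = audience, trusted_issuer
        self.signing_key, self.require_mfa = signing_key, require_mfa
        self._seen_ids = set()  # assertion IDs already consumed (replay cache)

    def accept(self, assertion, now=None):
        """Validate an assertion and return its claims, or raise ValueError."""
        now = time.time() if now is None else now
        payload, _, sig = assertion.partition(".")
        expected = hmac.new(self.signing_key, payload.encode(), hashlib.sha256).digest()
        # Check the signature before trusting anything inside the payload.
        if not hmac.compare_digest(b64url_decode(sig), expected):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(payload))
        if claims.get("iss") != self.trusted_issuer:
            raise ValueError("untrusted issuer")
        if claims.get("aud") != self.audience:
            raise ValueError("assertion issued for a different application")
        if not claims["iat"] <= now < claims["exp"]:
            raise ValueError("assertion expired or not yet valid")
        if self.require_mfa and not claims.get("mfa"):
            raise ValueError("MFA required for this application")
        if claims["jti"] in self._seen_ids:
            raise ValueError("replayed assertion")
        self._seen_ids.add(claims["jti"])
        return claims

def outcome(sp, assertion, now):
    """Accept or reject one assertion, as a printable string."""
    try:
        return "accepted as " + sp.accept(assertion, now=now)["sub"]
    except ValueError as err:
        return "rejected: " + str(err)

def demo():
    """One good login, then the rejections a careful application must produce."""
    key = secrets.token_bytes(32)  # shared out of band between IdP and SP in this toy
    idp = IdentityProvider("https://sso.example.test", key)
    crm = ServiceProvider("crm.example.test", "https://sso.example.test", key)
    idp.enroll("alice", "correct horse battery staple")  # constructed test user
    t0 = 1_700_000_000  # fixed clock so every outcome is reproducible
    fresh = lambda aud, mfa: idp.issue_assertion("alice", aud, mfa, now=t0)
    token = fresh("crm.example.test", True)
    payload, _, sig = token.partition(".")
    forged = json.loads(b64url_decode(payload))
    forged["sub"] = "admin"  # attacker edits the claims but cannot re-sign them
    tampered = b64url(json.dumps(forged, sort_keys=True).encode()) + "." + sig
    return {
        "wrong_password": idp.authenticate("alice", "hunter2"),
        "login": idp.authenticate("alice", "correct horse battery staple"),
        "fresh": outcome(crm, token, t0 + 10),
        "replay": outcome(crm, token, t0 + 20),
        "tampered": outcome(crm, tampered, t0 + 30),
        "expired": outcome(crm, fresh("crm.example.test", True), t0 + 301),
        "wrong_app": outcome(crm, fresh("hr.example.test", True), t0 + 40),
        "no_mfa": outcome(crm, fresh("crm.example.test", False), t0 + 50),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:15} {result}")
```

Run it and every line except the first accepted login reports a rejection reason. The tampered case shows why the signature must be verified before anything in the payload is read; the replay and audience cases are the checks most often missing from home-grown SSO, and the MFA flag is how the application can insist on the second factor the portal is supposed to enforce.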
Now, before you go looking for a single sign-on system for your business, let me throw one more factor into the mix. If you're reading this blog at blog.kaseya.com, there's a good chance you're a Kaseya customer. If you are, or you're interested in becoming one, make sure that the solution you choose supports a Kaseya integration. Scorpion Software was acquired by Kaseya not long ago, and they offer a full Kaseya integration of their user authentication and password management suite, which includes single sign-on, multi-factor authentication, and many other features. So, if you're looking for a Kaseya-optimized suite, there's no better place to start. That way you can accomplish even more from a single pane of glass.
Author: Harrison Depner