Identity Governance Blog

A Layered Approach to Security: MFA, SSO, and IGA

By Andrew Silberman, Product Marketing Director at Omada

November 3, 2022

Security Controls – MFA and SSO

Multi-factor authentication, or MFA, is one of the best-known security controls that organizations can implement to dramatically improve their security posture. In fact, Microsoft claims that “99.9% of cyberattacks can be prevented by using multi-factor authentication.” MFA requires a user to complete multiple steps before being granted access to internal resources, applications, or data. These steps combine something you know (like a username/password combination, or your mother’s maiden name), something you are (like a fingerprint or retina scan), or something you have (like a push sent to a mobile device, or a one-time passcode, otherwise known as OTP).

Single sign-on, or SSO, is typically a complementary control to MFA that enables users to authenticate to more than one application with a single login. Typically, SSO sits behind MFA: a user enters two or more factors of authentication and is then directed to a portal that houses all trusted applications. This relationship is based on a certificate exchanged between the SSO provider and the application to ensure that the person is trusted and verified.

Some organizations think MFA and SSO alone will solve their identity security issues. After all, Microsoft says 999 out of 1,000 cyberattacks are prevented this way. The reasoning goes that if people can securely authenticate and prove that they are who they say they are, and if we assume those people are good, then what could go wrong? As with anything, cyber criminals are adapting, and are now increasingly seeking out one-time passwords as a way in. This is typically done either via brute force, where an attacker overloads the system with guesses of what the code is, or via social engineering or phishing attacks that trick an unknowing user into approving a phony request. This was more or less the genesis of the Uber hack earlier this year.


A Layered Approach to Security

No one solution, and no one (or two) security controls, can solve all problems, particularly when it concerns identity management, which is why a layered security approach is critical. While MFA and SSO help grant trust to users and applications, identity governance and administration (IGA) brings things to the table that not only help improve security and bring peace of mind, but also help with compliance and can improve the efficiency of end users and administrators alike.

Identity governance helps organizations achieve centralized visibility into who has access to what, why, for how long, who granted it, and more. IGA solutions can also certify that access is both necessary and current for each person’s daily responsibilities, provision and deprovision access throughout the identity lifecycle (joiner, mover, leaver), and compile identity analytics.

The benefits of IGA solutions

While MFA and SSO help to enforce authentication of who someone is, IGA is needed to create, manage, and certify access for each identity in the organization. IGA first supports MFA and SSO solutions through role mining: the analysis and establishment of roles that can be used as templates for assigning access to people with similar responsibilities. Without an IGA tool, this work can soak up endless resources and time. IGA helps in connecting to the different applications and infrastructure throughout the enterprise and can enable CRUD operations for authorized users, and more. IGA helps in provisioning access to different applications, and similarly, IGA can also be used to revoke that access when someone moves roles or leaves the organization. The IGA tool can signal to the identity provider that someone has moved roles, left the organization, taken on new projects, or otherwise, and the SSO provider can add those applications to the portal if that is part of the new role, group, or policy that the person is taking on.

IGA can also help organizations by enabling access workflows that give end users the ability to self-serve for things like password resets and requesting additional access. For requesting additional access in particular, people need a unified place where they can easily request access to additional resources and track the status of those requests. Being able to request and grant access to resources that are not provisioned based on someone’s role is a critical way to keep people productive, but without proper checks and balances in place, it can quickly lead to over-permissioned access, which can be a grave security danger. IGA helps to ensure that access is only granted to someone with proper justification, with a full audit trail of who granted access, when, and for what reason.
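The role-template, mover/leaver and justified-exception checks described in the two paragraphs above can be sketched as a reconciliation pass. This is an added example, not Omada's code or API; the role names, applications, users and the `reconcile` function are hypothetical, and the data is constructed.

```python
from dataclasses import dataclass

# Constructed sample data; role names, apps and users are hypothetical.
ROLE_TEMPLATES = {"finance-analyst": {"erp", "expenses"},
                  "support-agent": {"ticketing", "crm"}}

@dataclass(frozen=True)
class Identity:
    user: str
    role: str      # current role according to the HR source
    active: bool   # False once the person has left

@dataclass(frozen=True)
class Grant:
    user: str
    app: str
    justification: str = ""   # set for access requested outside the role
    approver: str = ""

def reconcile(identities, grants):
    """Return sorted (user, app, action, reason) decisions."""
    by_user = {i.user: i for i in identities}
    decisions, held = [], {}
    for g in grants:
        held.setdefault(g.user, set()).add(g.app)
        ident = by_user.get(g.user)
        if ident is None or not ident.active:
            decisions.append((g.user, g.app, "revoke", "leaver or unknown identity"))
        elif g.app in ROLE_TEMPLATES.get(ident.role, set()):
            continue  # covered by the role template, nothing to do
        elif g.justification and g.approver:
            # Out-of-role access with an audit trail: keep, but re-certify.
            decisions.append((g.user, g.app, "certify", f"exception approved by {g.approver}"))
        else:
            decisions.append((g.user, g.app, "revoke", "outside role, no audit trail"))
    for ident in (i for i in identities if i.active):
        # Access the current role requires but the person does not hold yet.
        for app in ROLE_TEMPLATES.get(ident.role, set()) - held.get(ident.user, set()):
            decisions.append((ident.user, app, "provision", f"required by role {ident.role}"))
    return sorted(decisions)

IDENTITIES = [Identity("alice", "support-agent", True),    # mover, was finance-analyst
              Identity("bob", "finance-analyst", False),   # leaver
              Identity("carol", "finance-analyst", True)]
GRANTS = [Grant("alice", "erp"), Grant("alice", "ticketing"), Grant("bob", "erp"),
          Grant("carol", "erp"), Grant("carol", "expenses"),
          Grant("carol", "crm", "Q4 billing project", "dave")]

if __name__ == "__main__":
    print(*reconcile(IDENTITIES, GRANTS), sep="\n")
```

The mover keeps nothing from the old role, the leaver loses everything, and the only out-of-role access that survives is the one with a recorded justification and approver.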

Finally, IGA tools bring a level of visibility into an organization that helps strengthen the MFA and SSO security controls. The visibility that IGA provides into key data points, like who is accessing what and how often, which IP ranges they are accessing data and applications from, group members and their respective activity within those groups, peer analysis, and more, can help organizations improve their ability to meet compliance and make intelligent decisions about who should have access to what.

Omada, a leader in modern identity governance, helps customers implement foundational elements within 12 weeks to enable customers to improve security, enhance productivity, and meet compliance.

