We Live in a Software-Defined World. Evolve at the Pace of Innovation or be Vaporized.
Nelson Cicchitto, Chairman & CEO
In the 1990s and early 2000s, identity management was simply an organic term stemming from the need to handle account requests and entitlement assignments. If companies were small enough, spreadsheets and simple e-mail exchanges were accepted as a means to control system access. Companies falling into the larger category were typically left with developing homegrown solutions that would support limited automation of identity-related tasks.
It wasn’t until highly public incidents such as Enron and Tyco that companies and government regulators saw the need for a more centralized, compliant platform. Regulations such as SOX required controls over employee access to prevent internal practices that could present risk or a conflict of interest.
Regardless of the size of their organization, IT departments at both small and large companies saw a need for centralized governance and controls. This became even more evident when dedicated IT staff was needed to maintain homegrown systems over time. This is where companies like Avatier rose to define platforms that could handle the entire user lifecycle across the phases of corporate growth in a secure manner.
In 1997, Avatier pioneered what is now known as Identity Access Management (IAM). Since that time, IAM platforms have done much more than simply reset and remove system access. Today, identity management providers have transformed into Identity Governance and Administration (IGA) platforms. These platforms need to support more than user provisioning and password management. New business cases required IGA vendors to support access certification, workforce asset management, single sign-on, leading multi-factor authentication (MFA) systems, biometrics, software licensing, and asset management in an integrated, scalable, and clutter-free environment. This also meant moving from last century’s architecture to those that are securely hosted in any cloud or on-premise with a common, secure, scalable, and portable digital transformation DevOps architecture.
The Innovator’s Identity Management Dilemma
Legacy identity management companies are struggling to bring all of their on-premise functionality to their cloud offering. In the end, the customer has to choose between full functionality on-premise or a cloud version with limited functionality. Cloud-first identity management companies put their customers at risk since these multi-tenant solutions share CPU, memory, and even disk space with all other tenants. If the cloud IAM provider is compromised, all of their customers’ data, identities, and even passwords are compromised.
Thinking Inside the “Virtual Machine” Box Exposes Your Brand to Hackers
Nelson Cicchitto, chairman and CEO of Avatier, the leading developer of innovative, secure, and scalable identity management solutions, throws light on the complexities and vulnerabilities associated with your current identity management solutions hosted on-premise in a virtual machine environment.
“Chances are that your ‘first-generation’ identity management application is designed to run on an operating system like Microsoft Windows or Unix. Your organization most likely deployed it on virtual machines (VM) to save cost and attempt to centralize administration. There may be several operating systems running on one machine, and each of those is a doorway in for a computer hijacker. Each VM has to be individually monitored, scanned for viruses, and patched. Such architecture is not only difficult to maintain and protect, but also has a broader attack surface. The higher the number of attack vectors which a hacker can use to access an environment (caused by these OS and identity application instances), the more ways your system can be compromised,” said Nelson.
“From a scalability and fault tolerance standpoint, your company may have deployed ‘load balancers,’ which drives up the overall cost, maintenance, and patching time for your identity management environment.” Nelson asks CSOs, “Do some basic cost-benefit analysis, then ask yourself: ‘At what point do you realize your identity solution is leaving your organization exposed and is costing you more than what it is worth?’”
Addressing this “elephant in the room” is what sets Avatier’s IGA model apart from the other players in the space.
Containerized Identity Management Reduces Attack Surface, Enables Continuous Delivery and Unlimited Scaling
Identity Management as a Container (IDaaC) forms the core of Avatier’s solution, dubbed “Identity Anywhere.” With a minified operating system on a host platform, a rewritten identity management framework, and all disk I/O externalized, containers bring standardization and ease of use for starting, running, and maintaining the various instances. Such an approach decreases the attack surface, drastically reduces the burden levied on the VMs, and removes the need to patch the OS frequently. Avatier also added a rotating customer encryption key and has strategically partnered with Docker—the go-to platform for running complete container ecosystems—to build its range of offerings. This not only assures that each container has its own secure resources isolated from other customer containers, but also enables Avatier to manage thousands of customers independently with private instances, memory, data, and CPU. What this means is that a customer-specific instance won’t “eat” your available resources and lead to performance degradation or downtime for other customer instances. This is an entirely different approach from how typical multi-tenant cloud applications deliver solutions today.
Companies can run and manage their containers through open source Kubernetes or Docker Swarm, both of which can balance the traffic automatically and eliminate the need for load balancers and, with them, their licensing costs. For enterprises that are not familiar with containers, or that lack the technology resources or expertise to leverage them, Avatier “carries the load” for them by offering the entire, readily deployable solution as either a cloud service or an on-premise installation.
The Digital Transformation of Identity Management
Container technology is widely regarded as the next evolution of cloud infrastructure and is part of all digital transformation strategies. Given the technology’s sleek and secure deployment model, it is rather surprising that only a few identity management or other security solution providers have adopted it. Either the idea of thinking outside the “VM” box did not occur to them, or they chose not to entertain it since it would mean realigning, rebuilding, and redefining solution deployments from the ground up. It could also be an attempt to shoehorn security into the backdrop of a rapidly evolving enterprise sphere and threat landscape, and it will only be a matter of time until they begin to follow in Avatier’s footsteps.
Moving Beyond Today’s Identity Management Offerings
Avatier’s technology stack has carved out a league of its own by going beyond what enterprises generally expect from IGA solutions. “Identity Anywhere” is an integrated suite of products that includes an industry first: a full self-service password reset and single sign-on (SSO) product with advanced MFA support.
The solution verifies the identity of a user using two-factor authentication and provides easy access to applications and assets with single sign-on using customized policies and controls on a per-application basis.
Avatier replaces traditional role-based access control (RBAC) mechanisms with an end-to-end user lifecycle provisioning solution. It is the general industry consensus that rolling out RBAC is challenging: RBAC requires a role to be created for every person in the organization, and the problem is that roles change, and so do people, tasks, and assets. To this end, Avatier has integrated user lifecycle management with a first-of-its-kind IT Store through which companies and individuals can request any form of access they need for any cloud service, such as salesforce.com and G Suite, with support for enterprise apps like Oracle, SAP, AS400, and more. Avatier’s IT Store brings a new class of convenience and ease similar to that of the app stores of prominent smartphones.
Avatier’s integrated suite also delivers robust access compliance and asset governance solutions that enable enterprises to monitor, track, and report on every user lifecycle activity. Whether an employee accesses their company’s servers or even the server room itself, Avatier’s solution can analyze the risk factors associated with that asset access. Through a “Risk Radar,” enterprises can administer and grant access, or even enforce additional authentication or verification, based on the user ID and risk levels.
What is Next? An Integrated AI Virtual Customer Assistant
Since its inception in 1997, Avatier has always brought innovations to the IAM space. They were the first to roll out the only integrated, ITIL-based access management business services catalog. Avatier patented its iconic “IT Store with Automated Workflow” before bringing out their SSO offering with a SaaS license cost-savings calculator, which helps enterprises identify unused cloud service licenses. Not to mention, 2018 is the checkpoint for Avatier’s breakthrough IDaaC innovation.
This innovation continues through the release of another industry first in April of this year, Avatier’s Apollo Virtual Assistant. Apollo allows requests and fulfillment to be handled automatically through a series of authenticated workflows. Users can simply request access to an application via a chatbot on their phone or computer using almost any messaging channel and then, if permitted, get immediate access. Apollo is the first commercial chatbot technology that securely validates user identity through biometrics, MFA, or a one-time passcode over SMS/e-mail, as well as leading MFA providers like Duo, RSA, Ping, Symantec VIP, Google Authenticator, Okta, and even FIDO2. Apollo can also handle requests for account creation and removal, password resets, and even schedule an employee for a leave of absence.
Delivering Measurable Business Value
Today, some of the largest, most recognized brands are clients of Avatier. After successfully trialing “Identity Anywhere” and comparing its value proposition with offerings from two other vendors from Gartner’s Magic Quadrant, DriveTime, a premier used-car retailer and finance company—with over 140 dealerships across 26 states—chose to partner with Avatier. As Cicchitto recalls, they were able to save more than $750,000 annually on their IT audits and achieved the utmost transparency and visibility in knowing “who had access to what.” “Identity Anywhere” was seamlessly integrated with their complex environment, which included AS400, Active Directory, and in-house custom applications.
"AI Virtual Customer Assistant with Analytics will change how we interact with Identity Management forever"
The company’s track record and client success stories are indicative of how they strive to realize their mission statement. Having gauged the IAM market trends and challenges inside out, Avatier has a clear vision—with Cicchitto at its helm—on how to steer forward, and ride and lead the waves of innovative change.
Avatier's new mobile experience is designed for the modern workforce, giving employees, customers, contractors and vendors a single mobile app that enables self-service business agility for time-sensitive security requests. Now anyone in the company can be alerted on their mobile device to approve business requests to access data and assets. Change management for the entire business can run through Avatier's new mobile workflow experience, reducing overhead for IGA, streamlining provisioning and ensuring security compliance.
The new mobile platform is secure and frictionless because Avatier's password-less authentication automatically integrates with third-party multifactor authentication (MFA) solutions already deployed in most enterprises. Avatier has MFA support for Duo Security, Google Authenticator, Okta Verify, Ping Identity, RADIUS, RSA SecurID, Symantec VIP and any FIDO2-compliant solution. Additionally, Avatier provides one-time passcode (OTP) support for SMS and email as well as biometric MFA solutions.
"IT staffs spend an inordinate amount of time managing user access requests and conducting access audits," said Nelson Cicchitto, founder and CEO of Avatier. "Research from HDI shows that 30 percent of help desk calls are for access requests at an average cost of 17 dollars per call. Avatier's user experience changes the game with push notifications and a touch interface that can save companies millions of dollars by streamlining security controls and authorization while enabling their entire workforce to approve access immediately when needed. With Avatier's mobile application support, CSOs, IT personnel, security and compliance teams save time and resources by simplifying identity management and truly enabling enterprise-wide self-service."
Avatier's mobile platform includes a complete set of self-service identity management solutions, including:
• Universal workflow: For the first time, the workflow interface used for all business requests and change control is now also the same interface used to conduct certification campaigns and verify access. Push notifications call attention to urgent business requests that need to be approved or denied. All role, access, asset, change control and user management is controlled through Avatier's Universal Workflow Platform™. Access governance is part of workflow support, streamlining verification of granular access/assets, roles, direct reports, self-certification and native system security controls, including empowering attestors to allow, deny, allow exceptions, reassign the attestor, or even return the item to the certification campaign owner.
• Self-service group management: Enable self-service group membership requests with push notification for workflow approvals, including group creation, deletion, renaming and modifying group ownership.
• User management: User access can be granted, disabled, or deleted either in real-time or as a scheduled task. As part of user management, Avatier Mobile makes it easy to manage data assets and software licenses to reallocate seats as needed.
• Single sign-on: Onboard mobile and remote workers faster with Just-in-Time (JIT) cloud app user provisioning and de-provisioning, providing secure remote access to assets by simply adding users to your Active Directory groups. Avatier SSO supports leading industry standards like SAML, OAuth, OpenID and SCIM for JIT provisioning.
• Self-service password management: Eliminate help desk calls by giving users secure control over password reset and synchronization using leading MFA providers to verify identity. Avatier's Password Policy Manager enforces enterprise password policy to maintain strong passwords across all systems.