Extending Enterprise Identity and Security Tools to the Cloud

Cloud-based computing, also known as hosted services and Software-as-a-Service, may reduce IT infrastructure expense but it can't shake off the need for enterprises to know which humans are doing what in the cloud.

Accomplishing that can draw on more traditional tools: strong authentication methods, which physical security professionals can champion, to ensure the human presence matches the digital persona, and IT-based identity management tools to define what that digital persona may do.

At the SecureWorld Expo in Houston February 11, we chatted with Mike Donaldson, vice president of marketing for Ping Identity, and Darren Platt, CTO and founder of Symplified, to understand more about where convergence and the cloud can or should come together. (See also our video conversation with Mike.)

Leveraging Existing Investments

Today's enterprise employees are demanding SaaS applications and their use is "exploding," said Donaldson. Companies are approaching Ping to manage employee identities across these applications, in which users may otherwise create their own accounts and passwords that aren't necessarily secure, he said. While the cloud problem may be new, the enterprises Ping works with generally have significant identity and access management systems in place. Ping's federated identity solution draws on these tools to distribute already-validated identity data to a supplier or other trusted business partner using the Security Assertion Markup Language, or SAML. "We leverage the security the enterprise already has," said Donaldson.

Ping's integration with existing enterprise authentication tools makes hosted applications look much like enterprise-based applications to a user. For example, when a user who has already logged into the enterprise network wants to access a hosted application, he simply clicks on a link. Ping extends the enterprise network's validation of the user's identity to the cloud and/or trading partners via SAML (in SAML terms, an identity-provider-initiated flow), yet keeps the process invisible to the user. "There's a lot of technology under the cover to make it easy for the user," said Donaldson.

An alternative approach (the service-provider-initiated flow) would be for a user to attempt to log in to a cloud application, whereupon she'd be redirected to authenticate to the enterprise server before being granted access. In this way, Donaldson explained, the user's enterprise ID is reused, and the service provider doesn't need to duplicate and maintain a separate credential, eliminating a potential security issue.
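The redirect flow just described, worked through end to end as an added example (this is illustrative code written for this page, not Ping Identity's or Symplified's product code). The service provider has no local credential for the user: it redirects to the enterprise identity provider with a request, the identity provider checks the enterprise credential once and returns a signed, short-lived assertion bound to that request and to that service provider, and the service provider validates the assertion before minting its own session. The assertion also carries a directory attribute (the user's business role) that the service provider uses for its access policy, so entitlements are administered in the enterprise directory rather than in the SaaS application. SAML signs XML with an X.509 key; here an HMAC over a JSON assertion stands in for that signature, and the key, entity IDs, directory and passwords are all constructed for the example.

```python
"""Simplified SP-initiated federated SSO, modelled on the redirect flow
described above. Added example, not Ping Identity or Symplified code.
The "signature" is an HMAC over a JSON assertion, a stand-in for SAML's
XML signature; keys, entity IDs and the directory are constructed."""
import hashlib
import hmac
import json
import secrets
import time

IDP_KEY = b"constructed-idp-signing-key"          # real SAML: X.509 keypair
IDP_ISSUER = "https://idp.example-corp.internal"   # constructed entity IDs
SP_ENTITY_ID = "https://crm.example-saas.invalid"

# Constructed enterprise directory, the one authoritative user store.
# Plaintext passwords are for the example only; a real directory stores hashes.
DIRECTORY = {
    "alice": {"password": "correct horse", "role": "sales"},
    "bob": {"password": "hunter2", "role": "finance"},
}
# SP policy keyed on a directory attribute, so entitlements live in one place.
SP_POLICY = {"sales": {"read", "write"}, "finance": {"read"}}


def sign(assertion):
    """Canonicalise the assertion and MAC it with the IdP key."""
    msg = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(IDP_KEY, msg, hashlib.sha256).hexdigest()


class IdentityProvider:
    def authenticate(self, authn_request, username, password, now=None):
        """Step 2: verify the enterprise credential once, issue a short-lived assertion."""
        user = DIRECTORY.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            return None
        now = time.time() if now is None else now
        assertion = {
            "issuer": IDP_ISSUER,
            "audience": authn_request["issuer"],      # bound to the requesting SP
            "in_response_to": authn_request["id"],    # bound to this request
            "subject": username,
            "not_before": now - 60,
            "not_on_or_after": now + 300,
            "attributes": {"role": user["role"]},
        }
        return assertion, sign(assertion)


class ServiceProvider:
    def __init__(self):
        self.pending = set()   # outstanding AuthnRequest IDs
        self.sessions = {}     # local session id -> attributes from the assertion

    def start_login(self):
        """Step 1: no local session, so redirect to the IdP with an AuthnRequest."""
        req_id = "_" + secrets.token_hex(8)
        self.pending.add(req_id)
        return {"id": req_id, "issuer": SP_ENTITY_ID, "destination": IDP_ISSUER}

    def consume_assertion(self, assertion, signature, now=None):
        """Step 3: the checks a relying party must do before minting a session."""
        now = time.time() if now is None else now
        if not hmac.compare_digest(sign(assertion), signature):
            raise PermissionError("signature does not verify")
        if assertion["issuer"] != IDP_ISSUER:
            raise PermissionError("untrusted issuer")
        if assertion["audience"] != SP_ENTITY_ID:
            raise PermissionError("assertion issued for another SP")
        if assertion["in_response_to"] not in self.pending:
            raise PermissionError("unsolicited or replayed response")
        if not assertion["not_before"] <= now < assertion["not_on_or_after"]:
            raise PermissionError("outside validity window")
        self.pending.discard(assertion["in_response_to"])   # one-time use
        sid = secrets.token_hex(16)
        self.sessions[sid] = assertion["attributes"]
        return sid

    def authorize(self, sid, action):
        """Enforce the SP policy against the role carried in the assertion."""
        attrs = self.sessions.get(sid)
        return attrs is not None and action in SP_POLICY.get(attrs["role"], set())


def sp_initiated_login(sp, idp, username, password, now=None):
    """Run the whole exchange; returns a session id, or None if the IdP refused."""
    request = sp.start_login()
    result = idp.authenticate(request, username, password, now)
    if result is None:
        return None
    assertion, signature = result
    return sp.consume_assertion(assertion, signature, now)


if __name__ == "__main__":
    sp, idp = ServiceProvider(), IdentityProvider()
    sid = sp_initiated_login(sp, idp, "alice", "correct horse")
    print("alice may write:", sp.authorize(sid, "write"))   # True
    print("bob refused:", sp_initiated_login(sp, idp, "bob", "wrong") is None)
```

The point of the example is the list of checks in `consume_assertion`: signature, issuer, audience, request binding and validity window. Each one closes a specific hole (forged or altered assertions, assertions minted for a different SaaS provider, replay of a captured response, and use of a stale assertion), and a service provider that skips any of them has effectively delegated authentication without delegating trust in the identity provider's assertion.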

Ping generally sells to large and technically sophisticated companies, such as Fortune 100 firms exchanging data with trading partners and identity/federation service providers like Exostar. However, Donaldson noted that Ping can integrate with Active Directory, making that the basis for a cloud identity solution if an enterprise doesn't have comprehensive identity management tools.

Identity from the Cloud or in a Box

By contrast, Symplified targets medium-sized and smaller entities that often don't have an extensive identity infrastructure or the ability to manage SAML themselves, said Platt. Yet these are the very companies adopting cloud-based applications most extensively, and they can end up with proliferating user accounts and identities under little oversight.

Like Ping, Symplified will work with an enterprise's existing identity management system to extend user access roles and security policies to the cloud. Symplified, though, also styles itself as a provider of traditional identity management services delivered from the cloud, such as access control, authentication, user management, compliance and auditing. These tools, which can also be used for authentication to internal network-based applications, are available as well in the form of an on-premise appliance Symplified calls its Identity Router.

Platt explained that the Identity Router draws user access policies from Active Directory or an LDAP (Lightweight Directory Access Protocol) directory. It can then authenticate users either to internal or intranet applications or out to the ecosystem of Software-as-a-Service destinations to which Symplified has connections, from Google to ADP to SalesForce.com.

The access process is transparent to users, who simply log on to the enterprise network once and then have seamless access to internal and cloud-based applications. In turn, the ease and breadth of such access has companies looking at stronger authentication methods, Platt said.

Getting Strong with the Cloud

"A lot of people think single sign on (SSO) necessitates [strong authentication] because they've concentrated their risk behind that one credential," said Platt.

He noted that concentrating access to many applications behind one credential does have its benefits: better security policies governing more applications and the elimination of lists of passwords, to name two. Further, requiring two or more factors of authentication at that one point mitigates much of the risk of SSO. Still, Platt said whether and when to use stronger authentication is a risk management decision. "You have to apply the right security controls to the situation," he said.

"The place where the user comes in the door to the application is critical," Ping Identity's Donaldson said, noting the process has to be easy, yet secure, and can build on what the enterprise has already invested in. "Do one strong authentication to the [enterprise] directory, then leverage that," Donaldson said.

That makes it important to have an authoritative source for identity data that can serve physical access control solutions as well as access to internal and cloud applications, so that enterprises get more utility out of their investments in stronger credentials and authentication methods.

"The user store is where convergence has to happen," said Platt, who pointed out how user administration grew ever more complex as enterprises created user silos around their individual web applications. For secure cloud identity management, he emphasized that enterprises should keep the number of points of administration for user data as small as possible, structure access policies on attributes of a person, such as their business role, and then ensure these policies are enforced out to the cloud.

Given the well-understood weakness of passwords to protect enterprise assets, Donaldson expects to see increasing use of multiple factors of authentication and stronger credentials. "I think you will see the two worlds come together more than in the past," he said.

* * *
Our editorial note: As stronger credentials are increasingly used to extend secure identities to cloud-based (and other) enterprise applications, physical, network and IT security professionals should partner on how best to get the most value from these investments. While it might not matter where an application resides, it might be very important to know the location of the user opening it. Credentials that span logical and physical assets, with a user's physical and logical identities linked to those credentials, provide such data as well as greater security, and are natural convergence points.
 
###