Identity Management Services and the Cloud
I was recently interviewed for an upcoming article, and thought the questions and answers would make for a good blog post.
Interview on Identity Management Services in the Cloud
What is the current state of Identity Management Services, in particular relative to the Cloud?
"Identity Management services have been rapidly maturing over the past few years. At the same time, adoption of cloud services has changed the way that organizations are thinking about and managing Identity. Organizations are shifting their approach from trying to fully synchronize user identities to internal authentication systems via proprietary solutions and connectors to a standards-based approach leveraging protocols like SAML2 and WS-Federation, where Identity Providers provision user accounts on demand to cloud applications and services. A pertinent example is Microsoft's recently announced support for federated access to its Office 365 cloud offering from a subscribing organization's Identity Provider.
Also, customers, partners and suppliers are demanding increased and easier access to applications and data, prompting organizations to adapt their applications and access management systems to allow federated authentication, using standards-based protocols, from their partners' or suppliers' Identity Providers. The US Government has also been driving the requirement that citizens be able to authenticate at low assurance levels to Federal applications via OpenID providers like Yahoo and Google.
The first cloud-based Identity Management services have also recently emerged. These services include credential and authentication providers like IdOnDemand, Gemalto and Verizon Business and allow organizations to issue FIPS 201-compliant ID cards that allow smartcard authentication to their physical and logical access control systems. These services provide low-cost access to advanced Identity technologies that were previously unavailable to small organizations that could not afford the large infrastructure investment to issue their own credentials."
What vulnerabilities have been exposed by recent events, hacks, etc.?
"The Advanced Persistent Threat (APT) is a concern for organizations that are considering moving to the cloud. The Advanced Persistent Threat emanates from state-sponsored cyber-attacks as well as hacktivist organizations. Recent events include the alleged hacking of Gmail accounts by China, attacks on Sony's PlayStation Network and the RSA breach. The security community believes that Cloud services will continue to be targeted due to the large and varied number of tenants. Although attacks may be directed at a specific organization utilizing the cloud service, the multi-tenant nature of Cloud Computing can spread those risks of data disclosure and loss of availability to unintended targets as well."
Is a "secure borders" approach adequate?
"The secure borders approach is still necessary, but by no means adequate in and of itself. Arguably, the most significant threat today is the client-side exploit, which can largely bypass perimeter defenses. Only a defense in depth approach, which includes perimeter defenses, is adequate for today's threat landscape."
What happens when security information itself is accessed by unauthorized users? Or, more to the point, is there a need for more of a defense in depth approach or some other way to handle identity management?
"A proactive approach to Identity Management is one of many strategies needed to defend today's network and application infrastructure. Proper management of Identity can provide insight into transactions on the network and improve the ability to understand what is happening on the network and in the cloud for a full Situational Awareness view of the network."
Advice for those wrestling with how to implement or maintain an identity management service...
- Simplify first and focus on processes. Many organizations try to automate inefficient, suboptimal and/or insecure manual processes or provision across too many systems and repositories. This introduces complexity and robs a project of its ROI and security benefits.
- Focus on fundamental blocking and tackling of your Identity Infrastructure first. Ensure that you have a strong Identity provisioning architecture prior to starting on role management and federation projects.
- If your requirements support it, consider using niche offerings in the Identity Management space. Niche software providers are improving their offerings and are often lower cost and easier to implement than their large suite counterparts (CA, IBM, Oracle, etc.).