1. Kuppinger Cole Webinar
Bridging the Cloud Sign-On Gap
Sebastian Rohr, Kuppinger Cole
sr@kuppingercole.com
Matt Berzinski, Oracle
matthew.berzinski@oracle.com
February 9th, 2012
This Webinar is supported by
One of the benefits of cloud applications is that they provide access for employees from anywhere. Here we see that employees can access applications just as easily from the office, which is behind the firewall, as they can from their home, a hotel or even a coffee shop outside the firewall. This allows employees to remain productive wherever they are.
However, as access to the applications increases, so does the risk of attack. Just like the employee, any would-be attacker has network reachability to the application as well. To compound this problem, most cloud applications use a standard naming convention for all their customers. Whether this is an e-mail address or first initial plus last name, it isn't hard for someone to determine the logon ID and then begin guessing the password. So now your critical data is exposed to anyone with internet access.
The natural knee-jerk reaction to this problem is to increase security, whether through stricter password policies (i.e. stronger / longer passwords that change more frequently) or by implementing a strong authentication solution provided by the cloud application. However, this results in a decrease in productivity as users lose the strong authentication device, or forget their passwords, which leads to account lockouts and prevents access to data.
There are events that require termination of a user's access to applications. Most of the time this is the result of employment termination. For internally hosted applications this is easy: simply remove the employee's network access and building badge and they can no longer reach the information in the applications. With hosted applications, however, this becomes a problem, since they are available from anywhere. What is to stop a former employee from accessing a valuable company asset and pulling down all the data? With ESSO Logon Manager controlling the user's password, the existing process of terminating the network ID still works: without access to ESSO, the user can no longer gain access to the data in the cloud.
When a user is moved from one role or organization to another, instead of having to adjust the ID on the cloud application, a simple request to ESSO Provisioning Gateway to remove the credentials from ESSO removes the user's ability to access the data. Both of these processes are handled internally, are easier to incorporate into current practices, and ensure termination of access, rather than hoping someone went to the external site to modify the logon credential.
ESSO Anywhere is the only enterprise single sign-on solution that can address this use case. ESSO Anywhere allows users, once authenticated to their corporate directory, to access the single sign-on solution. This lets users retrieve their secured credentials from any location they choose. Once authenticated, the LM Agent is downloaded and configured on the user's machine. This can be done on any machine, as administrative rights are not needed. After the agent has been configured, the user's credentials are downloaded and available. As the user launches their cloud applications, the LM Agent injects credentials just as if it were on the corporate network. All login events are audited and the audit events are retained to support your compliance stance. Once the user is done using SSO and disconnects from the corporate directory, the LM Agent can be configured to remove itself and the credentials from the local machine.
- Pre-integration of OAAM, OAM and OIM for self-service password management and secure login flows
- Easily add needed security to vulnerable flows such as password reset
- Benefits over OIM+OAM alone:
  - KBA (Knowledge Based Authentication)
    - Large OOTB question library
    - Question management – edit, create, delete
    - Localization – 26 languages
  - Controls to balance usability with security
    - Registration logic
    - Validations
    - Question set
    - Tune categories to user population
    - Balance complexity
    - Answer logic
  - Increase usability – fewer service calls
The slide shows identity management requirements at different levels of sophistication. At the foundation, we have to know who's who across all of our applications. Providing secure authentication is next; typically this is user name and password or strong authentication. Slightly more sophisticated is administration, because it has to be flexible enough to handle all of the nuances of moves, adds and changes. Providing compliance reporting is next on the ladder, because it requires intelligence about SOD. At the highest level is understanding risk: understanding patterns of behavior so we can step up authentication and authorization, and understanding what access may be risky during a certification review.
Finally, it has to scale to address the opportunity. At the identity level, this means massive scale in the number of users, because we not only have to manage our enterprise users, we have to manage our subscribers and customers. NOTE: China Mobile has over 600 million subscribers. Vodafone in the UK has about 341 million subscribers. If we want to take advantage of opportunities in China we have to more than double our scale. So imagine if you are AT&T with 100 million subscribers and you have to merge with T-Mobile at 34 million subscribers and integrate.
At the authentication level, the scale is also increasing because of mobile use and social networking. With social networking I am referring to services that allow users to authenticate to get access to applications or data resources via their social networking login. Interesting stat: if Facebook were a country it would be the 3rd largest, with double the population of the US. At the mobile level, many customers are building internal application stores to provide applications to their employees. They have to be able to provide single sign-on across applications.
The administration has to scale to the cloud. To take advantage of the cloud, organizations have to bridge the gap between security in the enterprise and security in the cloud. This means delegated administration and managing moves, adds and changes directly in the cloud. The audit has to scale. Many customers have done their initial projects on certification review, but now need to scale the process to more applications; the volume of entitlements is only increasing. Identity management has to evolve to provide
Recently Aberdeen Research published a brief comparing the benefits of a platform approach to a point solution approach. Many organizations use an IAM suite to meet their identity and access management requirements; that is referred to as the platform approach. In contrast, other organizations use a collection of best-of-breed solutions from multiple vendors; that is referred to as the point solution approach. In compiling their research report, Aberdeen interviewed more than 100 customers, and their findings were very interesting. They found that a platform-based approach to IAM resulted in a cost saving of 48% over a comparable point solution approach. So in effect, using an IAM platform can help organizations that currently use a collection of point solutions recover their investment with a positive ROI. This paper is available on o.com/identity for download.