Your SlideShare is downloading. ×
0
Identity Management in the Cloud
Identity Management in the Cloud
Identity Management in the Cloud
Identity Management in the Cloud
Identity Management in the Cloud
Identity Management in the Cloud
Identity Management in the Cloud
Identity Management in the Cloud
Identity Management in the Cloud
Identity Management in the Cloud
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Identity Management in the Cloud

540

Published on

Company names mentioned herein are the property of, and may be trademarks of, their respective owners and are for educational purposes only.

Company names mentioned herein are the property of, and may be trademarks of, their respective owners and are for educational purposes only.

Published in: Education
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
540
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
12
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Next >> R Previous Next darkreading.com Previous Next Previous Next NOVEMBER 2013 IDENTITY Management In The CLOUD Managing and securing user identities in the cloud is getting complicated. Here’s how to keep it under control. >> By Ericka Chickowski PLUS Security’s big headache: The evolving user >> Previous Download Subscribe Next
  • 2. Register Previous Next DARK DOMINION Previous Next Previous Next Previous Next Download Subscribe Safe In The Cloud Our Cloud Security Tech Center is your portal to all the news, product information, technical data and other information related to the topic of cloud security. Click Here darkreading.com Security’s Pain In The Neck: Evolving Users Security would be so much easier if users were like lamps. You turn them on, they do what they’re supposed to. You turn them off, they’re no longer something to worry about. You know where a lamp is all the time. You can monitor it to find out its status. Unfortunately, users are not lamps. If you look at the history of security breaches, almost all of them started with an end user mistake: a misplaced laptop, a user falling for a phishing attack, a curious employee downloading the wrong software. And yet even tech-savvy companies like Sony and RSA can’t completely stop breaches. One of the chief reasons is that users aren’t static. They change their locations and are now doing work from homes and coffee shops. But mobility is only one way users change. They change their job responsibilities, their projects and the tools they use. They get promoted. They quit. They get fired. This “evolution” of users has been a problem for businesses since the early days of comput- ing. Most IT organizations want to provision users with everything they need and then be finished. Changes create more work, sometimes forcing IT to reprovision a user who’s already been provisioned. It’s annoying. But failing to monitor a user’s changing responsibilities and access requirements can lead to nightmares. Matthew Keys, who is accused of helping hackers deface the Los Angeles Times website earlier this year, is a former Tribune Co. employee who had a user name and password that still worked two months after he was fired. In 2009, a fired IT employee used his still-active credentials to plant a logic bomb at Fannie Mae. These are just a couple of instances in which an employee’s change in status wasn’t updated quickly enough by IT, and disaster ensued. The problem, in a nutshell, is that there is still not much connection between a user’s identity — as defined under Active Directory or in the corporate system registry — and the user’s real identity, as defined by what he or she does for the organization. Employees TIM WILSON @darkreadingtim get transferred, and nobody tells IT. A user is terminated, but IT never disables his access. A new employee is given too much privilege and taps into the wrong data. As companies begin to tie into cloud services and other outsourced infrastructure, this problem becomes even more acute. In today’s Dark Reading digital issue, we examine the challenges of user provisioning and identity management in the cloud, which adds a new level of complexity to the access management picture. The cover story points out the need for more efficient methods for provisioning new users and changing access privileges as users’ jobs change. Security would be easier if users were like lamps. But they’re pretty complex — they change and evolve, and they get into places they shouldn’t. Enterprises would do well to build access management strategies that recognize these realities — and adapt to them. Tim Wilson is editor of DarkReading.com. Write to him at timothy.wilson@ubm.com. November 2013 2
  • 3. EXTEND ENTERPRISE SECURITY TO CLOUD APPLICATIONS 56% 76% 81% 20% 147M of organizations use 6 or more SaaS applications1 of network intrusions exploit weak or stolen credentials2 of employees use SaaS applications without IT approval3 of all Americans have 20 password-hungry online accounts4 cumulative malware samples captured5 “Among the nine threats identified in the Cloud Security Alliance’s ‘Top Threats to Cloud Computing’ research, account hijacking is one of the most serious on the list, and abuse of credentials is not far behind.” —SANS Institute 6 Control WHO has access to cloud applications Control WHAT they can do with that access McAfee Cloud Single Sign On McAfee One Time Password McAfee Web Gateway McAfee Data Loss Prevention McAfee Global Threat Intelligence ® Single sign-on for hundreds of popular cloud applications. Multifactor authentication to reliably verify users’ identities and prevent account breaches. Thwart malware infection with zero-day detection. Block malicious URLs with site reputation and threat intelligence. Easy user account provisioning and de-provisioning. Prevent confidential data from leaking with DLP policy control. Cloud activity monitoring and logging. Encrypt files stored in the cloud. Blacklist and whitelist cloud applications. Cloud Computing Demands Enterprise-class Password Management and Security, Enterprise Strategy Group, April 2013. 2013 Data Breach Investigations Report, Verizon, 2013. 3 Six Things You Need to Know about Shadow IT to Minimize Risks to your Company, Frost & Sullivan report, October 2013. AP Twitter Hack Shows It’s Time for the Post-Password Era, CNBC. McAfee Threats Report, Second Quarter 2013, McAfee Labs. 6 Simplifying Cloud Access Without Sacrificing Corporate Control, SANS Institute Analyst Program. 1 FIND OUT HOW McAFEE CAN HELP: www.mcafee.com/identity www.mcafee.com/webprotection 4 2 McAfee helps you leverage cloud applications without compromising security. 5 © 2013 McAfee, Inc.
  • 4. Register Previous COVER STORY Next Previous Next Previous Next Previous A Next Download Subscribe Identity Management In The Cloud Managing and securing user identities in the cloud is getting complicated. Here’s how to keep it under control. By Ericka Chickowski @ErickaChick darkreading.com s companies add more cloud services to their IT environments, the process of managing identities is getting more complex. When companies use cloud services — services they don’t control themselves — they still must develop sound policies around rolebased access. They still must grant rights to users who need information to get work done. And they must be able to automatically take away those privileges when people leave a company or change roles. On top of it all, companies using cloud services are also bound by any compliance rules that govern their identity and access management (IAM) initiatives. With the collection of cloud services now holding sensitive data, organizations have to contend with a smorgasbord of new login November 2013 4
  • 5. Register Previous Next IDENTITY MANAGEMENT COVER STORY Previous Next Previous Next Previous Next Download Subscribe Who Goes There? Our Identity and Access Management Tech Center offers news and analysis on the latest developments in managing user identity in the enterprise. Click Here darkreading.com systems and proprietary connector APIs that often don’t work well with internal IAM systems. “I bet that not many IT professionals thought they would look nostalgically at large, complex, on-premises deployments, but now many do,” says Julian Lovelock, VP of product marketing for identity assurance at smart card manufacturer HID Global. Managing cloud IAM means “using a complex set of one-off procedures,” says Nishant Kaushik, chief architect for cloud IAM provider Identropy. This approach may lead to “chaos and an inability to audit any of the systems.” But sound identity management and governance is core to nearly all IT security functions. That’s why security experts are advocating that companies improve how they manage identities in environments that mix cloud services and enterprise networks. “In this new world, you have to stitch the identities together,” says Todd McKinnon, CEO of cloud IAM provider Okta. Building Policies Ask any enterprise IT administrator if his or her organization has a process for managing new software deployments, and the answer is invariably yes. You’ll also likely get all hands raised if you ask about password management and user account management controls, says Greg Brown, VP and CTO of cloud and data center solutions for McAfee. But there aren’t nearly as many raised hands when you ask how many have a procedure for someone to buy infrastructure-as-a-service, or November 2013 5
  • 6. Register Previous Next IDENTITY MANAGEMENT COVER STORY Previous Next Previous Next Previous Download Subscribe darkreading.com Next for on-boarding users in a new software-as-aservice (SaaS) application, he says. Two of the most fundamental policies of IT are which software can be used and how the credentials to use them should be administered, says Brown. These policies govern which applications, devices and people have access to which pools of sensitive information. Companies have these policies largely in place for on-premises systems, but they often do not know which users are leveraging SaaS — and whether they’re compliant with corporate and regulatory policies. The need for security and compliance is driving some companies to find better ways to bridge enterprise IAM and cloud provider applications, often by provisioning user identity through cloud-capable, federated single sign-on (SSO). “In a bridge, the enterprise maintains control of its own identities and its own authentication,” says Allan Foster, VP of technology and standards for ForgeRock, an open platform provider of IAM systems. “And since the service transaction is initiated by the enterprise, it can maintain auditing as to who accessed the service and when, although not about what was done.” Many companies are achieving this bridge through Active Directory (AD) and Light- weight Directory Access Protocol connections, setting policies that can be enforced through group membership based on the users. Enterprises have been pressuring cloud providers to embrace standards including SAML, OAuth and OpenID for easier exchange of authentication information between the cloud provider and the enterprise. An employee using a federated single signon system is given one set of credentials to access multiple cloud accounts. This user is only authorized to use those cloud accounts permitted by the group he or she belongs to. For example, if a user is in the sales group in Active Directory, he or she would be given secure access to Salesforce.com as well as the enterprise’s in-house sales applications. This approach aids the rapid rollout of new cloud services to large groups of users. Even more importantly, using AD to aggregate identities in cloud environments speeds up the deprovisioning of cloud applications to employees when they leave the company or change roles. “Enforcing the use of federated SSO — and not using passwords with cloud apps — means that users can only log in to cloud apps if they have an account in AD,” says Patrick Harding, CTO of cloud IAM company Ping Identity. “Terminated users are usually imme- Top 10 Cloud Concerns When thinking about risks related to cloud services, what are your top concerns? 2013 2012 Security defects in the technology itself 52% 45% Unauthorized access to or leak of our proprietary information 50% 55% Unauthorized access to or leak of our customers’ information 48% 54% Application or system performance 26% 27% Unpredictable costs 11% Vendor lock-in 18% 18% 15% Difficulty with or inability for data recovery if the cloud provider fails 15% 17% Business continuity or DR readiness of provider 14% 14% Difficulty with or inability for data recovery if we cancel the service 14% 14% Lack of data segregation among the provider’s customers 8% 11% Data: InformationWeek Cloud Security and Risk Survey of 235 business technology professionals in June 2013 and 268 in June 2012 using, planning to use or considering public cloud services November 2013 6
  • 7. Register Previous Next IDENTITY MANAGEMENT COVER STORY Previous Next Previous Next Previous Download Subscribe darkreading.com Next diately disabled in AD by IT and will Are You Using Single Sign-On With Your Cloud Apps? tion and with cloud data, many companies not be able to access any cloud apps.” resort to manually customized controls This type of single sign-on provides involving “complicated road mapping” that more control over the cloud sign-in can’t easily be audited, Kaushik says. Yes process, but it’s only at the first stage of Much of the blame lies with the cloud 48% maturity for efficiently getting people software providers, which haven’t given onto the system. This initial operational companies much access to the internal focus mirrors the maturation that hapsoftware controls that providers use to 48% 4% 4 pened with on-premises IAM years manage user rights within the system. Don’t know No ago, says Kaushik. “Once the cloud opSimilarly, user provisioning in cloud sererational things are solved, people revices is centered on proprietary APIs, and alize they have governance problems Data: 2013 State of Cloud Application Access Survey, OneLogin connectors frequently break and create and compliance problems,” Kaushik holes in IAM. Many companies move to says. “It isn’t simply about being able to zation at most organizations relies on a role the cloud as a cost saver and don’t have create accounts. It’s also how to create an ac- or group member status to determine if a per- the resources to build connectors, Kaushik count, when to create an account and how to son has access. So the single sign-on system notes. Cloud vendors spend considerable deprovision an account.” knows a person has access to, say, a Sales- time developing APIs and connectors around As companies get accustomed to cloud sin- force account, says Kaushik, but SSO doesn’t business functionality, but most haven’t ingle sign-on, they often find that cloud identity know whether the person can just view or vested in APIs that connect to data feeds that services lack fine-tuning for authorizing and also access customer information. One risk is enable identity governance, such as informamonitoring a user’s access to cloud resources. that tracking and monitoring becomes nearly tion about account privileges. impossible once a user is logged in to the Some cloud providers and SaaS developers Cloud Identity Control Gaps system, and many companies are required are beginning to recognize identity manageEven after companies implement single by internal and regulatory rules to track who ment as an opportunity to differentiate themsign-on, one of the biggest headaches they performs which actions to data, and when. selves. For example, ClickSoftware, a developer face in managing identity in the cloud is that A cloud system might only track that a com- of mobile workforce management software, IT managers still can’t control, or even see, pany’s account took a particular action. has invested heavily in CA IdentityMinder, Site­ what people do with the application after Right now, to get granular understanding of Minder and SiteMinder Federation for selfthey log on. For example, cloud app authori- what account holders do in a cloud applica- provisioning, which helps enterprises identify November 2013 7
  • 8. Register Previous Next IDENTITY MANAGEMENT COVER STORY Previous Next Previous Next Previous Download Subscribe darkreading.com Next and authorize user access for its cloud-based software. “One of the main challenges every cloud company faces is the ability to provide its customer a way to self-provision services they are getting over the cloud,” says Udi Keidar, VP of cloud services for ClickSoftware. “A real cloud or SaaS service should give users the utmost independence to run and maintain the service by themselves.” HID Global’s Lovelock cuts cloud vendors more slack over not offering customers greater IAM control: “That’s not entirely the cloud provider’s fault — good standards have yet to emerge.” A new standard called System for Crossdomain Identity Management concentrates on accounts and attributes and has received the endorsement of applications vendors such as Salesforce and Cloud Foundry. But SCIM is still in its infancy. “The questions with SCIM is, one, can it be broadly endorsed by the SaaS application providers themselves?” McAfee’s Brown says. “And then, two, can we make sure that we can build in the administrative controls on the corporate side so that [the applications] are administered through the same interface?” Until SCIM or another standard takes root, organizations must consign themselves to negotiating with each SaaS provider to get identity control into contracts. For example, John Michener, chief scientist at security consulting firm Casaba, says that when it comes to platform-as-a-service, a typical cloud provider will likely have some kind of authentication and authorization framework that users can employ to access a specific enterprise’s instance of a cloud application. Companies should negotiate that a SaaS vendor provide full knowledge of all actions taken by users, including authentication attempts, monitoring alerts on repeated failures, and auditable tracking of problems using a monitoring tool of their choice. Identity management in SaaS is a little trickier than on-premises software because the available administrative features are usually limited by the cloud service’s functionality. Some SaaS providers may not have features that are capable of tracking a user’s access privileges, number of account log-ins, type of data accessed or downloaded, or amount of time spent in a system. They also may not let a company limit how much data or what type of data users can access through the SaaS application. Finally, cloud services may not have the API capabilities to connect with existing on-premises IAM tools. Companies should check on whether the cloud vendor is properly managing privileged access controls for administrative accounts. A recent survey conducted by CyberArk showed that 56% of organizations had no idea what their cloud provider was doing to protect and monitor privileged accounts. “The cloud isn’t magical IT,” says Lovelock. “It’s made of servers, software and all the normal stuff of any IT service. That means there are administrative accounts. Someone has those passwords and access to your important data.” Adding User Value Through IAM Sometimes the business need for a cloud app will outweigh concerns IT has about the ability to track what a user does inside the app. In those cases, IT organizations can try workarounds that may offer more insight into user behavior in the cloud. Brown says organizations should think about coupling single sign-on with data enforcement policies to audit SaaS activity using firewall or gateway logs, and then monitor user access via data leak prevention (DLP) tools. “Using that data enforcement policy, you can say, ‘I’m going to look at this SaaS application for these users,’” he says. “You can use the enforcement capabilities in DLP to say what is appropriate or inappropriate to be November 2013 8
  • 9. Register Previous Next IDENTITY MANAGEMENT COVER STORY Previous Next Previous Next Previous Download Subscribe darkreading.com Next published out to an online sharing site.” As standards evolve and would-be buyers pressure cloud app providers to let them tap into the proper identity-related data feeds, companies should be building cloud identity portals to track and control user access rights and SSO projects that enhance the business case for cloud services. The more value security adds through IAM, the easier it will be for the IT department to rope rogue cloud deployments back under the IT governance umbrella. IAM can make it easier to shift gears between different cloud applications without having to log in using different credentials. Implementing SSO makes it possible to safely use one set of credentials for everything, with very little interaction with IT required. “If you make it highly functional, then users will be glad to use it, and then you’ve captured the prize,” Lovelock says. “Make the portal fancy enough to plug into apps from the on-premises side and the cloud. Make the Cloud Single Sign-On Vulnerabilities 73 71% 59% % of cloud SSO implementations have visibility of files users download replicate user data in the cloud and outside the organization’s control have experienced unauthorized access by users Data: Symplified Survey of 200 US IT pros, February 2013 password reset integrate right into the portal. Allow access from anywhere, but perhaps apply rules where some apps can be accessed from the coffee shop and some cannot.” If IT is seen as an inhibitor, Brown warns, then business units are more likely to spin up ad hoc cloud deployments. But if SSO is seen as an easier way to log in to everything, users will demand their new deployments work through the system. Brown offers the example of an enterprise customer that reined in deployments of Amazon Web Services by offering single sign-on. Staff from different business units used multiple AWS accounts, using native AWS sign-in capabilities for each account. IT worked with each unit to regain control of the cloud contract and do logins through a corporate SSO system. This made it easier for IT to track AWS use and helped users by letting them use their everyday password through AWS, rather than having to remember multiple credentials. And the company had better clout in negotiating with Amazon. If more groups take this lesson to heart, they may find that identity management not only helps IT set up the foundation to make security improvements to the cloud model, but it can improve IT operations that are fragmenting across the company. Write to us at editors@darkreading.com. November 2013 9
  • 10. Register Previous Next Online, Newsletters, Events, Research Next Previous Next Previous Previous Download Next Tim Wilson Dark Reading Site Editor timothy.wilson@ubm.com 703-262-0680 Kelly Jackson-Higgins Dark Reading Senior Editor kelly.jackson.higgins@ubm.com 434-960-9899 Rob Preston VP and Editor In Chief rob.preston@ubm.com 516-562-5692 Chris Murphy Editor chris.murphy@ubm.com 414-906-5331 Lorna Garey Content Director, Reports lorna.garey@ubm.com 978-694-1681 Jim Donahue Managing Editor james.donahue@ubm.com 516-562-7980 Shane O’Neill Managing Editor shane.oneill@ubm.com 617-202-3710 Mary Ellen Forte Senior Art Director maryellen.forte@ubm.com Subscribe SALES CONTACTS—WEST STRATEGIC ACCOUNTS UBM TECH Account Director, Jennifer Gambino (516) 562-5651, jennifer.gambino@ubm.com Paul Miller CEO Account Director, Ashley Cohen (415) 947-6349, ashley.i.cohen@ubm.com Account Director, Vesna Beso (415) 947-6104, vesna.beso@ubm.com Account Director, Matthew Cohen-Meyer (415) 947-6214, matthew.meyer@ubm.com SALES CONTACTS—EAST Events Get the latest on our live events and Net events at informationweek.com/events How to Contact Us darkreading.com/aboutus/editorial Western U.S. (Pacific and Mountain states) District Sales Manager, Vanessa Tormey (805) 252-4357, vanessa.tormey@ubm.com Electronic Newsletters Subscribe to Dark R ­ eading’s daily newsletter and other newsletters at darkreading.com/newsletters/subscribe Reports reports.informationweek.com for original research and strategic advice Business Contacts VP & National Co-Chair, Business Technology Media Sales, Sandra Kupiec (415) 947-6922, sandra.kupiec@ubm.com READER SERVICES DarkReading.com The destination for the latest news on IT security threats, technology, and best practices Strategic Account Director, Amanda Oliveri (212) 600-3106, amanda.oliveri@ubm.com Marco Pardi President, Events Scott Mozarsky President, Media and Partner Solutions SALES CONTACTS—MARKETING AS A SERVICE Kelley Damore Chief Community Officer Director of Client Marketing Strategy, Jonathan Vlock (212) 600-3019, jonathan.vlock@ubm.com Simon Carless Exec. VP, Game & App Development and Black Hat SALES CONTACTS—EVENTS Angela Scalpello Sr. VP, People & Culture Senior Director, InformationWeek Events, Robyn Duda (212) 600-3046, robyn.duda@ubm.com Midwest, South, Northeast U.S. and Canada MARKETING VP & National Co-Chair, Business Technology Media Sales, Mary Hyland (516) 562-5120, mary.hyland@ubm.com VP, Marketing, Winnie Ng-Schuchman (631) 406-6507, winnie.ng@ubm.com Eastern Regional Sales Director, Michael Greenhut (516) 562-5044, michael.greenhut@ubm.com Lenny Heymann Exec. VP, New Markets Back Issues E-mail: customerservice@informationweek.com Phone: 888-664-3332 (U.S.) 847-763-9588 (Outside U.S.) Reprints Wright’s Media, 1-877-652-5295 Web: wrightsmedia.com/reprints/?magid=2196 E-mail: ubmreprints@wrightsmedia.com List Rentals Specialists Marketing Services Inc. E-mail: PeterCan@SMS-Inc.com Phone: (631) 787-3008 x30203 Media Kits and Advertising Contacts createyournextcustomer.com/contact-us Letters to the Editor E-mail editors@darkreading.com. Include name, title, c ­ ompany, city, and daytime phone number. Subscriptions E-mail: customerservice@informationweek.com Phone: 888-664-3332 (U.S.) 847-763-9588 (Outside U.S.) Director of Marketing, Monique Lutrell (415) 947-6958, monique.luttrell@ubm.com District Manager, Jenny Hanna (516) 562-5116, jenny.hanna@ubm.com David Michael CIO Editorial Calendar informationweek.com/edcal Marketing Assistant, Hilary Jansen (415) 947-6205, hilary.jansen@ubm.com District Manager, Cori Gordon (516) 562-5181, cori.gordon@ubm.com darkreading.com November 2013 10

×