 Coby Royer has over 20 years technology experience in software and security startups, consulting, and large enterprises. He has served roles in software development, enterprise architecture, and management, in lines of business that include Internet security, commercial software, financial services, consumer goods, e-commerce, and expert systems. He holds a number of patents in security and e-commerce. Coby serves as Technical Product Manager at Symplified, Inc.
Identity Management Blog | Symplified
February 2010
One of the key issues in today’s highly inter-connected computing model, especially regarding Cloud Computing, is Control. In the old days, if I needed access control, I pulled together the Ops teams that managed applications to execute a plan for installing plug-ins that can both authenticate and authorize web accesses. I had control (or at least some influence!) on the applications and stacks that ran my enterprise business. But we now enter a new generation where I do not have that control. Just imagine calling Google, Salesforce.com, and Taleo to ask that they install my favorite brand of IAM plug-in on their servers! One of the first things I’d like to point out is that many IAM Vendors support deployment models that simply do not suit today’s needs. Network based IAM is the way to go. SaaS Applications require an entirely different approach.
When we talk about Virtualized Datacenters, our natural inclination is to say they are mostly no different than brick and mortar data centers. And what’s the difference if my enterprise owns and runs one as opposed to a hosting partner? The challenge I see is that the virtualization trend has gone beyond enterprises managing their own virtual machines with their own hosting infrastructure. Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) have driven virtualization, standardization, and commoditization further down the stack--which has two effects. Firstly, I might not be able to install platform-specific software components like WAM plug-ins. The new trend is for these environments to provide services that are abstracted away from the underlying machines, operating systems, and applications. Secondly, even if I can install the old style IAM tools, this is missing a huge opportunity for cost savings—putting standard infrastructure for IAM into the “drinking water” is the wave of the future, and it’s going to be difficult for legacy IAM vendors to adopt.
But despite the virtues of Cloud Computing, and the fact that the Cloud visionaries are leading the wave with standards, they are often ad hoc standards (e.g., proprietary Authentication and Provisioning APIs). It will take time for the industry standards to shake out, and there remains much skepticism in the industry. So hitching your enterprise IAM strategy to a vendor that only offers one type of solution (e.g., SAML) appears risky at best. The dominant integration standards have yet to reach critical mass among SaaS vendors (e.g., SAML, WS-Fed, SPML)—and IAM Vendors are having difficulty integrating with SaaS vendors that don’t support standards. In effect, the Cloud Computing Permutations present challenges to many IAM vendors.
In closing, it’s important to understand that IAM (Identity and Access Management) spans many facets and has different meaning to different folks. While the basic building blocks may not have changed much, delivering manageable solutions with SSO, access control, provisioning, and user administration is challenging when we include the Cloud. So while creation of a user in a local Windows Domain is not fundamentally much different than doing so in a SaaS app, provisioning a user in a way that allows multiple Cloud and on-premise apps to automatically accept authentication of the user and provide SSO is indeed a challenge.
Coby Royer
Technical Product Manager
Symplified
Cloud leader, Salesforce.com, is in the midst of their DreamForce conference in San Francisco. It's amazing to reflect on their success and growth. Even with our current economic woes, Salesforce has managed to continue steady growth and stock performance. And with 19,000 people registered for this year's DreamForce, interest is certainly not dropping off.
At the helm of Salesforce, CEO Marc Benioff spoke of new product innovations and what lies ahead. With the announcement of Sales Cloud 2 and Service Cloud 2, we see expansions of Salesforce services into exciting new areas with a strong Cloud Community theme. New offerings for knowledge management tie into Google, Facebook, and Twitter with email integration and complete customer service call centers in the Cloud. Salesforce will offer social networking for the enterprise with their own Salesforce Chatter and scheduling with Salesforce Scheduler.
And if you are in San Francisco for this event, Symplified would like to extend an invitation to our exclusive Cloud party where you can learn how to unlock the potential of Force.com and other SaaS applications by making Salesforce the center of your cloud platform.
From collaboration to sales mobility, Symplified secures the Cloud, the enterprise & everything in between. We are the Cloud security experts.
Coby Royer Technical Product Manager Symplified
October 2009
Bob Blakley from The Burton Group recently posted a great response to Andrea DiMaio of Gartner Group regarding privacy.
There are lots of great viewpoints expressed in Bob's blog and comments. But I'd like to raise a perspective on privacy that is not fully addressed.
I'll start with an analogy. Fortunately, my daughter is not yet old enough to drive, but I'm sure this story is a reality for many of you. You loan your car to your kid. You set an expectation, either explicitly ("you may go to the mall with your friend, but only you can drive and you may not go anywhere else") or implicitly (previous communication, rules, and/or precedent about who can drive the vehicle). The expectation is a shared understanding of what may be done with the vehicle. You take on a calculated risk based on the nature of the act, your ability to "know" that the expectation is fulfilled (visibility), and your ability to incent the fulfillment of that expectation. (The incentive can be a carrot or a stick, and can arise from friends, family, or institutions in our society, e.g., law enforcement.) In short, I let the kid have the car and cross my fingers that she is not letting her friend drive or going somewhere other than the mall. Visibility is tough, although GPS and other technologies are helping these days. In a hypothetical world of complete trust, I can simply ask my daughter if she followed the expectation.
So why am I talking about loaning a car in a blog about Privacy? The answer is simple: privacy is a special case of trusting others with assets. In the world of privacy, the asset is information. Instead of loaning her a car, suppose I am telling my doctor about a medical condition. I take a calculated risk. (Will my doctor tell others, or post my name and condition on a web page?) I believe we have a common expectation. (Thank you, HIPAA, for ensuring I receive a Privacy Statement.) And I know there are incentives to uphold the Privacy Statement. (HIPAA does have teeth, right? Well, maybe: in a recent survey by the Ponemon Institute, 80 percent of responding health care organizations had experienced at least one incident of lost or stolen electronic health information in the past year.)
Now, in the automobile analogy I set an expectation about the transference of the asset: "You may not let anyone else drive." I didn't say "you can only loan the car to someone you trust." In the case of my HIPAA Privacy Policy, there is a provision for transference: my medical information will be provided to my health insurance provider. But not to my employer. OK.
In short, my view is that this is all about setting and meeting expectations. This is as old as human discourse and is not based on technology. But technology changes things: it both helps and hurts. And it could help a lot more than it presently does. I haven't said much about visibility so far. Visibility is tricky: it's nearly impossible to know if my daughter lets her friend drive or where she takes the car. (Well, until I get the photo radar speeding citation with friend Suzie driving, nowhere near the mall.) But visibility could be easy with information assets: metadata can be included to identify the source of an asset (and even the chain of transference if it has been passed along). And privacy policies abound, so maybe we have the enforceability to incent stewards of private information to abide by our expectations. Maybe.
So to me, privacy is not black and white. I might trust low-risk information to others even when there is little visibility or few privacy incentives. I might set an expectation that transitive trust is OK: I not only trust my doctor with my medical history, I trust them to pass it along to others who are trusted and fall within the same parameters of our shared expectation. In some cases I know litigation is a real incentive. In other cases, societal pressures may suffice (when I expect a social behavior and not an anti-social behavior, as Bob would say). And in many cases, the expectation is not fully articulated or precise: I expect that "private information will be used to benefit me and not harm me."
One thing that is fascinating about today's connected world is the ease of disseminating information. One post to a website can get millions of viewers. And information is freely replicated, unlike physical assets. So we need to be extremely careful with our private information. And digital information can stick around a long, long, time. And it is readily searched. So in these ways the technology hurts privacy.
The first time someone sent me a "gift from Pennsylvania" on Facebook, I declined because of the warning that the Gift application could access all of my personal information. And there is no transitive expectation of what that application will do with it. There was no privacy expectation, period. Even if there were, I don't feel I have visibility. (At least with the doctor's office I can ask who my medical history was shared with.) And as far as incentives and enforceability are concerned, I don't feel very protected on today's social networking sites. But, in the end, I have accepted (and sent) these kinds of gifts, based on one fact: my activities on Facebook are really pretty pedestrian. But I have yet to rush home from the doctor after being diagnosed with an embarrassing condition to post it on my Facebook wall. Check out Ian Glazer's blog about the Facebook issue and PPIA.
So as we further our privacy interests as a collective community of advocates, let's continue to ask about expectations, how they are asserted, communicated, and agreed, how privacy infractions can be made visible, and the economic, legal, social, and moral incentives we can cultivate. Regardless of what you feel should or should not be "private", we all have a right to set expectations that we trust will be met. And as technologists, we have the capability to improve the state of privacy in the face of technological advances that might otherwise undermine it. Privacy is not an Illusion. It is a challenge.
October 2009
This is a good question, but we have to understand what is meant by Enterprise Architecture (EA). It is generally accepted to be a discipline and sometimes a role or organization responsible for those activities that strategically align an organization to its technology and business goals. Activities such as Enterprise Architecture Planning (EAP) serve this need and are essential to IT Governance. Other activities relate to the application of Enterprise Architecture to specific domains, such as Line of Business (LOB) portfolios, Technical Architecture (which may include networking, security, etc.) and Application Architecture.
So, given this definition--YES, EA is essential because even (or perhaps especially) if the applications and business processes leave the enterprise four walls (ala SaaS), planning and governance are needed to ensure alignment to strategic goals. The role of EA is to periodically adjust those long term goals and the trajectory to attain them in response to changing technologies, business drivers, etc. So as new paradigms like SaaS and other types of Cloud Computing emerge, EA must evaluate them and establish standards, guidelines, policies, etc. For example, EA may incorporate SaaS based on cost benefit and an assessment that recognizes SaaS apps as being aligned to enterprise needs for security, privacy, compliance, service level, business function, etc.
And in addressing whether there is a need to architect solutions when adopting SaaS (presumably in support of EA as a discipline), then YES, there is still a critical need to define how SaaS integrates with the enterprise technology landscape. Questions such as "What is the master of my data?", "How do I manage identities and accounts?", "How do I produce compliance reporting?", "How do I migrate to and from adopted and sunset SaaS apps?", "How do I establish trust relationships?", and "How do I provide quality and service to my constituencies?" require solutions in the domains of Information Architecture, Security Architecture, Network Architecture, Application Architecture, Technical Architecture and so on, presumably envisioned and vetted by architects of various types (including Portfolio Architects, Solutions Architects, etc.).
So while the GAME may have changed, the need for the PLAYERS has not. Architecture--in all senses of the word--remains essential.
In closing I will say that SaaS pushes the emergence of Business Architecture to a new height because of the direct empowerment of LOB owners. Acquisition and deployment of real solutions is now within grasp of business owners (seemingly) without the need for conventional IT delivery and support. But many of the above questions may go unanswered without engagement of EA, and latent risks (such as compliance and security) may turn into real issues.
Coby Royer Technical Product Director
Symplified | Cloud Security Experts
Managing The Threat Within
I'd like to applaud some of the recent points raised by Richard Stiennon (http://information-security-resources.com/2009/09/09/identifying-and-countering-the-insider-threat/ and http://threatchaos.com/). In his post, "Identifying and Countering the Insider Threat", he raised some points that resonated with me. For a long time I have been reiterating concerns to enterprises about managing the internal threat. And with the recent economic downturn, layoffs and other sources of employee dissatisfaction are increasing the internal threat. The web is full of stats and case studies if you want to read more, e.g., http://www.secretservice.gov/ntac.shtml and http://www.csoonline.com/article/454890/Tough_Economy_Heightens_Insider_Threat. The fact is, corporate management must pay attention to the insider threat and implement policies and controls to manage it.
What to Do?
The one message I'd like to leave our readers with is well stated in Stiennon's article: "Identity and Access Management tools are the single most valuable defense you have against the insider threat."
Authentication
Employ authentication strength that is commensurate with risk and that complies with applicable rules and regulations. Whether this means passwords or multi-factor authentication (MFA) such as biometrics or smartcards, be sure to invest in appropriate technologies and train your user base on the tools and the policy.
Provisioning
Be sure your processes and tools for the creation, removal, and management of accounts do not leave you exposed. Entitlements and accounts for former employees must be revoked as quickly as possible. Use approval and/or attestation workflows and role based access control (RBAC) wherever possible. And do not forget about privileged account management: "You cannot begin to get control over privileged accounts, IT administrators, or even software licensing costs until you enable an effective Identity and Access Management solution."
RBAC
Defining and enforcing roles is a huge topic. Although simple in theory, assigning roles to people and then setting access control according to role is non-trivial. Bruce Schneier has some great info in his latest newsletter: "Real World Access Control" http://www.schneier.com/crypto-gram-0909.html#3. What may seem easy at first is complicated by poorly defined roles, constant role churn, multiple roles, and the pragmatic fact that under-entitling employees incurs productivity costs. I like Stiennon's suggestions to keep it simple, start by defining groups for each function in the organization, and include tools for review of exceptions; as he puts it, "granular control over what people do on your networks and a means to enforce the policies that regulation and security best practices require."
Compliance and Reporting
Regular review of audit logs, to see who has accessed what, is important. Monitoring and logging are essential to understanding risk and detecting malicious activity, but only if someone actually reviews what is collected.
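To make the "who has accessed what" review concrete, here is an added example that ties together the Provisioning, RBAC and Compliance and Reporting points above. It is my own illustration, not Symplified code and not any tool named in this post. It runs a constructed access log against a constructed account inventory and a constructed role-to-resource map and flags four things a reviewer wants surfaced quickly: access by an account after its termination time (a deprovisioning gap), access to a resource the account's role does not entitle it to, access by an account that is not in the inventory at all, and any use of a privileged action. The account names, roles, resources, the one-line log format and the grace-period parameter are all assumptions made for the example.

```python
"""Audit-log review for insider-threat indicators.

Added example, not Symplified code. Cross-checks a constructed access log
against a constructed account inventory and a role-to-resource entitlement
map and reports:
  - access by an account after its deprovisioning/termination time
  - access to a resource the account's role is not entitled to
  - access by an account that is absent from the inventory (orphaned)
  - any use of a privileged action, listed for attestation review
All accounts, roles, resources and log lines are constructed for the example.
"""
from datetime import datetime, timedelta

# Constructed account inventory: what provisioning should know about each account.
ACCOUNTS = {
    "alice": {"role": "finance", "terminated": None},
    "bob": {"role": "engineering", "terminated": datetime(2009, 9, 30, 17, 0)},
    "carol": {"role": "it-admin", "terminated": None},
}

# Constructed RBAC map: resource -> set of roles entitled to use it.
ENTITLEMENTS = {
    "gl-ledger": {"finance"},
    "source-repo": {"engineering"},
    "hr-records": {"it-admin"},
    "crm": {"finance", "engineering", "it-admin"},
}

# Actions that are always surfaced for review, whatever the role says.
PRIVILEGED_ACTIONS = {"grant", "delete-user", "export"}

# Constructed log, one event per line: <ISO timestamp> <user> <action> <resource>
SAMPLE_LOG = """\
2009-10-01T09:12:03 alice read gl-ledger
2009-10-01T09:15:40 bob read source-repo
2009-10-01T10:02:11 alice read hr-records
2009-10-01T11:30:00 carol grant hr-records
2009-10-01T12:00:00 mallory read crm
"""


def parse_event(line):
    """Parse one log line into a dict; raises ValueError on a malformed line."""
    ts, user, action, resource = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "user": user,
        "action": action,
        "resource": resource,
    }


def review(log_text, accounts=ACCOUNTS, entitlements=ENTITLEMENTS,
           grace_seconds=0):
    """Return a list of findings (one dict per issue) in log order.

    grace_seconds tolerates a known deprovisioning lag (for example a
    nightly directory sync) before access by a terminated account is flagged.
    The default is zero: any access after the termination time is reported.
    """
    grace = timedelta(seconds=grace_seconds)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        acct = accounts.get(ev["user"])
        if acct is None:
            # No inventory record: an orphaned or never-provisioned account.
            findings.append({**ev, "issue": "unknown-account"})
            continue
        if acct["terminated"] is not None and ev["ts"] > acct["terminated"] + grace:
            findings.append({**ev, "issue": "access-after-termination"})
        if acct["role"] not in entitlements.get(ev["resource"], set()):
            findings.append({**ev, "issue": "outside-role"})
        if ev["action"] in PRIVILEGED_ACTIONS:
            findings.append({**ev, "issue": "privileged-action"})
    return findings


def summarize(findings):
    """Count findings per issue type, suitable for a compliance report header."""
    counts = {}
    for f in findings:
        counts[f["issue"]] = counts.get(f["issue"], 0) + 1
    return counts


if __name__ == "__main__":
    results = review(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts'].isoformat()} {f['user']:8} {f['action']:6} "
              f"{f['resource']:12} -> {f['issue']}")
    print(summarize(results))
```

On the constructed log this reports bob's read of source-repo after his termination time, alice's read of hr-records outside the finance role, carol's privileged grant, and mallory as an account with no inventory record. Raising grace_seconds to one day suppresses the bob finding, which is the trade-off a deprovisioning SLA makes explicit: every second of lag is a window in which a former employee's credentials still work.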
Enter the Cloud
Of course, all of the above take on new challenges once we leave the corporate four walls. Technologies that extend the span of authentication and access control to SaaS apps are indispensable. Simply because an app is SaaS does not make it immune to regulatory requirements.
What Now?
Listen to the experts! Employ processes and tools that manage the insider threat. Look at the facts: this threat is real. And all organizations have these risks. And of course, build your single most valuable defense: IAM--http://www.symplified.com/.
Coby Royer | Technical Product Manager
Symplified | Cloud Security Experts
September 2009
For years, enterprise architects worked toward standardization and consolidation to achieve economies of scale across enterprise LOB portfolios. Data centers often looked like IT museums, with one of every imaginable RDBMS, App Server, Web Server, OS, and hardware platform, while capacity was underutilized and TCO was out of control. Platforms like J2EE were initially created around N-Tier discretionary architectures that provided scalability and standardization.
As enterprises achieved some success in standardization and consolidation in the 1990s and early 2000s, a new technology entered the scene: Virtualization. Even with a diversity of stacks, economies could be achieved, as the peaks and valleys in CPU and memory usage of VM guests averaged out on the VM host. And the ease of deployment and management of VM guests introduced unparalleled cost reductions.
So virtualization is here to stay, but is it the end game? I think of virtualization as a means to achieve micro-scale economies. At the macro scale, we still have to address needs for ping, power, and pipe at the data center, and ensure availability, disaster recovery, and more. So the consolidation of VM resources represents the next wave of change. (And with grid computing, the VM hosts do not even have to be physically collocated.) So now I can use Amazon EC2 to fire up VM servers of my choosing, on demand. No, virtualization is not the end game; it is a crucial enabler for Cloud Computing (more specifically, for PaaS and IaaS). And given its importance, and the economies that are fueling this trend, I do see virtualization vendors making Cloud Computing more of a reality.
So what about security and enabling infrastructure such as IAM? The same economies that are driving Cloud Computing will extend across all crucial infrastructure that adds value to it. And in time, standards will be adopted to lend further economies and broaden the reach of standard infrastructure. (Standards can be a mixed bag, though, as they often embrace a philosophy of "Build it and they will come.") We are already seeing high demand for Cloud Security and IAM here at Symplified, and we believe this trend will continue strongly. We are building the network that enables SSO and Access Control across the full breadth of SaaS Apps, as well as COTS and homegrown Apps that our customers host. This is the real deal, and our own SaaS economies are delivering these capabilities at a fraction of the cost of the former generation of IAM technology.
Check out some additional perspectives on Cloud Computing and the Enterprise in the LinkedIn conversation around this question posed by Brian Nettles, VP of IT at CB Richard Ellis: "Everyone is talking about cloud computing these days. I've heard various opinions from execs but little from Architects and Engineers. Is this another passing fad? Do you think the moves by top tier virtualization vendors will make cloud computing more of a reality? If you believe this is the real deal, what direction do you see vendors going to provide security for large scale enterprises and will it be cost effective?"
Coby Royer Technical Product Manager Symplified | The Cloud Security Experts http://www.symplified.com
August 2009
Who Holds the Keys to the Kingdom?
In today's On Demand world, organizations face new challenges when trying to manage user access, security, and audit for cloud-delivered applications. Unlike the past, when user identities and access control could be managed within the enterprise network, enterprises that deploy SaaS must manage user access to applications that reside outside the firewall. Access management has always been a difficult problem to solve; with the disappearing perimeter it has become even more complicated. There are many more technical and organizational challenges that must be addressed to manage access, authentication, single sign-on, auditing, and regulatory compliance for cloud-based applications.
"Organizations, large and small, are implementing cloud-based solutions for collaboration, personal productivity, and line of business applications. However, many industries are governed by compliance regulations that require documented and auditable security controls over who can access data," said Darren Platt, CTO of Symplified. "Managing access control across more than one SaaS application quickly escalates in complexity, while auditing usage is problematic for even just one cloud service."
Enterprises must now manage the shift of infrastructure control from the enterprise over to service providers. SaaS providers (not the enterprise) control the application's technology stack and multi-tenancy arrangements. New ways to secure access for Cloud apps are needed because first-generation WAM relies on agents, an outdated architecture that doesn't work in multi-tenant environments. The ideal approach to Cloud security is to extend existing roles and policies to the new environment, while keeping the keys to the kingdom, the user credentials, inside the firewall. This reduces redundant administration, password reset costs and policy management points.
In response, IT teams first turn to the authentication technology and processes in place today. Soon they discover that first-generation identity and access management technology was designed strictly for use on-premises, inside the firewall, and not across the Cloud.
Agent-based architectures like those used by CA SiteMinder and RSA ClearTrust, along with their assumptions about control of the protected applications, no longer function in Cloud-based scenarios. Because Cloud apps are distributed and reside on the Internet, firewall perimeters can't be used to control access. SinglePoint Cloud Access Management (CAM) enables security policy to be extended out to the Cloud without exposing internal identities outside the firewall. Users get the convenience of SSO and IT can unify multiple application and security domains.
» Download The Cloud Access Management Data Sheet & Learn More About Symplified's CAM Solution
Eric Olden| CEO, President and Founder Symplified | Cloud Security Experts
August 2009
How to Have Your Cake and Eat It Too: Cloud Based Identity Management without Identities in the Cloud
This week I'd like to say a few things about managing User Identities. There has been a lot of talk lately about Private Clouds vs. Public Clouds. Enterprises that are slow to adopt SaaS and Cloud Based PaaS/IaaS are firing up their own virtualized environments, and IT groups are provisioning on-demand applications for business processing. Some of the same Cloud benefits result, such as usage-based charges, ease of provisioning, location independence, and reduced overall demand due to load distribution over time. One of the drivers for Private Clouds has been Security. Enterprises are sometimes unwilling to accept the risks associated with the Public Cloud (i.e., the Internet). Identity Management is sometimes a concern, and I'd like to share some important considerations today.
Eric Ogren recently posted a great article about Cloud Security. One of his points is that early stage cloud vendors should support corporate clouds in early product releases. I'm proud to say that is exactly what Symplified has done, recognizing the need to support security-focused enterprise adopters. Ogren raised a good point that "The hurdle that must be cleared [in providing identity services] is assuring IT that corporate identities can be securely maintained in a cloud service... ." This is precisely why Symplified optionally provides on-premise components that integrate with our SaaS policy administration. With Symplified, credentials and attributes for end users can remain on the customer premises if necessary. While our Policy Management Point (PMP) is SaaS based, the Policy Decision Point (PDP), which retrieves user attributes for making access decisions, can be placed on-premise by way of our Identity Router. Even if the PDP is in the Cloud, it only briefly holds attributes in memory and never writes them to disk.
Credentials for Single Sign On (SSO) to applications are similarly stored on the customer premises. We have a number of security options for where these are placed, and we use established best practices and cryptography to keep these credentials secure (regardless of where they are stored). And, unlike many other SSO products, we do not store credentials on workstations or in browsers.
I have to say that Ogren's points resonated well with me. I can't take the position that no enterprise should dismiss SaaS and Public Clouds. That is a topic for Enterprise Risk Management, and every company has its own tolerance for risk. But whichever way an enterprise adopter leans, there are companies like Symplified out there who can support both Private and Public Clouds. I recognize (and have been part of) Enterprise security and risk management and, as a vendor, am in no position to dispel the well thought out concerns Enterprises may have. But I can say with certainty: there are options that comply with your security and risk management policies!
As folks are now returning from Burton Catalyst, the event that publicly launched Symplified about a year ago, let's enjoy some birthday cake!
Coby Royer, Technical Product Manager
Symplified | The Cloud Security Experts
July 2009
It seems like just yesterday when companies struggled to manage identities across multiple on-premise applications. As they adopted more desktop applications, managing user access became a greater challenge, with multiple user accounts and passwords scattered across the enterprise.
Eventually single sign-on solutions appeared on the market to address the diverse mix of identities and access scenarios. While these solutions offered acceptable identity and access management (IAM) within a single corporate network, they also introduced business challenges including:
» Steep upfront software costs
» Hidden maintenance, support and upgrade costs
» Lengthy integration and deployment cycles
» Vendor lock-in
» Non-scalable solutions
Just a few years later the enterprise is changing once again. This evolving ecosystem has created a new paradigm in the way organizations deploy, access, and use networked information, applications, and resources. As companies look to improve collaboration across their resources and streamline costs, they are turning to Software as a Service (SaaS) and Cloud-based computing to solve these business challenges.
For companies looking to expand network boundaries to the edge and embrace the Cloud, IAM once again takes center stage as a mission-critical requirement. As always, organizations must tackle these security and business challenges with reduced budgets and limited staff, without increasing the size of their existing infrastructure. Like any IT solution, there is an even greater need in today's economy to reduce the time to value of identity and access implementations. Today's Cloud-based security solutions must:
» Lower upfront costs through subscription-based pricing
» Avoid IT infrastructure costs
» Provide easy integration and automatic upgrades
» Be secure and scalable
Register for this live webcast on Aug 6th at 1 PM EDT: Symplified | The Cloud Security Experts
July 2009
Here are the top technical challenges:
1) Identity Management--How to avoid identity silos? Companies have already invested heavily in directory servers and tools to manage and provision/deprovision users and their accounts. Extending this to the cloud can be a challenge. Research cloud-based solutions before moving to the cloud.
2) Data Exchange--SaaS can introduce data issues ranging from silos to multi-mastered data. In the absence of widely adopted standards, supporting enterprise needs is a challenge to SaaS vendors.
3) Security--Ensuring security that meets the needs of customers is a challenge for SaaS vendors. While implementation of best practices is not a huge challenge per se, many customers still believe SaaS to be inherently less secure (e.g., exposing privacy risks in multi-tenancy), and SaaS vendors must anticipate this concern and have real solutions in hand.
4) Audit and Compliance--The boundary for ownership and stewardship of data and transactions extends beyond the enterprise walls with the adoption of SaaS, and so SaaS vendors must consider how to simplify compliance with the many rules and regs their customers must meet.
5) Operations--The success of every SaaS vendor rests on their ability to deliver services reliably and efficiently. From network and server response times to customer support, there are a range of challenges to SaaS vendors.
6) Customization--Every SaaS vendor must choose a tenancy model and feature set that serves their market and business plan. And be prepared for customer requests that go beyond their planned support of customization. Per-customer customization is costly and can unwind your business model. Not supporting customization can compromise market share. And architecting a solution (like Force.com) that enables customization within a standard framework is costly.
Coby Royer | Technical Product Director
Symplified | The Cloud Security Experts
To Learn more, Register to watch "