Identity Management Blog | Symplified
July 2010
Have you ever been to a town (or lived in one) where the number of homes has grown faster than the supporting infrastructure? In other words, the freeways and other services lagged behind the pace of home construction, resulting in traffic delays, confusion, and frustration.
Something similar has occurred with the evolution of the cloud and cloud services. The cloud and its significant number of apps have grown explosively and many companies are adopting the cloud for at least some of their basic IT functions such as email, payroll, and HR. Still, other companies are taking bolder initiatives and outsourcing both data and applications to the cloud in an attempt to save money and streamline operations. Regardless of the intent, all companies have a concern about cloud security. How safe is my data in the cloud? How much risk am I at with multi-tenancy applications? And what about my user accounts and providing access to all these new apps?
As enterprises shift some of their data and applications to the cloud they are caught between managing identities locally at the network level, and providing access to their users to applications in the cloud. Just like the proliferation of homes without the supporting infrastructure causes problems, so does the proliferation of user accounts with cloud adoption. IT cannot reasonably manage user identities for both the cloud and the network, nor can the end user!
So, the cloud is challenging the typical security model like never before. Organizations know that in order to be competitive they must provide an environment with access to multiple types of users (employees, partners, and customers). But, they must also maintain unprecedented levels of security due to today’s threats and compliance requirements. As more apps proliferate to the cloud and more companies migrate some of the apps and data to the cloud, the issue becomes more acute.
The answer lies in maintaining security credentials where they currently reside; protected behind corporate firewalls and enabling cloud-based apps to reach out to these secure user stores to verify access and implement user policies. There is no need to replicate user identities across the cyberscape of the universe, but rather make use of the directories and databases that you already have in use and have already spent tons of money and time to implement. This type of solution bridges the gap between cloud applications which inevitably need identity management and local user stores that already have the user's access and credentials defined. Doesn’t that seem like a better approach to you and your users?
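The architecture described above, as an added example that is not part of the original post or Symplified's product: the enterprise identity provider authenticates the user against the on-premises directory and issues a short-lived, signed assertion to the cloud app, which checks signature, audience, validity window and replay state but never sees a password. The HMAC over a JSON body stands in for SAML's XML signature; the directory entries, the shared key and the app names are constructed for the example.

```python
"""Added example (not Symplified's code): a minimal federated sign-on
in which the user's password never leaves the enterprise.

The on-premises identity provider (IdP) authenticates against its own
directory and hands the cloud application a short-lived, signed assertion
carrying only the attributes the app needs. The cloud app verifies the
signature, audience, validity window and replay state; it never sees a
password. The HMAC over a JSON body stands in for SAML's XML signature.
The directory contents, shared key and app names are constructed."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

SALT = b"constructed-salt"  # real deployments use a distinct salt per user


def hash_password(password: str) -> bytes:
    """Salted, iterated hash: the directory never stores clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed on-premises directory: the only place credentials live.
DIRECTORY = {
    "alice": {"pw": hash_password("correct horse"), "groups": ["sales", "crm-users"]},
    "bob":   {"pw": hash_password("hunter2"),       "groups": ["engineering"]},
}

# Assumption: signing key provisioned out of band between IdP and cloud app.
SHARED_KEY = b"constructed-shared-key-for-example-only"
ASSERTION_TTL = 300  # seconds


def sign(body: bytes) -> str:
    return hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()


def idp_authenticate(username: str, password: str, audience: str,
                     now: Optional[float] = None) -> Optional[str]:
    """Enterprise IdP: check the password locally and, on success, issue a
    signed assertion scoped to one cloud app (the audience)."""
    now = time.time() if now is None else now
    entry = DIRECTORY.get(username)
    if entry is None or not hmac.compare_digest(entry["pw"], hash_password(password)):
        return None
    claims = {
        "id": secrets.token_hex(8),   # unique per assertion, used for replay detection
        "sub": username,
        "groups": entry["groups"],    # only the attributes the app needs
        "aud": audience,
        "iat": int(now),
        "exp": int(now) + ASSERTION_TTL,
    }
    body = json.dumps(claims, sort_keys=True).encode()
    return body.hex() + "." + sign(body)


class CloudApp:
    """Relying party: consumes assertions and never handles passwords."""

    def __init__(self, name: str):
        self.name = name
        self.seen_ids = set()  # ids of accepted assertions (bounded by TTL in practice)

    def accept(self, assertion: str, now: Optional[float] = None) -> Optional[dict]:
        """Return a session dict for a valid assertion, None for anything else."""
        now = time.time() if now is None else now
        try:
            body_hex, sig = assertion.split(".", 1)
            body = bytes.fromhex(body_hex)
        except ValueError:
            return None
        if not hmac.compare_digest(sign(body), sig):
            return None               # tampered or forged
        claims = json.loads(body)
        if claims.get("aud") != self.name:
            return None               # issued for a different app
        if not (claims["iat"] <= now < claims["exp"]):
            return None               # outside validity window
        if claims["id"] in self.seen_ids:
            return None               # replayed
        self.seen_ids.add(claims["id"])
        return {"user": claims["sub"], "groups": claims["groups"]}


def authorize_crm(session: Optional[dict]) -> bool:
    """App-side policy driven by directory groups rather than a local user table."""
    return session is not None and "crm-users" in session["groups"]
```

The audience and replay checks are the two that are most often skipped in home-grown SSO: without the audience check an assertion minted for one cloud app can be presented to another, and without the replay cache a captured assertion stays usable until it expires.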
Symplified | The Cloud Security Company
June 2010
I always like checking in with Salesforce.com to see what they are up to. And last week's Cloudforce event did not disappoint. It's great to see Salesforce continue to bring leading edge Cloud Computing to the mainstream, and the ever rampant adoption of their offerings reinforces my conviction about the widespread move to the Cloud.
The big buzz was about Salesforce Chatter, which incorporates elements of social networking into their sales force automation (SFA) and Force.com platform. It's social, mobile, and real time, allowing employees to collaborate across their company. Apparently, Facebook reaching 50 million users in a mere 5 months inspired Salesforce, and for good reason. Jigsaw also presents some new capabilities for improving the quality of data about companies and employees. Overall, the capabilities and presence behind Salesforce continue to grow.
In examining this trend, I can't help but ask, "How will companies manage the transition to Cloud based SFA?" On the surface, the transition seems easy: just sign up and use it. But ad hoc SaaS adoption leads to a number of issues, including proliferation of (often inconsistent) enterprise identities, loss of centralized access control, audit and compliance issues, provisioning nightmares, security risks, and more.
These problems are precisely why Symplified has introduced SinglePoint® for Salesforce.com. This product greatly reduces integration headaches and solves these problems. For starters, existing identities (e.g., employees in Active Directory) can be used for access to Salesforce via Single Sign-On. Integrated Windows Authentication can even be provided to allow authenticated network users to seamlessly access Salesforce without an additional login. Or what if you don't want an on-premises directory or database to be the System of Record for your identities? It is easy: the Contacts or Users you have set up in Salesforce can serve as the Identity Store. And with Symplified Access Control and Auditing, you can control and review what your employees are doing in Salesforce. Extend this technology to your other Cloud or On-Premises applications and you have a powerful platform that transcends the Cloud. And with SinglePoint Universal Sign-On (TM) you don't even need SAML to do it.
In conclusion, I am very excited about the growth of Salesforce, and the value added through Symplified integration. The partnership between our companies has yielded great synergies, and there is much yet to come. Stay tuned!
Coby Royer Technical Product Manager Symplified
May 2010
Applause for the Trust Cloud
I'd like to take a moment to applaud Symplified's latest milestone in providing purpose-built Identity and Access Management technology for Amazon's EC2. We've heard a lot lately about Platform as a Service (PaaS) and an obvious gap in the offering has been IAM. I'm sure many of you have already gone to EC2 to fire up virtual server instances for test drives and even production applications. The technology is truly "ready for prime time" as you can select a variety of virtual hardware configurations and operating systems, and then connect storage, load balancing, VPN, etc. You can get almost everything you need on your stack--except support for authenticating users, providing Single Sign-On, and Access Control.
Symplified Takes the Stage
Since I've been with Symplified we've built our team, product, and operations into a world class offering. Our network appliance and proxy architecture have served our customers well. Moving into Amazon EC2 seems like an obvious next step. As IT shops of all kinds are recognizing the value of elastic computing and PaaS, Amazon EC2 deployments have grown wildly, with some estimates exceeding 50,000 machine instances per day. Putting our technology where it is needed makes a lot of sense. We can offer the same functionality that can be obtained in an Identity Router appliance, only virtualized and running alongside the EC2-based applications it protects. And the benefits of PaaS extend not only to the applications running at EC2, but also now to our own IAM infrastructure. Because of its huge scale, Amazon can offer commodity pricing on a pay-as-you-go model. Its data centers are closely monitored and highly available. And the ease of use is truly compelling. It seems almost funny to look back at the days when it took weeks to months to order, rack, wire, and configure application servers, let alone integrate with legacy IAM technologies that required server plugins, databases, and custom coding.
April 2010
With the formation of the Open Identity Exchange and OASIS Identity in the Cloud TC there is a renewed interest in Identity Management Standards and a new focus on the Cloud model. This has led to some recent discussions such as "What standards to use?", "How to derive value from standards (old and new)?", and "What resources to leverage in delivering standards-based IDM?".
With Symplified's approach, enterprises can indeed leverage existing expertise and technologies. E.g., our embedded virtual directory allows you to retain any number of directories that you presently use for authentication and user profiles. If you have in-house SAML technology and expertise, we integrate with it--but if you don't, our solution still delivers and you don't need to purchase other tools or expertise. Although we are SaaS based and add great value to integration and protection of SaaS apps, we also can deploy on-premises components for customers who are more comfortable keeping certain functions inside their four walls. (This approach can be used to keep network traffic internal and to contain all user data within the enterprise.)
As with most infrastructure, employing third party products and services should allow an enterprise to focus on their own core competencies and lines of business. Value should be seen in not having to employ resources for the care and feeding of such systems, knowing that not only are initial needs met, but the solution continues to expand and evolve, for example integrating with new applications and services, and adopting new standards and functions. With the current splintering of standards, using a vendor that is not locked into any single standard is highly advisable. Time to implementation and TCO are important considerations as well. I have worked for large institutions that have implemented their own systems (as the need predated IDM technology) and can personally attest to the costs for creation and maintenance of such systems. With these lean times, CxOs, boards, and shareholders are raising eyebrows at large investments on internally developed infrastructure. Hence service based solutions, especially those with pay-as-you-go pricing, are increasingly desirable.
The fact that applications have differing trust models often complicates deployments and has contributed to failures in the adoption of federation. Eric Olden wrote an excellent article on this: Federation is Dead: Long Live Federation Fabric. So while I agree that federation is the way to go, the pragmatist in me knows we need solutions that work now. Waiting for a standard to mature and gain adoption means waiting to integrate, delaying such capabilities as User Provisioning, Single Sign-On, Access Control, and Compliance. I don't know of many IT managers willing to tell their business sponsor that they can't deliver a solution now because they must wait for an infrastructure standard to take hold! Please know I hold the utmost optimism and support for IDM standards to me this is all a matter of timing and planning of enterprise roadmaps. In short: set realistic expectations to leverage emerging technologies.
In closing I must add that I am excited to see renewed interest in making standards work. The biggest challenges I have seen are lack of adoption, and splintering not only in the adoption of specific standards, but also in decisions that determine interoperability--such as profiles, assertions, and semantics. It's the classic chicken and egg scenario: until standards adoption and interoperability are the norm there is less incentive to support the standards in the first place. For federation to become ubiquitous the network effect must be realized.
February 2010
One of the key issues in today’s highly inter-connected computing model, especially regarding Cloud Computing, is Control. In the old days, if I needed access control, I pulled together the Ops teams that managed applications to execute a plan for installing plug-ins that can both authenticate and authorize web accesses. I had control (or at least some influence!) on the applications and stacks that ran my enterprise business. But we now enter a new generation where I do not have that control. Just imagine calling Google, Salesforce.com, and Taleo to ask that they install my favorite brand of IAM plug-in on their servers! One of the first things I’d like to point out is that many IAM Vendors support deployment models that simply do not suit today’s needs. Network based IAM is the way to go. SaaS Applications require an entirely different approach.
When we talk about Virtualized Datacenters, our natural inclination is to say they are mostly no different than brick and mortar data centers. And what’s the difference if my enterprise owns and runs one as opposed to a hosting partner? The challenge I see is that the virtualization trend has gone beyond enterprises managing their own virtual machines with their own hosting infrastructure. Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) have driven virtualization, standardization, and commoditization further down the stack--which has two effects. Firstly, I might not be able to install platform-specific software components like WAM plug-ins. The new trend is for these environments to provide services that are abstracted away from the underlying machines, operating systems, and applications. Secondly, even if I can install the old style IAM tools, this is missing a huge opportunity for cost savings—putting standard infrastructure for IAM into the “drinking water” is the wave of the future, and it’s going to be difficult for legacy IAM vendors to adopt.
But despite the virtues of Cloud Computing, and the fact that the Cloud visionaries are leading the wave with standards, they are often ad hoc standards (e.g., proprietary Authentication and Provisioning APIs). It will take time for the industry standards to shake out, and there remains much skepticism in the industry. So hitching your enterprise IAM strategy to a vendor that only offers one type of solution (e.g., SAML) appears risky at best. The dominant integration standards have yet to reach critical mass among SaaS vendors (e.g., SAML, WS-Fed, SPML)—and IAM Vendors are having difficulty integrating with SaaS vendors that don’t support standards. In effect, the Cloud Computing Permutations present challenges to many IAM vendors.
In closing, it’s important to understand that IAM (Identity and Access Management) spans many facets and has different meaning to different folks. While the basic building blocks may not have changed much, delivering manageable solutions with SSO, access control, provisioning, and user administration is challenging when we include the Cloud. So while creation of a user in a local Windows Domain is not fundamentally much different than doing so in a SaaS app, provisioning a user in a way that allows multiple Cloud and on-premise apps to automatically accept authentication of the user and provide SSO is indeed a challenge.
Coby Royer
Technical Product Manager
Symplified
Cloud leader, Salesforce.com, is in the midst of their DreamForce conference in San Francisco. It's amazing to reflect on their success and growth. Even with our current economic woes, Salesforce has managed to continue steady growth and stock performance. And with 19,000 people registered for this year's DreamForce, interest is certainly not dropping off.
At the helm of Salesforce, CEO Marc Benioff spoke of new product innovations and what lies ahead. With the announcement of Sales Cloud 2 and Service Cloud 2, we see expansions of Salesforce services into exciting new areas with a strong Cloud Community theme. New offerings for knowledge management tie into Google, Facebook, and Twitter with email integration and complete customer service call centers in the Cloud. Salesforce will offer social networking for the enterprise with their own Salesforce Chatter and scheduling with Salesforce Scheduler.
And if you are in San Francisco for this event, Symplified would like to extend an invitation to our exclusive Cloud party where you can learn how to unlock the potential of Force.com and other SaaS applications by making Salesforce the center of your cloud platform.
From collaboration to sales mobility, Symplified secures the Cloud, the enterprise & everything in between. We are the Cloud security experts.
Coby Royer Technical Product Manager Symplified
October 2009
Bob Blakley from The Burton Group recently posted a great response to Andrea DiMaio of Gartner Group regarding privacy.
There are lots of great viewpoints expressed in Bob's blog and comments. But I'd like to raise a perspective on privacy that is not fully addressed.
I'll start with an analogy. Fortunately, my daughter is not yet old enough to drive, but I'm sure this story is a reality for many of you. You loan your car to your kid. You set an expectation, either explicitly ("you may go to the mall with your friend but only you can drive and you may not go anywhere else") or implicitly (previous communication, rules, and/or precedent about who can drive the vehicle). The expectation is a shared understanding of what may be done with the vehicle. You take on a calculated risk based on the nature of the act, your ability to "know" that the expectation is fulfilled (visibility), and your ability to incent the fulfillment of that expectation. (The incentive can be a carrot or a stick, and can arise from friends, family, or institutions in our society, e.g., law enforcement.) In short, I let the kid have the car and cross my fingers she is not letting her friend drive or going somewhere other than the mall. Visibility is tough, although GPS and other technologies are helping these days. In a hypothetical world of complete trust, I can simply ask my daughter if she followed the expectation.
So why am I talking about loaning a car in a blog about Privacy? The answer is simple: privacy is a special case of trusting others with assets. In the world of privacy, the asset is information. Instead of loaning her a car, suppose I am telling my doctor about a medical condition. I take a calculated risk. (Will my doctor tell others or post my name and condition on a web page?) I believe we have a common expectation. (Thank you HIPAA for ensuring I receive a Privacy Statement.) And I know there are incentives to uphold the Privacy Statement. (HIPAA does have teeth, right? Well, maybe: in a recent survey by Ponemon Institute, 80 percent of responding health care organizations had experienced at least one incident of lost or stolen electronic health information in the past year.)
Now, in the automobile analogy I set an expectation about the transference of the asset. "You may not let anyone else drive." I didn't say "you can only loan the car to someone you trust." In the case of my HIPAA Privacy Policy, there is a provision for transference: my medical information will be provided to my health insurance provider. But not my employer. OK.
In short, my view is that this is all about setting and meeting expectations. This is as old as human discourse and is not based on technology. But technology changes things: it both helps and hurts. And it could help a lot more than it is presently doing. I haven't said much about visibility so far. Visibility is tricky: it's nearly impossible to know if my daughter lets her friend drive and where she takes the car. (Well, until I get the photo radar speeding citation with friend Suzie driving nowhere near the mall.) But visibility could be easy with information assets: metadata can be included to identify the source of an asset (and even the chain of transference if it has been passed along). And privacy policies abound, so maybe we have enforceability to incent stewards of private information to abide by our expectations. Maybe.
So to me, privacy is not black and white. I might trust low-risk information to others even when there is little visibility or few privacy incentives. I might set an expectation that transitive trust is OK: I not only trust my doctor with my medical history, I trust them to pass it along to others that are trusted and fall within the same parameters of our shared expectation. In some cases I know litigation is a real incentive. In other cases, societal pressures may suffice (when I expect a social behavior and not an anti-social behavior, as Bob would say). And in many cases, the expectation is not fully articulated or precise: I expect that "private information will be used to benefit me and not harm me."
One thing that is fascinating about today's connected world is the ease of disseminating information. One post to a website can get millions of viewers. And information is freely replicated, unlike physical assets. So we need to be extremely careful with our private information. And digital information can stick around a long, long, time. And it is readily searched. So in these ways the technology hurts privacy.
The first time someone sent me a "gift from Pennsylvania" on Facebook, I declined because of the warning that the Gift application can access all of my personal information. And there is no transitive expectation of what that application will do with it. There was no privacy expectation, period. Even if there was, I don't feel I have visibility. (At least with the doctor's office I can ask who my medical history was shared with.) And as far as incentives and enforceability are concerned, I don't feel very protected on today's social networking sites. But, in the end, I have accepted (and sent) these kinds of gifts, based on one fact: my activities on Facebook are really pretty pedestrian. But I have yet to rush home from the doctor after being diagnosed with an embarrassing condition to post it on my Facebook wall. Check out Ian Glazer's blog about the Facebook issue and PPIA.
So as we further our privacy interests as a collective community of advocates, let's continue to ask about expectations, how they are asserted, communicated, and agreed, how privacy infractions can be made visible, and the economic, legal, social, and moral incentives we can cultivate. Regardless of what you feel should or should not be "private", we all have a right to set expectations that we trust will be met. And as technologists, we have the capability to improve the state of privacy in the face of technological advances that might otherwise undermine it. Privacy is not an Illusion. It is a challenge.
October 2009
This is a good question, but we have to understand what is meant by Enterprise Architecture (EA). It is generally accepted to be a discipline and sometimes a role or organization responsible for those activities that strategically align an organization to its technology and business goals. Activities such as Enterprise Architecture Planning (EAP) serve this need and are essential to IT Governance. Other activities relate to the application of Enterprise Architecture to specific domains, such as Line of Business (LOB) portfolios, Technical Architecture (which may include networking, security, etc.) and Application Architecture.
So, given this definition--YES, EA is essential because even (or perhaps especially) if the applications and business processes leave the enterprise four walls (ala SaaS), planning and governance are needed to ensure alignment to strategic goals. The role of EA is to periodically adjust those long term goals and the trajectory to attain them in response to changing technologies, business drivers, etc. So as new paradigms like SaaS and other types of Cloud Computing emerge, EA must evaluate them and establish standards, guidelines, policies, etc. For example, EA may incorporate SaaS based on cost benefit and an assessment that recognizes SaaS apps as being aligned to enterprise needs for security, privacy, compliance, service level, business function, etc.
And in addressing whether there is a need to architect solutions when adopting SaaS (presumably in support of EA as a discipline), then YES, there is still a critical need to define how SaaS integrates with the enterprise technology landscape. Questions such as "What is the master of my data?", "How do I manage Identities and Accounts?", "How do I produce Compliance Reporting?", "How do I migrate to/from adopted and sunset SaaS Apps?", "How do I establish Trust Relationships?", "How do I provide Quality and Service to my constituencies?", etc. require solutions in the domains of Information Architecture, Security Architecture, Network Architecture, Application Architecture, Technical Architecture and so on, presumably envisioned and vetted by architects of various types (including Portfolio Architects, Solutions Architects, etc.).
So while the GAME may have changed, the need for the PLAYERS has not. Architecture--in all senses of the word--remains essential.
In closing I will say that SaaS pushes the emergence of Business Architecture to a new height because of the direct empowerment of LOB owners. Acquisition and deployment of real solutions is now within grasp of business owners (seemingly) without the need for conventional IT delivery and support. But many of the above questions may go unanswered without engagement of EA, and latent risks (such as compliance and security) may turn into real issues.
Coby Royer Technical Product Director
Symplified | Cloud Security Experts
Managing The Threat Within
I'd like to applaud some of the recent points raised by Richard Stiennon (http://information-security-resources.com/2009/09/09/identifying-and-countering-the-insider-threat/ and http://threatchaos.com/). In his post, "Identifying and Countering the Insider Threat", he raised some points that resonated with me. For a long time I have been reiterating concerns to enterprises about managing the internal threat. And with the recent economic downturn, layoffs and other sources of employee dissatisfaction are increasing the internal threat. The web is full of stats and case studies if you want to read more, e.g., http://www.secretservice.gov/ntac.shtml and http://www.csoonline.com/article/454890/Tough_Economy_Heightens_Insider_Threat. The fact is, corporate management must pay attention to the insider threat and implement policies and controls to manage it.
What to Do?
The one message I'd like to leave our readers with is well stated in Stiennon's article: "Identity and Access Management tools are the single most valuable defense you have against the insider threat."
Authentication
Employ authentication strength that is commensurate with risk and which complies with applicable rules and regulations. Whether this means passwords or MultiFactor Authentication (MFA) such as biometrics or smartcards, be sure to invest in appropriate technologies and train your user base on tools and policy.
Provisioning
Be sure your processes and tools for the creation, removal, and management of accounts do not leave you exposed. Entitlements and accounts for former employees must be revoked as quickly as possible. Use approval and/or attestation workflows and role based access control (RBAC) wherever possible. And do not forget about privileged account management: "You cannot begin to get control over privileged accounts, IT administrators, or even software licensing costs until you enable an effective Identity and Access Management solution."
RBAC
Defining and enforcing roles is a huge topic. Although simple in theory, assigning roles to people and then setting access control according to role is non-trivial. Bruce Schneier has some great info in his latest newsletter: "Real World Access Control" http://www.schneier.com/crypto-gram-0909.html#3. What may seem easy at first is complicated by poorly defined roles, constant role churn, multiple roles, and the pragmatic fact that under-entitling employees incurs productivity costs. I like Stiennon's suggestions to keep it simple, start by defining groups for each function in the organization, and include tools for review of exceptions; as he puts it, "granular control over what people do on your networks and a means to enforce the policies that regulation and security best practices require."
Compliance and Reporting
Regular review of audit logs to see who has accessed what is important. Monitoring and logging are essential to understanding risk and detecting malicious activities.
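The three controls above (timely revocation of former employees' accounts, group-per-function RBAC with a review of exceptions, and regular review of who accessed what) expressed as checks over constructed data, as an added example that is not from the original post or Symplified. The role names, the HR feed, the entitlement snapshot and the audit log format are all assumptions made for the example.

```python
"""Added example (not Symplified's code): deprovisioning, RBAC exception
review and audit-log review run over a constructed entitlement snapshot,
a constructed HR feed and a few constructed audit log lines."""
from datetime import datetime, timedelta

# Keep roles simple: one group per business function, each granting a fixed
# set of entitlements. Names are assumptions for the example.
ROLE_ENTITLEMENTS = {
    "sales":    {"crm:read", "crm:write"},
    "finance":  {"erp:read", "payroll:read"},
    "it-admin": {"crm:admin", "erp:admin", "dir:admin"},
}

# Constructed HR feed: assigned roles and termination date (None = active).
HR = {
    "alice": {"roles": {"sales"},    "terminated": None},
    "bob":   {"roles": {"finance"},  "terminated": datetime(2009, 9, 1)},
    "carol": {"roles": {"it-admin"}, "terminated": None},
    "dave":  {"roles": {"sales"},    "terminated": None},
}

# Constructed snapshot of entitlements actually held in the applications.
HELD = {
    "alice": {"crm:read", "crm:write"},
    "bob":   {"erp:read", "payroll:read"},                # still enabled after leaving
    "carol": {"crm:admin", "erp:admin", "dir:admin"},
    "dave":  {"crm:read", "crm:write", "payroll:read"},  # granted outside his role
}

# Constructed audit log: timestamp, user, resource, result.
AUDIT_LOG = """\
2009-09-10T08:02:11Z alice crm:read ALLOW
2009-09-10T08:05:40Z bob payroll:read ALLOW
2009-09-10T09:17:03Z dave payroll:read ALLOW
2009-09-10T23:41:58Z carol dir:admin ALLOW
2009-09-10T23:42:10Z carol dir:admin ALLOW
2009-09-11T03:12:00Z mallory crm:read DENY
"""

AS_OF = datetime(2009, 9, 10)  # date of the review


def entitled_by_role(roles):
    """Union of everything the user's roles grant."""
    allowed = set()
    for role in roles:
        allowed |= ROLE_ENTITLEMENTS.get(role, set())
    return allowed


def stale_accounts(hr, held, as_of, grace=timedelta(hours=24)):
    """Former employees whose entitlements should already have been revoked."""
    return sorted(user for user, rec in hr.items()
                  if rec["terminated"] is not None
                  and rec["terminated"] + grace <= as_of
                  and held.get(user))


def role_exceptions(hr, held):
    """Entitlements held that no assigned role grants: the review queue."""
    exceptions = {}
    for user, entitlements in held.items():
        roles = hr.get(user, {}).get("roles", set())
        extra = entitlements - entitled_by_role(roles)
        if extra:
            exceptions[user] = extra
    return exceptions


def parse_log(text):
    """Parse the constructed 'timestamp user resource result' lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, resource, result = line.split()
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "user": user, "resource": resource, "result": result})
    return records


def review_log(text, hr):
    """Flag successful access by unknown or terminated principals, and
    successful access to resources outside the user's roles."""
    findings = []
    for rec in parse_log(text):
        user = rec["user"]
        if user not in hr:
            findings.append((user, rec["resource"], "unknown principal"))
            continue
        if rec["result"] != "ALLOW":
            continue  # denied attempts are worth counting, but not flagged here
        terminated = hr[user]["terminated"]
        if terminated is not None and rec["ts"] >= terminated:
            findings.append((user, rec["resource"], "access after termination"))
        elif rec["resource"] not in entitled_by_role(hr[user]["roles"]):
            findings.append((user, rec["resource"], "access outside role"))
    return findings
```

Run against the constructed data, `stale_accounts` names bob, `role_exceptions` surfaces dave's payroll entitlement, and `review_log` ties both back to actual events in the log, which is the point of reviewing logs against the entitlement model rather than in isolation.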
Enter the Cloud
Of course, all the above take on new challenges once we leave the corporate four walls. Technologies that extend the span of Authentication and Access Control to SaaS Apps are indispensable. Simply because an app is SaaS does not make it immune to regulatory needs.
What Now?
Listen to the experts! Employ processes and tools that manage the insider threat. Look at the facts: this threat is real. And all organizations have these risks. And of course, build your single most valuable defense: IAM--http://www.symplified.com/.
Coby Royer| Technical Product Manager
Symplified | Cloud Security Experts
September 2009
For years, enterprise architects worked toward standardization and consolidation to achieve economies of scale across enterprise LOB portfolios. Data centers often looked like IT museums with one of every imaginable RDBMS, App Server, Web Server, OS, and hardware platform--and capacity was underutilized while TCO was out of control. Platforms like J2EE were initially created around N-Tier discretionary architectures that provided scalability and standardization.
As enterprises achieved some successes in standardization and consolidation in the 1990s and early 2000s, a new technology entered the scene: Virtualization. Even with a diversity of stacks, economies could be achieved, as peaks and valleys in CPU and memory of VM guests averaged out in the VM host. And the ease of deployment and management of VM guests introduced unparalleled cost reductions. So virtualization is here to stay, but is it the end game?
I think of virtualization as a means to achieve micro-scale economies. At the macro-scale, we still have to address needs for ping, power, and pipe at the data center, and ensure availability, disaster recovery, and more. So the consolidation of VM resources represents the next wave of change. (And with grid computing, the VM hosts do not even have to be physically collocated.) So now I can use Amazon EC2 to fire up VM servers of my choosing, on demand. No, virtualization is not the end game--it is a crucial enabler for Cloud Computing (more specifically, for PaaS and IaaS). And given its importance, and the economies that are fueling this trend, I do see virtualization vendors making Cloud Computing more of a reality.
So what about security and enabling infrastructure such as IAM? The same economies that are driving Cloud Computing will extend across all crucial infrastructure that adds value to it. And in time, standards will be adopted to lend further economies and broaden the reach of standard infrastructure.
(Standards can be a mixed bag, though, as they often embrace a philosophy of “Build it and they will come.”) We are already seeing high demand for Cloud Security and IAM here at Symplified, and we believe this trend will continue strongly. We are building the network that enables SSO and Access Control across the full breadth of SaaS Apps, as well as COTS and homegrown Apps that our customers host. This is the real deal, and our own SaaS economies are delivering these capabilities at a fraction of the cost of the former generation of IAM technology.
Check out some additional perspectives on Cloud Computing and the Enterprise. Check out the Linked In Conversation surrounding this question written by Brian Nettles, VP of IT at CB Richard Ellis: “Everyone is talking about cloud computing these days. I've heard various opinions from execs but little from Architects and Engineers. Is this another passing fad? Do you think the moves by top tier virtualization vendors will make cloud computing more of a reality? If you believe this is the real deal, what direction do you see vendors going to provide security for large scale enterprises and will it be cost effective?”
Coby Royer Technical Product Manager Symplified | The Cloud Security Experts http://www.symplified.com