Jeff Hughes brings over 18 years of industry leadership and skills as a marketer, publisher and keynote speaker in high technology industries. He has also worked for McAfee, Blue Coat Systems, Webroot, and Novell over the course of his career. Hughes is the author of 12 marketing and technology books and numerous trade press articles on high technology and marketing topics. Hughes has a BS in Marketing with a minor in Computer Science from Brigham Young University and resides with his family in Scottsdale, Arizona.
Identity Management Blog | Symplified
August 2010
Last week Ping Identity announced availability of its PingFederate SaaS Connector for Cisco WebEx. While a lot of people use this application and will benefit from federation using this SaaS connector, there are still a lot of applications not supported by Ping Identity. This presents challenges for enterprises. IT staffs must deal with connecting today’s mixed SaaS and enterprise environments with an increasingly mobile workforce and many varying applications. SSO approaches typically rely solely on SAML federation, restricting applicability to only about 5% of apps that support this protocol. For external users, desktop software must be installed which is often not acceptable for customers or partners who need to access your network. Enterprises wishing to extend network logins like Windows Kerberos to new apps like SaaS lack a way to bridge the internal with the external.
For end users, the problem is also challenging. Your typical employee must remember between seven and 30 different passwords and they may be required to change them as frequently as every 30 days. Using sticky notes to remember passwords compounds the problem and weakens your corporate security efforts. So, password proliferation strains users, increases management costs and slows application adoption.
Users demand, and administrators require, a simpler SSO experience. The benefits of SSO are realized immediately: users are no longer required to remember numerous passwords, and helpdesk calls to reset passwords are reduced. IT operations are streamlined as users and administrators are more productive without the delays of continuous password management. Symplified’s SinglePoint Universal Single Sign On is a next-generation approach to SSO, extending Windows Kerberos logins to cloud apps – all without installing or managing desktop software.
SinglePoint utilizes HTTP Federation for proven interoperability with the vast number of Cloud and enterprise applications that have not been SAML-enabled. SinglePoint supports next generation HTTP federation enabling federation without changes to target applications. HTTP-FED SSO provides 30X coverage vs. SAML-only support.
SinglePoint supports destination-first SSO and bookmarked app use cases. SinglePoint acts both as an identity provider (IdP) and service provider (SP) meaning you can both send and receive logins. SinglePoint provides SSO for all your platforms – SaaS, PaaS, IaaS and enterprise Web apps. Citrix integration extends user sessions to virtual desktops. When you’re considering SSO solutions be sure to understand the vendor’s SSO approach as many of them rely on SAML federation and many apps don’t support this protocol.
Symplified | The Cloud Security Company
April 2010
With the formation of the Open Identity Exchange and OASIS Identity in the Cloud TC there is a renewed interest in Identity Management Standards and a new focus on the Cloud model. This has led to some recent discussions such as "What standards to use?", "How to derive value from standards (old and new)?", and "What resources to leverage in delivering standards-based IDM?".
With Symplified's approach, enterprises can indeed leverage existing expertise and technologies. E.g., our embedded virtual directory allows you to retain any number of directories that you presently use for authentication and user profiles. If you have in-house SAML technology and expertise, we integrate with it--but if you don't, our solution still delivers and you don't need to purchase other tools or expertise. Although we are SaaS based and add great value to integration and protection of SaaS apps, we also can deploy on-premises components for customers who are more comfortable keeping certain functions inside their four walls. (This approach can be used to keep network traffic internal and to contain all user data within the enterprise.)
As with most infrastructure, employing third party products and services should allow an enterprise to focus on their own core competencies and lines of business. Value should be seen in not having to employ resources for the care and feeding of such systems, knowing that not only are initial needs met, but the solution continues to expand and evolve, for example integrating with new applications and services, and adopting new standards and functions. With the current splintering of standards, using a vendor that is not locked into any single standard is highly advisable. Time to implementation and TCO are important considerations as well. I have worked for large institutions that have implemented their own systems (as the need predated IDM technology) and can personally attest to the costs for creation and maintenance of such systems. With these lean times, CxOs, boards, and shareholders are raising eyebrows at large investments on internally developed infrastructure. Hence service based solutions, especially those with pay-as-you-go pricing, are increasingly desirable.
The fact that applications have differing trust models often complicates deployments and has contributed to failures in the adoption of federation. Eric Olden wrote an excellent article on this: Federation is Dead: Long Live Federation Fabric. So while I agree that federation is the way to go, the pragmatist in me knows we need solutions that work now. Waiting for a standard to mature and gain adoption means waiting to integrate, delaying such capabilities as User Provisioning, Single Sign-On, Access Control, and Compliance. I don't know of many IT managers willing to tell their business sponsor that they can't deliver a solution now because they must wait for an infrastructure standard to take hold! Please know I hold the utmost optimism and support for IDM standards; to me this is all a matter of timing and planning of enterprise roadmaps. In short: set realistic expectations to leverage emerging technologies.
In closing I must add that I am excited to see renewed interest in making standards work. The biggest challenges I have seen are lack of adoption, and splintering not only in the adoption of specific standards, but also in decisions that determine interoperability--such as profiles, assertions, and semantics. It's the classic chicken and egg scenario: until standards adoption and interoperability are the norm there is less incentive to support the standards in the first place. For federation to become ubiquitous the network effect must be realized.
July 2009
Cloud Integration - We are not alone
PaaS and IaaS consumers should have objectives in mind for how the apps they are creating with Cloud computing are to be integrated with other systems.
Constituency
What constituencies are you serving? So you are creating an app with PaaS - is it for your company's employees? Or are you creating a corporate SaaS app to serve your partners or customers? Integration needs will vary based on constituencies.
Single Sign-On
Corporate users will want Single Sign-On (SSO) tied to their existing directories. Customers and Partners may want Single Sign-On tied to their own directories and systems. There are many options ranging from calling out to another authentication system to federation with standards like SAML. If you are in corporate IT, you can implement your own session management and validate session tokens from your own authentications. But if you are a SaaS vendor, federation may be the best way to provide SSO. For example, OpenSAML provides toolkits to make it easy to SAML-enable your SaaS application.
Identities
Avoid creating yet another Identity Silo that requires user provisioning/deprovisioning and profile management. Again, federation can help. Providing integration to external identity systems avoids the whole problem of managing Identity life cycles. Don't take on the burden of managing this yourself when your customer is likely to already have solutions in place!
User Profiles and Attributes
In addition to being able to authenticate users and ensure proper management of Identity life cycles, you should consider how you manage profile data associated with identities. There are methods to "single source" your data and minimize the need to synchronize and update multiple copies of the same information. Consider tying your new PaaS-hosted app to existing directories and Identity Management systems. Some systems (like Symplified) can pass user attributes to your application to avoid having to mirror what is already in your directories and databases. You can also expose secure APIs that enable import and export of data.
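The Single Sign-On and User Profiles sections above describe a SaaS app consuming a partner's federated login and the attributes that come with it. The following is an added illustration, not Symplified's or OpenSAML's code, of the checks a service provider runs on a SAML 2.0 assertion (trusted issuer, validity window, audience) before accepting the subject and attributes; the assertion, issuer and audience URLs are constructed placeholders, and the IdP's XML signature is assumed to have been verified by a proper XML-Signature library before this code runs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Added illustration, not Symplified's or OpenSAML's code: the checks a SaaS
# service provider (SP) runs on a SAML 2.0 assertion from a partner IdP, and
# the attribute extraction that lets the app reuse the partner's profile data.
# Assumed: a constructed assertion, placeholder issuer/audience URLs, a fixed
# clock. The IdP's XML signature must be verified (xmlsec/OpenSAML) before
# any of these values are trusted; that step is outside this snippet.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0n5truct3d" Version="2.0" IssueInstant="2010-07-01T12:00:00Z">
  <saml:Issuer>https://idp.partner.example/idp</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2010-07-01T12:00:00Z" NotOnOrAfter="2010-07-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.saas.example/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@partner.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>partner</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""  # constructed sample, not a captured assertion


def parse_utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def consume_assertion(xml_text, trusted_issuer, my_audience, now):
    """Return (subject, attributes) when every condition holds; raise ValueError otherwise."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_issuer:              # only federate with IdPs you trust
        raise ValueError("untrusted issuer: %r" % issuer)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    if now < parse_utc(cond.get("NotBefore")) or now >= parse_utc(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")   # expiry / replay
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_audience not in audiences:          # assertion meant for another SP
        raise ValueError("assertion not addressed to this SP")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return subject, attrs
```

The returned attributes are what the app uses in place of its own copy of the user's profile, which is the "single source" point made above.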
You Are Not the Only App
We have a natural tendency to focus on just the one application we are creating. But since almost no one uses "just one app" there is an aggregation effect: as each new app is added to your portfolio, it introduces incremental increase in pain surrounding credentials, profile data, transactional data, compliance data, etc. So even if managing users in your app is so easy you can do it in your sleep, your customers and their constituencies will still need to learn how your system works. This is Incremental Pain that turns into a nightmare-no matter how simple one task is, repeating that task many times in many ways is costly and prone to error.
Collaboration
Does your app need to support collaboration between different users of your app? Or across different apps? How can they securely exchange data while not violating privacy requirements? Will customers or integrators be creating mash ups with your application? How do you expose data and functionality (again, securely)? These are all important considerations, and are increasingly easy to do in the world of Cloud Computing. But as we address our needs for security and privacy, identity and access management are fundamental building blocks. When handling a request for data, how do you know who is asking? How do you know they have permissions?
Conclusion
I hope the questions in this blog have been thought provoking. As you consider PaaS and IaaS for hosting and deploying new apps, remember that "You are not Alone". Your app will be one of many for your customers; and collaboration and integration require identity management and access control solutions.
Coby Royer, Technical Product Manager, Symplified
June 2009
Last week the Global Language Monitor announced that Web 2.0 had become the millionth word or phrase added to the English Language. While responses have ranged from debate to disinterest, I think the event does say something about our society's affinity for reinventing technology (and the buzzword bingo that goes along with it). When it comes to evolution and revolution of technology, identity federation immediately comes to mind. Symplified's founders were a seminal force in shaping federation and we are once more at a time when this influence is shaping the future of federation. Today, federation suffers from complexity, prohibitive cost, and fails to address critical capabilities like access control, auditing, and user management. In the past I've blogged about the Network Effect and the power of one-to-many. The unfortunate reality about the current state of federation is that it does not provide the one-to-many feature that enables easy adoption. Enter Federation 2.0: With technology like Symplified, you can connect to more applications at a lower cost than you would otherwise bear if you integrated those applications one at a time. And every time Symplified adds a new application to its network, everyone benefits from it. Stay tuned for our upcoming newsletter to hear more.
Coby Royer, Technical Product Manager at Symplified
May 2009
Most of us remember when Sun announced "The Network Is the Computer" back in 2003. It's certainly not the first time we've heard similar things but there is truly a transformation underfoot these last few years. Cloud Computing in particular is catalyzing change. For me, it's all about the network effect. Although this popular buzzword means a lot of different things to different people, I think of it as a generalization of Metcalfe's Law--namely that the value of a network is proportional to the square of the number of nodes in the network. As the number of people--and services--on the Internet grows, its importance grows at an ever increasing rate. My own exposure to this kind of geometric growth goes back to the early 90s, coding document conversion modules for a startup in Scottsdale, Arizona. We created technology to convert documents between such classics as WordStar, MS Word (Windows and before), WordPerfect, PageMaker, and dozens of others. The business model was remarkable and we earned a spot in the Inc. 500 a few years in a row for rapid growth. Every time a customer came to us with a request to support document conversion of their own format we would realize royalties for licensing to them. Then we would add the new capability to our own consumer products, making them more valuable. And then we could license the new conversion capability to everyone else who had an interest in it. For our customers in the business of creating word processing apps (as they were called back then), this was often a way to enhance their own market share by readily allowing users to migrate existing docs into their own apps. Interestingly, when we added the document formats to our licensed offering, everyone, including our latest customer's competitors, could reap the benefit of the additional document conversion capability. We helped level the playing field in the emergent "office productivity tools" space.
(I might add that the biggest players in this space came to us to reverse engineer and write "converters" between different versions of their own products. Figure that!) So, I got a lot more than just good programming chops out of the document conversion gig--I learned an important lesson about marketing and something very similar to today's Network Effect. The key to low cost development of new document conversion modules was a hub and spoke model that used a generic format that any document could be converted to or from. (This all predated XML and standards like OpenDoc. As a historical side note, I did get to work with the Xerox Star system.) In Cloud Computing, the ability to collaborate and exchange data with other Cloud Partners is key. This is analogous to my experience in converting data formats: only instead of pushing data from one format to another, we are pushing data from one partner to another. The Cloud Network Effect ensures that the value of using Cloud technology increases with each new partner. For Identity Management, it’s all about the value of a one-to-many model over a one-to-one model: identity assertions from one party can be carried to many other parties and enable Single Sign-On. Adopting technology that provides the benefit of connecting to all of the other adopters (the “many”) has obvious benefit over integrating individually with a one-to-one (point to point) approach. Would you rather do integration (e.g., federation) with each partner as a whole new exercise for each one, or would you rather integrate once and get the benefit of the existing integrations already available?
Coby Royer, Technical Product Director, Symplified