Weekly Update

SSO and Identity Management must be part of any cloud strategy

Over the past five years, security has topped the list of concerns about cloud computing. Rightfully so: if security is truly a concern, it should inhibit cloud adoption. However, many of the security issues raised are red herrings that take the focus off the true security risks of cloud-based solutions. One of those real risks has to do with identity.

One of the fundamental building blocks of security is identity. For many organizations, this means a username and password held in Microsoft’s Active Directory. This works well for applications and services located on-premises or within the company’s network.

Enter the cloud

When cloud-based applications come into the fold, a new set of credentials is often issued. You might be ‘crawfordt’ on one system and ‘crawford.tim’ on another. Or, more confusing still, two systems might both use ‘crawfordt’ but with different passwords. Yet all of these credentials refer to the same person. Multiply this by the number of cloud-based applications in use and by the number of users, and it leads to an exponential number of combinations to manage.

The field of Identity Management solutions

Enter the Identity Management (IM) and Single Sign-On (SSO) applications and services for the cloud. A few of the common solutions are Active Directory Federation Services (ADFS), Okta, Ping Identity and Symplified, among a dozen or so products on the market today. Each has a different list of features, but they commonly address two fundamental issues: identity and provisioning/de-provisioning.

Identity management

The most common feature across systems is IM. Identity refers to who the individual is. One individual may have multiple identities that are used for different systems. Even so, the individual authenticates with a single username/password, or with two-factor authentication (something you have and something you know). As part of SSO, the result of that authentication is then passed to the authorized systems that participate in the SSO system. This eliminates the need for each system to prompt for a login once the user has been authenticated. When using internal applications, it is easy to tie into Active Directory (AD) as the authentication system.

When using cloud-based services and applications, the problem is not so simple. Theoretically, a hole could be made in the firewall to allow the cloud service to reach AD directly. Unfortunately, that opens Pandora’s box in terms of other security-related threats.

The solution is to leverage a cloud-based SSO solution that ties back to the established AD infrastructure in a secure manner. That way, only one application (the cloud-based SSO solution) connects to AD from the outside. All other external applications and services in turn connect to the cloud-based SSO solution. Many SSO products also cover both on-premises and cloud-based applications in a single solution.

When a user connects to a cloud-based application using this setup, they use their standard credentials. This eliminates the need for different credentials across multiple systems. It also avoids the nightmare of managing password changes across each of those systems. AD becomes the ‘system of record’, and all other systems look to it, either directly or via the SSO solution.

Provisioning and de-provisioning

More solutions are starting to include provisioning and de-provisioning: the ability to automatically set up (and remove) users in different systems based on a set of criteria. For example, when user ‘crawfordt’ is set up in AD, provisioning can automatically create their account in a number of different cloud services based on where the user sits in the AD tree or on a setting for that user. Likewise, when the user leaves the company and is removed from AD, their access is automatically removed from all of the other systems that are part of the federation.

Automatically provisioning and de-provisioning users becomes a more valuable tool as the number of different cloud-based solutions in use increases over time. This automation removes user error and speeds up the time to provision and de-provision, which further reduces risk.
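The reconciliation step behind automatic provisioning and de-provisioning, as an added example that is not part of the original post or of any product named in it. It assumes the directory (AD in the post) is the system of record, that every system shares the user's email address as a join key even when the per-app usernames differ (the ‘crawfordt’ versus ‘crawford.tim’ problem), and that a constructed group-to-application mapping decides entitlement; it also flags orphaned accounts, the risk the closing section names.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DirectoryUser:
    """One identity in the system of record; email is the cross-system join key."""
    email: str
    groups: frozenset
    enabled: bool = True

# Constructed policy: which directory group entitles a user to which cloud app.
ENTITLEMENTS = {"crm": "sales", "helpdesk": "support", "wiki": "staff"}

def plan_changes(directory, app_accounts):
    """Compare the directory with each app's account list and return, per app,
    who to provision, who to de-provision, and which accounts are orphaned.

    directory    -- iterable of DirectoryUser (the system of record)
    app_accounts -- {app: {email: username_in_that_app}} as exported by each app
    """
    known = {u.email for u in directory}
    active = {u.email: u for u in directory if u.enabled}
    plan = {}
    for app, group in ENTITLEMENTS.items():
        entitled = {email for email, u in active.items() if group in u.groups}
        existing = set(app_accounts.get(app, {}))
        stale = existing - entitled  # has an account in the app but should not
        plan[app] = {
            "provision": sorted(entitled - existing),
            # directory still knows the person, but they left, were disabled or
            # lost the entitling group: remove access automatically
            "deprovision": sorted(stale & known),
            # no directory identity at all: a local login nobody owns, which
            # needs a human look as well as removal
            "orphaned": sorted(stale - known),
        }
    return plan

# Constructed sample data. The same person carries different usernames per app
# ('crawfordt' vs 'crawford.tim'), which is why email is used as the join key.
DIRECTORY = [
    DirectoryUser("tim@example.com", frozenset({"staff", "sales"})),
    DirectoryUser("ana@example.com", frozenset({"staff", "support"})),
    DirectoryUser("bob@example.com", frozenset({"staff", "sales"}), enabled=False),  # left
]
APP_ACCOUNTS = {
    "crm": {"tim@example.com": "crawfordt", "bob@example.com": "bob.r"},
    "helpdesk": {"tim@example.com": "crawford.tim", "contractor@example.com": "temp42"},
    "wiki": {"ana@example.com": "ana"},
}
```

Running `plan_changes(DIRECTORY, APP_ACCOUNTS)` yields one provisioning plan per app; a real connector would then apply the "provision" and "deprovision" lists through each app's API and route "orphaned" entries to review.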

Standards in flux

The way the different systems exchange credentials and identity information is usually based on one or more of the following standards: SAML (or SAML 2.0), OAuth (or OAuth 2.0) and OpenID. Not all of the solutions support all of the standards. It is therefore important to look at the portfolio of cloud-based solutions in use to determine which standard is most commonly supported.

Administration and risk

There is quite a bit of risk in manually managing identities across the growing number of cloud-based applications. Any cloud strategy today needs to include a strategy for SSO and IM that extends outside the corporate network and into the growing landscape of cloud-based providers. The alternative of manual management requires a level of discipline and process that is easy to define but equally easy to deviate from. And those deviations lead to openings for orphaned accounts or unauthorized access to sensitive corporate data. With today’s sensitivity around data, the wise decision is to leverage a cloud-based SSO and IM solution.