Analyst Report: Identity-based security and the cloud

1 Summary

The rise of cloud computing has led to the reassessment of how both cloud and non-cloud systems approach security. Considering the complex and distributed nature of cloud-based platforms, security approaches that leverage identity are the best fit. This will require a fundamental shift in thinking — and in technology.

There are many players in the field of identity and access management (IAM) ranging from the old guard of Oracle, CA, and IBM to newer players that are built specifically for the cloud. However, the movement to identity-based solutions is not as easy as the technology providers describe. While it’s fairly straightforward to build new approaches to security in new applications that reside on the cloud, the harder aspect of IAM is to extend this security model to the traditional enterprise, so the entire environment is secure. Security should be consistent and systemic, which is lacking in most traditional enterprise systems. This security problem needs to be solved before moving to the cloud.

In this report we’ll look at the concept of IAM, as related to the emerging use of cloud, and in the context of traditional enterprises that are adopting the cloud. We’ll consider changes that need to happen, best practices, new concepts (such as centralized trust), and solutions that IT buyers should consider right now.

Key findings from the report include:

  • As cloud adoption increases, identity-based approaches to security are the best fit. This means that many companies have to change their enterprise security approaches and technology to accommodate the use of the cloud. Shifting to IAM is the most logical step.
  • Enterprises that develop mature IAM capabilities can reduce their identity management costs, and, more importantly, become significantly more agile in supporting new business initiatives.
  • The use of IAM within cloud application deployment will back-fill into the enterprise as well, as companies modernize their security approaches and technologies to align with the use of public clouds.
  • The benefit of centralized identity management is the ability to quickly add identities for resources outside of the enterprise’s direct control while ensuring that they are both valid and have the proper credentials.
  • Different vendors approach cloud security and IAM differently, so enterprises should review each product against their specific requirements.


2 Introduction

Identity and access management, also known as identity management (IdM), is not new. But with the emerging use of cloud computing, IAM is clearly the best security model and best practice. Indeed, many cloud providers, such as AWS, provide IAM as a service right out of the cloud. Others require you to select and deploy third-party IAM systems, such as Ping Identity.

The concept is simple: IAM provides a security approach and technology that enables the right individuals to access the right resources, at the right times, for the right reasons. The concept follows the principle that everything and everyone gets an identity. This includes humans, servers, APIs, applications, data, etc. Once those identities are established and verified, it’s just a matter of defining which identities can access other identities and creating policies that define the limits of each relationship.

For example, a company might define and store the identity of a set of cloud-based APIs that are only to be leveraged by a single set of smart phones that are running an application. The APIs each have an identity, as do the smart phones, applications, and the humans using the smart phones. They have to authenticate each other’s identity before they are granted access, or grant access, using an IAM. Each checks with the IAM each time they interact with another resource, such as an application running on a smart phone, linking to and invoking an API.

The idea is that you have much more control when leveraging an IAM. In our simple example above, you could remove access by any resource simply by not authorizing the relationship, using their identities and credentials as a way of determining who and what they are. Moreover, you can also set access policies, such as time of day, even geographical locations, as ways of limiting access around certain high-risk situations to better protect the assets that the IAM is securing.
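The smartphone-and-API scenario above, carried through as an added example (not code from the report or from any IAM product): every actor is registered as an identity, access exists only while the relationship is authorized, and the relationship carries time-of-day and region limits. All names, credentials and regions are constructed placeholders.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    """Every actor gets an identity: humans, phones, applications, APIs."""
    name: str
    kind: str          # "human", "device", "application", "api"
    credential: str    # constructed placeholder; a real IAM holds a key or certificate


@dataclass(frozen=True)
class Policy:
    """Limits placed on an authorized relationship between two identities."""
    allowed_hours: Optional[Tuple[int, int]] = None   # (start, end) in 24h, end exclusive
    allowed_regions: FrozenSet[str] = frozenset()     # empty means no geographic limit


class IdentityStore:
    """Minimal IAM: a registry of identities plus the authorized relationships between them."""

    def __init__(self) -> None:
        self._ids: Dict[str, Identity] = {}
        self._rels: Dict[Tuple[str, str], Policy] = {}

    def register(self, ident: Identity) -> None:
        self._ids[ident.name] = ident

    def authorize(self, subject: str, resource: str, policy: Optional[Policy] = None) -> None:
        self._rels[(subject, resource)] = policy or Policy()

    def revoke(self, subject: str, resource: str) -> None:
        # Removing the relationship is all it takes to cut off access.
        self._rels.pop((subject, resource), None)

    def authenticate(self, name: str, credential: str) -> bool:
        ident = self._ids.get(name)
        return ident is not None and hmac.compare_digest(ident.credential, credential)

    def decide(self, subject: str, credential: str, resource: str,
               hour: int, region: str) -> Tuple[bool, str]:
        """Return (allowed, reason) for subject -> resource in the given context."""
        if not self.authenticate(subject, credential):
            return False, "subject identity unknown or credential invalid"
        if resource not in self._ids:
            return False, "resource identity unknown"
        policy = self._rels.get((subject, resource))
        if policy is None:
            return False, "relationship not authorized"
        if policy.allowed_hours is not None:
            start, end = policy.allowed_hours
            if not start <= hour < end:
                return False, "outside allowed hours"
        if policy.allowed_regions and region not in policy.allowed_regions:
            return False, "region not allowed"
        return True, "allow"


def build_demo_store() -> IdentityStore:
    """Constructed scenario: one phone may call one cloud API, 08:00-18:00, from two regions."""
    store = IdentityStore()
    store.register(Identity("orders-api", "api", "api-secret-constructed"))
    store.register(Identity("phone-0042", "device", "phone-secret-constructed"))
    store.authorize("phone-0042", "orders-api",
                    Policy(allowed_hours=(8, 18), allowed_regions=frozenset({"us-east", "eu-west"})))
    return store
```

Every denial carries a reason, which is what an IAM audit log needs to show why a request was refused.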

Why identity, and why now?

IAM’s strengths come into play as enterprises move to more distributed and heterogeneous systems, which is exactly what cloud-based platforms are. Moreover, as security and compliance issues gain priority, the investment in IAM is being made both within the traditional enterprise and within the emerging use of public and private cloud-based systems.

In Gigaom Research’s 2014 Enterprise IT Buyers survey, security remained the number one reason cited for both mainstream and leading-edge enterprises not moving to the cloud. (It held the top spot in 2013 as well.) Indeed the recent issues around iCloud security that made the mainstream news cycles, as well as the revelations from the Snowden/NSA/PRISM scandal, have added to the skittishness for enterprises and government agencies moving to cloud computing.

While technology is not always the sole answer, the use of IAM could bring around those who are on the fence about the use of public clouds. In many instances, data is actually more secure in the cloud, when the right security models are leveraged. According to Alert Logic’s Fall 2012 State of the Cloud Security Report, the variations in the threat activity are not as important as where the infrastructure is located.

The report further finds that Web application-based attacks hit both service provider environments (53 percent of organizations) and on-premise environments (44 percent of organizations). However, on-premise environment users or customers actually suffer more incidents than those of service provider environments. On-premise environment users experienced an average of 61.4 attacks, while service provider environment customers averaged only 27.8. On-premise environment users also suffered significantly more brute force attacks compared to their counterparts.

We’re seeing these trends for a few reasons:

  • Newer and more capable security models, such as those that employ identity management, are typically leveraged by cloud-based systems.
  • There is an increased focus on security when the data assets are maintained on hardware that is out of the direct control of corporate IT.
  • The number of cloud-based systems is still relatively small, and thus the focus of attacks seems to be on traditional systems which tend to be on-premise.

Driving to identity via the cloud

IAM should be viewed as both a business driver and a security technology. Those who deploy IAM have to focus on the core business processes as well as the details around security. This is a shift from days when security was considered a technical matter for IT to worry about, and the business drivers were largely unconsidered.

Enterprises that develop mature IAM capabilities can reduce their identity management costs and, more importantly, become significantly more agile in supporting new business initiatives. Nearly all new applications built on the cloud will involve IAM but it will also be part of a majority of the existing applications that migrate to the public cloud.

The use of IAM within cloud application deployments will back-fill into the traditional enterprise as well, as companies modernize security approaches and technologies to align with the use of public clouds. In many instances, the IAM will be provided as a service, back into the enterprise. This leads to the concept of cloud-delivered IAM, which quickly leads to the concept of centralized identity management.

3 Moving to centralized identity

The use of IAM has re-emerged around the need to secure highly distributed and heterogeneous cloud-based platforms. But the cloud brings its own set of problems, as well as its own opportunities.

Moving forward, there could be a movement toward IAM systems that are more centralized, perhaps around specific verticals, communities of users, or geographies. The idea is that each IAM system exists at the cloud and enterprise level but also includes a centralized repository of all valid identities that can be leveraged as part of a large distributed, hierarchical IAM system.

Centralized identity management allows many enterprises to share and validate identity information, thus increasing efficiency (fewer redundant identities) and security (better-defined identities).

[Figure: image not included in this copy]

Source: Gigaom Research

The benefit of centralized identity management is the ability to quickly add identities for resources outside of the enterprise’s direct control while ensuring that they are both valid and have the proper credentials. For instance, a data analytics service that is delivered via a cloud provider can be quickly identified and validated using a centralized identity management system, versus having to locate, define, validate, and onboard that service into a company’s own specific IAM system.

This could be at the enterprise level, and most people in enterprise IT would choose that option. However, as we move to cloud computing, it makes more sense that we centralize trust in, well, the cloud. It’s the same concept as identity management, in that each “actor” in a system — a device, person, database, server, or queue — goes to the mother of all identity servers to validate its credentials and be allowed access. This provides several advantages:

  • Common identity validation for systems both inside and outside the enterprise, such as those hosted on public clouds.
  • The ability to centrally solve problems, such as identifying and neutralizing security problems.
  • Less spending on enterprise security by relying on the centralized trust model to deal with identity management across external and internal systems.

The potential problem with this model is the same that was raised with cloud computing a few years ago: Enterprise IT does not trust anything that does not exist in its data center, especially security servers. However, for this notion to work, companies must do exactly that: Take identity out of the data center and centralize it in the cloud. Central identity management will be slow in coming — it can progress only as fast as people are willing to accept it.

4 IAM components

Before selecting and deploying an IAM for cloud-based platforms, or otherwise, companies first need to consider their core requirements. While each problem domain is different, and thus the security solution for each is different, there are some common approaches:

  • Identity Management Services refer to identity life cycle management, access provisioning, centralized role management, and workflow design and implementation. The idea is to provide core identity management services that enable companies to define identities for all resources/actors, provide access for those resources, provide a centralized (enterprise-wide) mechanism for storing and reading those identities, and, finally, manage how they will be operationally leveraged.
  • Access Management Services refer to single sign-on services, federation services, role-based access, and access to the platform. This works in conjunction with the identity management services, leveraging identity information to grant access based upon authorization.
  • Identity Governance Services refer to role engineering, compliance, and identity assurance. This places policies around how identities are managed, including the roles that they have, how identities are linked with compliance policies, and other aspects of managing identities and when governance controls should be put in place.
  • Authentication Services refer to multi-factor authentication, out-of-band authentication, and managed authentication services.

What is important here for buyers is to be able to understand the core components of the IAM system they are selecting, based upon the requirements they have identified. The path to selecting the right solution means that buyers must list their core IAM requirements and match up the solution components provided by each IAM technology provider.

Enterprises typically fall down by not understanding their own requirements and issues early in the process. Vendors all have their own approaches to IAM. This includes those that are focused on cloud computing and those that focus on more traditional enterprise approaches.

The trick is to pick an IAM solution that’s able to meet most requirements. This may also include deploying cloud-based platforms that leverage multiple IAM solutions for different aspects such as identity management and single sign-on.

5 Emerging best practices

While best practices are still emerging around the use of identity-based security with cloud computing, some of the more notable patterns include the following:

  • The integration of cloud-based identity management solutions with enterprise security from the outset. While many companies are okay with creating “security silos” that leverage different approaches and technologies, these have a tendency to be counterproductive over time, considering that companies eventually need to consolidate around a single security model.
  • IAM solutions tend to focus either on cloud computing or the traditional enterprise. Don’t be afraid to focus on the design and architecture of the identity-based security solution and then select the technology. While the solution will be more complex, the architecture should endure through many technological changes. Never let technology lead requirements, or design.
  • Splurge on testing, including “white hat” security tests. These lead to an understanding of where the vulnerabilities exist and thus better approaches and use of security technology. So far, IAM systems that focus on cloud computing have a great track record. However, this could be due to the fact that many on-premise enterprise systems are much less secure and thus provide better pickings for those with ill intent.
  • Make sure to consider things such as performance in the design. While most IAM systems don’t slow things down, they can. These are typically issues that are hard to fix after deployment and can cause issues with security systems because users quickly figure out ways around performance problems and thus the security.
  • Make sure to consider all required regulations for compliance. These are typically managed by the identity governance system within the IAM, and they need to be understood in the beginning. It’s tough to retrofit these policies after implementation.

6 Established vendors and new players

The IAM market will be worth about $12 billion by 2018, if the current rate of adoption continues. Many enterprises will be updating their security systems in the next year. This means that IAM systems, both traditional and cloud-oriented, are starting to show stronger sales, including legacy names such as Oracle and CA, as well as relatively new names such as Ping Identity, and even cloud providers such as AWS.

For example, AWS Identity and Access Management is a full-blown identity management and security system that allows companies to control access to AWS services, including database services such as RDS and DynamoDB NoSQL Cloud Database Service. The AWS identity management offering is a solid cloud-based IAM solution that allows companies to create and manage AWS users and user groups via permissions that allow and disallow access to data. The AWS IAM is systemic to the entire AWS cloud and can integrate with existing enterprise on-premise security. In many instances, the data and other resources are actually more secure in AWS because many enterprises don’t support systemic and distributed access management.

Other large vendor IAM solutions, with different degrees of cloud integration, that are not attached to a cloud provider include:

  • CA Identity Manager
  • Hitachi ID Identity Manager
  • Horacious Identity Manager
  • IBM Tivoli Identity Manager
  • NetIQ Identity Manager
  • Oracle Identity Management (Sun Java System Directory Server)

These players are typically more focused on enterprise IT, and not as much on public cloud computing. However, they all claim deep integration with cloud-based systems. I’ve not found that to be the typical case with these products, other than those which leverage their directory services for use with an IAM solution that was specifically designed for the clouds, which are listed below.

The newer IAM players are typically focused on cloud, usually through the promise of providing both identity management services and single sign-on services. These include:

Of course, each player approaches cloud security and IAM differently, so buyers have to review each product as to specific requirements. Keep in mind, as mentioned above, the best solution could be a few IAM products that need to work and play well together. IAM systems typically integrate through common directory services and companies will need to test compatibility before placing bets on specific IAM systems. Again, start with the requirements, move to the approach, and then pick the technology or technologies that are likely to provide the ultimate solution.

7 Key takeaways

Some of the key concepts to consider around identity management and cloud computing include:

  • As cloud computing increases, identity-based approaches to security are the best fit. This means that many enterprises have to change their enterprise security approaches and technology to accommodate the use of the cloud. A shift to IAM is the logical choice.
  • IAM is focused on distributed and heterogeneous systems, which is exactly what cloud-based platforms are. As security and compliance issues gain priority, the investment in IAM is being made both within the enterprise and the emerging use of public and private cloud-based systems.
  • IAM provides increased control. It enables companies to set access policies, such as time of day, even geographical locations, as ways of limiting access around certain high-risk situations to better protect the assets that the IAM is securing.
  • Enterprises that develop mature IAM capabilities can reduce their identity management costs and become significantly more agile in supporting new business initiatives.
  • The use of IAM within cloud application deployments will back-fill into the enterprise as companies modernize their security approaches and technologies to align with the use of public clouds. In many instances, the IAM will be provided as a service, back into the enterprise.
  • The benefit of centralized identity management is the ability to quickly add identities for resources outside of your direct control while ensuring that they are both valid and have the proper credentials.
  • Before selecting and deploying an IAM for cloud-based platforms, consider the core requirements. Each problem domain is different, and thus each security solution is different. But common patterns are emerging around: Identity Management Services, Access Management Services, Identity Governance Services, and Authentication Services.

8 About David Linthicum

David S. Linthicum is the lead Gigaom Research Analyst on Cloud. He is an internationally recognized industry expert and thought leader in the world of cloud computing, the author or co-author of 15 books on computing, including the best-selling Enterprise Application Integration, and his latest book, Cloud Computing and SOA Convergence. He is a blogger for InfoWorld, Intelligent Enterprise, eBizq.net, and Forbes, and he conducts his own podcast, the Cloud Computing Podcast. His industry experience includes tenure as the CTO and CEO of several successful software companies and upper-level management positions in Fortune 100 companies. In addition, Linthicum was an associate professor of computer science for eight years and continues to lecture at major technical colleges and universities.

9 About Gigaom Research

Gigaom Research gives you insider access to expert industry insights on emerging markets. Focused on delivering highly relevant and timely research to the people who need it most, our analysis, reports, and original research come from the most respected voices in the industry. Whether you’re beginning to learn about a new market or are an industry insider, Gigaom Research addresses the need for relevant, illuminating insights into the industry’s most dynamic markets.

Visit us at: research.gigaom.com.

10 Copyright

© Knowingly, Inc. 2014. "Identity-based security and the cloud" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.