
Cloud Expo: Article

Mirror Mirror: Difference Between Identity Management & Access Management

And companies need both to maintain a secure environment

One of the biggest misconceptions in cloud security is the perception that identity management (IDaaS) and access management (SSO) are the same thing.

They’re not.

And it took a viewing of the famous Star Trek episode called Mirror Mirror for me to best illustrate and articulate the difference between the creation and management of a user account and credentialed rights and the funneled applications that entity is allowed to see. For those unfamiliar with the episode, it’s the one where Kirk is transported into an alternate universe and meets evil Spock (the one with the beard)... but more about that soon.

Simply, IDaaS is the administrative function that creates and maintains a user’s network identity. It segments their privileges by roles and rules. This is called provisioning. Your starship just hired a new lieutenant to communicate with new life and new civilizations as you boldly go places—in this world we call it inside sales, but you get the idea. In the organizational hierarchy, this officer needs access to certain functions and applications, but not others. So when her “enterprise” identity is created, she is assigned certain access rights. She needs to see the languages database, but not the weapons console. Her identity group, as a junior officer, is similar to others of her job description and rank. Identity management establishes her credentials, manages her passwords, and the provisioning synchronizes this information instantly so that a specific level of the network is accessible. This works in reverse as well. As soon as she resigns her commission, automatic de-provisioning rescinds those rights and prevents her from accessing information after she’s left the ship. It’s all based on process and workflow.

So how is this different from access management? If identity management is about the development of a privilege strata and the source of password details, why does a company need access management? Because it is the difference between authentication and authorization. It's the difference between administrative availability and tightly controlled access. Case in point: our communications officer is standing on the planet Saas and dialing into the Enterprise (BYOD!). Her identity settings allow her to access the ship’s computer, but it is her SSO that channels her access to see only certain applications. And because access management is about single sign on, once she is authenticated, all of her applications (including the dozens of unique passwords) are controlled from a single portal (and blocked from seeing/accessing others). The single sign on function also authenticates her to each individual application, so she doesn't have to do it again once she is within the protection of the portal. And the segmentation of each application is also personalized to her rights automatically. She sees only the slice of the database she is permitted to see. But what if it wasn’t her? What if it was a Klingon who cloned her tricorder or her body was taken over by a non-corporeal lifeforce? Single sign on enforces multi-factor authentication. So if her password is stolen, the nasty Romulan might not know the year she graduated from the Starfleet Academy or that the name of her first pet was Cochrane. Simply put, IDaaS is the intelligence and SSO is the locked doorway, and they need to seamlessly integrate to create a better security platform. Having one without the other is like transporting into an alternate universe and having to fight an evil Spock. (I told you I’d get to it!)

While looking to acquire dilithium crystals, the Enterprise gets hit by an unexpected ion storm (for our metaphoric purposes, let’s call this a suspicious intrusion resulting in breach!). This causes a landing party to transport (access management) to an alternate universe. In this world everyone looks the same (except for Spock’s Machiavellian beard!), but their intentions are less than honorable. Conversely, evil Kirk is now on the original Enterprise. Allegorically, if this were a fully integrated and unified security Enterprise, the SIEM program would have noted the original suspicious activity and Mr. Scott would have received an immediate alert based on the parameters of what constitutes a breach. But if Evil Kirk gets through nonetheless and tries to log onto the system to arm the photon torpedoes, there are a few security hurdles in his way. His alternate universe password of “UglyKittens6” doesn’t work. In fact, after several tries he is locked out and an alert is sent to Mr. Scott for review and remediation. But Evil Kirk is wily. He clicks “forgot password” because he figures he can self-serve and generate a revised password. However, the system asks him how many TekWar novels he's written (or any other personalized information to further verify his identity) and without the correct answer, his evil machinations are again thwarted. However, let’s say the passwords match (“OverActing4#5!”) and he is admitted into the access portal. He may be captain (CEO) of the ship, but his role does not include the direct management of weapons systems, so this application is absent from his portal of available applications.
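The Evil Kirk walkthrough above, with the provisioning/de-provisioning described earlier, reduced to working code. This is an added illustration, not code from the article or from CloudAccess: the identity side owns accounts, roles and the password store, the access side authenticates, locks the account after repeated failures (the threshold of 3 is assumed; the article only says "several tries"), raises an alert, and lists only the applications the user's roles permit. Role and application names are constructed sample data.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILED_LOGINS = 3  # assumed threshold; the article only says "several tries"
# Role -> applications that role may see in its portal (constructed sample data)
ROLE_APPS = {
    "junior_officer": {"languages_db", "ships_computer"},
    "captain": {"ships_computer", "bridge_console"},
    "weapons_officer": {"weapons_console"},
}

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Identity:
    username: str
    salt: bytes
    pw_hash: bytes
    roles: set
    active: bool = True
    failed_logins: int = 0
    locked: bool = False

class IdentityManager:
    """IDaaS side: provisioning, de-provisioning and the password store."""
    def __init__(self):
        self.users = {}

    def provision(self, username, password, roles):
        salt = os.urandom(16)
        self.users[username] = Identity(username, salt, _hash(password, salt), set(roles))

    def deprovision(self, username):
        self.users[username].active = False  # rights rescinded the moment she leaves

class AccessManager:
    """SSO side: authenticate, lock out after repeated failures, filter the portal."""
    def __init__(self, idm, alerts):
        self.idm, self.alerts = idm, alerts

    def login(self, username, password):
        """Return the user's application portal, or None if access is refused."""
        ident = self.idm.users.get(username)
        if ident is None or not ident.active or ident.locked:
            return None
        if not hmac.compare_digest(_hash(password, ident.salt), ident.pw_hash):
            ident.failed_logins += 1
            if ident.failed_logins >= MAX_FAILED_LOGINS:
                ident.locked = True
                self.alerts.append(f"lockout: {username}")  # Mr. Scott gets the alert
            return None
        ident.failed_logins = 0
        return self.portal(ident)

    def portal(self, ident):
        # Authorization: only applications granted to the user's roles are listed
        return sorted(set().union(*(ROLE_APPS.get(r, set()) for r in ident.roles)))
```

Note that a correct password for the captain still yields a portal without the weapons console, and a de-provisioned account is refused even with the right password.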

Silliness aside, the IT moral of this episode is that identities are just a single level of integrated security. That controls WHO you are. As a partner or employee, the enterprise affords you this amount of visibility within the network. Access controls the applications to which you may connect. As most companies use a wide variety of applications—on premise legacy, cloud-based ASP/SaaS or general web-based programs—the need to channel controls is mission critical. This is access management. There simply can’t be a login name and password that provides any user limitless exposure to the network. Best practice, regulatory compliance and strong security demand that these functions work in concert.

But best practices that require investment in two separate solutions, two separate deployments with two separate providers, and the extra eyeballs to continuously monitor activity seem to be counterproductive…right?

The fact that SSO and IDaaS are two different solution sets is tempered by cloud-based security deployment. As a singularly sourced seamless operation from the cloud, the pairing increases the ability to control who gets to see what across a heterogeneous enterprise with competing priorities, needs and identity types. Just as partners and vendors need certain access that is separate from employees, not all employees are the same; they too fall into unique roles and rules that can be managed by identity management and controlled by access management. There are many solutions on the market that address either IDaaS (IDM) or access (IAM, SSO) in the cloud, but I obviously know of only one that provides both as a multi-tenant (true-cloud) initiative. This mixes the best practice of best-of-breed with all the cost and productivity benefits promoted by the cloud.

And if my metaphors and wink-and-a-nod sci-fi geek inferences were too obscure, here is a straightforward listing of the differences between IDaaS and SSO:

Standard IDaaS features (Administrative):

  • Provisioning/deprovisioning (add/delete user accounts)
  • Password management
  • Role-based identity groups/individuals for access
  • Automatic Directory (Active, LDAP, etc…) propagation (using data on these infrastructure databases to populate/control IDM)
  • User self-service
  • Multi-lateral password synchronization
  • Access recertification
  • Request management
  • Business process/rules mapping
  • Federated connectors to secure applications
  • Comprehensive audits, reports for compliance
  • Graphical integrated approval workflow

Standard SSO features: (Active Application of Administrative Controls)

  • Access for both SaaS and Web applications/platforms
  • Authentication and access control by IP address
  • Integration with AD, LDAP, SQL, etc.
  • Dynamic portal grouping users’ permitted applications
  • User self-service for password reset
  • 2 factor authentication for BYOD
  • Authentication chaining
  • Whitelisting/blacklisting of allowed/disallowed sites/apps
  • Risk adaptation (traveling IPs)
  • Identity gateway enables access to 1000s of websites, on premise and legacy applications

Live long and securely prosper!

Kevin Nikkhoo
www.cloudaccess.com

More Stories By Kevin Nikkhoo

With more than 32 years of experience in information technology, and an extensive and successful entrepreneurial background, Kevin Nikkhoo is the CEO of the dynamic security-as-a-service startup CloudAccess. CloudAccess is at the forefront of the latest evolution of IT asset protection: the cloud.

Kevin holds a Bachelor of Science in Computer Engineering from McGill University, Master of Computer Engineering at California State University, Los Angeles, and an MBA from the University of Southern California with emphasis in entrepreneurial studies.
