SlideShare ist ein Scribd-Unternehmen logo
1 von 10
Downloaden Sie, um offline zu lesen
Next >>

R
Previous

Next

darkreading.com

Previous

Next

Previous

Next

NOVEMBER 2013

IDENTITY

Management
In The

CLOUD
Managing and securing user identities
in the cloud is getting complicated.
Here’s how to keep it under control. >>
By Ericka Chickowski
PLUS Security’s big headache: The evolving user >>

Previous

Download

Subscribe

Next
Register
Previous

Next

DARK DOMINION

Previous

Next

Previous

Next

Previous

Next

Download

Subscribe

Safe In The Cloud
Our Cloud Security Tech Center is
your portal to all the news, product information, technical data
and other information related to
the topic of cloud security.
Click Here

darkreading.com

Security’s Pain In The Neck: Evolving Users
Security would be so much easier if users
were like lamps.
You turn them on, they do what they’re
supposed to. You turn them off, they’re no
longer something to worry about. You know
where a lamp is all the time. You can monitor
it to find out its status.
Unfortunately, users are not lamps.
If you look at the history of security
breaches, almost all of them started with
an end user mistake: a misplaced laptop, a
user falling for a phishing attack, a curious
employee downloading the wrong software.
And yet even tech-savvy companies like Sony
and RSA can’t completely stop breaches.
One of the chief reasons is that users aren’t
static. They change their locations and are
now doing work from homes and coffee
shops. But mobility is only one way users
change. They change their job responsibilities, their projects and the tools they use.
They get promoted. They quit. They get fired.
This “evolution” of users has been a problem
for businesses since the early days of comput-

ing. Most IT organizations want to provision
users with everything they need and then be
finished. Changes create more work, sometimes forcing IT to reprovision a user who’s
already been provisioned. It’s annoying.
But failing to monitor a user’s changing
responsibilities and access requirements can
lead to nightmares. Matthew Keys, who is accused of helping hackers deface the Los Angeles Times website earlier this year, is a former
Tribune Co. employee who had a user name
and password that still worked two months
after he was fired. In 2009, a fired IT employee
used his still-active credentials to plant a logic
bomb at Fannie Mae. These are just a couple
of instances in which an employee’s change
in status wasn’t updated quickly enough by
IT, and disaster ensued.
The problem, in a nutshell, is that there is
still not much connection between a user’s
identity — as defined under Active Directory
or in the corporate system registry — and
the user’s real identity, as defined by what he
or she does for the organization. Employees

TIM WILSON
@darkreadingtim

get transferred, and nobody tells IT. A user is
terminated, but IT never disables his access.
A new employee is given too much privilege
and taps into the wrong data.
As companies begin to tie into cloud services and other outsourced infrastructure,
this problem becomes even more acute. In
today’s Dark Reading digital issue, we examine the challenges of user provisioning and
identity management in the cloud, which
adds a new level of complexity to the access
management picture. The cover story points
out the need for more efficient methods for
provisioning new users and changing access
privileges as users’ jobs change.
Security would be easier if users were like
lamps. But they’re pretty complex — they
change and evolve, and they get into places
they shouldn’t. Enterprises would do well to
build access management strategies that recognize these realities — and adapt to them.
Tim Wilson is editor of DarkReading.com. Write to him at
timothy.wilson@ubm.com.
November 2013 2
EXTEND ENTERPRISE SECURITY TO CLOUD APPLICATIONS

56% 76% 81% 20% 147M
of organizations use 6 or
more SaaS applications1

of network intrusions exploit
weak or stolen credentials2

of employees use SaaS
applications without
IT approval3

of all Americans have
20 password-hungry
online accounts4

cumulative malware
samples captured5

“Among the nine threats identified in the Cloud Security Alliance’s ‘Top Threats to Cloud Computing’ research, account
hijacking is one of the most serious on the list, and abuse of credentials is not far behind.” —SANS Institute
6

Control WHO has access to
cloud applications

Control WHAT they can
do with that access

McAfee Cloud Single Sign On
McAfee One Time Password

McAfee Web Gateway
McAfee Data Loss Prevention
McAfee Global Threat Intelligence

®

Single sign-on for hundreds of popular cloud applications.
Multifactor authentication to reliably verify users’ identities
and prevent account breaches.

Thwart malware infection with zero-day detection.
Block malicious URLs with site reputation and threat intelligence.

Easy user account provisioning and de-provisioning.

Prevent confidential data from leaking with DLP policy control.

Cloud activity monitoring and logging.

Encrypt files stored in the cloud.
Blacklist and whitelist cloud applications.

Cloud Computing Demands Enterprise-class Password Management and Security, Enterprise Strategy Group, April 2013.
2013 Data Breach Investigations Report, Verizon, 2013.
3
Six Things You Need to Know about Shadow IT to Minimize Risks to your Company, Frost & Sullivan report, October 2013.

AP Twitter Hack Shows It’s Time for the Post-Password Era, CNBC.
McAfee Threats Report, Second Quarter 2013, McAfee Labs.
6
Simplifying Cloud Access Without Sacrificing Corporate Control, SANS Institute Analyst Program.

1

FIND OUT HOW McAFEE CAN HELP:
www.mcafee.com/identity
www.mcafee.com/webprotection

4

2

McAfee helps you leverage cloud applications
without compromising security.

5

© 2013 McAfee, Inc.
Register
Previous

COVER STORY

Next

Previous

Next

Previous

Next

Previous

A

Next

Download

Subscribe

Identity Management
In The Cloud
Managing and securing user identities in the cloud is getting complicated.
Here’s how to keep it under control.
By Ericka Chickowski
@ErickaChick

darkreading.com	

s companies add more cloud
services to their IT environments, the process of managing identities is
getting more complex.
When companies use cloud services — services they don’t control themselves — they
still must develop sound policies around rolebased access. They still must grant rights to
users who need information to get work done.
And they must be able to automatically take
away those privileges when people leave a
company or change roles. On top of it all, companies using cloud services are also bound by
any compliance rules that govern their identity
and access management (IAM) initiatives.
With the collection of cloud services now
holding sensitive data, organizations have
to contend with a smorgasbord of new login
November 2013 4
Register
Previous

Next

IDENTITY MANAGEMENT COVER STORY

Previous

Next

Previous

Next

Previous

Next

Download

Subscribe

Who Goes There?
Our Identity and Access
Management Tech Center offers
news and analysis on the latest
developments in managing user
identity in the enterprise.
Click Here

darkreading.com

systems and proprietary connector APIs that often don’t
work well with internal IAM systems. “I bet that not many
IT professionals thought they would look nostalgically
at large, complex, on-premises deployments, but now
many do,” says Julian Lovelock, VP of product marketing
for identity assurance at smart card manufacturer HID
Global.
Managing cloud IAM means “using a complex set of
one-off procedures,” says Nishant Kaushik, chief architect
for cloud IAM provider Identropy. This approach may lead
to “chaos and an inability to audit any of the systems.”
But sound identity management and governance is
core to nearly all IT security functions. That’s why security
experts are advocating that companies improve how
they manage identities in environments that mix cloud
services and enterprise networks. “In this new world, you
have to stitch the identities together,” says Todd McKinnon, CEO of cloud IAM provider Okta.
Building Policies
Ask any enterprise IT administrator if his or her organization has a process for managing new software deployments, and the answer is invariably yes. You’ll also
likely get all hands raised if you ask about password
management and user account management controls,
says Greg Brown, VP and CTO of cloud and data center
solutions for McAfee. But there aren’t nearly as many
raised hands when you ask how many have a procedure for someone to buy infrastructure-as-a-service, or
November 2013 5
Register
Previous

Next

IDENTITY MANAGEMENT COVER STORY

Previous

Next

Previous

Next

Previous

Download

Subscribe

darkreading.com

Next

for on-boarding users in a new software-as-aservice (SaaS) application, he says.
Two of the most fundamental policies of IT
are which software can be used and how the
credentials to use them should be administered, says Brown. These policies govern
which applications, devices and people have
access to which pools of sensitive information. Companies have these policies largely
in place for on-premises systems, but they
often do not know which users are leveraging
SaaS — and whether they’re compliant with
corporate and regulatory policies.
The need for security and compliance is
driving some companies to find better ways
to bridge enterprise IAM and cloud provider
applications, often by provisioning user identity through cloud-capable, federated single
sign-on (SSO). “In a bridge, the enterprise
maintains control of its own identities and its
own authentication,” says Allan Foster, VP of
technology and standards for ForgeRock, an
open platform provider of IAM systems. “And
since the service transaction is initiated by the
enterprise, it can maintain auditing as to who
accessed the service and when, although not
about what was done.”
Many companies are achieving this bridge
through Active Directory (AD) and Light-

weight Directory Access Protocol connections, setting policies that can be enforced
through group membership based on the
users. Enterprises have been pressuring cloud
providers to embrace standards including
SAML, OAuth and OpenID for easier exchange
of authentication information between the
cloud provider and the enterprise.
An employee using a federated single signon system is given one set of credentials to
access multiple cloud accounts. This user is
only authorized to use those cloud accounts
permitted by the group he or she belongs to.
For example, if a user is in the sales group in
Active Directory, he or she would be given
secure access to Salesforce.com as well as the
enterprise’s in-house sales applications. This
approach aids the rapid rollout of new cloud
services to large groups of users. Even more
importantly, using AD to aggregate identities
in cloud environments speeds up the deprovisioning of cloud applications to employees
when they leave the company or change roles.
“Enforcing the use of federated SSO —
and not using passwords with cloud apps
— means that users can only log in to cloud
apps if they have an account in AD,” says Patrick Harding, CTO of cloud IAM company Ping
Identity. “Terminated users are usually imme-

Top 10 Cloud Concerns
When thinking about risks related to cloud services,
what are your top concerns?
2013

2012

Security defects in the technology itself

52%

45%

Unauthorized access to or leak of our proprietary information

50%

55%

Unauthorized access to or leak of our customers’ information

48%

54%

Application or system performance

26%
27%

Unpredictable costs

11%
Vendor lock-in

18%

18%
15%

Difficulty with or inability for data recovery if the cloud provider fails

15%
17%
Business continuity or DR readiness of provider

14%
14%
Difficulty with or inability for data recovery if we cancel the service

14%
14%
Lack of data segregation among the provider’s customers

8%

11%

Data: InformationWeek Cloud Security and Risk Survey of 235 business
technology professionals in June 2013 and 268 in June 2012 using,
planning to use or considering public cloud services
November 2013 6
Register
Previous

Next

IDENTITY MANAGEMENT COVER STORY

Previous

Next

Previous

Next

Previous

Download

Subscribe

darkreading.com

Next

diately disabled in AD by IT and will
Are You Using Single Sign-On With Your Cloud Apps? tion and with cloud data, many companies
not be able to access any cloud apps.”
resort to manually customized controls
This type of single sign-on provides
involving “complicated road mapping” that
more control over the cloud sign-in
can’t easily be audited, Kaushik says.
Yes
process, but it’s only at the first stage of
Much of the blame lies with the cloud
48%
maturity for efficiently getting people
software providers, which haven’t given
onto the system. This initial operational
companies much access to the internal
focus mirrors the maturation that hapsoftware controls that providers use to
48%
4%
4
pened with on-premises IAM years
manage user rights within the system.
Don’t know
No
ago, says Kaushik. “Once the cloud opSimilarly, user provisioning in cloud sererational things are solved, people revices is centered on proprietary APIs, and
alize they have governance problems Data: 2013 State of Cloud Application Access Survey, OneLogin
connectors frequently break and create
and compliance problems,” Kaushik
holes in IAM. Many companies move to
says. “It isn’t simply about being able to
zation at most organizations relies on a role
the cloud as a cost saver and don’t have
create accounts. It’s also how to create an ac- or group member status to determine if a per- the resources to build connectors, Kaushik
count, when to create an account and how to son has access. So the single sign-on system notes. Cloud vendors spend considerable
deprovision an account.”
knows a person has access to, say, a Sales- time developing APIs and connectors around
As companies get accustomed to cloud sin- force account, says Kaushik, but SSO doesn’t business functionality, but most haven’t ingle sign-on, they often find that cloud identity know whether the person can just view or vested in APIs that connect to data feeds that
services lack fine-tuning for authorizing and also access customer information. One risk is enable identity governance, such as informamonitoring a user’s access to cloud resources.
that tracking and monitoring becomes nearly tion about account privileges.
impossible once a user is logged in to the
Some cloud providers and SaaS developers
Cloud Identity Control Gaps
system, and many companies are required are beginning to recognize identity manageEven after companies implement single by internal and regulatory rules to track who ment as an opportunity to differentiate themsign-on, one of the biggest headaches they performs which actions to data, and when. selves. For example, ClickSoftware, a developer
face in managing identity in the cloud is that A cloud system might only track that a com- of mobile workforce management software,
IT managers still can’t control, or even see, pany’s account took a particular action.
has invested heavily in CA IdentityMinder, Site­
what people do with the application after
Right now, to get granular understanding of Minder and SiteMinder Federation for selfthey log on. For example, cloud app authori- what account holders do in a cloud applica- provisioning, which helps enterprises identify
November 2013 7
Register
Previous

Next

IDENTITY MANAGEMENT COVER STORY

Previous

Next

Previous

Next

Previous

Download

Subscribe

darkreading.com

Next

and authorize user access for its cloud-based
software. “One of the main challenges every
cloud company faces is the ability to provide
its customer a way to self-provision services
they are getting over the cloud,” says Udi Keidar, VP of cloud services for ClickSoftware. “A
real cloud or SaaS service should give users the
utmost independence to run and maintain the
service by themselves.”
HID Global’s Lovelock cuts cloud vendors
more slack over not offering customers
greater IAM control: “That’s not entirely the
cloud provider’s fault — good standards have
yet to emerge.”
A new standard called System for Crossdomain Identity Management concentrates
on accounts and attributes and has received
the endorsement of applications vendors
such as Salesforce and Cloud Foundry. But
SCIM is still in its infancy. “The questions with
SCIM is, one, can it be broadly endorsed by
the SaaS application providers themselves?”
McAfee’s Brown says. “And then, two, can we
make sure that we can build in the administrative controls on the corporate side so that
[the applications] are administered through
the same interface?”
Until SCIM or another standard takes root,
organizations must consign themselves to

negotiating with each SaaS provider to get
identity control into contracts. For example,
John Michener, chief scientist at security consulting firm Casaba, says that when it comes
to platform-as-a-service, a typical cloud provider will likely have some kind of authentication and authorization framework that users
can employ to access a specific enterprise’s
instance of a cloud application.
Companies should negotiate that a SaaS vendor provide full knowledge of all actions taken
by users, including authentication attempts,
monitoring alerts on repeated failures, and auditable tracking of problems using a monitoring tool of their choice.
Identity management in SaaS is a little trickier than on-premises software because the
available administrative features are usually
limited by the cloud service’s functionality.
Some SaaS providers may not have features
that are capable of tracking a user’s access
privileges, number of account log-ins, type of
data accessed or downloaded, or amount of
time spent in a system. They also may not let
a company limit how much data or what type
of data users can access through the SaaS application. Finally, cloud services may not have
the API capabilities to connect with existing
on-premises IAM tools.

Companies should check on whether the
cloud vendor is properly managing privileged
access controls for administrative accounts. A
recent survey conducted by CyberArk showed
that 56% of organizations had no idea what
their cloud provider was doing to protect and
monitor privileged accounts.
“The cloud isn’t magical IT,” says Lovelock. “It’s
made of servers, software and all the normal
stuff of any IT service. That means there are
administrative accounts. Someone has those
passwords and access to your important data.”
Adding User Value Through IAM
Sometimes the business need for a cloud
app will outweigh concerns IT has about the
ability to track what a user does inside the app.
In those cases, IT organizations can try workarounds that may offer more insight into user
behavior in the cloud. Brown says organizations
should think about coupling single sign-on
with data enforcement policies to audit SaaS
activity using firewall or gateway logs, and
then monitor user access via data leak prevention (DLP) tools. “Using that data enforcement
policy, you can say, ‘I’m going to look at this
SaaS application for these users,’” he says. “You
can use the enforcement capabilities in DLP to
say what is appropriate or inappropriate to be
November 2013 8
Register
Previous

Next

IDENTITY MANAGEMENT COVER STORY

Previous

Next

Previous

Next

Previous

Download

Subscribe

darkreading.com

Next

published out to an online sharing site.”
As standards evolve and would-be buyers
pressure cloud app providers to let them tap
into the proper identity-related data feeds,
companies should be building cloud identity
portals to track and control user access rights
and SSO projects that enhance the business
case for cloud services. The more value security
adds through IAM, the easier it will be for the IT
department to rope rogue cloud deployments
back under the IT governance umbrella.
IAM can make it easier to shift gears between different cloud applications without
having to log in using different credentials.
Implementing SSO makes it possible to safely
use one set of credentials for everything, with
very little interaction with IT required.
“If you make it highly functional, then users will be glad to use it, and then you’ve
captured the prize,” Lovelock says. “Make the
portal fancy enough to plug into apps from
the on-premises side and the cloud. Make the

Cloud Single Sign-On Vulnerabilities

73
71%
59%
%

of cloud SSO implementations have
visibility of files users download
replicate user data in the cloud and
outside the organization’s control
have experienced unauthorized
access by users

Data: Symplified Survey of 200 US IT pros, February 2013

password reset integrate right into the portal.
Allow access from anywhere, but perhaps apply rules where some apps can be accessed
from the coffee shop and some cannot.”
If IT is seen as an inhibitor, Brown warns,
then business units are more likely to spin up
ad hoc cloud deployments. But if SSO is seen
as an easier way to log in to everything, users
will demand their new deployments work
through the system.

Brown offers the example of an enterprise
customer that reined in deployments of Amazon Web Services by offering single sign-on.
Staff from different business units used multiple AWS accounts, using native AWS sign-in capabilities for each account. IT worked with each
unit to regain control of the cloud contract and
do logins through a corporate SSO system.
This made it easier for IT to track AWS use
and helped users by letting them use their
everyday password through AWS, rather than
having to remember multiple credentials.
And the company had better clout in negotiating with Amazon.
If more groups take this lesson to heart,
they may find that identity management not
only helps IT set up the foundation to make
security improvements to the cloud model,
but it can improve IT operations that are fragmenting across the company.
Write to us at editors@darkreading.com.

November 2013 9
Register
Previous

Next

Online, Newsletters, Events, Research
Next

Previous

Next

Previous

Previous

Download

Next

Tim Wilson Dark Reading Site Editor
timothy.wilson@ubm.com 703-262-0680

Kelly Jackson-Higgins Dark Reading Senior Editor
kelly.jackson.higgins@ubm.com 434-960-9899

Rob Preston VP and Editor In Chief
rob.preston@ubm.com 516-562-5692

Chris Murphy Editor
chris.murphy@ubm.com 414-906-5331

Lorna Garey Content Director, Reports
lorna.garey@ubm.com 978-694-1681

Jim Donahue Managing Editor
james.donahue@ubm.com 516-562-7980

Shane O’Neill Managing Editor
shane.oneill@ubm.com 617-202-3710

Mary Ellen Forte Senior Art Director
maryellen.forte@ubm.com

Subscribe

SALES CONTACTS—WEST

STRATEGIC ACCOUNTS

UBM TECH

Account Director, Jennifer Gambino
(516) 562-5651, jennifer.gambino@ubm.com

Paul Miller CEO

Account Director, Ashley Cohen
(415) 947-6349, ashley.i.cohen@ubm.com
Account Director, Vesna Beso
(415) 947-6104, vesna.beso@ubm.com
Account Director, Matthew Cohen-Meyer
(415) 947-6214, matthew.meyer@ubm.com

SALES CONTACTS—EAST

Events Get the latest on our live events and Net
events at informationweek.com/events

How to Contact Us
darkreading.com/aboutus/editorial

Western U.S. (Pacific and Mountain states)

District Sales Manager, Vanessa Tormey
(805) 252-4357, vanessa.tormey@ubm.com

Electronic Newsletters Subscribe to Dark
R
­ eading’s daily newsletter and other newsletters
at darkreading.com/newsletters/subscribe

Reports reports.informationweek.com
for original research and strategic advice

Business Contacts
VP & National Co-Chair, Business Technology
Media Sales, Sandra Kupiec
(415) 947-6922, sandra.kupiec@ubm.com

READER SERVICES
DarkReading.com The destination for the
latest news on IT security threats, technology,
and best practices

Strategic Account Director, Amanda Oliveri
(212) 600-3106, amanda.oliveri@ubm.com

Marco Pardi President, Events
Scott Mozarsky President, Media and
Partner Solutions

SALES CONTACTS—MARKETING
AS A SERVICE

Kelley Damore Chief Community Officer

Director of Client Marketing Strategy,
Jonathan Vlock
(212) 600-3019, jonathan.vlock@ubm.com

Simon Carless Exec. VP, Game & App Development
and Black Hat

SALES CONTACTS—EVENTS

Angela Scalpello Sr. VP, People & Culture

Senior Director, InformationWeek Events,
Robyn Duda
(212) 600-3046, robyn.duda@ubm.com

Midwest, South, Northeast U.S. and Canada

MARKETING

VP & National Co-Chair, Business Technology
Media Sales, Mary Hyland
(516) 562-5120, mary.hyland@ubm.com

VP, Marketing, Winnie Ng-Schuchman
(631) 406-6507, winnie.ng@ubm.com

Eastern Regional Sales Director, Michael Greenhut
(516) 562-5044, michael.greenhut@ubm.com

Lenny Heymann Exec. VP, New Markets

Back Issues
E-mail: customerservice@informationweek.com
Phone: 888-664-3332 (U.S.)
847-763-9588 (Outside U.S.)
Reprints Wright’s Media, 1-877-652-5295
Web: wrightsmedia.com/reprints/?magid=2196
E-mail: ubmreprints@wrightsmedia.com
List Rentals Specialists Marketing Services Inc.
E-mail: PeterCan@SMS-Inc.com
Phone: (631) 787-3008 x30203
Media Kits and Advertising Contacts
createyournextcustomer.com/contact-us
Letters to the Editor E-mail
editors@darkreading.com. Include name, title,
c
­ ompany, city, and daytime phone number.
Subscriptions
E-mail: customerservice@informationweek.com
Phone: 888-664-3332 (U.S.)
847-763-9588 (Outside U.S.)

Director of Marketing, Monique Lutrell
(415) 947-6958, monique.luttrell@ubm.com

District Manager, Jenny Hanna
(516) 562-5116, jenny.hanna@ubm.com

David Michael CIO

Editorial Calendar informationweek.com/edcal

Marketing Assistant, Hilary Jansen
(415) 947-6205, hilary.jansen@ubm.com

District Manager, Cori Gordon
(516) 562-5181, cori.gordon@ubm.com

darkreading.com

November 2013 10

Weitere ähnliche Inhalte

Mehr von - Mark - Fullbright

Consumer Sentinel Network Data Book 2019
Consumer Sentinel Network Data Book 2019Consumer Sentinel Network Data Book 2019
Consumer Sentinel Network Data Book 2019- Mark - Fullbright
 
CFPB Consumer Reporting Companies 2019
CFPB Consumer Reporting Companies 2019CFPB Consumer Reporting Companies 2019
CFPB Consumer Reporting Companies 2019- Mark - Fullbright
 
Advisory to Financial Institutions on Illicit Financial Schemes and Methods R...
Advisory to Financial Institutions on Illicit Financial Schemes and Methods R...Advisory to Financial Institutions on Illicit Financial Schemes and Methods R...
Advisory to Financial Institutions on Illicit Financial Schemes and Methods R...- Mark - Fullbright
 
2019 Data Breach Investigations Report (DBIR)
2019 Data Breach Investigations Report (DBIR)2019 Data Breach Investigations Report (DBIR)
2019 Data Breach Investigations Report (DBIR)- Mark - Fullbright
 
2018 Privacy & Data Security Report
2018 Privacy & Data Security Report2018 Privacy & Data Security Report
2018 Privacy & Data Security Report- Mark - Fullbright
 
Consumer Sentinel Network Data Book 2018
Consumer Sentinel Network Data Book 2018 Consumer Sentinel Network Data Book 2018
Consumer Sentinel Network Data Book 2018 - Mark - Fullbright
 
The Geography of Medical Identity Theft
The Geography of Medical Identity TheftThe Geography of Medical Identity Theft
The Geography of Medical Identity Theft- Mark - Fullbright
 
Consumer Sentinel Data Book 2017
Consumer Sentinel Data Book 2017Consumer Sentinel Data Book 2017
Consumer Sentinel Data Book 2017- Mark - Fullbright
 
Protecting Personal Information: A Guide for Business
Protecting Personal Information: A Guide for BusinessProtecting Personal Information: A Guide for Business
Protecting Personal Information: A Guide for Business- Mark - Fullbright
 
Data Breach Response: A Guide for Business
Data Breach Response: A Guide for BusinessData Breach Response: A Guide for Business
Data Breach Response: A Guide for Business- Mark - Fullbright
 
2017 Data Breach Investigations Report
2017 Data Breach Investigations Report2017 Data Breach Investigations Report
2017 Data Breach Investigations Report- Mark - Fullbright
 
Consumer Sentinel Network Data Book for January 2016 - December 2016
Consumer Sentinel Network Data Book for January 2016 - December 2016Consumer Sentinel Network Data Book for January 2016 - December 2016
Consumer Sentinel Network Data Book for January 2016 - December 2016- Mark - Fullbright
 
Consumer Sentinel Data Book 2015
Consumer Sentinel Data Book 2015Consumer Sentinel Data Book 2015
Consumer Sentinel Data Book 2015- Mark - Fullbright
 
Identity Theft - Proactive / Reactive First Steps
Identity Theft - Proactive / Reactive First Steps Identity Theft - Proactive / Reactive First Steps
Identity Theft - Proactive / Reactive First Steps - Mark - Fullbright
 
Fifth Annual Study on Medical Identity Theft
Fifth Annual Study on Medical Identity TheftFifth Annual Study on Medical Identity Theft
Fifth Annual Study on Medical Identity Theft- Mark - Fullbright
 
Consumer Sentinel Network Report 2014
Consumer Sentinel Network Report 2014Consumer Sentinel Network Report 2014
Consumer Sentinel Network Report 2014- Mark - Fullbright
 
The Human Right to Privacy in the Digital Age
The Human Right to Privacy in the Digital Age The Human Right to Privacy in the Digital Age
The Human Right to Privacy in the Digital Age - Mark - Fullbright
 

Mehr von - Mark - Fullbright (20)

Consumer Sentinel Network Data Book 2019
Consumer Sentinel Network Data Book 2019Consumer Sentinel Network Data Book 2019
Consumer Sentinel Network Data Book 2019
 
CFPB Consumer Reporting Companies 2019
CFPB Consumer Reporting Companies 2019CFPB Consumer Reporting Companies 2019
CFPB Consumer Reporting Companies 2019
 
Advisory to Financial Institutions on Illicit Financial Schemes and Methods R...
Advisory to Financial Institutions on Illicit Financial Schemes and Methods R...Advisory to Financial Institutions on Illicit Financial Schemes and Methods R...
Advisory to Financial Institutions on Illicit Financial Schemes and Methods R...
 
2018 IC3 Report
2018 IC3 Report2018 IC3 Report
2018 IC3 Report
 
2019 Data Breach Investigations Report (DBIR)
2019 Data Breach Investigations Report (DBIR)2019 Data Breach Investigations Report (DBIR)
2019 Data Breach Investigations Report (DBIR)
 
2018 Privacy & Data Security Report
2018 Privacy & Data Security Report2018 Privacy & Data Security Report
2018 Privacy & Data Security Report
 
Consumer Sentinel Network Data Book 2018
Consumer Sentinel Network Data Book 2018 Consumer Sentinel Network Data Book 2018
Consumer Sentinel Network Data Book 2018
 
Credit Score Explainer
Credit Score ExplainerCredit Score Explainer
Credit Score Explainer
 
The Geography of Medical Identity Theft
The Geography of Medical Identity TheftThe Geography of Medical Identity Theft
The Geography of Medical Identity Theft
 
Consumer Sentinel Data Book 2017
Consumer Sentinel Data Book 2017Consumer Sentinel Data Book 2017
Consumer Sentinel Data Book 2017
 
Protecting Personal Information: A Guide for Business
Protecting Personal Information: A Guide for BusinessProtecting Personal Information: A Guide for Business
Protecting Personal Information: A Guide for Business
 
Data Breach Response: A Guide for Business
Data Breach Response: A Guide for BusinessData Breach Response: A Guide for Business
Data Breach Response: A Guide for Business
 
2017 Data Breach Investigations Report
2017 Data Breach Investigations Report2017 Data Breach Investigations Report
2017 Data Breach Investigations Report
 
Consumer Sentinel Network Data Book for January 2016 - December 2016
Consumer Sentinel Network Data Book for January 2016 - December 2016Consumer Sentinel Network Data Book for January 2016 - December 2016
Consumer Sentinel Network Data Book for January 2016 - December 2016
 
Consumer Sentinel Data Book 2015
Consumer Sentinel Data Book 2015Consumer Sentinel Data Book 2015
Consumer Sentinel Data Book 2015
 
Identity Theft - Proactive / Reactive First Steps
Identity Theft - Proactive / Reactive First Steps Identity Theft - Proactive / Reactive First Steps
Identity Theft - Proactive / Reactive First Steps
 
DATA BREACH CHARTS
DATA BREACH CHARTSDATA BREACH CHARTS
DATA BREACH CHARTS
 
Fifth Annual Study on Medical Identity Theft
Fifth Annual Study on Medical Identity TheftFifth Annual Study on Medical Identity Theft
Fifth Annual Study on Medical Identity Theft
 
Consumer Sentinel Network Report 2014
Consumer Sentinel Network Report 2014Consumer Sentinel Network Report 2014
Consumer Sentinel Network Report 2014
 
The Human Right to Privacy in the Digital Age
The Human Right to Privacy in the Digital Age The Human Right to Privacy in the Digital Age
The Human Right to Privacy in the Digital Age
 

Kürzlich hochgeladen

AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxAUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxiammrhaywood
 
Education and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptxEducation and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptxraviapr7
 
Ultra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxUltra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxDr. Asif Anas
 
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxPISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxEduSkills OECD
 
How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17Celine George
 
The Stolen Bacillus by Herbert George Wells
The Stolen Bacillus by Herbert George WellsThe Stolen Bacillus by Herbert George Wells
The Stolen Bacillus by Herbert George WellsEugene Lysak
 
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptxSandy Millin
 
HED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfHED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfMohonDas
 
How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17Celine George
 
What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?TechSoup
 
Human-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming ClassesHuman-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming ClassesMohammad Hassany
 
General views of Histopathology and step
General views of Histopathology and stepGeneral views of Histopathology and step
General views of Histopathology and stepobaje godwin sunday
 
How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17Celine George
 
Philosophy of Education and Educational Philosophy
Philosophy of Education  and Educational PhilosophyPhilosophy of Education  and Educational Philosophy
Philosophy of Education and Educational PhilosophyShuvankar Madhu
 
How to Filter Blank Lines in Odoo 17 Accounting
How to Filter Blank Lines in Odoo 17 AccountingHow to Filter Blank Lines in Odoo 17 Accounting
How to Filter Blank Lines in Odoo 17 AccountingCeline George
 
Prescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxPrescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxraviapr7
 
M-2- General Reactions of amino acids.pptx
M-2- General Reactions of amino acids.pptxM-2- General Reactions of amino acids.pptx
M-2- General Reactions of amino acids.pptxDr. Santhosh Kumar. N
 
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfP4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfYu Kanazawa / Osaka University
 

Kürzlich hochgeladen (20)

AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxAUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
 
Education and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptxEducation and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptx
 
Ultra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxUltra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptx
 
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxPISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
 
How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17
 
The Stolen Bacillus by Herbert George Wells
The Stolen Bacillus by Herbert George WellsThe Stolen Bacillus by Herbert George Wells
The Stolen Bacillus by Herbert George Wells
 
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
 
HED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfHED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdf
 
How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17
 
What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?
 
Human-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming ClassesHuman-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming Classes
 
General views of Histopathology and step
General views of Histopathology and stepGeneral views of Histopathology and step
General views of Histopathology and step
 
How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17
 
Personal Resilience in Project Management 2 - TV Edit 1a.pdf
Personal Resilience in Project Management 2 - TV Edit 1a.pdfPersonal Resilience in Project Management 2 - TV Edit 1a.pdf
Personal Resilience in Project Management 2 - TV Edit 1a.pdf
 
Philosophy of Education and Educational Philosophy
Philosophy of Education  and Educational PhilosophyPhilosophy of Education  and Educational Philosophy
Philosophy of Education and Educational Philosophy
 
Prelims of Kant get Marx 2.0: a general politics quiz
Prelims of Kant get Marx 2.0: a general politics quizPrelims of Kant get Marx 2.0: a general politics quiz
Prelims of Kant get Marx 2.0: a general politics quiz
 
How to Filter Blank Lines in Odoo 17 Accounting
How to Filter Blank Lines in Odoo 17 AccountingHow to Filter Blank Lines in Odoo 17 Accounting
How to Filter Blank Lines in Odoo 17 Accounting
 
Prescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxPrescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptx
 
M-2- General Reactions of amino acids.pptx
M-2- General Reactions of amino acids.pptxM-2- General Reactions of amino acids.pptx
M-2- General Reactions of amino acids.pptx
 
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfP4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
 

Identity Management in the Cloud

  • 1. Next >> R Previous Next darkreading.com Previous Next Previous Next NOVEMBER 2013 IDENTITY Management In The CLOUD Managing and securing user identities in the cloud is getting complicated. Here’s how to keep it under control. >> By Ericka Chickowski PLUS Security’s big headache: The evolving user >> Previous Download Subscribe Next
  • 2. Register Previous Next DARK DOMINION Previous Next Previous Next Previous Next Download Subscribe Safe In The Cloud Our Cloud Security Tech Center is your portal to all the news, product information, technical data and other information related to the topic of cloud security. Click Here darkreading.com Security’s Pain In The Neck: Evolving Users Security would be so much easier if users were like lamps. You turn them on, they do what they’re supposed to. You turn them off, they’re no longer something to worry about. You know where a lamp is all the time. You can monitor it to find out its status. Unfortunately, users are not lamps. If you look at the history of security breaches, almost all of them started with an end user mistake: a misplaced laptop, a user falling for a phishing attack, a curious employee downloading the wrong software. And yet even tech-savvy companies like Sony and RSA can’t completely stop breaches. One of the chief reasons is that users aren’t static. They change their locations and are now doing work from homes and coffee shops. But mobility is only one way users change. They change their job responsibilities, their projects and the tools they use. They get promoted. They quit. They get fired. This “evolution” of users has been a problem for businesses since the early days of comput- ing. Most IT organizations want to provision users with everything they need and then be finished. Changes create more work, sometimes forcing IT to reprovision a user who’s already been provisioned. It’s annoying. But failing to monitor a user’s changing responsibilities and access requirements can lead to nightmares. Matthew Keys, who is accused of helping hackers deface the Los Angeles Times website earlier this year, is a former Tribune Co. employee who had a user name and password that still worked two months after he was fired. In 2009, a fired IT employee used his still-active credentials to plant a logic bomb at Fannie Mae. These are just a couple of instances in which an employee’s change in status wasn’t updated quickly enough by IT, and disaster ensued. The problem, in a nutshell, is that there is still not much connection between a user’s identity — as defined under Active Directory or in the corporate system registry — and the user’s real identity, as defined by what he or she does for the organization. Employees TIM WILSON @darkreadingtim get transferred, and nobody tells IT. A user is terminated, but IT never disables his access. A new employee is given too much privilege and taps into the wrong data. As companies begin to tie into cloud services and other outsourced infrastructure, this problem becomes even more acute. In today’s Dark Reading digital issue, we examine the challenges of user provisioning and identity management in the cloud, which adds a new level of complexity to the access management picture. The cover story points out the need for more efficient methods for provisioning new users and changing access privileges as users’ jobs change. Security would be easier if users were like lamps. But they’re pretty complex — they change and evolve, and they get into places they shouldn’t. Enterprises would do well to build access management strategies that recognize these realities — and adapt to them. Tim Wilson is editor of DarkReading.com. Write to him at timothy.wilson@ubm.com. November 2013 2
  • 3. EXTEND ENTERPRISE SECURITY TO CLOUD APPLICATIONS 56% 76% 81% 20% 147M of organizations use 6 or more SaaS applications1 of network intrusions exploit weak or stolen credentials2 of employees use SaaS applications without IT approval3 of all Americans have 20 password-hungry online accounts4 cumulative malware samples captured5 “Among the nine threats identified in the Cloud Security Alliance’s ‘Top Threats to Cloud Computing’ research, account hijacking is one of the most serious on the list, and abuse of credentials is not far behind.” —SANS Institute 6 Control WHO has access to cloud applications Control WHAT they can do with that access McAfee Cloud Single Sign On McAfee One Time Password McAfee Web Gateway McAfee Data Loss Prevention McAfee Global Threat Intelligence ® Single sign-on for hundreds of popular cloud applications. Multifactor authentication to reliably verify users’ identities and prevent account breaches. Thwart malware infection with zero-day detection. Block malicious URLs with site reputation and threat intelligence. Easy user account provisioning and de-provisioning. Prevent confidential data from leaking with DLP policy control. Cloud activity monitoring and logging. Encrypt files stored in the cloud. Blacklist and whitelist cloud applications. Cloud Computing Demands Enterprise-class Password Management and Security, Enterprise Strategy Group, April 2013. 2013 Data Breach Investigations Report, Verizon, 2013. 3 Six Things You Need to Know about Shadow IT to Minimize Risks to your Company, Frost & Sullivan report, October 2013. AP Twitter Hack Shows It’s Time for the Post-Password Era, CNBC. McAfee Threats Report, Second Quarter 2013, McAfee Labs. 6 Simplifying Cloud Access Without Sacrificing Corporate Control, SANS Institute Analyst Program. 1 FIND OUT HOW McAFEE CAN HELP: www.mcafee.com/identity www.mcafee.com/webprotection 4 2 McAfee helps you leverage cloud applications without compromising security. 5 © 2013 McAfee, Inc.
  • 4. Register Previous COVER STORY Next Previous Next Previous Next Previous A Next Download Subscribe Identity Management In The Cloud Managing and securing user identities in the cloud is getting complicated. Here’s how to keep it under control. By Ericka Chickowski @ErickaChick darkreading.com s companies add more cloud services to their IT environments, the process of managing identities is getting more complex. When companies use cloud services — services they don’t control themselves — they still must develop sound policies around rolebased access. They still must grant rights to users who need information to get work done. And they must be able to automatically take away those privileges when people leave a company or change roles. On top of it all, companies using cloud services are also bound by any compliance rules that govern their identity and access management (IAM) initiatives. With the collection of cloud services now holding sensitive data, organizations have to contend with a smorgasbord of new login November 2013 4
  • 5. Register Previous Next IDENTITY MANAGEMENT COVER STORY Previous Next Previous Next Previous Next Download Subscribe Who Goes There? Our Identity and Access Management Tech Center offers news and analysis on the latest developments in managing user identity in the enterprise. Click Here darkreading.com systems and proprietary connector APIs that often don’t work well with internal IAM systems. “I bet that not many IT professionals thought they would look nostalgically at large, complex, on-premises deployments, but now many do,” says Julian Lovelock, VP of product marketing for identity assurance at smart card manufacturer HID Global. Managing cloud IAM means “using a complex set of one-off procedures,” says Nishant Kaushik, chief architect for cloud IAM provider Identropy. This approach may lead to “chaos and an inability to audit any of the systems.” But sound identity management and governance is core to nearly all IT security functions. That’s why security experts are advocating that companies improve how they manage identities in environments that mix cloud services and enterprise networks. “In this new world, you have to stitch the identities together,” says Todd McKinnon, CEO of cloud IAM provider Okta. Building Policies Ask any enterprise IT administrator if his or her organization has a process for managing new software deployments, and the answer is invariably yes. You’ll also likely get all hands raised if you ask about password management and user account management controls, says Greg Brown, VP and CTO of cloud and data center solutions for McAfee. But there aren’t nearly as many raised hands when you ask how many have a procedure for someone to buy infrastructure-as-a-service, or November 2013 5
  • 6. Register Previous Next IDENTITY MANAGEMENT COVER STORY Previous Next Previous Next Previous Download Subscribe darkreading.com Next for on-boarding users in a new software-as-aservice (SaaS) application, he says. Two of the most fundamental policies of IT are which software can be used and how the credentials to use them should be administered, says Brown. These policies govern which applications, devices and people have access to which pools of sensitive information. Companies have these policies largely in place for on-premises systems, but they often do not know which users are leveraging SaaS — and whether they’re compliant with corporate and regulatory policies. The need for security and compliance is driving some companies to find better ways to bridge enterprise IAM and cloud provider applications, often by provisioning user identity through cloud-capable, federated single sign-on (SSO). “In a bridge, the enterprise maintains control of its own identities and its own authentication,” says Allan Foster, VP of technology and standards for ForgeRock, an open platform provider of IAM systems. “And since the service transaction is initiated by the enterprise, it can maintain auditing as to who accessed the service and when, although not about what was done.” Many companies are achieving this bridge through Active Directory (AD) and Light- weight Directory Access Protocol connections, setting policies that can be enforced through group membership based on the users. Enterprises have been pressuring cloud providers to embrace standards including SAML, OAuth and OpenID for easier exchange of authentication information between the cloud provider and the enterprise. An employee using a federated single signon system is given one set of credentials to access multiple cloud accounts. This user is only authorized to use those cloud accounts permitted by the group he or she belongs to. For example, if a user is in the sales group in Active Directory, he or she would be given secure access to Salesforce.com as well as the enterprise’s in-house sales applications. This approach aids the rapid rollout of new cloud services to large groups of users. Even more importantly, using AD to aggregate identities in cloud environments speeds up the deprovisioning of cloud applications to employees when they leave the company or change roles. “Enforcing the use of federated SSO — and not using passwords with cloud apps — means that users can only log in to cloud apps if they have an account in AD,” says Patrick Harding, CTO of cloud IAM company Ping Identity. “Terminated users are usually imme- Top 10 Cloud Concerns When thinking about risks related to cloud services, what are your top concerns? 2013 2012 Security defects in the technology itself 52% 45% Unauthorized access to or leak of our proprietary information 50% 55% Unauthorized access to or leak of our customers’ information 48% 54% Application or system performance 26% 27% Unpredictable costs 11% Vendor lock-in 18% 18% 15% Difficulty with or inability for data recovery if the cloud provider fails 15% 17% Business continuity or DR readiness of provider 14% 14% Difficulty with or inability for data recovery if we cancel the service 14% 14% Lack of data segregation among the provider’s customers 8% 11% Data: InformationWeek Cloud Security and Risk Survey of 235 business technology professionals in June 2013 and 268 in June 2012 using, planning to use or considering public cloud services November 2013 6
  • 7. Register Previous Next IDENTITY MANAGEMENT COVER STORY Previous Next Previous Next Previous Download Subscribe darkreading.com Next diately disabled in AD by IT and will Are You Using Single Sign-On With Your Cloud Apps? tion and with cloud data, many companies not be able to access any cloud apps.” resort to manually customized controls This type of single sign-on provides involving “complicated road mapping” that more control over the cloud sign-in can’t easily be audited, Kaushik says. Yes process, but it’s only at the first stage of Much of the blame lies with the cloud 48% maturity for efficiently getting people software providers, which haven’t given onto the system. This initial operational companies much access to the internal focus mirrors the maturation that hapsoftware controls that providers use to 48% 4% 4 pened with on-premises IAM years manage user rights within the system. Don’t know No ago, says Kaushik. “Once the cloud opSimilarly, user provisioning in cloud sererational things are solved, people revices is centered on proprietary APIs, and alize they have governance problems Data: 2013 State of Cloud Application Access Survey, OneLogin connectors frequently break and create and compliance problems,” Kaushik holes in IAM. Many companies move to says. “It isn’t simply about being able to zation at most organizations relies on a role the cloud as a cost saver and don’t have create accounts. It’s also how to create an ac- or group member status to determine if a per- the resources to build connectors, Kaushik count, when to create an account and how to son has access. So the single sign-on system notes. Cloud vendors spend considerable deprovision an account.” knows a person has access to, say, a Sales- time developing APIs and connectors around As companies get accustomed to cloud sin- force account, says Kaushik, but SSO doesn’t business functionality, but most haven’t ingle sign-on, they often find that cloud identity know whether the person can just view or vested in APIs that connect to data feeds that services lack fine-tuning for authorizing and also access customer information. One risk is enable identity governance, such as informamonitoring a user’s access to cloud resources. that tracking and monitoring becomes nearly tion about account privileges. impossible once a user is logged in to the Some cloud providers and SaaS developers Cloud Identity Control Gaps system, and many companies are required are beginning to recognize identity manageEven after companies implement single by internal and regulatory rules to track who ment as an opportunity to differentiate themsign-on, one of the biggest headaches they performs which actions to data, and when. selves. For example, ClickSoftware, a developer face in managing identity in the cloud is that A cloud system might only track that a com- of mobile workforce management software, IT managers still can’t control, or even see, pany’s account took a particular action. has invested heavily in CA IdentityMinder, Site­ what people do with the application after Right now, to get granular understanding of Minder and SiteMinder Federation for selfthey log on. For example, cloud app authori- what account holders do in a cloud applica- provisioning, which helps enterprises identify November 2013 7
  • 8. Register Previous Next IDENTITY MANAGEMENT COVER STORY Previous Next Previous Next Previous Download Subscribe darkreading.com Next and authorize user access for its cloud-based software. “One of the main challenges every cloud company faces is the ability to provide its customer a way to self-provision services they are getting over the cloud,” says Udi Keidar, VP of cloud services for ClickSoftware. “A real cloud or SaaS service should give users the utmost independence to run and maintain the service by themselves.” HID Global’s Lovelock cuts cloud vendors more slack over not offering customers greater IAM control: “That’s not entirely the cloud provider’s fault — good standards have yet to emerge.” A new standard called System for Crossdomain Identity Management concentrates on accounts and attributes and has received the endorsement of applications vendors such as Salesforce and Cloud Foundry. But SCIM is still in its infancy. “The questions with SCIM is, one, can it be broadly endorsed by the SaaS application providers themselves?” McAfee’s Brown says. “And then, two, can we make sure that we can build in the administrative controls on the corporate side so that [the applications] are administered through the same interface?” Until SCIM or another standard takes root, organizations must consign themselves to negotiating with each SaaS provider to get identity control into contracts. For example, John Michener, chief scientist at security consulting firm Casaba, says that when it comes to platform-as-a-service, a typical cloud provider will likely have some kind of authentication and authorization framework that users can employ to access a specific enterprise’s instance of a cloud application. Companies should negotiate that a SaaS vendor provide full knowledge of all actions taken by users, including authentication attempts, monitoring alerts on repeated failures, and auditable tracking of problems using a monitoring tool of their choice. Identity management in SaaS is a little trickier than on-premises software because the available administrative features are usually limited by the cloud service’s functionality. Some SaaS providers may not have features that are capable of tracking a user’s access privileges, number of account log-ins, type of data accessed or downloaded, or amount of time spent in a system. They also may not let a company limit how much data or what type of data users can access through the SaaS application. Finally, cloud services may not have the API capabilities to connect with existing on-premises IAM tools. Companies should check on whether the cloud vendor is properly managing privileged access controls for administrative accounts. A recent survey conducted by CyberArk showed that 56% of organizations had no idea what their cloud provider was doing to protect and monitor privileged accounts. “The cloud isn’t magical IT,” says Lovelock. “It’s made of servers, software and all the normal stuff of any IT service. That means there are administrative accounts. Someone has those passwords and access to your important data.” Adding User Value Through IAM Sometimes the business need for a cloud app will outweigh concerns IT has about the ability to track what a user does inside the app. In those cases, IT organizations can try workarounds that may offer more insight into user behavior in the cloud. Brown says organizations should think about coupling single sign-on with data enforcement policies to audit SaaS activity using firewall or gateway logs, and then monitor user access via data leak prevention (DLP) tools. “Using that data enforcement policy, you can say, ‘I’m going to look at this SaaS application for these users,’” he says. “You can use the enforcement capabilities in DLP to say what is appropriate or inappropriate to be November 2013 8
  • 9. Register Previous Next IDENTITY MANAGEMENT COVER STORY Previous Next Previous Next Previous Download Subscribe darkreading.com Next published out to an online sharing site.” As standards evolve and would-be buyers pressure cloud app providers to let them tap into the proper identity-related data feeds, companies should be building cloud identity portals to track and control user access rights and SSO projects that enhance the business case for cloud services. The more value security adds through IAM, the easier it will be for the IT department to rope rogue cloud deployments back under the IT governance umbrella. IAM can make it easier to shift gears between different cloud applications without having to log in using different credentials. Implementing SSO makes it possible to safely use one set of credentials for everything, with very little interaction with IT required. “If you make it highly functional, then users will be glad to use it, and then you’ve captured the prize,” Lovelock says. “Make the portal fancy enough to plug into apps from the on-premises side and the cloud. Make the Cloud Single Sign-On Vulnerabilities 73 71% 59% % of cloud SSO implementations have visibility of files users download replicate user data in the cloud and outside the organization’s control have experienced unauthorized access by users Data: Symplified Survey of 200 US IT pros, February 2013 password reset integrate right into the portal. Allow access from anywhere, but perhaps apply rules where some apps can be accessed from the coffee shop and some cannot.” If IT is seen as an inhibitor, Brown warns, then business units are more likely to spin up ad hoc cloud deployments. But if SSO is seen as an easier way to log in to everything, users will demand their new deployments work through the system. Brown offers the example of an enterprise customer that reined in deployments of Amazon Web Services by offering single sign-on. Staff from different business units used multiple AWS accounts, using native AWS sign-in capabilities for each account. IT worked with each unit to regain control of the cloud contract and do logins through a corporate SSO system. This made it easier for IT to track AWS use and helped users by letting them use their everyday password through AWS, rather than having to remember multiple credentials. And the company had better clout in negotiating with Amazon. If more groups take this lesson to heart, they may find that identity management not only helps IT set up the foundation to make security improvements to the cloud model, but it can improve IT operations that are fragmenting across the company. Write to us at editors@darkreading.com. November 2013 9
  • 10. Register Previous Next Online, Newsletters, Events, Research Next Previous Next Previous Previous Download Next Tim Wilson Dark Reading Site Editor timothy.wilson@ubm.com 703-262-0680 Kelly Jackson-Higgins Dark Reading Senior Editor kelly.jackson.higgins@ubm.com 434-960-9899 Rob Preston VP and Editor In Chief rob.preston@ubm.com 516-562-5692 Chris Murphy Editor chris.murphy@ubm.com 414-906-5331 Lorna Garey Content Director, Reports lorna.garey@ubm.com 978-694-1681 Jim Donahue Managing Editor james.donahue@ubm.com 516-562-7980 Shane O’Neill Managing Editor shane.oneill@ubm.com 617-202-3710 Mary Ellen Forte Senior Art Director maryellen.forte@ubm.com Subscribe SALES CONTACTS—WEST STRATEGIC ACCOUNTS UBM TECH Account Director, Jennifer Gambino (516) 562-5651, jennifer.gambino@ubm.com Paul Miller CEO Account Director, Ashley Cohen (415) 947-6349, ashley.i.cohen@ubm.com Account Director, Vesna Beso (415) 947-6104, vesna.beso@ubm.com Account Director, Matthew Cohen-Meyer (415) 947-6214, matthew.meyer@ubm.com SALES CONTACTS—EAST Events Get the latest on our live events and Net events at informationweek.com/events How to Contact Us darkreading.com/aboutus/editorial Western U.S. (Pacific and Mountain states) District Sales Manager, Vanessa Tormey (805) 252-4357, vanessa.tormey@ubm.com Electronic Newsletters Subscribe to Dark R ­ eading’s daily newsletter and other newsletters at darkreading.com/newsletters/subscribe Reports reports.informationweek.com for original research and strategic advice Business Contacts VP & National Co-Chair, Business Technology Media Sales, Sandra Kupiec (415) 947-6922, sandra.kupiec@ubm.com READER SERVICES DarkReading.com The destination for the latest news on IT security threats, technology, and best practices Strategic Account Director, Amanda Oliveri (212) 600-3106, amanda.oliveri@ubm.com Marco Pardi President, Events Scott Mozarsky President, Media and Partner Solutions SALES CONTACTS—MARKETING AS A SERVICE Kelley Damore Chief Community Officer Director of Client Marketing Strategy, Jonathan Vlock (212) 600-3019, jonathan.vlock@ubm.com Simon Carless Exec. VP, Game & App Development and Black Hat SALES CONTACTS—EVENTS Angela Scalpello Sr. VP, People & Culture Senior Director, InformationWeek Events, Robyn Duda (212) 600-3046, robyn.duda@ubm.com Midwest, South, Northeast U.S. and Canada MARKETING VP & National Co-Chair, Business Technology Media Sales, Mary Hyland (516) 562-5120, mary.hyland@ubm.com VP, Marketing, Winnie Ng-Schuchman (631) 406-6507, winnie.ng@ubm.com Eastern Regional Sales Director, Michael Greenhut (516) 562-5044, michael.greenhut@ubm.com Lenny Heymann Exec. VP, New Markets Back Issues E-mail: customerservice@informationweek.com Phone: 888-664-3332 (U.S.) 847-763-9588 (Outside U.S.) Reprints Wright’s Media, 1-877-652-5295 Web: wrightsmedia.com/reprints/?magid=2196 E-mail: ubmreprints@wrightsmedia.com List Rentals Specialists Marketing Services Inc. E-mail: PeterCan@SMS-Inc.com Phone: (631) 787-3008 x30203 Media Kits and Advertising Contacts createyournextcustomer.com/contact-us Letters to the Editor E-mail editors@darkreading.com. Include name, title, c ­ ompany, city, and daytime phone number. Subscriptions E-mail: customerservice@informationweek.com Phone: 888-664-3332 (U.S.) 847-763-9588 (Outside U.S.) Director of Marketing, Monique Lutrell (415) 947-6958, monique.luttrell@ubm.com District Manager, Jenny Hanna (516) 562-5116, jenny.hanna@ubm.com David Michael CIO Editorial Calendar informationweek.com/edcal Marketing Assistant, Hilary Jansen (415) 947-6205, hilary.jansen@ubm.com District Manager, Cori Gordon (516) 562-5181, cori.gordon@ubm.com darkreading.com November 2013 10