Welcome!

Cloud Security Authors: Yeshim Deniz, Mark Ross-Smith, Liz McMillan, Pat Romanski, Allwyn Sequeira

Related Topics: @CloudExpo, Microservices Expo, Containers Expo Blog, Cloud Security

@CloudExpo: Article

Identity and Access Management in the Cloud

Many companies are beginning to realize that cloud services can often be more secure than in-house data centers

In today's business world, data is the lifeblood of most organizations. As such, it has become a prime target for both external and internal threats. Data breaches made plenty of headlines in 2011 and don't show any signs of slowing down. In fact, a recent report from Privacy Rights Clearinghouse found that there were 535 data breaches reported last year alone. Whether it is for a Fortune 500 business, a university or a midmarket company, the protection of sensitive information is not only important for daily business functions, but is now a security measure required by law. As organizations of all sizes - not just large enterprises - struggle to keep up with evolving security and compliance requirements, many are turning to identity and access management (IAM) solutions to meet their needs.

Unlike traditional IT security technologies, which focus on perimeter and end-point threats, IAM solutions focus on identity lifecycles and access controls, as well as provisioning, authentication, certification and other identity-based processes. Previously seen as a luxury only available to the largest of organizations, cloud computing has increased the accessibility of IAM solutions for businesses of all sizes at a time when they are needed most. In addition, cloud computing provides the opportunity for security vendors to bring mature IAM technology to smaller businesses via a new deployment model - without starting from scratch and losing years of successful development.

Bringing SaaS into the IAM Fold
Originally hesitant to put sensitive data in the cloud, many companies are beginning to realize that cloud services can often be more secure than in-house data centers, as they are held to service level agreements (SLAs) and other third-party regulations. As such, more organizations are now readily adopting Software-as-a-Service (SaaS) and cloud solutions to maximize efficiencies, lower total cost of ownership and ultimately "do more with less." How? Cloud-based IAM solutions can be deployed at a fraction of the time and cost of on-premise infrastructure. In addition, because cloud-based solutions are often much easier to use and manage, IT managers can focus on tasks that are more central to business goals rather than spending their resources trying to manage complex on-premise infrastructure.

For many organizations, the strategy for growth over the next couple of years will be heavily focused on expanding and optimizing their extranet community - SaaS providers, cloud service providers, supply chain partners, resellers, integrators and other business partners. The question now becomes how to secure these SaaS-based applications, cloud services and other third-party systems. Having a strategy for external audiences' identities and entitlements - in addition to internal employees - as well as visibility into all identity data is critical to a business's future success. Enter federation.

Federation, which enables companies to extend IAM capabilities to third-party applications and securely share identity information with external audiences, is becoming an increasingly strategic business tool. Two of the most common federated IAM capabilities are Federated Single Sign-On (FSSO) and federated user provisioning.

  • Federated Single Sign-On (FSSO): FSSO capabilities allow a company's user base to access applications while avoiding the need to transmit shared secrets, such as passwords, to third parties - mitigating the risk of important credentials being compromised. FSSO also allows the user to log in to all applications in a uniform way regardless of whether they are housed internally or hosted by an external partner. The flip side of this capability is that the business can also safely provide authorized third parties with access to their applications. Using an industry-proven means of providing SSO capabilities to third parties - rather than using an in-house grown solution that hasn't been vetted or tested - can help companies strengthen security and increase compliance while improving productivity by eliminating password reset requests and other associated help desk calls.
  • Federated User Provisioning: Federated user provisioning allows third-party applications to be included in the same identity and lifecycle process as internal applications. With the use of secure and open-standard protocols, organizations can seamlessly exchange identity data with partners and SaaS providers as well as provision users, roles and entitlements to external applications. Equally as important, using federated user provisioning, companies can also ensure that user role and entitlement information found on third-party systems is timely and accurate, mitigating the risk of important data being accessed by unauthorized users.

At the onset of widespread SaaS adoption, many companies did not consider external applications part of their network infrastructure - and so provisioning and other IAM capabilities were focused on on-premise systems only. As more and more critical data and applications become housed in the cloud, eschewing security liability for systems and information residing outside a company's four walls is a critical and common mistake.

Provisioning encompasses managing role data and access rights throughout a user's life cycle - from onboarding, transfers and promotions to the day they leave the company - and must be applied to both on- and off-premise systems in a timely and accurate manner in order to ensure proper access to important data. Otherwise, companies open themselves up to a variety of dangers, including data breaches, increased IT costs and compliance risks.

For example, effectively deprovisioning a user when they are no longer authorized to access certain resources is just as important as giving them access at the start of an identity life cycle. Failure to deprovision users who have left a company can result in orphan accounts, opening the organization up to a number of potential issues. Compliance requirements aside, ex-employees who still have access to SaaS or on-premise applications can potentially harvest corporate and client information for nefarious purposes. In other cases, it's important to have up-to-date entitlement information when users simply change position or are given different responsibilities. Otherwise, these events can lead to "entitlement sprawl" wherein users accumulate privileges that are no longer necessary for their jobs. In the age of the data breach, IAM solutions are more than just another add-on for a business's security infrastructure. An effective IAM solution will protect sensitive data, help to avoid complications in daily business operations, minimize potential legal woes and ensure a strong reputation among customers.

Conclusion
As technologies, such as mobile devices and social networking sites, continue to further convolute the security landscape, more and more critical assets are being placed outside a company's four walls. In order to put their security measures closer to these assets, many companies are implementing cloud-based solutions. Proficient cloud-based IAM tools can help companies strengthen security and increase compliance while benefiting from unparalleled savings, quick time-to-deployment and greater business efficiencies - a win-win for all involved.

More Stories By Eric Z. Maass

Eric Maass is the chief technology officer at Lighthouse Security Group, where he’s responsible for the roadmap and technology vision for the company’s flagship product, Lighthouse Gateway, a cloud-based identity and access management platform. Maass was formerly the chief security architect for the U.S. Air Force’s Global Combat Support System, where he was responsible for the architecture and design of its net-centric IAM infrastructure.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
SYS-CON Events announced today that Hitrons Solutions will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Hitrons Solutions Inc. is distributor in the North American market for unique products and services of small and medium-size businesses, including cloud services and solutions, SEO marketing platforms, and mobile applications.
In an era of historic innovation fueled by unprecedented access to data and technology, the low cost and risk of entering new markets has leveled the playing field for business. Today, any ambitious innovator can easily introduce a new application or product that can reinvent business models and transform the client experience. In their Day 2 Keynote at 19th Cloud Expo, Mercer Rowe, IBM Vice President of Strategic Alliances, and Raejeanne Skillern, Intel Vice President of Data Center Group and G...
Financial Technology has become a topic of intense interest throughout the cloud developer and enterprise IT communities. Accordingly, attendees at the upcoming 20th Cloud Expo at the Javits Center in New York, June 6-8, 2017, will find fresh new content in a new track called FinTech.
@GonzalezCarmen has been ranked the Number One Influencer and @ThingsExpo has been named the Number One Brand in the “M2M 2016: Top 100 Influencers and Brands” by Onalytica. Onalytica analyzed tweets over the last 6 months mentioning the keywords M2M OR “Machine to Machine.” They then identified the top 100 most influential brands and individuals leading the discussion on Twitter.
20th Cloud Expo, taking place June 6-8, 2017, at the Javits Center in New York City, NY, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy.
Manufacturers are embracing the Industrial Internet the same way consumers are leveraging Fitbits – to improve overall health and wellness. Both can provide consistent measurement, visibility, and suggest performance improvements customized to help reach goals. Fitbit users can view real-time data and make adjustments to increase their activity. In his session at @ThingsExpo, Mark Bernardo Professional Services Leader, Americas, at GE Digital, discussed how leveraging the Industrial Internet and...
SYS-CON Events announced today that delaPlex will exhibit at SYS-CON's @CloudExpo, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. delaPlex pioneered Software Development as a Service (SDaaS), which provides scalable resources to build, test, and deploy software. It’s a fast and more reliable way to develop a new product or expand your in-house team.
Web Real-Time Communication APIs have quickly revolutionized what browsers are capable of. In addition to video and audio streams, we can now bi-directionally send arbitrary data over WebRTC's PeerConnection Data Channels. With the advent of Progressive Web Apps and new hardware APIs such as WebBluetooh and WebUSB, we can finally enable users to stitch together the Internet of Things directly from their browsers while communicating privately and securely in a decentralized way.
"Matrix is an ambitious open standard and implementation that's set up to break down the fragmentation problems that exist in IP messaging and VoIP communication," explained John Woolf, Technical Evangelist at Matrix, in this SYS-CON.tv interview at @ThingsExpo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
Web Real-Time Communication APIs have quickly revolutionized what browsers are capable of. In addition to video and audio streams, we can now bi-directionally send arbitrary data over WebRTC's PeerConnection Data Channels. With the advent of Progressive Web Apps and new hardware APIs such as WebBluetooh and WebUSB, we can finally enable users to stitch together the Internet of Things directly from their browsers while communicating privately and securely in a decentralized way.
The explosion of new web/cloud/IoT-based applications and the data they generate are transforming our world right before our eyes. In this rush to adopt these new technologies, organizations are often ignoring fundamental questions concerning who owns the data and failing to ask for permission to conduct invasive surveillance of their customers. Organizations that are not transparent about how their systems gather data telemetry without offering shared data ownership risk product rejection, regu...
The security needs of IoT environments require a strong, proven approach to maintain security, trust and privacy in their ecosystem. Assurance and protection of device identity, secure data encryption and authentication are the key security challenges organizations are trying to address when integrating IoT devices. This holds true for IoT applications in a wide range of industries, for example, healthcare, consumer devices, and manufacturing. In his session at @ThingsExpo, Lancen LaChance, vic...
SYS-CON Media announced today that @WebRTCSummit Blog, the largest WebRTC resource in the world, has been launched. @WebRTCSummit Blog offers top articles, news stories, and blog posts from the world's well-known experts and guarantees better exposure for its authors than any other publication. @WebRTCSummit Blog can be bookmarked ▸ Here @WebRTCSummit conference site can be bookmarked ▸ Here
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo 2016 in New York. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place June 6-8, 2017, at the Javits Center in New York City, New York, is co-located with 20th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry p...
In his keynote at @ThingsExpo, Chris Matthieu, Director of IoT Engineering at Citrix and co-founder and CTO of Octoblu, focused on building an IoT platform and company. He provided a behind-the-scenes look at Octoblu’s platform, business, and pivots along the way (including the Citrix acquisition of Octoblu).
SYS-CON Events announced today that IoT Now has been named “Media Sponsor” of SYS-CON's 20th International Cloud Expo, which will take place on June 6–8, 2017, at the Javits Center in New York City, NY. IoT Now explores the evolving opportunities and challenges facing CSPs, and it passes on some lessons learned from those who have taken the first steps in next-gen IoT services.
You think you know what’s in your data. But do you? Most organizations are now aware of the business intelligence represented by their data. Data science stands to take this to a level you never thought of – literally. The techniques of data science, when used with the capabilities of Big Data technologies, can make connections you had not yet imagined, helping you discover new insights and ask new questions of your data. In his session at @ThingsExpo, Sarbjit Sarkaria, data science team lead ...
SYS-CON Events announced today that WineSOFT will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Based in Seoul and Irvine, WineSOFT is an innovative software house focusing on internet infrastructure solutions. The venture started as a bootstrap start-up in 2010 by focusing on making the internet faster and more powerful. WineSOFT’s knowledge is based on the expertise of TCP/IP, VPN, SSL, peer-to-peer, mob...
The Internet of Things can drive efficiency for airlines and airports. In their session at @ThingsExpo, Shyam Varan Nath, Principal Architect with GE, and Sudip Majumder, senior director of development at Oracle, discussed the technical details of the connected airline baggage and related social media solutions. These IoT applications will enhance travelers' journey experience and drive efficiency for the airlines and the airports.
Big Data, cloud, analytics, contextual information, wearable tech, sensors, mobility, and WebRTC: together, these advances have created a perfect storm of technologies that are disrupting and transforming classic communications models and ecosystems. In his session at @ThingsExpo, Erik Perotti, Senior Manager of New Ventures on Plantronics’ Innovation team, provided an overview of this technological shift, including associated business and consumer communications impacts, and opportunities it m...