Welcome!

Cloud Security Authors: Pat Romanski, Ambuj Kumar, Shelly Palmer, XebiaLabs Blog, Liz McMillan

Related Topics: Cloud Security, Java IoT, Microservices Expo, Containers Expo Blog, Agile Computing, @CloudExpo

Cloud Security: Article

The Secret Sauce of User Provisioning

Key lies in integration with other infosec capbilities

If you want the secret to user provisioning and de-provisioning in an enterprise setting, I’ll give you the one word answer, and then you can get on with the rest of your day…

Integration.

However, if you need to know why, how and with what...read on.

The need to credential authorized users to your network and other proprietary assets is clear. You only want those with the proper rights in…and all others out. Complicating matters is that there are so many users these days…employees, channel partners, contract employees, suppliers, vendors, customers, prospects--all needing some sliver of access. Further muddying the water is that each of the mentioned user types are not all equal. Consider employees. Do you want your junior admin assistant to have access to payroll information or other files type specifically aimed at senior executives? The volunteer coordinator at a local branch of a national non-profit may need social media access to spread activity messaging, but probably doesn't need the log in credentials to ServiceNow.

In ancient days, you gave the key to the crown jewels to one trusted sentry. And only death would part this sentinel from his sacred duty of protecting the most precious assets of the kingdom.  However, that ruler never ran a successful multi-national, multi-brand enterprise with thousands of moving parts all needing to access to portions of those precious assets in order to perpetuate that success. The overarching problem is not only maintaining the sanctity of the assets, but providing an enforcement policy that simplifies the complex tangle of provisioning (and de-provisioning) and creates seamless and orderly access for users at a manageable cost.

Too many companies ride the razors edge with overly open networks and permission protocols. Even with firewalls and intrusion detection security, if you give out the keys to the kingdom like candy, you’re bound to suffer high dentist bills!

So you have all these moving parts; all these competing needs; and time, of course, is a premium. Provisioning is the process that creates user identities and gives them access privileges to your network. Best practices (and many compliance regulations) dictate that that access be awarded based on role. This gives IT the control it needs to differentiate predetermined user needs. Each department, division, franchise, partner sees the files and applications it needs to see for the purpose of achieving organization. And that’s it.

To ensure provisioning is streamline, you need to make sure the process is automated. So when a new “account” is created (from Active Directory, LDAP or various native SaaS directories), existing rules push the identity out and regulate access to applications and data quickly and without costly IT intervention. This is especially important when you have an organization with autonomous elements like branch offices, franchises and disparate memberships.

The same goes for de-provisioning. Imagine you buy a house, but you let the previous owners keep a set of keys. De-provisioning makes certain that doesn’t happen. And automatic de-provisioning ensures that happens at the moment of employee termination, contract fulfillment, service cancellation or any other separation. Your HR person or contracts administrator can notate the status change, and through a workflow process engine, the “keys” have been handed in and all privileges to network assets cut off. As data leakage and data theft are some of the biggest threats to an enterprise, this process instantly reduces the risk.

Now what was that about integration?

Up to this point, everything I described is part of most identity management packages. And there are many vendors who can supply it on premise or from the cloud (again based on your organizational need). But, what most identity management packages lack is the ability to automatically integrate with other security pillars; most notably, access management (which controls such things as single sign on). Now there are solution providers and managed service providers that offer both; and in fact, you may have both deployed somewhere on your network. But the secret sauce is unless you have customized your configuration, a unified solution doesn’t really exist.

However, it does currently exist as an out of the box deployment from the cloud. Most enterprises today have a myriad of applications-some based in the cloud, some on premise, some home-grown legacy solutions. And your IT landscape is not static. What is needed is something flexible and scalable to keep up and match the changing demands.

Why? Putting the obvious arguments as cost-savings, and the expansion of immediate and available expert resources aside, let’s concentrate on one that directly impacts security: agility and visibility to respond and protect assets. Separately, identity credentialing and access management control unique-yet-related domains of the security environment. Each requires separate administration with no requirement to leverage information with the other. This leads to potential organizational disconnect (the old chestnut of the right hand doesn't know what the left is doing). The vulnerability gaps created from this oversight can affect everything from compliance to the usage of unsanctioned materials to the unsupervised access of important assets and theft of sensitive information.

However, by centralizing user management under a “single pane of glass,” one create usage context and trackable continuity. If you simply provision to a network, you don’t gain the control over SaaS applications. By incorporating them into single-sign on, IT successfully winnows the possibility of a user moving outside their sphere of security.  Don’t want a user to access Spotify while logged onto your network? If provisioning gives them access to a browser on your IP address, SSO can prevent the usage by removing availability. And user names and passwords for the multiple of SaaS apps (both SAML and non-SAML federated)? An integrated deployment can synchronize and manage all the passwords form any internal or external app or membership-centric web destination (and self-service can reduce direct IT involvement).

In terms of integration, there is one more layer to true unified security. By incorporating SIEM and log management to the mix, you truly increase the strength of your security initiatives. This creates true situational context if monitored in real time. For instance, an alert is generated if an attempt to log-in to a de-provisioned account is tried. Or if a log-in is attempted outside the confines of the approved SSO log-in. Or, for good measure, someone successfully logs in and tries to modify, copy or change a protected asset. This unified approach to security really does enhance the visibility. It won’t stop the attacks from occurring, but should prevent them from doing any damage.

In that I advocate this package of solutions being deployed from the multi-tenant cloud,  I truly believe they are they are not simply affordable by any sized company, but with the benefit of security as a service, extraordinarily manageable. So when I advocate their inclusion I am not trying to create best practices in a vacuum that only Fortune 500 companies can deploy. Cloud security is an egalitarian and effective means to achieve better security based on business and organizational needs, not technology, budget or staff availability.

 

Kevin Nikkhoo

www.cloudaccess.com

More Stories By Kevin Nikkhoo

With more than 32 years of experience in information technology, and an extensive and successful entrepreneurial background, Kevin Nikkhoo is the CEO of the dynamic security-as-a-service startup Cloud Access. CloudAccess is at the forefront of the latest evolution of IT asset protection--the cloud.

Kevin holds a Bachelor of Science in Computer Engineering from McGill University, Master of Computer Engineering at California State University, Los Angeles, and an MBA from the University of Southern California with emphasis in entrepreneurial studies.

@ThingsExpo Stories
In a recent survey, Sumo Logic surveyed 1,500 customers who employ cloud services such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). According to the survey, a quarter of the respondents have already deployed Docker containers and nearly as many (23 percent) are employing the AWS Lambda serverless computing framework. It’s clear: serverless is here to stay. The adoption does come with some needed changes, within both application development and operations. Tha...
In his Opening Keynote at 21st Cloud Expo, John Considine, General Manager of IBM Cloud Infrastructure, will lead you through the exciting evolution of the cloud. He'll look at this major disruption from the perspective of technology, business models, and what this means for enterprises of all sizes. John Considine is General Manager of Cloud Infrastructure Services at IBM. In that role he is responsible for leading IBM’s public cloud infrastructure including strategy, development, and offering ...
SYS-CON Events announced today that Taica will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. TAZMO technology and development capabilities in the semiconductor and LCD-related manufacturing fields are among the best worldwide. For more information, visit https://www.tazmo.co.jp/en/.
SYS-CON Events announced today that Avere Systems, a leading provider of hybrid cloud enablement solutions, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Avere Systems was created by file systems experts determined to reinvent storage by changing the way enterprises thought about and bought storage resources. With decades of experience behind the company’s founders, Avere got its ...
SYS-CON Events announced today that TidalScale will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. TidalScale is the leading provider of Software-Defined Servers that bring flexibility to modern data centers by right-sizing servers on the fly to fit any data set or workload. TidalScale’s award-winning inverse hypervisor technology combines multiple commodity servers (including their ass...
As hybrid cloud becomes the de-facto standard mode of operation for most enterprises, new challenges arise on how to efficiently and economically share data across environments. In his session at 21st Cloud Expo, Dr. Allon Cohen, VP of Product at Elastifile, will explore new techniques and best practices that help enterprise IT benefit from the advantages of hybrid cloud environments by enabling data availability for both legacy enterprise and cloud-native mission critical applications. By rev...
SYS-CON Events announced today that Ryobi Systems will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Ryobi Systems Co., Ltd., as an information service company, specialized in business support for local governments and medical industry. We are challenging to achive the precision farming with AI. For more information, visit http:...
Amazon is pursuing new markets and disrupting industries at an incredible pace. Almost every industry seems to be in its crosshairs. Companies and industries that once thought they were safe are now worried about being “Amazoned.”. The new watch word should be “Be afraid. Be very afraid.” In his session 21st Cloud Expo, Chris Kocher, a co-founder of Grey Heron, will address questions such as: What new areas is Amazon disrupting? How are they doing this? Where are they likely to go? What are th...
High-velocity engineering teams are applying not only continuous delivery processes, but also lessons in experimentation from established leaders like Amazon, Netflix, and Facebook. These companies have made experimentation a foundation for their release processes, allowing them to try out major feature releases and redesigns within smaller groups before making them broadly available. In his session at 21st Cloud Expo, Brian Lucas, Senior Staff Engineer at Optimizely, will discuss how by using...
In this strange new world where more and more power is drawn from business technology, companies are effectively straddling two paths on the road to innovation and transformation into digital enterprises. The first path is the heritage trail – with “legacy” technology forming the background. Here, extant technologies are transformed by core IT teams to provide more API-driven approaches. Legacy systems can restrict companies that are transitioning into digital enterprises. To truly become a lead...
SYS-CON Events announced today that Daiya Industry will exhibit at the Japanese Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Ruby Development Inc. builds new services in short period of time and provides a continuous support of those services based on Ruby on Rails. For more information, please visit https://github.com/RubyDevInc.
As businesses evolve, they need technology that is simple to help them succeed today and flexible enough to help them build for tomorrow. Chrome is fit for the workplace of the future — providing a secure, consistent user experience across a range of devices that can be used anywhere. In her session at 21st Cloud Expo, Vidya Nagarajan, a Senior Product Manager at Google, will take a look at various options as to how ChromeOS can be leveraged to interact with people on the devices, and formats th...
SYS-CON Events announced today that Yuasa System will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Yuasa System is introducing a multi-purpose endurance testing system for flexible displays, OLED devices, flexible substrates, flat cables, and films in smartphones, wearables, automobiles, and healthcare.
SYS-CON Events announced today that Taica will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Taica manufacturers Alpha-GEL brand silicone components and materials, which maintain outstanding performance over a wide temperature range -40C to +200C. For more information, visit http://www.taica.co.jp/english/.
Organizations do not need a Big Data strategy; they need a business strategy that incorporates Big Data. Most organizations lack a road map for using Big Data to optimize key business processes, deliver a differentiated customer experience, or uncover new business opportunities. They do not understand what’s possible with respect to integrating Big Data into the business model.
Recently, REAN Cloud built a digital concierge for a North Carolina hospital that had observed that most patient call button questions were repetitive. In addition, the paper-based process used to measure patient health metrics was laborious, not in real-time and sometimes error-prone. In their session at 21st Cloud Expo, Sean Finnerty, Executive Director, Practice Lead, Health Care & Life Science at REAN Cloud, and Dr. S.P.T. Krishnan, Principal Architect at REAN Cloud, will discuss how they b...
Enterprises have taken advantage of IoT to achieve important revenue and cost advantages. What is less apparent is how incumbent enterprises operating at scale have, following success with IoT, built analytic, operations management and software development capabilities – ranging from autonomous vehicles to manageable robotics installations. They have embraced these capabilities as if they were Silicon Valley startups. As a result, many firms employ new business models that place enormous impor...
SYS-CON Events announced today that Dasher Technologies will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Dasher Technologies, Inc. ® is a premier IT solution provider that delivers expert technical resources along with trusted account executives to architect and deliver complete IT solutions and services to help our clients execute their goals, plans and objectives. Since 1999, we'v...
SYS-CON Events announced today that MIRAI Inc. will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. MIRAI Inc. are IT consultants from the public sector whose mission is to solve social issues by technology and innovation and to create a meaningful future for people.
SYS-CON Events announced today that TidalScale, a leading provider of systems and services, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. TidalScale has been involved in shaping the computing landscape. They've designed, developed and deployed some of the most important and successful systems and services in the history of the computing industry - internet, Ethernet, operating s...