Cloud Security Authors: James Carlini, John Walsh, Kevin Jackson, Pat Romanski, Xenia von Wedel

Related Topics: Cloud Security, Java IoT, Microservices Expo, Containers Expo Blog, Agile Computing, @CloudExpo

Cloud Security: Article

The Secret Sauce of User Provisioning

Key lies in integration with other infosec capbilities

If you want the secret to user provisioning and de-provisioning in an enterprise setting, I’ll give you the one word answer, and then you can get on with the rest of your day…


However, if you need to know why, how and with what...read on.

The need to credential authorized users to your network and other proprietary assets is clear. You only want those with the proper rights in…and all others out. Complicating matters is that there are so many users these days…employees, channel partners, contract employees, suppliers, vendors, customers, prospects--all needing some sliver of access. Further muddying the water is that each of the mentioned user types are not all equal. Consider employees. Do you want your junior admin assistant to have access to payroll information or other files type specifically aimed at senior executives? The volunteer coordinator at a local branch of a national non-profit may need social media access to spread activity messaging, but probably doesn't need the log in credentials to ServiceNow.

In ancient days, you gave the key to the crown jewels to one trusted sentry. And only death would part this sentinel from his sacred duty of protecting the most precious assets of the kingdom.  However, that ruler never ran a successful multi-national, multi-brand enterprise with thousands of moving parts all needing to access to portions of those precious assets in order to perpetuate that success. The overarching problem is not only maintaining the sanctity of the assets, but providing an enforcement policy that simplifies the complex tangle of provisioning (and de-provisioning) and creates seamless and orderly access for users at a manageable cost.

Too many companies ride the razors edge with overly open networks and permission protocols. Even with firewalls and intrusion detection security, if you give out the keys to the kingdom like candy, you’re bound to suffer high dentist bills!

So you have all these moving parts; all these competing needs; and time, of course, is a premium. Provisioning is the process that creates user identities and gives them access privileges to your network. Best practices (and many compliance regulations) dictate that that access be awarded based on role. This gives IT the control it needs to differentiate predetermined user needs. Each department, division, franchise, partner sees the files and applications it needs to see for the purpose of achieving organization. And that’s it.

To ensure provisioning is streamline, you need to make sure the process is automated. So when a new “account” is created (from Active Directory, LDAP or various native SaaS directories), existing rules push the identity out and regulate access to applications and data quickly and without costly IT intervention. This is especially important when you have an organization with autonomous elements like branch offices, franchises and disparate memberships.

The same goes for de-provisioning. Imagine you buy a house, but you let the previous owners keep a set of keys. De-provisioning makes certain that doesn’t happen. And automatic de-provisioning ensures that happens at the moment of employee termination, contract fulfillment, service cancellation or any other separation. Your HR person or contracts administrator can notate the status change, and through a workflow process engine, the “keys” have been handed in and all privileges to network assets cut off. As data leakage and data theft are some of the biggest threats to an enterprise, this process instantly reduces the risk.

Now what was that about integration?

Up to this point, everything I described is part of most identity management packages. And there are many vendors who can supply it on premise or from the cloud (again based on your organizational need). But, what most identity management packages lack is the ability to automatically integrate with other security pillars; most notably, access management (which controls such things as single sign on). Now there are solution providers and managed service providers that offer both; and in fact, you may have both deployed somewhere on your network. But the secret sauce is unless you have customized your configuration, a unified solution doesn’t really exist.

However, it does currently exist as an out of the box deployment from the cloud. Most enterprises today have a myriad of applications-some based in the cloud, some on premise, some home-grown legacy solutions. And your IT landscape is not static. What is needed is something flexible and scalable to keep up and match the changing demands.

Why? Putting the obvious arguments as cost-savings, and the expansion of immediate and available expert resources aside, let’s concentrate on one that directly impacts security: agility and visibility to respond and protect assets. Separately, identity credentialing and access management control unique-yet-related domains of the security environment. Each requires separate administration with no requirement to leverage information with the other. This leads to potential organizational disconnect (the old chestnut of the right hand doesn't know what the left is doing). The vulnerability gaps created from this oversight can affect everything from compliance to the usage of unsanctioned materials to the unsupervised access of important assets and theft of sensitive information.

However, by centralizing user management under a “single pane of glass,” one create usage context and trackable continuity. If you simply provision to a network, you don’t gain the control over SaaS applications. By incorporating them into single-sign on, IT successfully winnows the possibility of a user moving outside their sphere of security.  Don’t want a user to access Spotify while logged onto your network? If provisioning gives them access to a browser on your IP address, SSO can prevent the usage by removing availability. And user names and passwords for the multiple of SaaS apps (both SAML and non-SAML federated)? An integrated deployment can synchronize and manage all the passwords form any internal or external app or membership-centric web destination (and self-service can reduce direct IT involvement).

In terms of integration, there is one more layer to true unified security. By incorporating SIEM and log management to the mix, you truly increase the strength of your security initiatives. This creates true situational context if monitored in real time. For instance, an alert is generated if an attempt to log-in to a de-provisioned account is tried. Or if a log-in is attempted outside the confines of the approved SSO log-in. Or, for good measure, someone successfully logs in and tries to modify, copy or change a protected asset. This unified approach to security really does enhance the visibility. It won’t stop the attacks from occurring, but should prevent them from doing any damage.

In that I advocate this package of solutions being deployed from the multi-tenant cloud,  I truly believe they are they are not simply affordable by any sized company, but with the benefit of security as a service, extraordinarily manageable. So when I advocate their inclusion I am not trying to create best practices in a vacuum that only Fortune 500 companies can deploy. Cloud security is an egalitarian and effective means to achieve better security based on business and organizational needs, not technology, budget or staff availability.


Kevin Nikkhoo


More Stories By Kevin Nikkhoo

With more than 32 years of experience in information technology, and an extensive and successful entrepreneurial background, Kevin Nikkhoo is the CEO of the dynamic security-as-a-service startup Cloud Access. CloudAccess is at the forefront of the latest evolution of IT asset protection--the cloud.

Kevin holds a Bachelor of Science in Computer Engineering from McGill University, Master of Computer Engineering at California State University, Los Angeles, and an MBA from the University of Southern California with emphasis in entrepreneurial studies.

@ThingsExpo Stories
"Cloud Academy is an enterprise training platform for the cloud, specifically public clouds. We offer guided learning experiences on AWS, Azure, Google Cloud and all the surrounding methodologies and technologies that you need to know and your teams need to know in order to leverage the full benefits of the cloud," explained Alex Brower, VP of Marketing at Cloud Academy, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clar...
In his session at 21st Cloud Expo, Carl J. Levine, Senior Technical Evangelist for NS1, will objectively discuss how DNS is used to solve Digital Transformation challenges in large SaaS applications, CDNs, AdTech platforms, and other demanding use cases. Carl J. Levine is the Senior Technical Evangelist for NS1. A veteran of the Internet Infrastructure space, he has over a decade of experience with startups, networking protocols and Internet infrastructure, combined with the unique ability to it...
"IBM is really all in on blockchain. We take a look at sort of the history of blockchain ledger technologies. It started out with bitcoin, Ethereum, and IBM evaluated these particular blockchain technologies and found they were anonymous and permissionless and that many companies were looking for permissioned blockchain," stated René Bostic, Technical VP of the IBM Cloud Unit in North America, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Conventi...
Gemini is Yahoo’s native and search advertising platform. To ensure the quality of a complex distributed system that spans multiple products and components and across various desktop websites and mobile app and web experiences – both Yahoo owned and operated and third-party syndication (supply), with complex interaction with more than a billion users and numerous advertisers globally (demand) – it becomes imperative to automate a set of end-to-end tests 24x7 to detect bugs and regression. In th...
Widespread fragmentation is stalling the growth of the IIoT and making it difficult for partners to work together. The number of software platforms, apps, hardware and connectivity standards is creating paralysis among businesses that are afraid of being locked into a solution. EdgeX Foundry is unifying the community around a common IoT edge framework and an ecosystem of interoperable components.
"MobiDev is a software development company and we do complex, custom software development for everybody from entrepreneurs to large enterprises," explained Alan Winters, U.S. Head of Business Development at MobiDev, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Large industrial manufacturing organizations are adopting the agile principles of cloud software companies. The industrial manufacturing development process has not scaled over time. Now that design CAD teams are geographically distributed, centralizing their work is key. With large multi-gigabyte projects, outdated tools have stifled industrial team agility, time-to-market milestones, and impacted P&L stakeholders.
"Space Monkey by Vivent Smart Home is a product that is a distributed cloud-based edge storage network. Vivent Smart Home, our parent company, is a smart home provider that places a lot of hard drives across homes in North America," explained JT Olds, Director of Engineering, and Brandon Crowfeather, Product Manager, at Vivint Smart Home, in this SYS-CON.tv interview at @ThingsExpo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"Akvelon is a software development company and we also provide consultancy services to folks who are looking to scale or accelerate their engineering roadmaps," explained Jeremiah Mothersell, Marketing Manager at Akvelon, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Coca-Cola’s Google powered digital signage system lays the groundwork for a more valuable connection between Coke and its customers. Digital signs pair software with high-resolution displays so that a message can be changed instantly based on what the operator wants to communicate or sell. In their Day 3 Keynote at 21st Cloud Expo, Greg Chambers, Global Group Director, Digital Innovation, Coca-Cola, and Vidya Nagarajan, a Senior Product Manager at Google, discussed how from store operations and ...
"There's plenty of bandwidth out there but it's never in the right place. So what Cedexis does is uses data to work out the best pathways to get data from the origin to the person who wants to get it," explained Simon Jones, Evangelist and Head of Marketing at Cedexis, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
SYS-CON Events announced today that CrowdReviews.com has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5–7, 2018, at the Javits Center in New York City, NY. CrowdReviews.com is a transparent online platform for determining which products and services are the best based on the opinion of the crowd. The crowd consists of Internet users that have experienced products and services first-hand and have an interest in letting other potential buye...
SYS-CON Events announced today that Telecom Reseller has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5-7, 2018, at the Javits Center in New York, NY. Telecom Reseller reports on Unified Communications, UCaaS, BPaaS for enterprise and SMBs. They report extensively on both customer premises based solutions such as IP-PBX as well as cloud based and hosted platforms.
It is of utmost importance for the future success of WebRTC to ensure that interoperability is operational between web browsers and any WebRTC-compliant client. To be guaranteed as operational and effective, interoperability must be tested extensively by establishing WebRTC data and media connections between different web browsers running on different devices and operating systems. In his session at WebRTC Summit at @ThingsExpo, Dr. Alex Gouaillard, CEO and Founder of CoSMo Software, presented ...
WebRTC is great technology to build your own communication tools. It will be even more exciting experience it with advanced devices, such as a 360 Camera, 360 microphone, and a depth sensor camera. In his session at @ThingsExpo, Masashi Ganeko, a manager at INFOCOM Corporation, introduced two experimental projects from his team and what they learned from them. "Shotoku Tamago" uses the robot audition software HARK to track speakers in 360 video of a remote party. "Virtual Teleport" uses a multip...
A strange thing is happening along the way to the Internet of Things, namely far too many devices to work with and manage. It has become clear that we'll need much higher efficiency user experiences that can allow us to more easily and scalably work with the thousands of devices that will soon be in each of our lives. Enter the conversational interface revolution, combining bots we can literally talk with, gesture to, and even direct with our thoughts, with embedded artificial intelligence, whic...
SYS-CON Events announced today that Evatronix will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Evatronix SA offers comprehensive solutions in the design and implementation of electronic systems, in CAD / CAM deployment, and also is a designer and manufacturer of advanced 3D scanners for professional applications.
Leading companies, from the Global Fortune 500 to the smallest companies, are adopting hybrid cloud as the path to business advantage. Hybrid cloud depends on cloud services and on-premises infrastructure working in unison. Successful implementations require new levels of data mobility, enabled by an automated and seamless flow across on-premises and cloud resources. In his general session at 21st Cloud Expo, Greg Tevis, an IBM Storage Software Technical Strategist and Customer Solution Architec...
To get the most out of their data, successful companies are not focusing on queries and data lakes, they are actively integrating analytics into their operations with a data-first application development approach. Real-time adjustments to improve revenues, reduce costs, or mitigate risk rely on applications that minimize latency on a variety of data sources. In his session at @BigDataExpo, Jack Norris, Senior Vice President, Data and Applications at MapR Technologies, reviewed best practices to ...
An increasing number of companies are creating products that combine data with analytical capabilities. Running interactive queries on Big Data requires complex architectures to store and query data effectively, typically involving data streams, an choosing efficient file format/database and multiple independent systems that are tied together through custom-engineered pipelines. In his session at @BigDataExpo at @ThingsExpo, Tomer Levi, a senior software engineer at Intel’s Advanced Analytics gr...