Cloud Security Authors: Lisa Calkins, Liz McMillan, Mamoon Yunus, Pat Romanski, Elizabeth White

Related Topics: Cloud Security, Java IoT, Microservices Expo, Containers Expo Blog, Agile Computing, @CloudExpo

Cloud Security: Article

The Secret Sauce of User Provisioning

Key lies in integration with other infosec capbilities

If you want the secret to user provisioning and de-provisioning in an enterprise setting, I’ll give you the one word answer, and then you can get on with the rest of your day…


However, if you need to know why, how and with what...read on.

The need to credential authorized users to your network and other proprietary assets is clear. You only want those with the proper rights in…and all others out. Complicating matters is that there are so many users these days…employees, channel partners, contract employees, suppliers, vendors, customers, prospects--all needing some sliver of access. Further muddying the water is that each of the mentioned user types are not all equal. Consider employees. Do you want your junior admin assistant to have access to payroll information or other files type specifically aimed at senior executives? The volunteer coordinator at a local branch of a national non-profit may need social media access to spread activity messaging, but probably doesn't need the log in credentials to ServiceNow.

In ancient days, you gave the key to the crown jewels to one trusted sentry. And only death would part this sentinel from his sacred duty of protecting the most precious assets of the kingdom.  However, that ruler never ran a successful multi-national, multi-brand enterprise with thousands of moving parts all needing to access to portions of those precious assets in order to perpetuate that success. The overarching problem is not only maintaining the sanctity of the assets, but providing an enforcement policy that simplifies the complex tangle of provisioning (and de-provisioning) and creates seamless and orderly access for users at a manageable cost.

Too many companies ride the razors edge with overly open networks and permission protocols. Even with firewalls and intrusion detection security, if you give out the keys to the kingdom like candy, you’re bound to suffer high dentist bills!

So you have all these moving parts; all these competing needs; and time, of course, is a premium. Provisioning is the process that creates user identities and gives them access privileges to your network. Best practices (and many compliance regulations) dictate that that access be awarded based on role. This gives IT the control it needs to differentiate predetermined user needs. Each department, division, franchise, partner sees the files and applications it needs to see for the purpose of achieving organization. And that’s it.

To ensure provisioning is streamline, you need to make sure the process is automated. So when a new “account” is created (from Active Directory, LDAP or various native SaaS directories), existing rules push the identity out and regulate access to applications and data quickly and without costly IT intervention. This is especially important when you have an organization with autonomous elements like branch offices, franchises and disparate memberships.

The same goes for de-provisioning. Imagine you buy a house, but you let the previous owners keep a set of keys. De-provisioning makes certain that doesn’t happen. And automatic de-provisioning ensures that happens at the moment of employee termination, contract fulfillment, service cancellation or any other separation. Your HR person or contracts administrator can notate the status change, and through a workflow process engine, the “keys” have been handed in and all privileges to network assets cut off. As data leakage and data theft are some of the biggest threats to an enterprise, this process instantly reduces the risk.

Now what was that about integration?

Up to this point, everything I described is part of most identity management packages. And there are many vendors who can supply it on premise or from the cloud (again based on your organizational need). But, what most identity management packages lack is the ability to automatically integrate with other security pillars; most notably, access management (which controls such things as single sign on). Now there are solution providers and managed service providers that offer both; and in fact, you may have both deployed somewhere on your network. But the secret sauce is unless you have customized your configuration, a unified solution doesn’t really exist.

However, it does currently exist as an out of the box deployment from the cloud. Most enterprises today have a myriad of applications-some based in the cloud, some on premise, some home-grown legacy solutions. And your IT landscape is not static. What is needed is something flexible and scalable to keep up and match the changing demands.

Why? Putting the obvious arguments as cost-savings, and the expansion of immediate and available expert resources aside, let’s concentrate on one that directly impacts security: agility and visibility to respond and protect assets. Separately, identity credentialing and access management control unique-yet-related domains of the security environment. Each requires separate administration with no requirement to leverage information with the other. This leads to potential organizational disconnect (the old chestnut of the right hand doesn't know what the left is doing). The vulnerability gaps created from this oversight can affect everything from compliance to the usage of unsanctioned materials to the unsupervised access of important assets and theft of sensitive information.

However, by centralizing user management under a “single pane of glass,” one create usage context and trackable continuity. If you simply provision to a network, you don’t gain the control over SaaS applications. By incorporating them into single-sign on, IT successfully winnows the possibility of a user moving outside their sphere of security.  Don’t want a user to access Spotify while logged onto your network? If provisioning gives them access to a browser on your IP address, SSO can prevent the usage by removing availability. And user names and passwords for the multiple of SaaS apps (both SAML and non-SAML federated)? An integrated deployment can synchronize and manage all the passwords form any internal or external app or membership-centric web destination (and self-service can reduce direct IT involvement).

In terms of integration, there is one more layer to true unified security. By incorporating SIEM and log management to the mix, you truly increase the strength of your security initiatives. This creates true situational context if monitored in real time. For instance, an alert is generated if an attempt to log-in to a de-provisioned account is tried. Or if a log-in is attempted outside the confines of the approved SSO log-in. Or, for good measure, someone successfully logs in and tries to modify, copy or change a protected asset. This unified approach to security really does enhance the visibility. It won’t stop the attacks from occurring, but should prevent them from doing any damage.

In that I advocate this package of solutions being deployed from the multi-tenant cloud,  I truly believe they are they are not simply affordable by any sized company, but with the benefit of security as a service, extraordinarily manageable. So when I advocate their inclusion I am not trying to create best practices in a vacuum that only Fortune 500 companies can deploy. Cloud security is an egalitarian and effective means to achieve better security based on business and organizational needs, not technology, budget or staff availability.


Kevin Nikkhoo


More Stories By Kevin Nikkhoo

With more than 32 years of experience in information technology, and an extensive and successful entrepreneurial background, Kevin Nikkhoo is the CEO of the dynamic security-as-a-service startup Cloud Access. CloudAccess is at the forefront of the latest evolution of IT asset protection--the cloud.

Kevin holds a Bachelor of Science in Computer Engineering from McGill University, Master of Computer Engineering at California State University, Los Angeles, and an MBA from the University of Southern California with emphasis in entrepreneurial studies.

@ThingsExpo Stories
SYS-CON Events announced today that Elastifile will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Elastifile Cloud File System (ECFS) is software-defined data infrastructure designed for seamless and efficient management of dynamic workloads across heterogeneous environments. Elastifile provides the architecture needed to optimize your hybrid cloud environment, by facilitating efficient...
"We provide IoT solutions. We provide the most compatible solutions for many applications. Our solutions are industry agnostic and also protocol agnostic," explained Richard Han, Head of Sales and Marketing and Engineering at Systena America, in this SYS-CON.tv interview at @ThingsExpo, held June 6-8, 2017, at the Javits Center in New York City, NY.
SYS-CON Events announced today that GrapeUp, the leading provider of rapid product development at the speed of business, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Grape Up is a software company, specialized in cloud native application development and professional services related to Cloud Foundry PaaS. With five expert teams that operate in various sectors of the market acr...
SYS-CON Events announced today that Golden Gate University will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Since 1901, non-profit Golden Gate University (GGU) has been helping adults achieve their professional goals by providing high quality, practice-based undergraduate and graduate educational programs in law, taxation, business and related professions. Many of its courses are taug...
Recently, IoT seems emerging as a solution vehicle for data analytics on real-world scenarios from setting a room temperature setting to predicting a component failure of an aircraft. Compared with developing an application or deploying a cloud service, is an IoT solution unique? If so, how? How does a typical IoT solution architecture consist? And what are the essential components and how are they relevant to each other? How does the security play out? What are the best practices in formulating...
WebRTC is great technology to build your own communication tools. It will be even more exciting experience it with advanced devices, such as a 360 Camera, 360 microphone, and a depth sensor camera. In his session at @ThingsExpo, Masashi Ganeko, a manager at INFOCOM Corporation, will introduce two experimental projects from his team and what they learned from them. "Shotoku Tamago" uses the robot audition software HARK to track speakers in 360 video of a remote party. "Virtual Teleport" uses a...
In his session at @ThingsExpo, Arvind Radhakrishnen discussed how IoT offers new business models in banking and financial services organizations with the capability to revolutionize products, payments, channels, business processes and asset management built on strong architectural foundation. The following topics were covered: How IoT stands to impact various business parameters including customer experience, cost and risk management within BFS organizations.
SYS-CON Events announced today that Cloud Academy named "Bronze Sponsor" of 21st International Cloud Expo which will take place October 31 - November 2, 2017 at the Santa Clara Convention Center in Santa Clara, CA. Cloud Academy is the industry’s most innovative, vendor-neutral cloud technology training platform. Cloud Academy provides continuous learning solutions for individuals and enterprise teams for Amazon Web Services, Microsoft Azure, Google Cloud Platform, and the most popular cloud com...
DX World EXPO, LLC., a Lighthouse Point, Florida-based startup trade show producer and the creator of "DXWorldEXPO® - Digital Transformation Conference & Expo" has announced its executive management team. The team is headed by Levent Selamoglu, who has been named CEO. "Now is the time for a truly global DX event, to bring together the leading minds from the technology world in a conversation about Digital Transformation," he said in making the announcement.
SYS-CON Events announced today that DXWorldExpo has been named “Global Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Digital Transformation is the key issue driving the global enterprise IT business. Digital Transformation is most prominent among Global 2000 enterprises and government institutions.
21st International Cloud Expo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Me...
In his opening keynote at 20th Cloud Expo, Michael Maximilien, Research Scientist, Architect, and Engineer at IBM, discussed the full potential of the cloud and social data requires artificial intelligence. By mixing Cloud Foundry and the rich set of Watson services, IBM's Bluemix is the best cloud operating system for enterprises today, providing rapid development and deployment of applications that can take advantage of the rich catalog of Watson services to help drive insights from the vast t...
From 2013, NTT Communications has been providing cPaaS service, SkyWay. Its customer’s expectations for leveraging WebRTC technology are not only typical real-time communication use cases such as Web conference, remote education, but also IoT use cases such as remote camera monitoring, smart-glass, and robotic. Because of this, NTT Communications has numerous IoT business use-cases that its customers are developing on top of PaaS. WebRTC will lead IoT businesses to be more innovative and address...
In his session at @ThingsExpo, Sudarshan Krishnamurthi, a Senior Manager, Business Strategy, at Cisco Systems, discussed how IT and operational technology (OT) work together, as opposed to being in separate siloes as once was traditional. Attendees learned how to fully leverage the power of IoT in their organization by bringing the two sides together and bridging the communication gap. He also looked at what good leadership must entail in order to accomplish this, and how IT managers can be the ...
SYS-CON Events announced today that Secure Channels, a cybersecurity firm, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Secure Channels, Inc. offers several products and solutions to its many clients, helping them protect critical data from being compromised and access to computer networks from the unauthorized. The company develops comprehensive data encryption security strategie...
"DX encompasses the continuing technology revolution, and is addressing society's most important issues throughout the entire $78 trillion 21st-century global economy," said Roger Strukhoff, Conference Chair. "DX World Expo has organized these issues along 10 tracks with more than 150 of the world's top speakers coming to Istanbul to help change the world."
Recently, WebRTC has a lot of eyes from market. The use cases of WebRTC are expanding - video chat, online education, online health care etc. Not only for human-to-human communication, but also IoT use cases such as machine to human use cases can be seen recently. One of the typical use-case is remote camera monitoring. With WebRTC, people can have interoperability and flexibility for deploying monitoring service. However, the benefit of WebRTC for IoT is not only its convenience and interopera...
When shopping for a new data processing platform for IoT solutions, many development teams want to be able to test-drive options before making a choice. Yet when evaluating an IoT solution, it’s simply not feasible to do so at scale with physical devices. Building a sensor simulator is the next best choice; however, generating a realistic simulation at very high TPS with ease of configurability is a formidable challenge. When dealing with multiple application or transport protocols, you would be...
What sort of WebRTC based applications can we expect to see over the next year and beyond? One way to predict development trends is to see what sorts of applications startups are building. In his session at @ThingsExpo, Arin Sime, founder of WebRTC.ventures, discussed the current and likely future trends in WebRTC application development based on real requests for custom applications from real customers, as well as other public sources of information.
SYS-CON Events announced today that App2Cloud will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct. 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. App2Cloud is an online Platform, specializing in migrating legacy applications to any Cloud Providers (AWS, Azure, Google Cloud).