Integrated provisioning and access: He said it was too good to be true

superIt’s no covert fact that my secret identity is that of a mild-mannered cloud security executive. And as such, I don’t try to directly promote or discuss any specific solutions my firm offers. However, I was showing a recent upgrade of an access and identity management integration to a CIO of a large medical management company and he offered up the best compliment I could hope for: “This is too good to be true.”

What he was alluding to was the successful demonstration of a key best practice-the ability to seamlessly (one click!) add a user from any Active Directory, LDAP directory—any database, in fact—and have it show up automatically in Google Apps, or any SaaS or legacy application. This is the best practice of user provisioning creating the identity, providing the permissions road map and promoting self-service password management (synchronized bi-directionally) and funnel access via a single sign on portal that can creates controlled gateways to any app, any password-protected website and any legacy tool.

Before you say, I can already do that, where this particular rubber meeinvitets this particular road is that it was done completely in the cloud (no on premise tools or servers). It was done with a single click and centralized all the data shared with other security features such as log archiving (for compliance reporting). I realize there are cloud-based solutions that create and manage identities, solutions that monitor the cloud, and even a few that use the cloud to promote access rules. However, it has been my experience that in most current initiatives, one or both (identity or access) of the solutions are on-premise. The best practice here is that it all be deployed and managed in the cloud…IDaaS or to invent another acronym: IAIaaS (Integrated Access and Identity as a service —okay I’m reaching, but you get the point)

A 100% cloud-based solution, such as the platform Cloud Access offers, some unique and attractive business values, but I have discussed the benefits of a cloud-based security deployment (reducing man hours, compliance burdens and most of all capital expenses) in several past blogs. So let’s move away from the specific technology and discuss why it’s an evolutionary best practice.

Effectively managing individual online user identities while controlling their specific application and data access privileges continue to be a challenge for IT administrators. Considering the issues of complexity, expense and available resources, often time the left hand does not know what the right hand is doing. And that directly impacts visibility, compliance requirements and control over assets.

Every user has a unique relationship to a company’s IT environment. As an employee, Greg has certain needs and responsibilities. As a supplier/partner, Corinne needs her own unique set of permissions; on top of that, there are the customers, patients and service users that also require access to their personal accounts. Many companies use identity management to solve this issue. It creates the credential, the password authorization and provides the proverbial key to the network. Now lay on top of that the various access controls, which are typically the domain of an access management process: one that federates the appropriate applications and divvies up who, in fact, is allowed to access what sliver of data within those applications.

Two issues. And both come down to process. If there are two separate solutions managing two important- yet-related functions, the potential to have segmented capabilities and reporting typically leads to a wider vulnerability gap. Two solutions, two reports (managed by two different people?) create two silos that don’t necessarily collaborate or correlate. It’s like fighting a war on two fronts…and that never ends well. There are simply too many devices, agendas, access opportunities and external and internal threats NOT to share data and leverage one another’s capacity.

Second issue is that access management typically extends to federated applications like, Concur, Yammer, etc. An access initiative doesn’t necessarily incorporate non-SAML  (or other standard protocols like OAuth 2.0, WS-Fed, Liberty). A great many products, including your company’s legacy and proprietary applications, still need to be controlled, but are often incompatible with web access management (WAM) software.  Creating an identity gateway agent bridges access to an unlimited amount of applications and websites.

With the right  strategy deployed, IT can regain (or maintain) a greater amount of control over who gets to see what and how. Not only does this improve visibility, but the benefit chain extends to easier, more streamline compliance reporting, less time administrating and correlating routine requests, reprioritizing higher value tasks, and the one that CFO’s love…it costs less—both in terms of hard and soft costs.

As I said, I don’t often try to make these blogs self-servicing, but I truly want to share how a fully integrated solution works from the cloud. I am hosting a webinar on May 22 and May 28 to review IDaaS and access management best practices and demonstrate this cloud security aligns and leverages current initiatives or expand into new unified capabilities. It’s called One Click…From Directory to Cloud, and I would welcome any of my blog readers to join me.

I would like to show you that CIOs might think it’s too good to be true, but it is true nonetheless! I’m happy to prove it!

You can register here:

Kevin Nikkhoo
Believing the “proof is in the pudding

Tags: , , , , , , , , , , ,