When Olympic rowers glide across the water’s surface at speeds of more than 25 mph, it’s because all the crew are in synch with one another. It’s a collaborative effort. As appropriate…if you are of a certain age and watched films from in science class and the guy in the lab coat was speaking but his words would burble out a second of two later. Not only is this synch off, but the power of the message of symbiosis is gone too. And in cloud security, the concept of synchronization is as foundational.
Security is not simply about blocking; erect a firewall; create a malware detection protocol. Security is also about transference. And transference is dependent on automated, bi-directional synchronization of user information and other key attributes. This means user provisioning of rights and privileges to those within your sphere of trust who need access to certain slivers of your network; entrée to certain applications. And for this to happen, a cloud security initiative needs to develop and maintain a smooth and automated synchronization process between the source database and the applications (whether SaaS, web or legacy). This includes credentials, authentications, and passwords. It’s not just a productivity issue, but a tactical control methodology. In short, the key control is to ensure the smooth real-time transference of identity information held in an identity management (IDaaS) system with that of access management (SSO).
In many organizations, these permissions are done manually. For example, every time a new hire comes on board, an IT admin adds them to the roles in some database. Most companies use Active Directory, LDAP, and/or MySQL to serve as the basis to create the user account. For many it ends there. They have a user name and password…and ostensibly the keys to root around in any folder; access any application. Some companies build in certain restrictions such as director level and above can open this folder; hierarchical permissions allow superiors to review subordinate email and the like. However, in the modern enterprise where mobility of data is routine, multiple silos segment data, agendas compete and create shadow IT, and network perimeters have all but disappeared, the set-it-and-forget days are long gone and an irresponsible practice.
Managing identities and access is tricky. You want to be able to give employees, suppliers, partners and customers the necessary and unique access to achieve their goals. However, addressing everyone’s needs on an individual basis is resource taxing and terribly inefficient. And you need protect some data and IP from exposure. When it comes to integrating the corporate environment, tools like Active Directory make it easy to authenticate and secure internal applications. It’s a much greater challenge to create secure and seamless access to applications outside its direct control. And as any IT professional can attest, a rising majority of applications and functionality is acquired from the cloud. The good news is that security can be acquired and deployed in a similar fashion…and accomplished in real time.
An integrated identity (IDM) and access management (SSO) initiative removes much of the burden; especially when deployed and managed from the cloud. Typically treated as individual point solutions, identity management handles the credential of an individual user account. Through the process of provisioning, it reads the Active Directory file and sets the rules, but it doesn’t control access to the application. That’s the realm of Access Management (referred to as single sign on or SSO). Together in a unified security bundle from the cloud provide the necessary combination of administration, automation and application. So, now there are all of these rules and attributes that need to communicate with the various applications .
But the key is seamless integration from credential to access control. Many use single sign on (SSO) as the conduit to apply the identity administration across all the applications. This means the synchronization function of an integrated IAM solution allows for the instantaneous authorization and authentication to multiple applications—but specific to the user. A customer only sees the ERP order form; Bob from Accounting gets access to ADP, but not Box.com; and Ann from sales gets to see salesforce but not ADP. But it is more than simply application segmentation.
To better illustrate consider the following scenario. Company X uses Google Apps, Office365, SAP ECC and WebEx. Without Identity management, each user would need to create a profile within each application. Each would log in separately and manually to each application. Even though the credentials are set in AD, the usage of each application is outside Its control…and therefore so is the security of the applications usage.
The integrated identity access management synchronizes the attributes set in AD and automatically pushes them through (based on roles and rules) to a single sign on portal. This portal, individualized to each user’s privileges, displays only the appropriate applications. Because of synchronization, users can open any approved application safely and without further authorization. And synchronization is (must be) multi-directional. If a user changes their password for a certain application, modifies usage in any way (self-service and contextual modification), an integrated access and identity solution synchronizes the new information and updates AD.
But synchronization is not all about streamlining password management and automating productivity. It is about control. It lets IT more easily enforce corporate policy over what applications are permissible. Considering the mobility of the workforce , IT has been steadily losing control over what application a user downloads and uses. And not every application is SAML-federated. As an organization, will you allow employees to access consumer applications like Facebook or Pandora? Neither is federated (nor are a significant majority of legacy applications).
Synchronization is also about internal protection. The deprovisioning process consistent with identity management protocols is instantly synched with access rights. When the employee leaves, their rights are immediately revoked. They can’t go home and log in to any protected application.
Simply, synchronization is the best practice glue that integrates identity and access management. And in that it leverages AD to manage access to cloud apps, not only addresses several security and risk issues, but also works toward meeting the compliance burdens shared by a variety of industries. Data governance policies are key parts of ensuring security and regulatory compliance and knowing who is accessing what, when and how is a chief component of that reporting. Creating the context of who has the rights and what that identity has been doing with those rights is more than showing credential authentication—it’s implementing the necessary controls that channel identity through an access process. Identity management may create the role-based control, but access management is the enforcer of these processes. And seamless, automated and bi-directional synchronization of all these attributes to federated and non-federated application entities is how companies can best oversee and maintain the ever-expanding network perimeter.
But why the cloud? Everything described above could be deployed internally–but for a moment, lets forgo the long phased development, the heavy capital expenditures, the internal expertise to manage it, and the complexity of configuring federation of every application. Of course, if you’re Bank of America or another Fortune 500 company, these concerns don’t hold too much weight. But for most company’s without a billion dollar budgets and an army of dedicated security analysts, the ability to promote enterprise class security, the cloud provides not only a means to the end; but an effective one. But if we take out typical cost arguments from the cloud debate, you are still left with a way to more easily streamline and centralize all security function into a unified view. Automatic and system-wide synchronization is the glue that allows an analyst to recognize issues in real time. Who is logging into the payroll application? Do they have the proper credentials? Why are they logging in at 3 in the morning from an IP address in China and trying to change the password? What can be done now to stop it? Without synchronization across a unified security platform from the cloud, only the wealthiest corporation would know. But the cloud creates an egalitarian access to protection and your unique synchronization protocols create the necessary coordination to act in present…not weeks later after a breach has been discovered.
In the network environment, control is the most important aspect of a security initiative. The ability to synchronize your administrative decisions and protocols across your diverse enterprise strengthens that control. In that it is cloud-based reduces the time, cost and resource burden. Whether federated SAML-based applications or user-name controlled website logins or your own legacy solutions, there are simply too many potholes for users to step in without controls. The integration IDaaS and SSO from the cloud allows you to smooth the road and creates the necessary collaboration for all the moving parts of your enterprise to be in synch.