We filmed a fascinating Data Security roundtable discussion with Rashmi Knowles from RSA, Charles Race from OneLogin, William Culbert from Bomgar, Paul Ferron from CA Technologies, Jason Goode from Ping Identity and Jackson Shaw from Dell Security
How has the adoption of ‘cloud’, including SaaS applications, changed the security landscape?
William: In short, I think the adoption of the move to cloud-based platforms has actually complicated things for our security teams and policy makers. There are definitely certain aspects that we can put into cloud-based or SaaS-based applications without any issue at all, with the understanding that we need to perhaps just encrypt that data. But there are other types of applications, perhaps business critical applications, that need to have some form of orchestration within our infrastructures and within our networks. So, what we are being forced to do now is actually associate or link our internal corporate networks with a third party. Today we are relying on things like third party policies, SLAs, service agreements, as opposed to having rigid governance and security policies, and best practices, which we have internally, perhaps even compromising on what our security best practices might be.
Paul: So, it has changed the security landscape in two ways, I think, two important ways. The most important thing is that first of all it gave the ability to business people to buy IT outside of IT. So, it liberated business people and set them free from the traditional IT constraints. But in doing so, it also made them aware about the security question and about how risk related to business processes needs to be taken care of. But more importantly, it also made clear that as part of a company we are part of a larger ecosystem. It’s not just companies themselves, it is companies, you know, in a wider ecosystem of partners, consumers, employees, joint ventures and everything. Because of that, we have realised that the traditional security model of the past, where we have a hard edge on the network and then very fragile inside the network, is no longer relevant and doesn’t work anymore. It has really driven us to understand that we need a more robust security profile.
Jackson: Well, I think the security landscape around cloud and SaaS applications has changed fairly dramatically. The introduction of cloud applications has led to shadow IT, which I hope people have heard about. The other big problem that I see is a lot of customers have infrastructure that’s been around prior to cloud and SaaS becoming popular and what that means is that their traditional identity management infrastructure can’t handle provisioning and deprovisioning of these cloud and SaaS properties. The other problem is there is no capability to affect compliance and understand what documents, what spreadsheets, what files have been put on the cloud, on Dropbox, or in Amazon or in Azure, and that makes compliance for a company extremely difficult.
Charles: To answer that question I think that it’s useful to set some context. The average employee now has access to 28 unique cloud-based services as part of their day job, and the average organisation has over 1,000 different cloud services being used across the business. Traditionally for a lot of companies we work with, security has always been at the perimeter; so, that includes the premises, the building, the firewall; but the proliferation of cloud services has meant that we’re now seeing that challenge grow exponentially for organisations. There is also a lot of traditional thinking that suggests identity and security management is something that needs to sit inside the infrastructure on-premise. Because data is in the cloud, the ability or the requirement to manage identities has become more and more prevalent. An Identity Access Management platform is fundamentally the best way to solve that for the organisations that we work with.
Jason: The adoption of cloud in all of its various different flavours - SaaS, private, public - has really changed fundamentally the security landscape. The applications are literally now leaving the building. If you look at the devices upon which those applications are consumed, they will also start to leave the building. But if you look at the traditional security paradigm, that dictates that what’s inside the corporate network is good and what’s outside the corporate network is bad. The problem that organisations have by treating what’s inside as good and what’s outside as bad is that they need to build multiple security policies based on the user, the application and the device they are using. And as you can imagine, the permutations and combinations of user, application and location just create a huge headache for the enterprise. The cloud also increases the attack surface area for an organisation.
What are the benefits of an Identity Access Management solution, why should it be implemented, and would you recommend an on-premise, cloud or hybrid solution?
Paul: Before I can answer that, we first have to realise that everything we do today, every task that we undertake, is actually somebody trying to do something to some piece of information. So, it centres around somebody trying to do something to information and that means identity is a fundamental part of that whole process. If the door rings at eleven o’clock at night, you are first going to try and establish who is at the door and the context of why he is there before you open up the door, and that’s exactly the same in the digital world. So, identity is the fundamental piece that makes the decision whether you want to allow that action to happen or whether you don’t want to allow that to happen. You can actually see that identity becomes fundamental and is a key driver towards having a better, more robust security profile. As to cloud, on-premise or hybrid, really there is no right or wrong. It’s just a matter of what you want to accomplish, who you want to accomplish it for, what’s the scope of the goals and the ecosystem that you want to address, and then you make the decision based on that, and you pick one or both.
Jackson: The benefits of an identity and access management system are varied; they include things like being able to provision and deprovision people in a timely fashion, and that’s important from a security perspective. Other things like compliance, reporting, ensuring that the security across your identity store and across all of your different file systems, and even your cloud systems, is set up correctly is pretty important. Now, which kind of a system would I look at? Would I look at an on-premise system or a hybrid system, or a cloud-based system? I think part of the answer depends on where you are in time. If you already have an established identity infrastructure, you’re probably going to have an in-house identity system and if you think that’s going to be capable of managing your cloud properties, then you would just stick with the in-house. If you are a smaller company, you could probably start with cloud directly. Or if you want to separate things so that your traditional identity management system handles the internal part of the company and a cloud-based identity management system handles the cloud and SaaS properties, you could do that, too, as long as you have a good connection between those two systems. So, it depends a little bit on where you are in your own lifecycle of an identity management company.
Charles: When we talk to our clients and our prospects about the benefits of identity access management, we’re finding it’s solving key business issues across the organisation. At the heart of an identity access management solution is a single sign-on capability. Single sign-on tends to deliver in three key areas. The first is helping the service delivery organisation drive down the costs of dealing with password resets. For the information security department it’s reducing the risk associated with poor, insecure passwords and credentials created by users; and from the user perspective, there is the increase in the productivity by not having to deal with multiple passwords and comes down when it comes from forgotten passwords as well. Although we would be big advocates for a lot of organisations to see real benefits in rolling out an entire cloud-based infrastructure program, these days there are still a lot of organisations that would have made a significant investment in our on-premise architectures and services. For that reason, we find that a hybrid model for a lot of organisations will be the best solution today, but ultimately with a view to moving to a dedicated cloud-based IAM solution in the future.
Jason: The term identity access management has been around for such a long time that it’s come to mean something different to whoever you are asking the question of. At Ping Identity, we feel it’s time to talk about identity defined security, which puts the user’s identity at the absolute core of the security policy and authorisation process. The benefits of an identity defined security solution from a user’s perspective is that they get access to the applications that they need from the devices that they want to use, regardless of location. The benefit to the business is flexibility of deployment, the ability to leverage existing investment and gain visibility from an auditing and compliance perspective. Whether we would recommend a hybrid, on-premise or cloud solution would depend on the client and their ‘use cases’. The beauty of working with Ping is that all three deployment options are available today.
Rashmi: I think identity is really key and if you think about what we do in our lives every day, if you think about all the transactions that we do either in our personal lives or in our business lives, it includes identity accessing some form of information over some form of infrastructure. Really, from a security perspective, that’s what we should be aiming to secure. So, identity is key and an identity access management solution actually gives you a profile so that you can have access to all your resources, whether it’s on-premise, in the cloud, different applications, different services, and also it ensures that you have the correct policies and procedures in place so that as an identity, you are given the right level of entitlement and have the right level of access to those resources.
How does a single sign-on policy help to improve productivity and save costs, and what are the principal differences between SSO and federated identity?
Jackson: Single sign-on is a huge productivity saver for a company that has multiple different systems. One of the things that really hurts productivity for anybody is coming in and sitting down to start the day, logging in and having to log in to every single application that you need through the day; it’s just a time sucker. So, having a single sign-on system allows you to sign in once and have your credentials played into all those other systems. The difference between federation and single sign-on is that federation is a sub-set of single sign-on. Federation has been built fairly recently, its standards are fairly new and not a lot of applications support federation. So, most companies looking at a solution want to look at a blended solution that supports both traditional single sign-on and federated single sign-on. Federated single sign-on is definitely the way to go, but you will never get 100% coverage with a federated single sign-on solution.
Paul: So, single sign-on is not just a matter of convenience. It really helps people become more productive and there’s tremendous cost savings that we can accomplish by introducing an identity-centric, digital workspace that leverages single sign-on to those business processes that the users need to get access to. I have seen a lot of companies that are actually trying to approach this with a single sign-on only mentality, but just single sign-on is not enough and therefore approaching the identity and making sure that you have the right identity context is going to be very fundamental, and the reality is that on top of it being a single sign-on and federated access management problem, it’s also a provisioning and identity management problem.
Charles: The biggest drivers for employee satisfaction are related to something that is referred to as password fatigue, especially as users have to remember lots and lots of passwords and have secure credentials. Forrester suggests that the average cost of a single password reset can be as much as $70 per incident. All of these things contribute to a massive cost to the business that a lot of organisations aren’t necessarily aware of. The difference between something like single sign-on, which has been around in the market for many years, and federation is simply the fact that federation allows you to extend that traditional security profile that’s behind the firewall out to the third party cloud services. As these services are more rapidly adopted, that requirement becomes ever more crucial for the organisations we work with.
Jason: Federation is the SMTP of identity. It allows user information to be shared across the internet in a secure and scalable way. Federation unlocks the power of identity. Single sign-on solutions that don’t leverage federation are proprietary and fragile and should be avoided. Organisations should also avoid using password replay, as well as replicating user data to the cloud. We’d all agree that those types of solutions are not enterprise scaled.
Rashmi: Single sign-on is typically used by large organisations like ours that have global reach and want to give their employees very simple and secure access from wherever they are. So, in terms of improving productivity, it makes it a lot easier for employees because they don’t have to remember lots of complicated passwords to access all the services that they need. Also, when you do forget your credentials, then self-service is much easier. There are lots of security functions typically included in single sign-on so, for example, if a credential is stolen, which incidentally is one of the most common types we see in organisations. Cyber criminals always want to steal credentials because that’s really powerful; if you have somebody’s credentials, you can log in to an organisation’s network. The principal differences between single sign-on and federated identity are actually where the lines are really blurred, but with single sign-on, you typically have your credentials or you have your access to multiple resources via single credentials, whereas with federated ID your credentials are actually stored by that solution.
William: It’s a little bit controversial on this one - I think it does save costs. If I split my arguments into two points: the first one is around if I don’t have a single sign-on solution in place, what I’m going to do is perhaps put a thin line of security by creating complex passwords in my organisation, which is good, but that then leads to a couple of disadvantages. Secondly, with complex passwords, by their nature, they are more complicated and harder to remember and so what we find is that people write down these passwords and that’s terrible for situations such as data leakage, which we hear about in the press as well. So, I think that there’s definitely a case to be made for a multi-factor single sign-on solution being implemented in the enterprise. Now when it comes to federated identity, personally, I think this is absolutely crucial to how an organisation should operate.
How should businesses and organisations leverage provisioning and deprovisioning for cloud applications, and what impact will this have?
Charles: A degree of automation with the on-boarding process is becoming ever more critical for organisations using cloud services. Because these services don’t sit behind the firewall, it’s a new challenge for organisations that are trying to streamline this employment activity. Often when users start with an organisation, there can be considerable delay between the date they begin work and when they have access to all the services that they need to use within their job. Equally, we probably all have stories of employees that have left organisations and still have access to services weeks, sometimes even months, after their employment has been terminated. Single sign-on and the provisioning capabilities that come with an identity access management solution make these fairly simple. When you on-board a new user into your directory, they can be automatically enabled in multiple cloud services almost simultaneously. Equally, when that employee leaves the organisation, you can remove them from the directory and their access is severed to all those services at the same time. The benefits or return on investment for something like an IAM solution that can do provisioning and deprovisioning is really simple to calculate and can often be a simple factor of the cost and labour associated with manually adding and removing users from your services.
Jason: We would absolutely agree and it speaks directly to our vision of making identity core to security. We would argue that whilst provisioning is obviously very important because it’s the means by which accounts are created, it doesn’t solve the password proliferation problem. Provisioning is only one element of an identity security defined model. Businesses should look at leveraging a solution that bridges the inside and the outside world in a secure and scalable way.
Rashmi: So, I think visibility is going to be key, then everything starts with the identity and being able to see who and what is on your network is going to be key. And it’s actually not going to be just who and what, but what they’re doing within some of those key applications and is that behaviour appropriate for that identity. Also, if you have visibility you can actually understand or create a baseline either for that identity or for that particular service, so, if anything different happens then that will show you some anomalies so that you can investigate those and try and minimise the damage. In terms of provisioning and deprovisioning for the cloud, I think a good identity and access management solution shouldn’t really separate the cloud out. So, from a security perspective, you shouldn’t change them or treat them any differently as long as you have a unified view and you have good visibility of what’s happening in the environment.
William: I think that the ability to quickly provision computational resources in the cloud is a fantastic asset to an organisation’s fluctuating needs. That said, as soon as we increase footprint, whether it’s on-premise or in the cloud, we are also increasing the attack surface of our organisation. So, we just need to manage that. Now, an element such as cloud access control can help eliminate some of those threat practices by shutting down services, shutting down ports and even applications that are creating hardened resources within the cloud. Which then brings me on to the deprovisioning of these resources, which is just as important as provisioning them in order to respond to the organisation’s requirements. Deprovisioning ultimately reduces the attack surface of our organisation and therefore can protect us against the possible risks, and therefore against the costs that can be incurred.