Whether an organisation's CISO decides to build the identity service on-premise, or buy it from an identity and access management as a service (IAMaaS) provider, more than architecture must be considered. To provide value to the business, the role of enterprise security must evolve.
The valuable skill is now securely connecting users to distributed business services, with identity as the new perimeter. “If we do it right, we move security function from the back-office to the boardroom,” says Henk van der Heijden, VP EMEA Security Solutions, at CA.
He says enterprises must now take the view that there is no longer a single perimeter around their enterprise applications. “There are multiple perimeters around the traditional enterprise, SaaS applications and other cloud environments. The enterprise does not directly control these perimeters and must manage them via contracts with their service providers.”
According to him, what they can manage, however, is the access control to each of these applications, regardless of which cloud provider controls them. “The enterprise needs to view identity as the new central control point or 'perimeter' of the enterprise. The company needs a single point of authentication that is the only way to enter any of these distributed enterprise applications.”
This central enforcement accomplishes several goals, he explains. Firstly, a 'perimeter' valve is now in place to cut off access to all applications when an employee changes roles or leaves the company. Secondly, you have access records for all applications to fulfil compliance mandates.
Lastly, he says, there are now usage records that help the business identify when it is paying for too many seats. “The centralised identity service provides single sign-on to all their applications (on-premise or SaaS) from any device (PC or mobile). The business users get a much better experience and can adopt applications more rapidly.”
This model can be put in place as an extension of the on-premise environment or can be acquired as a cloud service, adds Van der Heijden. It involves two primary components. The first is a central point of authentication, and all users will validate their identity in the manner specified by the enterprise. Given that the central identity service becomes the main access door for every application, initial authentication of the user is critical.
Risk-based modelling that adjusts the authentication mode to context such as the device, time of day, location, recent history and/or transaction value is required. These technologies are evolving such that much of this activity can be done transparently, keeping customers happy and ensuring business users don't work around corporate controls.
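The adaptive authentication described above can be expressed as a small policy that scores the signals the article names and maps the score onto an authentication mode. The following is an added illustration, not CA's product logic or code from the article; the weights, thresholds and the three resulting modes are assumed values chosen for the example.

```python
"""Adaptive (risk-based) authentication policy.

Added illustration, not CA's or the article's code. The factors are the ones
the text names (device, time of day, location, recent history, transaction
value); the weights, thresholds and the three modes are assumed."""
from dataclasses import dataclass

# Authentication modes the central identity service can demand (assumed set).
TRANSPARENT = "sso-session"      # existing SSO session suffices, no prompt
STEP_UP = "password+otp"         # require a second factor
BLOCK = "block-and-alert"        # refuse the attempt and alert the SOC


@dataclass(frozen=True)
class Profile:
    """What the identity service already knows about the user."""
    known_devices: frozenset
    home_countries: frozenset
    recent_failures: int      # failed logins in the last hour


@dataclass(frozen=True)
class Request:
    """Context of the access attempt being evaluated."""
    device_id: str
    country: str
    hour: int                 # local hour of day, 0-23
    transaction_value: float  # 0 for a plain login


def risk_score(req: Request, profile: Profile) -> int:
    """Sum the weights of every risk signal present in the request."""
    score = 0
    if req.device_id not in profile.known_devices:
        score += 30                                  # new or unenrolled device
    if req.country not in profile.home_countries:
        score += 30                                  # unusual location
    if not 7 <= req.hour <= 20:
        score += 10                                  # outside working hours
    score += 10 * min(profile.recent_failures, 5)   # recent history, capped
    if req.transaction_value >= 10_000:
        score += 30                                  # high-value transaction
    elif req.transaction_value >= 1_000:
        score += 15
    return score


def choose_mode(score: int) -> str:
    """Map a score onto an authentication mode (thresholds assumed)."""
    if score < 30:
        return TRANSPARENT
    if score < 70:
        return STEP_UP
    return BLOCK


def decide(req: Request, profile: Profile) -> str:
    """Full decision for one access attempt."""
    return choose_mode(risk_score(req, profile))


if __name__ == "__main__":
    # Constructed user profile and three requests covering each outcome.
    alice = Profile(frozenset({"laptop-42"}), frozenset({"NL"}), recent_failures=0)
    usual = Request("laptop-42", "NL", hour=10, transaction_value=0)
    new_device = Request("phone-7", "NL", hour=10, transaction_value=5_000)
    suspicious = Request("phone-7", "BR", hour=3, transaction_value=50_000)
    for r in (usual, new_device, suspicious):
        print(risk_score(r, alice), decide(r, alice))
```

Most routine requests score zero and pass on the existing SSO session, which is the "transparent" behaviour the text describes; only the unusual combinations prompt for a second factor or are refused, so users have little reason to work around the control.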
The second component is federation of the user identity to the cloud provider (or enterprise app). “In the past, creating this model has been challenging, given that each application required its own user list and credentials. However, recent advances and growing adoption around standards such as SAML, OpenID Connect and OAuth for authentication and SCIM for user administration are making it possible to centralise authentication and pass a token to each application. Cloud providers should be able to ensure that only users authenticated by the enterprise are allowed access to that enterprise's applications.”
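The two components Van der Heijden describes, a central point of authentication and federation of the identity to each application, together with the earlier "valve" and access-record points, as an added example that is not the article's or CA's code: the identity provider refuses a token to a deprovisioned user, records every issue or denial per application, and the cloud application admits only tokens signed by the enterprise's identity service, issued for that application and not yet expired. The issuer URL, key, users and application names are constructed; the token follows JWT's compact layout but is signed with HMAC-SHA256 over a shared key, an assumed simplification of the asymmetric signatures SAML and OpenID Connect deployments normally use so that the application can verify without being able to mint tokens.

```python
"""Central authentication plus token federation to a cloud application.
Added example, not the article's or CA's code; HMAC over a shared key is an
assumed stand-in for the IdP's private-key signature."""
import base64
import hashlib
import hmac
import json
import time

IDP_ISSUER = "https://idp.example-corp.test"          # constructed
SHARED_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """The enterprise's single point of authentication."""

    def __init__(self, directory):
        self.directory = directory    # user -> {"active": bool, "roles": [...]}
        self.access_log = []          # per-application access/usage records

    def issue_token(self, user, audience, now=None, ttl=300):
        """Signed token for `audience`, or None if the user may not enter."""
        now = int(time.time() if now is None else now)
        entry = self.directory.get(user)
        allowed = bool(entry and entry["active"])   # the central 'valve'
        self.access_log.append({"user": user, "app": audience, "ts": now,
                                "result": "issued" if allowed else "denied"})
        if not allowed:
            return None
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {"iss": IDP_ISSUER, "sub": user, "aud": audience,
                  "iat": now, "exp": now + ttl, "roles": entry["roles"]}
        signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
        sig = hmac.new(SHARED_KEY, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64(sig)


class ServiceProvider:
    """A cloud application that admits only users the enterprise authenticated."""

    def __init__(self, audience, trusted_issuer, key):
        self.audience, self.trusted_issuer, self.key = audience, trusted_issuer, key

    def verify(self, token, now=None):
        """Return the claims if the token is acceptable, else raise ValueError."""
        now = int(time.time() if now is None else now)
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        # Check the signature before trusting anything in the payload.
        expected = hmac.new(self.key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(parts[2])):
            raise ValueError("bad signature")
        if json.loads(_unb64(parts[0])).get("alg") != "HS256":
            raise ValueError("unexpected algorithm")
        claims = json.loads(_unb64(parts[1]))
        if claims.get("iss") != self.trusted_issuer:
            raise ValueError("token not issued by the enterprise IdP")
        if claims.get("aud") != self.audience:
            raise ValueError("token issued for another application")
        if claims.get("exp", 0) <= now:
            raise ValueError("token expired")
        return claims

    def try_verify(self, token, now=None):
        """Non-raising variant: (True, claims) or (False, reason)."""
        try:
            return True, self.verify(token, now)
        except ValueError as exc:
            return False, str(exc)


def run_demo():
    """Constructed directory and two SaaS apps; returns each outcome."""
    idp = IdentityProvider({"alice": {"active": True, "roles": ["sales"]},
                            "bob": {"active": False, "roles": ["finance"]}})  # bob has left
    crm = ServiceProvider("crm.saas.test", IDP_ISSUER, SHARED_KEY)
    hr = ServiceProvider("hr.saas.test", IDP_ISSUER, SHARED_KEY)
    t0 = 1_700_000_000
    alice_token = idp.issue_token("alice", "crm.saas.test", now=t0)
    tampered = alice_token[:-4] + ("BBBB" if alice_token.endswith("AAAA") else "AAAA")
    return {
        "alice_at_crm": crm.try_verify(alice_token, now=t0 + 10),
        "alice_token_at_hr": hr.try_verify(alice_token, now=t0 + 10),
        "alice_expired": crm.try_verify(alice_token, now=t0 + 600),
        "tampered": crm.try_verify(tampered, now=t0 + 10),
        "bob_deprovisioned": idp.issue_token("bob", "crm.saas.test", now=t0),
        "access_log": idp.access_log,
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The application never sees a password; it trusts only the signature, issuer and audience, so a user removed from the enterprise directory loses every application at once and the identity provider's log shows which applications each user actually touched.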
Speaking of governance concerns, he says that, from an enterprise's perspective, it maintains governance over its cloud providers by controlling all the authentication. “This still does not cover how the cloud provider secures the data, but it goes a long way towards placing a solid access control around the distributed enterprise.”
He adds that by centralising the authentication for all applications and ensuring strong identity validation takes place, the enterprise is increasing control of its data. This allows the enterprise to overcome any weak password policies implemented by any of its cloud providers. “It will also allow the enterprise to avoid brute force password attacks.”