
Identity Management in the Cloud

Level 13

After sharing war stories about passwords, we’re going to take a look at another important part of your internal IT security: identity management. This is the process of maintaining your user database, including who is added to your corporate directory, what happens if they change their name or change their role, how you handle their account if they go on extended leave, and what you do when they leave your organization. There’s a good chance that your organization has some pretty good policies and procedures around all of this already (or should have), and will rely on some input from your HR department.

Access to SaaS applications in the cloud also requires the establishment and management of corporate identities, so this is a really good thing to have sorted out BEFORE you create your first lot of cloud accounts. Note: my options are mostly Microsoft-centric because that’s what I know. Feel free to leave a comment and tell me what else works.

The worst case is that your SaaS application has a user directory completely isolated from your organization’s. And while there are some cases where that separation might be beneficial, it means that you are going to have to run TWO processes and change things in two systems (in your corporate directory and in the cloud) when identities change. It’s possible, but also annoying. It means your users will have two logins and two passwords to maintain. Last time in the comments, we touched on the pain of different password lengths/qualities and expirations across different systems. The other problem is the risk of things getting out of sync. If your new process is not followed to the letter, you could end up with an ex-employee whose corporate account is disabled but who still has access to your corporate information in the SaaS application. I hope they left on good terms.
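One way to catch that out-of-sync condition is a periodic reconciliation of the two user lists. The following is an added example, not part of the original post; the CSV column names and the sample accounts are constructed assumptions, to be adapted to whatever your directory and SaaS admin console actually export.

```python
import csv
import io

# Constructed sample exports (not real data). Column names are assumptions;
# adjust them to what your directory and SaaS admin console export.
CORPORATE_CSV = """email,enabled,on_leave
alice@example.com,true,false
bob@example.com,false,false
carol@example.com,true,true
"""

SAAS_CSV = """login,status
Alice@Example.com,active
bob@example.com,active
carol@example.com,active
dave@example.com,active
erin@example.com,suspended
"""

def _load(text, key):
    """Index CSV rows by a normalised (trimmed, lower-cased) e-mail address."""
    return {row[key].strip().lower(): row
            for row in csv.DictReader(io.StringIO(text))}

def reconcile(corporate_csv, saas_csv):
    """Return SaaS accounts that are still active but should not be.

    Each finding is a (login, reason) tuple; the list is sorted by login.
    """
    corp = _load(corporate_csv, "email")
    saas = _load(saas_csv, "login")
    findings = []
    for login, acct in saas.items():
        if acct["status"].strip().lower() != "active":
            continue  # already suspended in the SaaS application
        person = corp.get(login)
        if person is None:
            findings.append((login, "no matching corporate identity"))
        elif person["enabled"].strip().lower() != "true":
            findings.append((login, "disabled in corporate directory"))
        elif person["on_leave"].strip().lower() == "true":
            findings.append((login, "on extended leave"))
    return sorted(findings)

if __name__ == "__main__":
    for login, reason in reconcile(CORPORATE_CSV, SAAS_CSV):
        print(f"{login}: {reason}")
```

Whether an account on extended leave should be suspended in the SaaS application is a policy decision; the check only surfaces it for review.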

At the other end of the scale, we have directory integration. In the Microsoft world, that’s either Federation or Directory Synchronization. The concept of Federation is pretty cool. My favorite analogy is a theme park pass. With Federation, the San Diego Zoo AND Knott’s Berry Farm will both let you in with a SoCal Theme Park Pass ticket, even though that ticket wasn’t issued by them. You can continue to do your own identity management internally, and when you suspend an account, it’s not getting access to your SaaS application. Your users enjoy single sign-on, passwords never leave your organization, and multi-factor authentication is supported. Azure Active Directory even talks to 3rd-party identity providers like PingFederate and Okta.

The gotcha with Federation is that it requires some resilient infrastructure. If your ADFS server is unavailable, people can’t authenticate. For this reason, it’s generally discouraged for smaller businesses.

Directory Synchronization is another option. This connector manages updates between your on-premises Active Directory and Azure Active Directory, and also lets you filter which internal accounts sync up to the cloud.
You can then use Azure Active Directory Premium to provide single sign-on to many compatible SaaS applications. You can also hide the password to those systems, so, for example, your marketing team can access your corporate social media account and never know the password. In that case, if they leave, they can’t log in to the generic account, even if you haven’t changed the password yet, because they never knew it.

See Simon May’s extensive list of resources for Active Directory Federation Services (ADFS) and Azure Active Directory Sync (DirSync)...

Outside of the Microsoft world, maybe you’ll take a look at one of the many Identity-as-a-Service players. If you’re interested, Gartner even has a magic quadrant for it. My favorite has to be OneLogin for its ease of use and powerful features.

Of course, all of this is useless if the SaaS application you are considering doesn’t support any kind of directory integration. Then you’re back to that manual process. But better to find out during your discovery and pilot process as opposed to after you’ve been asked to provision 300 users.

Share your thoughts on the following: Is identity management a show stopper for SaaS adoption? Is it easy with your current infrastructure? Or do you shudder just thinking about it?

-SCuffy

26 Comments
MVP

Interesting....

Identity-as-a-service, that's a new one to me. 

Looks like I'll have a chance to interact with Okta pretty soon.  So we shall see.

I am not a Gartner fan. Just because something is in the magic quadrant doesn't make it appropriate for your needs. I worked at one company who wouldn't touch any software that wasn't in the magic quadrant. One time I asked a manager, what if the product is installed and falls out of the magic quadrant... what do you do? Replace it with something that was in the magic quadrant that may not fit the requirements/needs of the company other than being in the magic quadrant? I never got a real answer and I suspect it was bragging rights for someone in upper management that all their software was in Gartner's magic quadrant.

Level 14

Good read

This kind of identity management never passes my desk, is just one of those regular housekeeping items that sometimes happens well, sometimes happens too slowly.

I agree that to have a great meal, all the courses require excellent ingredients and care.  It's just that this one ends up being H.R.'s baby, and our H.R. department is efficient and good.

Like all components in a smoothly oiled and well maintained machine, I don't notice this one because it stays running nicely.

Kudos, H.R.!

We are in the process of streamlining Identity Mgmt in the Cloud as we move towards O365, Skype for Business, and OneDrive. In the early stages we have found that the organic growth and dishevelment of our existing AD has caused a ripple effect on Identity Mgmt not just in the Cloud. The lesson we learned here... don't build on a weak foundation!

Level 13

Yes, if there's a chance for anything -as-a-Service you'll find it these days. Identity as a Service is generally a Cloud based user directory, usually applicable across multiple SaaS services.

And I hear you re magic quadrants. In the SMB world, they'd go "Magic what?"

-SCuffy

Level 13

Thanks, I appreciate the feedback.

Level 13

Can we clone your HR team?

Do they have to manage any SaaS access?

-SCuffy

Level 13

So much this!!

-SCuffy

Level 11

Thanks for the read!

Our H.R. doesn't deal with SaaS until our Security Team brings something to their attention, or until there's an issue someone asks Security to look into for H.R.

Level 17

Nice insight

Level 13

So your security team manages SaaS access? Hopefully with say a notification from HR that someone 'has left the building'?

Absolutely!  There is a process in place where HR or Managers work with each other to keep track of employees, their necessary or revoked network privileges, etc.  Both of them coordinate with Security to add or remove employees or change access rights.

As we move towards implementing our newly installed ACI, those rights will be more granularly defined; access to systems will no longer be solely through AD groups, and will reflect the type of device connecting to the network (via ISE).  A BYOD environment will provide limited/restricted/secured/isolated access to certain resources, a corporately-owned and managed device will have more rights--but will still be limited by the employee's rights and the machine-type's needs.  And so on and so forth.

No one remains on the rolls with access once they've left.  And incoming employees' access is carefully analyzed to ensure they have no more access than needed to accomplish their defined tasks.

Level 13

Love it! So, next question: are you also securing how information is shared outside of your organisation?

Yes and no. Once someone's made a screen shot or taken a photograph of corporate information, how can one secure it--particularly when Security is unaware of the occurrence?

On the other hand, outbound and inbound mail is analyzed for anything matching various criteria (PCI info, PHI/HIPAA info, etc.) and that's automatically encrypted and sent to a third-party station for secure pickup.  But again, once that data is in someone else's hands, how does one secure it?

Outbound information is "secured" by corporate policy and contracts and NDAs. But again, if there were a breach or violation, it might be challenging to ascertain the source of the breach. We haven't gone to the paranoid state (yet) of creating unique typos in documents for every different employee, with the goal of analyzing breached documents to see whose document was stolen, and then assigning responsibility for that breach to that employee. But I've heard of other companies that do this.

I expect the CISSP's and their peers have methods of accomplishing these challenging tasks.  I'm not in Security, but I do my share by securing the network with best practices, and with managing nearly 70 firewalls, and making certain the knowledge of new processes and products and connections is shared with Security.

We hired a dedicated professional CSO recently, who has expanded the IT Security staff numbers.  I think good things are happening there.  Are they enough?  How does one know until legal papers are served, and one's company is in the newspapers & evening news shows?

A good hacker might never be discovered.  The same with a mole.  Or a "plumber", to use R.M.N.'s pseudonym.

Level 13

Yes, good points. I asked because of Microsoft's efforts with Data Loss Prevention and now Azure Information Protection in the Cloud. Seems they are keen on helping prevent information from being knowingly sent outside your organization. Though as per my other post on where are you managing risk, I wonder where we draw the line. Maybe the Security department would have a different answer if they could secure all the things.

Thanks for sharing your insights - I appreciate the conversation.

-SCuffy

Perhaps as concerning (or more?) is MS O365.  Prove to me that anything cloud-based is secure.  If I cannot secure it personally, I am forced to trust a stranger who says the solution is safe.  (Head shakes and eye rolls).

If an Edward Snowden can walk into work and walk out with secret Pentagon data without their knowledge, how can anything cloud-based become trusted?

Level 13

I'm with Jfrazier, not a Gartner fan either.

Too many Wizards controlling the strings in the cloud to be safe. Corporate secure is big to us!

Level 12

It's funny you bring up O365. Our partner entity was looking into going to O365 specifically for their Outlook/Exchange purposes. They scrapped the whole project because they discovered Microsoft cannot guarantee PCI & HIPAA Compliance.

MVP

Inconceivable !!

MVP

Infotech are cool, you can tailor it depending on your needs to get specific suggestions - very nice

MVP

When you're looking at any Identity Management though, knowing what you intend to use it for is really important before starting the onprem/SaaS discussion.

If you're using your IDM to connect to internal systems with some external federation then onprem is the way to go.

IDM can be so much more than single signon and authentication. It can extend to managing the authoritative sources for all sorts of different aspects of identity in a huge number of systems.

As with all things, understand your vision and final destination before starting on the path

Level 13

It's interesting to see Gartner has fallen out of favour with a lot of corporates. Or did it just have a reputation of being trusted?

Level 13

Absolutely! The right tool for the right job, implemented the right way. I like hearing of those case studies where companies are using IDM to obscure login details to Cloud services, to retain control. And back in a previous role (a long time ago) one client embarked on a HUGE corporate identity project with some software from a European company (maybe Siemens?) to even try and tackle identity management and sources of identity truth across multiple on premise systems. Some things haven't changed, and identity management remains an art of its own.

Level 21

I really love the analogy of Federation to the theme park pass, that is a great way to explain it!

With our new heavy focus on our partnership with Microsoft we will be moving forward with Azure Active Directory. 

Level 13

Thanks! I had to convert it to American. Here in Australia it's a MyFun pass for access to Movieworld, Sea world and Wet n Wild.

All the best for your AAD implementation!