Cloud-Ready Software for Securely Extending Enterprise Investments into the Cloud

Transcription

1 I D C V E N D O R S P O T L I G H T Cloud-Ready Software for Securely Extending Enterprise Investments into the Cloud July 2010 Adapted from Worldwide Identity and Access Management Forecast Update and 2008 Vendor Shares by Sally Hudson, IDC # Sponsored by Novell Corporate responsibility for the security and integrity of IT is increasingly a concern regardless of whether the IT resources are internal or external to the enterprise. As systems have become increasingly open, and remote access is now commonplace, users are continually presented with opportunities to exploit security and policy weaknesses. Misuse and abuse of IT resources is sometimes intentional, but more often than not, it is unintentional. Unfortunately, the result is the same inadequate access controls and excessive user privileges have cost organizations literally millions of dollars in lost or misused data, loss of consumer confidence, and heavy fines for violating compliance regulations. We see these headlines in the news on a daily basis, and no CEO wants notoriety of that sort. A recent IDC survey of IT professionals across large, medium-sized, and small companies revealed that excessive privileges and poorly implemented access control have created more negative financial impact for organizations than any other security-related incident. As a result, organizations are looking to increase security and accountability for everything touching the IT domain. At the same time, organizations are looking to make IT more responsive to business needs. All of this is done with an eye toward cutting costs and achieving efficiency. Fortunately, now is the time for businesses to take advantage of both advanced technology and new delivery models to achieve security and compliance goals and optimize operations. Today, many emerging platforms promise the deployment, management, and efficient use of technology. Cloud computing in all its forms internal to the organization or external to the organization, or a hybrid of both can be implemented to save resources and maximize efficiencies, provided that key questions can be answered with regard to security, privacy, and access control issues. Fortunately, solutions are available, but providing a solid, secure, and flexible framework is central to achieving these goals. This paper examines how the ability to secure the cloud with identity and access management (IAM) technology enables IT organizations to manage and optimize computing resources in a policy-driven, secure, and compliant manner. In addition, this paper discusses the role that Novell plays in the important market of cloud security. Security in the Cloud World-class enterprises have found that identity and access management is a key factor in achieving compliance, increasing security, and streamlining business operations. IAM provides the who, what, when, where, and more recently, why of who has access to which resources within the organization. As businesses evaluate solutions to provide cost savings and increased business agility, larger numbers of companies are contemplating moving their business applications to the cloud or outsourcing IT infrastructure onto cloud-based platforms, or a combination of both. To ensure success, the cloud model must demonstrate the same levels of security and accountability found with on-premise enterprise IT. Transitioning to a cloud platform requires several key assurances, which IAM technology facilitates. IDC 984

2 Ideally, an identity-driven cloud platform should provide the following: Security Agility Risk mitigation Compliance Scalability These attributes must be effectively and dynamically managed. Fortunately, today, products and solutions are available to assist IT professionals and business managers in this continuous process. For IT departments, the ability to intelligently manage workloads across physical, virtual, and cloud environments is critical for delivering business services to end customers. The need for these capabilities will grow as organizations evolve their IT strategies toward cloud delivery models. The ability to control access to applications from the datacenter to the cloud will be vital in order to ensure risk management and compliance. An identity-driven cloud rests on a solid identity management framework, which in turn should be tuned to demonstrate high levels of security and compliance capabilities for traditional as well as new computing models. While only a small percentage of enterprises are computing in the cloud today, that number will grow exponentially in the coming years. Whether an organization is moving to the cloud or maintains an internal cloud, or a combination of both, it is crucial to know who is doing what before going anywhere. Questions surrounding who will own the responsibility for securing the cloud must be answered, and much of this rests on the ability to control how identities and access can/will be managed within the amorphous cloud environment. No single answer exists, but many approaches ultimately will converge in tandem with the growing maturity of the evolving cloud platform models. For enterprises to achieve a truly identity-driven cloud, a favored option would be to extend enterprise-class identity management capabilities into the cloud. This would allow enterprises to retain control of who has access to what throughout their entire resource landscape whether within the firewall or in a hosted environment. A critically important but often overlooked factor when implementing an intelligent identity framework, which is an automated, extensible, standards-based approach to identity design and deployment, is ease of use. An organization cannot benefit from an identity management framework if it requires too much effort and IT integration to work effectively. Ideally, business managers and IT professionals should work together to select the appropriate identity platforms from an ease-of-use and security/compliance effectiveness standpoint. The ease-of-use requirements should span initial deployment through expansion to include (or terminate the use of) new systems and identity services. The desired fluidity of an identity-driven framework demands the use of ongoing policy management and controls that can be readily accessed and understood by the business user. Ideally, an identity platform or ID-driven cloud will eventually consist of multiple security domains across disparate systems. The ability to easily and automatically enforce enterprise policy across all of these systems is crucial to security, compliance, and overall business health. Definitions Identity and access management is a comprehensive set of solutions used to identify users in a system (employees, customers, contractors, etc.) and control their access to resources within that system by associating user rights and restrictions with the established identity IDC

3 According to IDC's Worldwide Identity and Access Management Forecast Update and 2008 Vendor Shares report, IAM generated more than $3 billion in 2008 and is expected to reach almost $5 billion by This is exclusive of managed services. IDC research shows that government and industry compliance regulations are driving 85% of this market momentum. The first step organizations should take to protect today's diversified IT infrastructures is controlling user access. Regulations such as Sarbanes-Oxley (SOX), GLBA, PCI, FFIEC, and HIPAA place strict requirements on information privacy and security. Therefore, managing access to that information is an extremely important part of security and risk mitigation for corporations and government entities today. IDC research suggests that the following are among the most common sources of compliance failures: Unresolved segregation of duties (SoD) that inadvertently enables accounts with excessive access/privilege rights Failure to control the number of users with access to files in production and in network share files Failure to adequately reference and secure data in applications Inability to properly document manual processes and reconcile these processes to the IT systems used Failure to manage and deprovision orphan accounts in a timely manner Inability to adequately secure access to operating systems and databases that support corporate financial applications and transactions Failure to enforce security across various silos (e.g., SaaS, collaboration, business applications) (This is problematic due to different sets of credentials and policies in different organizations. Companies have a proclivity to maintain the silos [if it works, don't fix it mentality], but the need to enforce policy in a seamless, consistent manner is paramount to corporate security hygiene.) Failure to adequately implement access control to business applications running outside the core IAM platform To address the concerns on this list, organizations most often turn to password management, password self-service, and secure single sign-on (SSO) as the initial entry points to IAM. Further, password self-service allows users to set or unlock their own passwords, helping to reduce load and call volumes on the help desk a very significant savings in both time and resources for organizations. As companies successfully implement and derive benefits from the IAM components above, the natural course is to build out and extend the identity infrastructure to achieve a strong and flexible foundation for current and future needs. Vendors offering IAM framework foundations should be vetted for: Reliability Scalability Standards-based, easy interoperability Advanced tools that can simplify development and allow developers to easily create and customize enterprise workflows (e.g., single view, drag-and-drop formats, automation) Automated data cleansing 2010 IDC 3

4 Reporting and auditing Process automation to eliminate time-consuming, error-prone manual processing The ability to extend enterprise-compliant processes such as workflow approvals, identification of (SoD) violations and provisioning/deprovisioning into the cloud (This often involves integration with an enterprise-class security information and event management [SIEM] solution.) Solid network of tested integration partners As organizations move toward cloud platforms and SaaS delivery mechanisms, IDC believes that the same security infrastructure and GRC capabilities offered by IAM technologies will be extended to these next-generation computing platforms. IAM technologies will play a central role in offering security and compliance to cloud environments as they provide solutions to central questions (e.g., "How do I enforce policy across all my applications both traditional on premise and SaaS?") Benefits To be competitive in the 21st century, enterprises need a flowing, automated identity management system that allows for a strong security framework. This type of system must allow for easy implementation of new controls because the compliance landscape and the spectrum of security threats are constantly evolving and expanding. Today, customers in all market segments, including banking, financial, insurance, higher education, healthcare, government, and manufacturing, are looking at identity-driven platforms and frameworks to provide the following: More streamlined business processes Greater business agility Increased security Robust access management Security professionals are looking for solutions that provide preventive rather than reactive security. Because enterprises typically have fewer staff members and less time to deal with repairing security problems, state-of-the-art security solutions, once configured, must provide high levels of assurance with minimal maintenance requirements. In conjunction with this, IAM solutions should be centrally managed and monitored to avoid security/compliance breaches in off-premise or isolated departmental applications and processes. A seamlessly integrated workflow would span all this and allow business owners and senior administrators to approve and document changes in user access according to established provisioning rules and templates all with an enterprisewide view of user access privileges. The need for an enterprisewide view and centralized management approach is demonstrated by organizational downsizing today. Enterprises that are restructuring can take this as an opportunity to embrace leading-edge provisioning technology to ensure that closed accounts are removed as part of the ongoing provisioning/deprovisioning process. This both maintains higher levels of security and assists greatly in meeting compliance demands. In conjunction with this, there is also an increasing demand for role-based access and control (RBAC) software, which is used to group all of the tasks associated with a job function and ensures that administrators are granted only "least required privileges." IDC

5 By adopting this approach, systems architects can simplify provisioning, reconcile roles, do matching, and identify redundancies and anomalies within permissions assignments across the system. Reporting features within the software can be used to equal advantage by both auditors and system architects in support of management access control. Managed service providers (MSPs) also play a pivotal role in the overall IAM ecosystem. With the increasing reliance on these providers to provide identity services for large and potentially enormous pools of users, managing identities, scalability, and fault tolerance is key. Managed service providers today are beginning to implement automated identity-driven frameworks to ensure access control functions and will be using intelligent workload management techniques moving forward to ensure that customers have a continual, centrally managed, secure, and business-optimized service environment. Custom reporting capabilities are also necessary for these organizations to operate effectively on a large and ever-changing scale. Considering Novell's Intelligent Identity Management Novell Inc., headquartered in Waltham, Massachusetts, has been providing IAM technologies for the better part of a decade. The company recently launched its new Novell Identity Manager 4 family of products. This latest release has been architected with both enterprise organizations and cloud/managed service providers in mind. The software is made up of a family of products, each designed to meet the particular needs of the client base. Some specific examples are mentioned below: The Role Mapping Administrator module provides a single-pane view for all permissions, roles, and resources for a target system. This facilitates integration of the system provisioning policy and permissions with the enterprise roles. The integration between business roles and permissions serves to create a unified governing policy. The software includes a visual drag-anddrop approach to linking permissions to enterprise roles designed to simplify the user's ability to implement policy integration at the initial setup, as well as for ongoing maintenance. Novell supplies a modular policy framework called Package Manager that houses various loosely connected policy packets or building blocks. Initially, the content policy provided out of the box is geared more toward providing technical professionals with assistance. For example, Package Manager policies can be used to create new users in Active Directory and determine what they should be called, how they should be placed, etc., all within the Novell Identity Manager policy language. Other questions addressed are things such as determining urgent versus nonurgent application event alerts, password rules, dependency tracking, etc. There is a reporting engine with data warehouse, which can help in examining a user's current state, as well as approvals, to determine who did what, when, and how. For MSPs, ISVs, and large IT organizations, this modular approach aims to simplify change management and subsequently shorten time to value. The baseline policy content provided by Novell is collated from Novell's 10+ years of experience in the identity management market and is tailored to enable modification by third parties, MSPs, ISVs, etc. The automated system provides alerts on unintended effects of a policy change where a policy is deployed across multiple systems. Features include versioning, installation/removal, dependency tracking, meaningful package naming conventions, and other attributes that function together to enable an agile and intuitive approach to policy management throughout the enterprise. Detailed, real-time automated reporting allows for efficient allocation of business resources on an ongoing and as-needed basis IDC 5

6 Managed Service Providers Can Ensure Compliance and Security Within an Identity-Driven Cloud Finally, for those moving toward cloud computing, Novell Identity Manager 4 is available with technology embedded to extend to the virtualized environment. Novell is targeting MSPs with features such as improved scalability and fault tolerance, both of which are required to meet standard service-level compliance mandates such as SAS 70. Specifically, SaaS 70 compliance assertion, which is essential for SOX, HIPAA, GLBA, and other regulations, requires high availability with a backup plan in case of system failure. Novell has made many of these features available with the Identity Manager 4 family, as well as critical functions required for cloud support. Challenges and Opportunities Risk aversion is high across all industries today as organizations balance the need for business flexibility with the need to meet compliance regulations and avoid security breaches. Companies want to leverage their existing systems whenever possible, and they are looking to the cloud as a way of reducing costs and increasing agility. As cloud infrastructure platforms continue to evolve, the ability to deliver and integrate new software functionality into existing IT systems will be both necessary and appealing to IT consumers. Whether an organization is moving to the cloud or implementing an internal cloud, or both, Novell must immediately demonstrate the value of the intelligent workload management approach to meeting these goals. According to Novell, the intelligent workload management market enables IT organizations to manage and optimize computing resources in a policy-driven, secure, and compliant manner across physical, virtual, and cloud environments to deliver business services for end customers. IDC research shows that now more than ever, companies are looking to adopt proven technology solutions. While as an industry we are still in the early days of cloud development and deployment, this is not always easy, but it is increasingly possible to point to success stories. To compete effectively in this area, Novell must provide potential customers with tangible evidence of value-add with its intelligent workload management platform. A significant trend over the past 24 months has been the movement toward integrating traditional IAM technologies with SIEM and data loss prevention (DLP) solutions. This move is driven by customer demand and necessity in order to increase security, manage workloads, and achieve compliance. Novell's ability to provide a complete solution here should serve it well because it has a solid reputation in all three areas. Enterprise Considerations The emerging ecosystems arising from cloud-based platform adoption will result in a greater dependence on trust and identity concepts. This rests on ensuring identities, access management, and control all of which are critical to success in this market. As such, we believe IAM technologies and related services will continue to be adopted as IT enterprise professionals are increasingly looking to centralize their management and administration to eliminate silos and reduce risk. IDC return on investment (ROI) studies over the past several years reveal that IAM deployments can save and have saved thousands to millions of dollars per application deployed while serving to improve business efficiencies. Savings have been realized in lower compliance reporting costs, fewer manual processes, fewer calls to the help desk, and quicker identification and remediation of improper and unauthorized access. As enterprise IT continues to move toward a cloud-driven approach, it's important to note that IAM software inherently has many of the standards and technological requirements for supporting Web services implementations. These include SSO, SAML, LDAP, certificate authority (CA), etc. Enterprise organizations should be critically evaluating their existing identity frameworks now, not later, as failure to do so will result in poorly implemented business processes, increased risk, and potentially failed audits IDC

7 Conclusion Industries are looking to IAM technologies to solve the following issues: Maintain compliance with both government and industry regulations. Increase security, especially to prevent identity fraud and identity theft as well as to protect privacy and systems integrity. Auditability. This refers to who was accessing what information when within the system. Automated auditing and reporting capabilities have become part of the cost of doing business for the majority of organizations worldwide. Accountability. This includes access and permission rights; who granted them, when, and why. The granularity and the flexibility required today go beyond simple directory management; this is increasingly achieved via provisioning and other IAM products. Scalability. With more users accessing systems from different locations on an around-the-clock basis, the ability to scale is a critical function that should be determined prior to selecting an identity framework solution set. Achieve business agility through increased automation and user-friendly design. Novell has a significant customer base and continued to build momentum for its security, identity, and compliance management software in 2009 by expanding its partner ecosystem. IDC believes these are key components for future growth. A B O U T T H I S P U B L I C A T I O N This publication was produced by IDC Go-to-Market Services. The opinion, analysis, and research results presented herein are drawn from more detailed research and analysis independently conducted and published by IDC, unless specific vendor sponsorship is noted. IDC Go-to-Market Services makes IDC content available in a wide range of formats for distribution by various companies. A license to distribute IDC content does not imply endorsement of or opinion about the licensee. C O P Y R I G H T A N D R E S T R I C T I O N S Any IDC information or reference to IDC that is to be used in advertising, press releases, or promotional materials requires prior written approval from IDC. For permission requests, contact the GMS information line at or gms@idc.com. Translation and/or localization of this document requires an additional license from IDC. For more information on IDC, visit For more information on IDC GMS, visit Global Headquarters: 5 Speen Street Framingham, MA USA P F IDC 7