E l i m i n a t i n g Au t hentication Silos and Passw or d F a t i g u e w i t h Federated Identity a n d Ac c e s s

Transcription

1 I D C T E C H N O L O G Y S P O T L I G H T E l i m i n a t i n g Au t hentication Silos and Passw or d F a t i g u e w i t h Federated Identity a n d Ac c e s s M a nagement November 2013 Adapted from Worldwide Identity and Access Management Forecast: Growth Driven by Security, Cloud and Compliance, by Sally Hudson and John Grady, IDC # Sponsored by F5 Networks As enterprises continue to depend on the cloud for delivery of applications and more workers are using multiple types of devices to access those applications, the need to control who has access to what will grow. Too often, users suffer from password fatigue, having to create and remember many log-on procedures in today s siloed, multi-modal computing world. Critical to keeping company assets secure is a strong approach to identity and access management, often using a software-as-a-service (SaaS) delivery model. This Technology Spotlight discusses the growing need for security in today s cloud-based, mobile world of IT, and the rise of SaaS-based solutions. In particular, this document describes cloud IAM and its challenges. After discussing F5 Network s Cloud Federation IAM architecture, this Technology Spotlight offers some guidance for enterprises looking for SaaS IAM solutions. Introduction In today s intelligent economy, digital identity has become the foundation for business transactions in virtually all industries. As smartphones replace wallets, credit cards, PCs, boarding passes, and other paper-based documents and technologies, the need to provide secure credentials is more important than ever. In addition, enterprises increasingly are using less-secure social networking sites as a way to bring consumers to corporate portals and services. From a security perspective, this combination is a growing nightmare for businesses. The need to keep corporate assets and identities secure has never been greater. Hackers and others continue to find ways to attack enterprises and consumers. Attack vectors continue to increase in number and are becoming more difficult to discover. The constant arms race between attacker and defender means that enterprises must continue to expand their security spending to defend against sophisticated attacks. And there is a time lag between the emergence of new threats and the deployment of new counteracting products. Similarly, enterprises continue to increase their dependence on Enterprise 2.0 tools, which is fueling the BYOD (bring your own device) and consumerization of IT trends in business. Not only are workers more self-sufficient, but these tools typically are less secure than enterprise-level tools. In addition, the growing reliance on mobile and Web apps make it harder for organizations to provide system-wide security. IDC believes that cloud computing will continue to rise as the enterprise IT paradigm. Shared access to virtualized resources over the Internet will continue to account for a larger portion of IT spending, and keeping this access secure will be increasingly job number one for IT. As organizations look for cost-effective ways to keep data and identities secure, they will increasingly turn to security softwareas-a-service (SaaS) to shift security spending from a capital expense to an operational expense. IDC 1602

2 Many enterprises use security SaaS technology in conjunction with on-premise security products, such as Web and messaging security, as well as security and vulnerability management. This trend will continue, as few enterprises are ready to go to a complete SaaS model for security and give up complete control of on-premise technologies. In some cases, regulatory requirements mandate this. Security SaaS will be a key enabler to enterprise mobility and cloud computing efforts. The technology can provide endpoint control, secure content, and authorize mobile users accessing corporate systems with an array of company-owned and personally owned endpoint devices. As for cloud computing, security SaaS will become an inherent component of cloud technology from both security vendors and cloud computing providers. Identity and access management (IAM) will be a critical technology for maintaining security and control of data and IT systems as they transition to cloud computing. In particular, the integration, or federation, of internal IAM systems with cloud-based identity and access platforms will allow enterprises to more easily leverage public and private cloud architectures. As such, IDC forecasts that the worldwide IAM market will account for over $6.6 billion in license, maintenance, and SaaS revenue by Identity and Access Management in the Cloud IDC defines IAM as a comprehensive set of solutions used to identify users of a system and control their access to resources by associating user rights and restrictions with an established identity. Solutions enable the administration of users and access rights, and provide for a complete set of identity and access management life-cycle activities, including authentication, access control, administration, and auditing. To meet the challenges brought about by the overall consumerization of IT, cloud computing, social business, big data, and a more mobile workforce, IAM software is more likely to be delivered as a service. This is because there is a limited supply of trained security professionals. The need for easier solutions will drive the shift from standalone products to SaaS. Moreover, IAM can be broken down into subcategories, creating an even greater need for expertise or easy-to-implement solutions. These include Web single sign-on (WSSO) and federated single sign-on (FSSO); host/enterprise single sign-on (ESSO); personal portable security devices (PPSDs); user provisioning, including roles-based access control, privileged identity management, and finegrained entitlements; advanced authentication; legacy authorization; and software licensing authentication tokens (SLATs). The IAM technology stack is common to all enterprise solutions, including SaaS offerings, and serves both internal and external applications and users. In particular, the authentication layer provides the functionality to authenticate users to established identities. The identity and policy administration layer defines and applies the IAM policies of the enterprise, including policies established to identity and vet entities and provide, change, and remove credentials used throughout the IAM life cycle. The access management layer provides the functionality and services necessary to provision resources to established identities, store and maintain these provisions, and provide access to provisioned resources. The reporting layer provides reporting on IAM administrative activities, including additions, changes, and deletions to directory entries and access rights. Finally, the analytics layer provides the ability to analyze IAM activities using current and historical data for determining resource usage trends and authentication and access violation patterns. Adding to the challenge of enterprise security is the increasingly broad range of structured and unstructured data that is moving across the network and the many types of devices used to access the network. Security solutions must now handle access from smartphones, tablets, PCs, and other IDC

3 form factors, often with different operating environments. Provisioning once access is granted now includes enterprise applications, mobile apps, social media, streaming video, and traditional data. This creates a highly complex environment in which the enterprise must control who has access to what and when. IDC sees six key trends further driving adoption of IAM solutions. These include 1) an increasing amount of digital information, 2) the continued rise of cybercrime, 3) continued economic pressure, 4) virtualization of the datacenter, 5) continued growth of the mobile workforce, and 6) the rise in industry and government regulations. The Challenges of Cloud-Based IAM The cost of compliance and the efficiency of IAM solutions are difficult to measure, and this will continue to be a problem with SaaS delivery. In recent IDC studies, nearly all enterprises interviewed stated that operating costs and lack of budget are the most significant challenges to effective and efficient IAM operation. But there still is a need for stronger access management and better performance across the organization, as well as heavy pressure in many industries to meet regulatory challenges. On top of that is the fact that IAM in a virtualized, employee-owned, mobile world is complicated. Perhaps the biggest challenge with SaaS-based IAM is the creation of separate IT silos that need to be kept secure. Most SaaS applications, mobile apps, and enterprise solutions have their own procedures for username, password, and access control enforcement. As a result, these procedures must be coordinated, or better yet, integrated. They also introduce potential lapses in security and can reduce productivity. Risks increase when users suffer from the resulting password fatigue stemming from too many login requirements. New-account creation is more time consuming, but worse are the risks caused by delayed account deletion. But the need for organizations to connect a significant number of different systems, from enterprise applications to third-party apps hosted in other environments, continues to grow. Provisioning them for access is a difficult process that demands some sort of automated workflow across these silos. Typically adds, changes, and provisioning of users are done manually, so decentralization of access management can be a nightmare because many organizations lack the right tools. Redundancies in identity stores across the enterprise also are a challenge. The biggest issue many organizations have is coordinating access in a changing environment. As projects and the personnel involved change, the need to automate becomes imperative. In addition, reporting and auditing can be a problem, particularly in industries that require proof of compliance. Regulations such as PCI DSS, SOX, FFIEC, FISMA, NIST Special Publication , HIPAA, and NERC CIP are creating a greater need for integration of IAM. Coupled with this is the move toward adopting public, private, and hybrid cloud, as well as incorporating mobile devices within IT infrastructures in a secure fashion. It's imperative, therefore, that providers of IAM solutions, particularly SaaS-based solutions, provide proof points that best measure value based on the overall strength of the core security solution. This includes the degree of automation and life-cycle management, simplicity in administration, and the ability for the solution to scale across access devices and internal, external, and hybrid IT environments. Considering F5 Networks F5 Networks newest foray into cloud-based security solutions is its Cloud Federation architecture, which provides enterprises with an alternative to adopting and managing SaaS providers IAM solutions. With Cloud Federation, F5 Networks provides unified access management and high IDC 3

4 performance application delivery for users wherever they are, and on any device. It provides a single policy management solution to manage users as part of the entire application delivery life cycle. Cloud Federation architecture differs from multi-factor authentication in that it does not add another security silo that needs to be managed by IT. While multi-factor authentication is a separate solution that manages different authentication processes in its own silo, F5 s architecture creates a federation between SaaS providers and the datacenter to create a silo-less system for IAM. F5 s Cloud Federation architecture uses Security Assertion Markup Language (SAML) -- an XMLbased open standard data format for exchanging authentication and authorization data between parties. As a result, the architecture eliminates the need to separately manage independent user accounts across SaaS and internal solutions, and enables single sign-on (SSO), particularly in Webbased environments. Essentially, Cloud Federation inserts a layer of dynamic access and identity management services that provides federation and unification of credentials across cloud and datacenter resources based on enterprise authority. This approach is less disruptive than adding another siloed tool or service for authentication. This layer also provides single-sign on capabilities, mitigating security and efficiency concerns caused by password fatigue. IT can govern all policies for sign-on credentials, such as password length, history, interval of change, and composition. This federation of identity and access management can alleviate loss of control and resulting security threats. It's designed to improve the overall experience for end users by reducing the number of credentials they must manage to conduct business. Most important, in today s multidevice world, the architecture provides a consistent method for IAM. The Cloud Federation architecture enables enterprises to provide stronger authorization solutions to end users, including two-factor authentication, geo-ip location enforcement, and device inspection. By adding F5 s Local Traffic Manager (LTM) and Access Policy Manager (APM), the architecture provides a platform for: SAML integration between organizations' private IAM systems and external SaaS providers Consistent, multi-factor authentication for all users across all systems accessed via the F5 LTM + APM devices A single point of management for all services accessed A unified application delivery tier that enables enterprises to control and enforce security and access policies regardless of application deployment or user location Challenges But F5 Networks does face some challenges. The company has already sold its solution based on the architecture providing the needed federation and integration while delivering simplification. However, established vendors with competing solutions will try and persuade enterprises otherwise. Similarly, the company will face challenges from the SaaS solutions vendors, who will tout their own IAM approaches. Conclusion and Essential Guidance IDC estimates that cloud services spending will ultimately account for a large proportion of all IT spending. The key advantage of cloud services will be the ability of IT organizations to shift resources from maintenance to new initiatives. But when this trend is added to the growing reliance on Web applications and social media, and associated multiple form factors and data types, it makes it harder for organizations to provide system-wide security IDC

5 As organizations move to the cloud and associated SaaS offerings, they will look at security SaaS as a way to shift the growing cost of security from a capital expense to an operational expense. Critical to the success of security as a service is identity and access management to manage who can access what and when. But IAM as a service creates challenges for enterprises, most notably that these technologies can create silos of sign-on and authentication procedures, creating inefficiencies and potential security leaks as users take it upon themselves to avoid password fatigue by reusing the same password for multiple applications. Enterprises looking for expanded IAM in cloud-based networks need a way to automate the integration, or federation, of multiple internal and external systems. For organizations looking for comprehensive IAM solutions for their cloud-based networks, IDC recommends asking themselves the following questions: Does the organization have access and authorization policies that are consistent with SaaS and cloud-based solutions? What are the regulatory issues facing the organization and how must IAM support compliance? What traditional and SaaS applications need to be linked together, and who needs access? How will the organization measure performance and benefits of IAM? Which IAM approach will be most effective in helping the organization ensure appropriate security without increasing end-user complexity? What IAM options do the existing SaaS providers offer, and what third-party solutions are available? Because SaaS and security vendors will claim that their solutions will meet organizational needs, it's imperative that any enterprise work with a trusted partner who will help assess what is really needed. IDC recommends that businesses look for IAM providers with broad industry experience providing solutions for internal and external networks, and in public/private clouds. In addition, enterprises should look for standards-based IAM solutions to ensure compatibility and the ability to create secure application federations. To the extent that F5 Networks can meet the challenges described earlier, the company s Cloud Federation architecture has a significant opportunity for success in this strategically important market. A B O U T T H I S P U B L I C A T I ON This publication was produced by IDC Custom Solutions. The opinion, analysis, and research results presented herein are drawn from more detailed research and analysis independently conducted and published by IDC, unless specific vendor sponsorship is noted. IDC Custom Solutions makes IDC content available in a wide range of formats for distribution by various companies. A license to distribute IDC content does not imply endorsement of or opinion about the licensee. C O P Y R I G H T A N D R E S T R I C T I O N S Any IDC information or reference to IDC that is to be used in advertising, press releases, or promotional materials requires prior written approval from IDC. For permission requests contact the Custom Solutions information line at or gms@idc.com. Translation and/or localization of this document requires an additional license from IDC. For more information on IDC visit For more information on IDC Custom Solutions visit Global Headquarters: 5 Speen Street Framingham, MA USA P F IDC 5