
IDC TECHNOLOGY SPOTLIGHT

The Identity Imperative in the Cloud

March 2015

Adapted from Worldwide Identity and Access Management 2014–2018 Forecast by Pete Lindstrom, IDC #252210

Sponsored by Symantec

Enterprise IT architectures have evolved dramatically from the days of on-premises monolithic and simple client/server architectures with centralized resources. These architectures, once easily protected by firewalls and other "layered" security solutions, have been replaced by highly distributed service-oriented architectures with components deployed in hybrid environments that include public and private clouds. Although these environments have greatly improved flexibility and resilience, they have also increased the attack surface for those with malicious intent. Security needs to adapt to these changing architectures by focusing on protecting what matters: user identity, data, and workloads.

This Technology Spotlight describes how cloud-based enterprise IT architectures have changed the security equation, raising the importance of identity protection — and increasing the opportunity to protect identities — a key component of cloud security. This document also discusses how chief information security officers (CISOs) must focus on identity management to regain control over their disparate computing environments. This Technology Spotlight discusses Symantec's Identity Access Manager platform and provides insight for enterprises looking to keep their cloud-based IT environments secure.

The Growing Complexity of IT Security

IT has always been heavily reliant on network-based security solutions such as firewalls forming a secure perimeter around resources to keep information safe. This approach makes sense in a static, centralized IT environment. But today's enterprise computing is different, with users, applications, and information now dispersed across a heterogeneous architecture that incorporates traditional enterprise computing, mobile devices, and the cloud.

When monolithic mainframes gave way to two- and three-tier client/server architectures, IT architectures began their journey toward the n-tier, n-peer highly distributed architectures that they are today. These abstracted, service-oriented frameworks provide much-needed flexibility and resilience, but the standardized communications and exposed application programming interfaces (APIs) that make those benefits possible come at a cost: each one is a new attack point, and an attacker who probes it may be able to subvert the expected application flow.


Starting from the End: After the Breach

The aftermath of a breach is never pretty. The damage must be assessed, and affected users and customers must be alerted, all of which is costly in terms of money and reputation. IT must also determine the root cause, which can take weeks or months.

Attribution has become an important part of root-cause analysis, and, as any investigator will tell you, the people who already had access are the first suspects. So the first question is, "Who could have done it?" Forensic analysts, if they are lucky, can evaluate the evidence by looking at the compromised resources and tracing activity back to a user account or accounts to focus on. Otherwise, they will need to cast their net more broadly by evaluating the access controls in place, which yields an even larger list of suspects. In any case, once the account or accounts are identified, those users must be interviewed and evaluated.

At the application layer, the identity of the user is explicit. Across the remaining access points, it is much less clear. With more distributed applications or cloud-based environments, there is less contextual awareness of users, and user identity is lost as a compute session crosses many architecture elements. Because it is possible to break out of an application or escape from a virtual machine, for example, it is increasingly difficult to distinguish legitimate activity by legitimate users from illegitimate activity until something happens.

Tracing activity to an account is hard enough, but then the trail weakens. When successful, forensic analysts often discover that the cause involved compromised user accounts. A user's credentials could have been stolen through social engineering, phishing, malware-dropped keyloggers, man-in-the-middle attacks, or other methods. But often, forensic investigations cannot achieve true attribution. What's more, forensic analysis is disruptive, and determination of cause makes everyone miserable. The analysis identifies application owners, data owners, and who had access. No one wants to be held responsible, and users often adopt a bunker mentality in which they help, but not too much, lest it implicate them. Productivity suffers as IT security staff try to decide whether the cause was ignorance, negligence, malice, or an insecure company policy. And then the second-guessing begins, where executives determine how the organization might have done things better and quickly implement stopgap measures that may be even more disruptive.

The Importance of Identity Management

In many ways, identity management is about protecting the innocent.

Security breaches happen and will continue to happen. As chief information security officers (CISOs) face the daunting task of securing the cloud-based enterprise, they must recognize that a good security program combines preventive and detective controls. For online identity, CISOs should validate credentials throughout their life cycle, from issuance to disablement, and track how they are used for authentication and access to the many resources that make users more productive. To strengthen the program, CISOs look for efficient ways to provision and deprovision users, strong forms of authentication, single sign-on (SSO) and access management solutions with central logging, and management of shared and privileged accounts.

But online identity protection has been a thorn in the side of anyone who has ever tried to gain access to an application and forgotten the password, which is to say, everyone. From a usability standpoint, there are two challenges: making the whole authentication process simpler, and reducing the number of passwords with SSO. Combining simplified authentication with SSO provides access to several applications with a frictionless experience. Controlling this process, however, is difficult.


With mobility a critical part of business today, especially as workers use their own devices for business purposes, authentication challenges are on the rise. Many different types of devices are used to access unsanctioned applications, reducing IT control. Data can be uploaded to applications that IT doesn't know about, making it increasingly difficult to track and secure this resource, which in turn makes identity management even more critical.

What We Know About Cloud Identities

As cloud and mobile architectures are built into existing IT infrastructure, we must consider the impact on identities and credentials. Most importantly, we should recognize how management and usage are changing:

Longer sessions: It is common for users to log in to multiple applications at the same time and keep them open/available for extended periods of time.

Broader access: Mashup architectures, federated credentials, and the general growth of functionality drive access to a greater set of resources.

Increased number of password stores: Federation notwithstanding, users are creating accounts at a growing rate, many of which maintain their own separate password stores.

Less control over context: Heterogeneity inside the enterprise pales in comparison to the disparate availability of applications in the cloud. Each application operates as a separate island.

The CISO's Role in Regaining Control over Identity in the Cloud

CISOs must constantly maintain balance among three different variables: risk, cost, and user experience. Risk levels must be managed to a level of tolerance for an organization. Cost is an ongoing concern for any operating unit of a company that doesn't generate revenue. And finally, user experience drives productivity.

If security measures are too complex, users will struggle to use them, reducing productivity, or, worse, find a way to ignore or circumvent them. For example, passwords that are really hard to guess are also hard to remember, so users write them down for easy access, often in obvious locations. And a keylogger captures a password regardless of its complexity, while stolen password hashes can be cracked offline or replayed, so complexity alone is not a defense. Multiple sign-on procedures required to access multiple applications slow workers down and may cause them to sign on once and leave every application open "just in case." So the CISO must find the happy medium of identity management. What is the balance between appropriate security for users and the level of risk the CISO is willing to accept? With too much security, the CISO is authoritarian; with too little, lax. But productivity and risk are inherently linked. The cost of security includes not only the cost of the solution but also the costs associated with security breaches. So the goal is to provide the most appropriate security for the least cost and the least potential exposure. Again, in the cloud, this points to identity management.


These complex solutions still need to be user-friendly. The onboarding process must be automated, because users should only need to know what their role is in an environment; the real complexity belongs at the provisioning level. Automated onboarding makes it easier to grant and restrict access without involving users, while still capturing what resources they require to be productive. This moves the bulk of security from passwords, which are inherently weak, to the system, which can be as strong as the enterprise needs.

Considering Symantec's Identity Access Manager

Symantec offers Identity Access Manager, an identity-based access control platform that provides better visibility, manageability, and security across multiple cloud applications for internal, external, and mobile users. The platform integrates SSO with strong authentication, access control, user management, and other identity and access control solutions and can be deployed as an on-premises solution or a hosted service.

Administrators can define policies based on user identity (e.g., attributes from the respective identity source) and session context (e.g., geolocation, browser, device type) to create the appropriate level of security and compliance. Identity Access Manager also gives administrators visibility into external user directories such as Active Directory, LDAP, and/or a SAML identity provider (IdP), in addition to providing a built-in user directory. Users, including mobile workers, use Identity Access Manager's SSO portal for a single log-in to all cloud applications, so the inherent levels of security do not reduce productivity. Integration with strong authentication technology such as Symantec Validation and ID Protection Service and Managed PKI Service enables enterprises to shift applications to the cloud without sacrificing security for convenience.
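To make the identity-plus-context policy model concrete, here is an added example in Python; it is not code from the IDC document or from Symantec's product. It takes identity attributes as a directory would supply them (group membership) and session context observed at login (country, whether the device is managed, whether strong authentication has already been completed) and returns one of three decisions: allow, step up to strong authentication, or deny. The application names, group names, policy fields and thresholds are assumptions chosen for illustration; the deny-by-default rule for applications with no policy is the practitioner's check that matters most.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    """Attributes as they would come from the identity source (e.g., AD group membership)."""
    user: str
    groups: FrozenSet[str]


@dataclass(frozen=True)
class Session:
    """Context observed at login time."""
    country: str
    device_managed: bool
    mfa_completed: bool


@dataclass(frozen=True)
class AppPolicy:
    """Per-application access policy (field names are assumptions for this example)."""
    allowed_groups: FrozenSet[str]
    allowed_countries: Optional[FrozenSet[str]] = None  # None means no geographic restriction
    require_managed_device: bool = False                # deny unmanaged devices outright
    step_up_on_unmanaged: bool = True                   # otherwise demand MFA on unmanaged devices


def authorize(identity: Identity, session: Session, app: str,
              policies: Dict[str, AppPolicy]) -> Tuple[str, str]:
    """Return (decision, reason). decision is 'allow', 'step_up' or 'deny'; unknown apps are denied."""
    policy = policies.get(app)
    if policy is None:
        return "deny", "no policy defined for application"
    # Identity check first: group membership from the directory decides eligibility at all.
    if not (identity.groups & policy.allowed_groups):
        return "deny", "user is not in an allowed group"
    # Session context: geography.
    if policy.allowed_countries is not None and session.country not in policy.allowed_countries:
        return "deny", f"login from {session.country} is not permitted"
    # Session context: device posture decides between allow, step-up and deny.
    if not session.device_managed:
        if policy.require_managed_device:
            return "deny", "managed device required"
        if policy.step_up_on_unmanaged and not session.mfa_completed:
            return "step_up", "unmanaged device: strong authentication required"
    return "allow", "policy satisfied"


def audit_line(identity: Identity, session: Session, app: str, decision: str, reason: str) -> str:
    """One line for the central log: who asked for what, from where, and what was decided."""
    return (f"user={identity.user} app={app} country={session.country} "
            f"managed={session.device_managed} mfa={session.mfa_completed} "
            f"decision={decision} reason=\"{reason}\"")


# Constructed policies: application and group names are assumptions, not a real configuration.
POLICIES: Dict[str, AppPolicy] = {
    "payroll": AppPolicy(allowed_groups=frozenset({"finance"}),
                         allowed_countries=frozenset({"US", "CA"}),
                         require_managed_device=True),
    "crm": AppPolicy(allowed_groups=frozenset({"sales", "finance"})),
}


if __name__ == "__main__":
    alice = Identity("alice", frozenset({"finance"}))
    for app, sess in [("payroll", Session("US", True, False)),
                      ("crm", Session("US", False, False)),
                      ("wiki", Session("US", True, True))]:
        decision, reason = authorize(alice, sess, app, POLICIES)
        print(audit_line(alice, sess, app, decision, reason))
```

The ordering inside authorize is deliberate: identity attributes are evaluated before session context, so a user outside the allowed groups is denied even from a managed device in a permitted country, and every decision carries a reason string so the central log explains why a step-up or denial happened.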

As enterprise needs change, Identity Access Manager enables IT to change the level of protection for applications to match the evolving requirements. Identity Access Manager enables IT to implement security across multiple cloud applications, essentially providing context for overall enterprise security, without compromising the inherent benefits of mobility and cloud computing.

Symantec Identity Access Manager uses connectors to add new applications that are SAML or Web form based into the user catalogue. The availability of the necessary applications combined with secure SSO reduces the need for workers to use non-IT-supported cloud applications from the road or at home. Although log-in to all applications is achieved through one password (passwordless log-in capabilities further improve the convenience), that single credential becomes correspondingly valuable to an attacker, which is why the context-based policies and strong authentication matter: they limit what a stolen password alone can reach. To protect data that may be downloaded to mobile devices, Identity Access Manager is integrated with the Symantec Mobility Suite, which offers a data container application that encrypts data; if a device is an unmanaged consumer device, enterprise data is automatically isolated from the personal user environment.

Challenges


Conclusion

Enterprise security is perhaps the biggest IT challenge in today's world of cloud computing. While a distributed, use-resources-only-as-you-need-them environment is a major boost to the productivity/cost equation, it removes several architecturally secure barriers. Every link, every association, and every access point constitutes a site for potential compromise. But users require easy access that enables them to maintain high productivity. So the CISO must balance risk against cost and user experience while keeping ahead of those with malicious intent, or while reacting to the inevitable breach. With mobility and the cloud, enterprises must find critical points that form the basis for overall security and are robust enough to deal with evolving environments. With all the changes in enterprise computing, context has shifted away from in-house applications or data. The new IT context is the enterprise resource that will always be there: the user. As such, CISOs must use identity management as the foundation for enterprise security.

IDC sees the new age of enterprise security comprising a five-point process:

Understand the user. Are the people accessing the network employees, customers, or partners, or a combination of the three? How are they accessing the network, and what constitutes appropriate use for each audience?

Map the user to the application. What types of applications do the various users need to be productive? How complex are the applications, and what security or compliance issues does each application bring to the table?

Map the application to the data. What data is really needed by the applications and users? What valuable information is exposed by the applications?

Manage the access. By understanding users and the resources they really need to be productive, enterprises can understand who should have access to what and when. This enables the enterprise to set up a behind-the-scenes security environment that doesn't appear draconian to the user but limits resources to those who need them.

Manage the activity. Who is logging in to what and when? Does this meet company policies, or is there unusual activity? This makes it possible for IT to focus on breaches or potential breaches. It also provides a mechanism for forensic analysis when needed.
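The "manage the activity" step above asks who is logging in to what and when, and whether the activity is unusual. As an added example that is not part of the IDC document or of any vendor product, the Python below runs three simple detections over a constructed SSO log: a successful login outside working hours, two successful logins for the same user from different countries within a short window, and a burst of failed attempts immediately followed by a success. The log format, field names, IP addresses and thresholds are all assumptions made for this example; a real deployment would pull the same fields from its central SSO log and tune the thresholds.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample SSO log (not from any real system or from the IDC document):
# one login event per line, key=value fields after an ISO-8601 UTC timestamp.
SAMPLE_LOG = """\
2015-03-02T09:12:44Z user=alice app=crm src=203.0.113.5 country=US result=success
2015-03-02T09:40:10Z user=alice app=hr src=198.51.100.7 country=DE result=success
2015-03-02T22:05:00Z user=bob app=finance src=203.0.113.9 country=US result=success
2015-03-02T10:00:01Z user=carol app=crm src=192.0.2.20 country=US result=failure
2015-03-02T10:00:03Z user=carol app=crm src=192.0.2.20 country=US result=failure
2015-03-02T10:00:05Z user=carol app=crm src=192.0.2.20 country=US result=failure
2015-03-02T10:00:07Z user=carol app=crm src=192.0.2.20 country=US result=failure
2015-03-02T10:00:09Z user=carol app=crm src=192.0.2.20 country=US result=failure
2015-03-02T10:00:12Z user=carol app=crm src=192.0.2.20 country=US result=success
2015-03-02T11:30:00Z user=dave app=crm src=203.0.113.44 country=US result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<kv>.+)$")


def parse_event(line):
    """Parse one log line into a dict with a UTC datetime under 'ts'; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = dict(pair.split("=", 1) for pair in m.group("kv").split())
    event["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def detect_unusual_activity(lines, travel_window=timedelta(hours=2), fail_threshold=5,
                            fail_window=timedelta(minutes=5), work_hours=(7, 20)):
    """Return a list of (rule, user, detail) alerts in time order. Thresholds are assumed defaults."""
    events = [e for e in (parse_event(ln) for ln in lines) if e]
    events.sort(key=lambda e: e["ts"])          # logs are not guaranteed to arrive in order
    alerts = []
    last_success = {}                            # user -> most recent successful event
    failures = defaultdict(list)                 # user -> timestamps of failures since last success
    for e in events:
        user = e["user"]
        if e["result"] != "success":
            failures[user].append(e["ts"])
            continue
        # Rule 1: success outside working hours (hour compared in UTC here; use the user's
        # local timezone in practice, which is an assumption this example does not model).
        if not (work_hours[0] <= e["ts"].hour < work_hours[1]):
            alerts.append(("off_hours", user, e["app"]))
        # Rule 2: two successes from different countries closer together than travel allows.
        prev = last_success.get(user)
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= travel_window:
            alerts.append(("impossible_travel", user, f"{prev['country']}->{e['country']}"))
        # Rule 3: a burst of failures immediately followed by a success (guessing or stuffing).
        recent = [t for t in failures[user] if e["ts"] - t <= fail_window]
        if len(recent) >= fail_threshold:
            alerts.append(("failures_then_success", user, str(len(recent))))
        failures[user].clear()
        last_success[user] = e
    return alerts


if __name__ == "__main__":
    for alert in detect_unusual_activity(SAMPLE_LOG.splitlines()):
        print(alert)
```

Each alert names the rule, the account and a short detail, which is exactly the starting point the forensic discussion earlier in this document asks for: an account to focus on, tied to a time and an application, rather than a list of everyone who had access.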

As a result, IDC recommends the following for enterprises looking to keep their cloud-based IT environments secure: First, conduct an assessment of users and their needs in order to create priorities and determine acceptable risks without compromising productivity. Second, as much as possible, inventory the growing list of applications that authorized users need to access, and set up security policies as necessary. Third, create a security environment that incorporates identity management integrated with contextual intelligence to verify that the proper personnel are accessing the proper resources at the proper times.


ABOUT THIS PUBLICATION

This publication was produced by IDC Custom Solutions. The opinion, analysis, and research results presented herein are drawn from more detailed research and analysis independently conducted and published by IDC, unless specific vendor sponsorship is noted. IDC Custom Solutions makes IDC content available in a wide range of formats for distribution by various companies. A license to distribute IDC content does not imply endorsement of or opinion about the licensee.

COPYRIGHT AND RESTRICTIONS

Any IDC information or reference to IDC that is to be used in advertising, press releases, or promotional materials requires prior written approval from IDC. For permission requests, contact the IDC Custom Solutions information line at 508-988-7610 or gms@idc.com. Translation and/or localization of this document require an additional license from IDC.

For more information on IDC, visit www.idc.com. For more information on IDC Custom Solutions, visit http://www.idc.com/prodserv/custom_solutions/index.jsp.
