Welcome!

@CloudExpo Authors: Elizabeth White, William Schmarzo, Liz McMillan, Stefan Bernbo, Yeshim Deniz

Related Topics: @CloudExpo, Microservices Expo, Containers Expo Blog, Cloud Security, @BigDataExpo, SDN Journal

@CloudExpo: Article

Mirror Mirror: Difference Between Identity Management & Access Management

And companies need both to maintain a secure environment

One of the biggest misconceptions in cloud security is the perception that identity management (IDaaS) and access management (SSO) are the same thing.

They’re not.

And it took a viewing of the famous Star Trek episode called Mirror Mirror for me to best illustrate and articulate the difference between the creation and management of a user account and credentialed rights and the funneled applications that entity is allowed to see. For those unfamiliar with the episode, it’s the one where Kirk is transported into an alternate universe and meets evil Spock (the one with the beard)...but more about that soon.

Simply, IDaaS is the administrative function that creates and maintains a user’s network identity. It segments their privileges by roles and rules. This is called provisioning. Your starship just hired a new lieutenant to communicate with new life and new civilizations as you boldly go places—in this world we call it inside sales, but you get the idea. In the organizational hierarchy, this officer needs access to certain functions and applications-but not others. So when her “enterprise” identity is created, she is assigned certain access rights. She needs to see the languages database, but not the weapons console. Her identity group, as a junior officer, is similar to others of her job description and rank. Identity management  establishes her credentials, manages her passwords, and the provisioning synchronizes this information instantly so that a specific level of the network is accessible. This works in reverse as well. As soon as she resigns her commission, automatic de-provisioning rescinds those rights and prevents her from accessing information after she’s left the ship. It’s all based on process and workflow.

So how is this different than access management? If Identity Management is about the development of a privilege strata and the source of password details, why does a company need access management? Because it is the difference between authentication and authorization. it's the difference between administrative availability and tightly controlled access. Case in point: our communications officer is standing on the planet Saas and dialing into the Enterprise (BYOD!). Her identity settings allow her to access the ship’s computer, but it is her SSO that channels her access see only certain applications. And because access management is about single sign on, once she is authenticated, all of her applications (including the dozens of unique passwords) are controlled from a single portal (and blocked from seeing/accessing other). The single sign on function also authenticates each individual application, so she doesn't have to do it again once she is within the protection of the portal. And the segmentation of each application is also personalized to her rights automatically. She sees only the slice of the database she is permitted to see.  But what if it wasn’t her? What if it was a Klingon who cloned her tricorder or her body was taken over by a non-corporeal lifeforce? Single sign on enforces multi-factor identification. So if her password is stolen, the nasty Romulan might not know the year she graduated from the Starfleet Academy or the name of her first pet was Cochrane.  Simply put, IDaaS is the intelligence and SSO is the locked doorway-- and they need to seamlessly integrate to create a better security platform. Having one without the other is like transporting into an alternate universe and having to fight an evil Spock. (I told you I’d get to it!)

While looking to acquire dilithium crystals, the Enterprise gets hit by an unexpected ion storm (for our metaphoric purposes, let’s call this a suspicious intrusion resulting in breach!).  This causes a landing party to transport (access management) to an alternate universe. In this world everyone looks the same (except for Spock’s Machiavellian beard!), but their intentions are less than honorable. Conversely evil Kirk is now on the original Enterprise. Allegorically, if this were a fully integrated and unified security Enterprise, the SIEM program would have noted the original suspicious activity and Mr. Scott would have received an immediate alert based on the parameters of what constitutes a breach. But if Evil Kirk gets through nonetheless and tried to log onto the system to arm the photon torpedoes, there are a few security hurdles in his way. His alternate universe password of “UglyKittens6” doesn’t work. In fact after several tries, he is locked out and an alert is sent to Mr. Scott for review and remediation. But Evil Kirk is wily. He clicks “forgot password” because he figures he can self-serve and generate a revised password. However the system asks him how many TekWar novels he's written (or any other personalized information to further verify his identity) and without the correct answer, his evil machinations are again thwarted. However, let’s say the passwords match (“OverActing4#5!”) and he is authorized into the access portal. He may be captain (CEO) of the ship, but his role does not include the direct management of weapons systems, so this application is absent from his portal of available applications.

Silliness aside, the IT moral of this episode is that identities are just a single level of integrated security.  That controls WHO you are. As a partner or employee, the enterprise affords you this amount of visibility within the network. Access controls the applications to which you may connect .As most companies use a wide variety of applications—on premise legacy, cloud-based ASP/SaaS or general web-based programs—the need to channel controls is mission critical. This is Access Management. There simply can’t be a login name and password that provides any user limitless exposure to the network. Best practice, regulatory compliance and strong security demand that these functions work in concert.

But best practices that require investment into two separate solutions, two separate deployments with two separate providers, and the extra eyeballs to continuously monitor activity seems to be counterproductive…right?

The fact that SSO and IDaaS are two different solution sets is tempered by cloud-based security deployment.  As a singularly sourced seamless operation from the cloud, the pairing increases the ability to control who gets to see what across a heterogeneous enterprise with competing priorities, needs and identity types. Just as partners and vendors need certain access that is separate from employees—not all employees are the same; and they too fall into unique roles and rules that can be managed by identity Management and Controlled by Access Management. There are many solutions on the market that address either IDaaS (IDM) or Access (IAM, SSO) in the cloud, but I obviously know of only one that provides both as a multi-tenant (true-cloud) initiative. This mixes the best practice of best-of-breed with the all the cost and productivity benefits promoted by the cloud.

And if my metaphors and wink-and-a-nod sci-fi geek inferences were too obscure, here is a straightforward listing of the differences between IDaaS and SSO:

Standard IDaaS features (Administrative):

  • Provisioning/deprovisioning (add/delete user accounts)
  • Password management
  • Role-based identity groups/individuals for access
  • Automatic Directory (Active, LDAP, etc…) propagation (using data on these infrastructure databases to populate/control IDM)
  • User self-service
  • Multi-lateral password synchronization
  • Access recertification
  • Request management
  • Business process/rules mapping
  • Federated connectors to secure applications
  • Comprehensive  audits, reports for compliance
  • Graphical integrated approval workflow

Standard SSO features: (Active Application of Administrative Controls)

  • Access for both SaaS and Web applications/platforms
  • Authentication by and Access control by IP address
  • Integration with AD, LDAP, SQL, etc.
  • Dynamic Portal grouping users permitted applications
  • User self-service for password reset
  • 2 factor authentication for BYOD
  • Authentication chaining
  • Whitelist, blacklisting of allowed/disallowed sites/apps
  • Risk adaptation (traveling IP’s)
  • Identity gateway enables access to 1000s of websites, on premise and legacy applications

Live long and securely prosper!

Kevin Nikkhoo
www.cloudaccess.com

More Stories By Kevin Nikkhoo

With more than 32 years of experience in information technology, and an extensive and successful entrepreneurial background, Kevin Nikkhoo is the CEO of the dynamic security-as-a-service startup Cloud Access. CloudAccess is at the forefront of the latest evolution of IT asset protection--the cloud.

Kevin holds a Bachelor of Science in Computer Engineering from McGill University, Master of Computer Engineering at California State University, Los Angeles, and an MBA from the University of Southern California with emphasis in entrepreneurial studies.

@CloudExpo Stories
Cloud applications are seeing a deluge of requests to support the exploding advanced analytics market. “Open analytics” is the emerging strategy to deliver that data through an open data access layer, in the cloud, to be directly consumed by external analytics tools and popular programming languages. An increasing number of data engineers and data scientists use a variety of platforms and advanced analytics languages such as SAS, R, Python and Java, as well as frameworks such as Hadoop and Spark...
Automation is enabling enterprises to design, deploy, and manage more complex, hybrid cloud environments. Yet the people who manage these environments must be trained in and understanding these environments better than ever before. A new era of analytics and cognitive computing is adding intelligence, but also more complexity, to these cloud environments. How smart is your cloud? How smart should it be? In this power panel at 20th Cloud Expo, moderated by Conference Chair Roger Strukhoff, paneli...
"Loom is applying artificial intelligence and machine learning into the entire log analysis process, from start to finish and at the end you will get a human touch,” explained Sabo Taylor Diab, Vice President, Marketing at Loom Systems, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
The current age of digital transformation means that IT organizations must adapt their toolset to cover all digital experiences, beyond just the end users’. Today’s businesses can no longer focus solely on the digital interactions they manage with employees or customers; they must now contend with non-traditional factors. Whether it's the power of brand to make or break a company, the need to monitor across all locations 24/7, or the ability to proactively resolve issues, companies must adapt to...
Cloud promises the agility required by today’s digital businesses. As organizations adopt cloud based infrastructures and services, their IT resources become increasingly dynamic and hybrid in nature. Managing these require modern IT operations and tools. In his session at 20th Cloud Expo, Raj Sundaram, Senior Principal Product Manager at CA Technologies, will discuss how to modernize your IT operations in order to proactively manage your hybrid cloud and IT environments. He will be sharing bes...
A look across the tech landscape at the disruptive technologies that are increasing in prominence and speculate as to which will be most impactful for communications – namely, AI and Cloud Computing. In his session at 20th Cloud Expo, Curtis Peterson, VP of Operations at RingCentral, highlighted the current challenges of these transformative technologies and shared strategies for preparing your organization for these changes. This “view from the top” outlined the latest trends and developments i...
With major technology companies and startups seriously embracing Cloud strategies, now is the perfect time to attend 21st Cloud Expo October 31 - November 2, 2017, at the Santa Clara Convention Center, CA, and June 12-14, 2018, at the Javits Center in New York City, NY, and learn what is going on, contribute to the discussions, and ensure that your enterprise is on the right path to Digital Transformation.
@DevOpsSummit at Cloud Expo taking place Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center, Santa Clara, CA, is co-located with the 21st International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is ...
"We are a monitoring company. We work with Salesforce, BBC, and quite a few other big logos. We basically provide monitoring for them, structure for their cloud services and we fit into the DevOps world" explained David Gildeh, Co-founder and CEO of Outlyer, in this SYS-CON.tv interview at DevOps Summit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
Join us at Cloud Expo June 6-8 to find out how to securely connect your cloud app to any cloud or on-premises data source – without complex firewall changes. More users are demanding access to on-premises data from their cloud applications. It’s no longer a “nice-to-have” but an important differentiator that drives competitive advantages. It’s the new “must have” in the hybrid era. Users want capabilities that give them a unified view of the data to get closer to customers and grow business. The...
For organizations that have amassed large sums of software complexity, taking a microservices approach is the first step toward DevOps and continuous improvement / development. Integrating system-level analysis with microservices makes it easier to change and add functionality to applications at any time without the increase of risk. Before you start big transformation projects or a cloud migration, make sure these changes won’t take down your entire organization.
Artificial intelligence, machine learning, neural networks. We’re in the midst of a wave of excitement around AI such as hasn’t been seen for a few decades. But those previous periods of inflated expectations led to troughs of disappointment. Will this time be different? Most likely. Applications of AI such as predictive analytics are already decreasing costs and improving reliability of industrial machinery. Furthermore, the funding and research going into AI now comes from a wide range of com...
"When we talk about cloud without compromise what we're talking about is that when people think about 'I need the flexibility of the cloud' - it's the ability to create applications and run them in a cloud environment that's far more flexible,” explained Matthew Finnie, CTO of Interoute, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
Internet of @ThingsExpo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 21st Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The Internet of Things (IoT) is the most profound change in personal and enterprise IT since the creation of the Worldwide Web more than 20 years ago. All major researchers estimate there will be tens of billions devic...
SYS-CON Events announced today that MobiDev, a client-oriented software development company, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. MobiDev is a software company that develops and delivers turn-key mobile apps, websites, web services, and complex software systems for startups and enterprises. Since 2009 it has grown from a small group of passionate engineers and business...
SYS-CON Events announced today that GrapeUp, the leading provider of rapid product development at the speed of business, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Grape Up is a software company, specialized in cloud native application development and professional services related to Cloud Foundry PaaS. With five expert teams that operate in various sectors of the market acr...
What's the role of an IT self-service portal when you get to continuous delivery and Infrastructure as Code? This general session showed how to create the continuous delivery culture and eight accelerators for leading the change. Don Demcsak is a DevOps and Cloud Native Modernization Principal for Dell EMC based out of New Jersey. He is a former, long time, Microsoft Most Valuable Professional, specializing in building and architecting Application Delivery Pipelines for hybrid legacy, and cloud ...
SYS-CON Events announced today that Ayehu will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on October 31 - November 2, 2017 at the Santa Clara Convention Center in Santa Clara California. Ayehu provides IT Process Automation & Orchestration solutions for IT and Security professionals to identify and resolve critical incidents and enable rapid containment, eradication, and recovery from cyber security breaches. Ayehu provides customers greater control over IT infras...
With major technology companies and startups seriously embracing Cloud strategies, now is the perfect time to attend 21st Cloud Expo October 31 - November 2, 2017, at the Santa Clara Convention Center, CA, and June 12-14, 2018, at the Javits Center in New York City, NY, and learn what is going on, contribute to the discussions, and ensure that your enterprise is on the right path to Digital Transformation.
21st International Cloud Expo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Me...