Welcome!

@CloudExpo Authors: Elizabeth White, Pat Romanski, Liz McMillan, Jason Bloomberg, Kevin Benedict

Related Topics: @CloudExpo, Microservices Expo, Containers Expo Blog, Cloud Security, @BigDataExpo, SDN Journal

@CloudExpo: Article

Mirror Mirror: Difference Between Identity Management & Access Management

And companies need both to maintain a secure environment

One of the biggest misconceptions in cloud security is the perception that identity management (IDaaS) and access management (SSO) are the same thing.

They’re not.

And it took a viewing of the famous Star Trek episode called Mirror Mirror for me to best illustrate and articulate the difference between the creation and management of a user account and credentialed rights and the funneled applications that entity is allowed to see. For those unfamiliar with the episode, it’s the one where Kirk is transported into an alternate universe and meets evil Spock (the one with the beard)...but more about that soon.

Simply, IDaaS is the administrative function that creates and maintains a user’s network identity. It segments their privileges by roles and rules. This is called provisioning. Your starship just hired a new lieutenant to communicate with new life and new civilizations as you boldly go places—in this world we call it inside sales, but you get the idea. In the organizational hierarchy, this officer needs access to certain functions and applications-but not others. So when her “enterprise” identity is created, she is assigned certain access rights. She needs to see the languages database, but not the weapons console. Her identity group, as a junior officer, is similar to others of her job description and rank. Identity management  establishes her credentials, manages her passwords, and the provisioning synchronizes this information instantly so that a specific level of the network is accessible. This works in reverse as well. As soon as she resigns her commission, automatic de-provisioning rescinds those rights and prevents her from accessing information after she’s left the ship. It’s all based on process and workflow.

So how is this different than access management? If Identity Management is about the development of a privilege strata and the source of password details, why does a company need access management? Because it is the difference between authentication and authorization. it's the difference between administrative availability and tightly controlled access. Case in point: our communications officer is standing on the planet Saas and dialing into the Enterprise (BYOD!). Her identity settings allow her to access the ship’s computer, but it is her SSO that channels her access see only certain applications. And because access management is about single sign on, once she is authenticated, all of her applications (including the dozens of unique passwords) are controlled from a single portal (and blocked from seeing/accessing other). The single sign on function also authenticates each individual application, so she doesn't have to do it again once she is within the protection of the portal. And the segmentation of each application is also personalized to her rights automatically. She sees only the slice of the database she is permitted to see.  But what if it wasn’t her? What if it was a Klingon who cloned her tricorder or her body was taken over by a non-corporeal lifeforce? Single sign on enforces multi-factor identification. So if her password is stolen, the nasty Romulan might not know the year she graduated from the Starfleet Academy or the name of her first pet was Cochrane.  Simply put, IDaaS is the intelligence and SSO is the locked doorway-- and they need to seamlessly integrate to create a better security platform. Having one without the other is like transporting into an alternate universe and having to fight an evil Spock. (I told you I’d get to it!)

While looking to acquire dilithium crystals, the Enterprise gets hit by an unexpected ion storm (for our metaphoric purposes, let’s call this a suspicious intrusion resulting in breach!).  This causes a landing party to transport (access management) to an alternate universe. In this world everyone looks the same (except for Spock’s Machiavellian beard!), but their intentions are less than honorable. Conversely evil Kirk is now on the original Enterprise. Allegorically, if this were a fully integrated and unified security Enterprise, the SIEM program would have noted the original suspicious activity and Mr. Scott would have received an immediate alert based on the parameters of what constitutes a breach. But if Evil Kirk gets through nonetheless and tried to log onto the system to arm the photon torpedoes, there are a few security hurdles in his way. His alternate universe password of “UglyKittens6” doesn’t work. In fact after several tries, he is locked out and an alert is sent to Mr. Scott for review and remediation. But Evil Kirk is wily. He clicks “forgot password” because he figures he can self-serve and generate a revised password. However the system asks him how many TekWar novels he's written (or any other personalized information to further verify his identity) and without the correct answer, his evil machinations are again thwarted. However, let’s say the passwords match (“OverActing4#5!”) and he is authorized into the access portal. He may be captain (CEO) of the ship, but his role does not include the direct management of weapons systems, so this application is absent from his portal of available applications.

Silliness aside, the IT moral of this episode is that identities are just a single level of integrated security.  That controls WHO you are. As a partner or employee, the enterprise affords you this amount of visibility within the network. Access controls the applications to which you may connect .As most companies use a wide variety of applications—on premise legacy, cloud-based ASP/SaaS or general web-based programs—the need to channel controls is mission critical. This is Access Management. There simply can’t be a login name and password that provides any user limitless exposure to the network. Best practice, regulatory compliance and strong security demand that these functions work in concert.

But best practices that require investment into two separate solutions, two separate deployments with two separate providers, and the extra eyeballs to continuously monitor activity seems to be counterproductive…right?

The fact that SSO and IDaaS are two different solution sets is tempered by cloud-based security deployment.  As a singularly sourced seamless operation from the cloud, the pairing increases the ability to control who gets to see what across a heterogeneous enterprise with competing priorities, needs and identity types. Just as partners and vendors need certain access that is separate from employees—not all employees are the same; and they too fall into unique roles and rules that can be managed by identity Management and Controlled by Access Management. There are many solutions on the market that address either IDaaS (IDM) or Access (IAM, SSO) in the cloud, but I obviously know of only one that provides both as a multi-tenant (true-cloud) initiative. This mixes the best practice of best-of-breed with the all the cost and productivity benefits promoted by the cloud.

And if my metaphors and wink-and-a-nod sci-fi geek inferences were too obscure, here is a straightforward listing of the differences between IDaaS and SSO:

Standard IDaaS features (Administrative):

  • Provisioning/deprovisioning (add/delete user accounts)
  • Password management
  • Role-based identity groups/individuals for access
  • Automatic Directory (Active, LDAP, etc…) propagation (using data on these infrastructure databases to populate/control IDM)
  • User self-service
  • Multi-lateral password synchronization
  • Access recertification
  • Request management
  • Business process/rules mapping
  • Federated connectors to secure applications
  • Comprehensive  audits, reports for compliance
  • Graphical integrated approval workflow

Standard SSO features: (Active Application of Administrative Controls)

  • Access for both SaaS and Web applications/platforms
  • Authentication by and Access control by IP address
  • Integration with AD, LDAP, SQL, etc.
  • Dynamic Portal grouping users permitted applications
  • User self-service for password reset
  • 2 factor authentication for BYOD
  • Authentication chaining
  • Whitelist, blacklisting of allowed/disallowed sites/apps
  • Risk adaptation (traveling IP’s)
  • Identity gateway enables access to 1000s of websites, on premise and legacy applications

Live long and securely prosper!

Kevin Nikkhoo
www.cloudaccess.com

More Stories By Kevin Nikkhoo

With more than 32 years of experience in information technology, and an extensive and successful entrepreneurial background, Kevin Nikkhoo is the CEO of the dynamic security-as-a-service startup Cloud Access. CloudAccess is at the forefront of the latest evolution of IT asset protection--the cloud.

Kevin holds a Bachelor of Science in Computer Engineering from McGill University, Master of Computer Engineering at California State University, Los Angeles, and an MBA from the University of Southern California with emphasis in entrepreneurial studies.

@CloudExpo Stories
SYS-CON Events announced today that Secure Channels, a cybersecurity firm, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Secure Channels, Inc. offers several products and solutions to its many clients, helping them protect critical data from being compromised and access to computer networks from the unauthorized. The company develops comprehensive data encryption security strategie...
Recently, WebRTC has a lot of eyes from market. The use cases of WebRTC are expanding - video chat, online education, online health care etc. Not only for human-to-human communication, but also IoT use cases such as machine to human use cases can be seen recently. One of the typical use-case is remote camera monitoring. With WebRTC, people can have interoperability and flexibility for deploying monitoring service. However, the benefit of WebRTC for IoT is not only its convenience and interopera...
Vulnerability management is vital for large companies that need to secure containers across thousands of hosts, but many struggle to understand how exposed they are when they discover a new high security vulnerability. In his session at 21st Cloud Expo, John Morello, CTO of Twistlock, will address this pressing concern by introducing the concept of the “Vulnerability Risk Tree API,” which brings all the data together in a simple REST endpoint, allowing companies to easily grasp the severity of t...
SYS-CON Events announced today that SkyScale will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. SkyScale is a world-class provider of cloud-based, ultra-fast multi-GPU hardware platforms for lease to customers desiring the fastest performance available as a service anywhere in the world. SkyScale builds, configures, and manages dedicated systems strategically located in maximum-security...
SYS-CON Events announced today that Datera will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Datera offers a radically new approach to data management, where innovative software makes data infrastructure invisible, elastic and able to perform at the highest level. It eliminates hardware lock-in and gives IT organizations the choice to source x86 server nodes, with business model option...
DevOps at Cloud Expo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 21st Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to w...
21st International Cloud Expo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Me...
SYS-CON Events announced today that DXWorldExpo has been named “Global Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Digital Transformation is the key issue driving the global enterprise IT business. Digital Transformation is most prominent among Global 2000 enterprises and government institutions.
SYS-CON Events announced today that Massive Networks will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Massive Networks mission is simple. To help your business operate seamlessly with fast, reliable, and secure internet and network solutions. Improve your customer's experience with outstanding connections to your cloud.
When shopping for a new data processing platform for IoT solutions, many development teams want to be able to test-drive options before making a choice. Yet when evaluating an IoT solution, it’s simply not feasible to do so at scale with physical devices. Building a sensor simulator is the next best choice; however, generating a realistic simulation at very high TPS with ease of configurability is a formidable challenge. When dealing with multiple application or transport protocols, you would be...
SYS-CON Events announced today that Akvelon will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Akvelon is a business and technology consulting firm that specializes in applying cutting-edge technology to problems in fields as diverse as mobile technology, sports technology, finance, and healthcare.
Connecting to major cloud service providers is becoming central to doing business. But your cloud provider’s performance is only as good as your connectivity solution. Massive Networks will place you in the driver's seat by exposing how you can extend your LAN from any location to include any cloud platform through an advanced high-performance connection that is secure and dedicated to your business-critical data. In his session at 21st Cloud Expo, Paul Mako, CEO & CIO of Massive Networks, wil...
In his session at 20th Cloud Expo, Scott Davis, CTO of Embotics, discussed how automation can provide the dynamic management required to cost-effectively deliver microservices and container solutions at scale. He also discussed how flexible automation is the key to effectively bridging and seamlessly coordinating both IT and developer needs for component orchestration across disparate clouds – an increasingly important requirement at today’s multi-cloud enterprise.
As more and more companies are making the shift from on-premises to public cloud, the standard approach to DevOps is evolving. From encryption, compliance and regulations like GDPR, security in the cloud has become a hot topic. Many DevOps-focused companies have hired dedicated staff to fulfill these requirements, often creating further siloes, complexity and cost. This session aims to highlight existing DevOps cultural approaches, tooling and how security can be wrapped in every facet of the bu...
For financial firms, the cloud is going to increasingly become a crucial part of dealing with customers over the next five years and beyond, particularly with the growing use and acceptance of virtual currencies. There are new data storage paradigms on the horizon that will deliver secure solutions for storing and moving sensitive financial data around the world without touching terrestrial networks. In his session at 20th Cloud Expo, Cliff Beek, President of Cloud Constellation Corporation, d...
IT organizations are moving to the cloud in hopes to approve efficiency, increase agility and save money. Migrating workloads might seem like a simple task, but what many businesses don’t realize is that application migration criteria differs across organizations, making it difficult for architects to arrive at an accurate TCO number. In his session at 21st Cloud Expo, Joe Kinsella, CTO of CloudHealth Technologies, will offer a systematic approach to understanding the TCO of a cloud application...
"With Digital Experience Monitoring what used to be a simple visit to a web page has exploded into app on phones, data from social media feeds, competitive benchmarking - these are all components that are only available because of some type of digital asset," explained Leo Vasiliou, Director of Web Performance Engineering at Catchpoint Systems, in this SYS-CON.tv interview at DevOps Summit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
SYS-CON Events announced today that Secure Channels, a cybersecurity firm, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Secure Channels, Inc. offers several products and solutions to its many clients, helping them protect critical data from being compromised and access to computer networks from the unauthorized. The company develops comprehensive data encryption security strategie...
SYS-CON Events announced today that WineSOFT will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Based in Seoul and Irvine, WineSOFT is an innovative software house focusing on internet infrastructure solutions. The venture started as a bootstrap start-up in 2010 by focusing on making the internet faster and more powerful. WineSOFT’s knowledge is based on the expertise of TCP/IP, VPN, SS...
WebRTC is the future of browser-to-browser communications, and continues to make inroads into the traditional, difficult, plug-in web communications world. The 6th WebRTC Summit continues our tradition of delivering the latest and greatest presentations within the world of WebRTC. Topics include voice calling, video chat, P2P file sharing, and use cases that have already leveraged the power and convenience of WebRTC.