Cloud Identity and Access Management: Key Issues


Mark is interviewed by Information Security Media Group about the issues and assumptions of Cloud Identity and Access Management (IAM).


16:21 duration

https://podcasts.apple.com/us/podcast/cloud-iam-integration-issues/id504642809?i=1000445136774

Transcript

Geetha

Hi I'm Geetha Nandikotkur, Managing Editor for Asia and the Middle East with Information Security Media Group. I caught up with Mark Perry, Chief Technology Officer, Asia Pacific, at Ping Identity to discuss how cloud Identity and Access Management (IAM) is evolving in preventing breaches. Mark discusses various scenarios in which cloud IAM is being deployed and helping build new authentication mechanisms. Thanks for joining the conversation today Mark.

Mark

Thank you Geetha. It's great to be here, and hello to your listeners.

Geetha

Mark, in what scenarios do you think cloud Identity and Access Management is being deployed? Can you explain the scenarios?

Mark

Yes, certainly. Look, there are generally three major scenarios where cloud IAM is being deployed by our customers.

I think the first one is, and this is generally the one that is getting most traction at the moment, where large organisations are wanting to manage identities in a much easier fashion, a more cost-effective fashion, and they're generally people — employees or contractors, itinerant workers, business partners, third-party brokers or agents — those people who are not necessarily full-time employees with the company. And cloud IAM can provide a fast and secure means to manage the on-boarding and the lifecycle of those identities in a much easier way than traditional on-premise identity management systems can. And across that you’ve still got the same ability to integrate into applications via SAML and OpenID Connect, and can provide access to the applications that are needed through Single Sign-On.

The second way is generally around organisations who need to store customer identity or associated data, and this has traditionally been from startups or new enterprises inside companies — innovation hubs and so on — but even there large organisations are starting to move customer identities to the cloud. There are a number of reasons for that — generally cloud IAM is a much more modern architecture, it allows for RESTful APIs to access the identity data, to manage different types of data, from the traditional relational databases or your LDAP hierarchical stores, using (say) JSON attributes, which are used by developers, and you can hook into microservices and mobile apps much more easily that way. You're able to do a whole lot more with relationships, around different customer-to-customer or customer-to-business or customer-to-product relationships, and you can store device data and other data which changes rapidly. It gives you a lot of different options that may not be available in traditional systems. And, again, cloud IAM does generally provide the full scope of Multi-Factor Authentication, account recovery, forgotten passwords or forgotten account scenarios and so on.

The third way is really around people wanting to limit their on-premise footprint where that's allowed by regulation and security risk compliance requirements. So we see this with some major banks in Australia where they have a mandate to move workloads into the cloud, but they still need to integrate back into on-premise systems for regulatory compliance, and that enables them to put a certain amount of the identity stack in the cloud, say the access management components, because it's a reverse proxy mechanism, and even the Identity Federation components. So they're not necessarily storing customer identities in the cloud in that case, or employee identities, but they're enabling the access into applications and services through a much more agile ability out of the cloud that they manage themselves. So I think the main thing about all of those is you can outsource this service to third-party vendors and services in the cloud, but you can't outsource the risk to the business, and that’s something that every business has to weigh up to make sure that they’re following the right compliance [model] for their company.

Geetha

So just then you mentioned that cloud IAM can provide a fast and secure means to manage onboarding and ongoing lifecycle management of identity. So, what does it mean to the practitioner?

Mark

So yes, it’s interesting. Traditionally in identity management we've had a very heavyweight identity management platform which has a workflow engine, and a very large and growing database, and all sorts of capabilities to check who has access to what, and so on. That doesn't go away; often that’s still required, especially for employee scenarios. But if you're looking at a consumer identity platform, what you need to be able to do is register a user in a way that creates the least amount of friction for that customer, that consumer, so they can go ahead and use the service and hopefully sign up to spend money with that service as quickly as possible. So for the practitioner who's deciding what capabilities to use there, you have to look at all the security elements obviously: you’re storing customer data — usernames, passwords, device data, and other personal information — so it has to be secured properly, but often the major security risks are around account recovery. So if I can trick a service into allowing me to reset a password for someone else then I can get control of that account, which means you have to be very careful about looking at what capabilities there are to identify a user and then enable them to do password resets, or to recover an account that's been forgotten about.

And, like I mentioned before, around that you've got the ability generally to have some form of Multi-Factor Authentication, whether that be a One Time Passcode over SMS or via an email link, or what have you, but increasingly companies are moving towards device-based MFA using push notifications and technology such as FIDO, which allow for much more secure capabilities. And again, it really comes down to not only what is easier for developers to get something up and running, but also what meets the security requirements of the service, because the last thing anybody wants is to be finding out they've been breached and then their tens of thousands, or millions, of customers’ personal information has been stolen. There's a trade-off between getting things done quickly and getting them done securely, and that's what cloud IAM tries to bring.

Geetha

So do you think that cloud IAM needs to be considered as a fully integrated component of the enterprise security landscape? To provide that kind of business value or prevent breaches? What’s your opinion?

Mark

Yes, it's a good question. I really think that in a lot of cases companies just want to get things done. They've got timelines to meet, their executives have said that they need something in market as quickly as possible. It's often the way it works that people just stand up something very quickly, and what starts out as a proof-of-concept goes into production and then that has to be managed and maintained, and that’s what creates technology silos in an organisation. That might be fine if you're just setting up one application, but if you have then, say, employees that need to manage things for consumers — say, call centre people need to manage accounts — then you have to allow for your employee identity system to be able to access that application. There are examples where people have taken on new organisations or joint ventures and they have to bring in third-party identities to be able to manage or continue to develop the service, and that gets very difficult if the service has just been written in isolation. So generally with most companies of a certain size you have to be thinking about “How does this work in terms of my overall identity strategy?”, and that really means that the service that you pick in the cloud needs to be able to support modern Federation protocols like OpenID Connect and SAML, so that you can easily integrate with your existing identity management systems.

Also you have to look at what the impact of integration into existing applications is, whether that's data moving between systems, and that might be having to get data feeds or real-time integration — mashups and so on — through other systems. That can be difficult if an identity management system in the cloud has been chosen and it can't integrate easily, so it's really important that people look at this as part of an overall strategy, and that Enterprise Architecture comes into play here, not just getting something working for the sake of it.

Geetha

What has been the big challenge for the practitioners, the CISOs, when they want to integrate this security with the cloud IAM, Mark?

Mark

I think one of the major misconceptions around cloud IAM, and cloud services in general, is that they’re easy to implement. They’re not necessarily easy; they are generally quicker than going through a procurement cycle for servers and on-premise capabilities and services. The issue still with IAM is that specialist skills are required, so there are vendors out there who will try and sell this as a pretty easy project to take on. However, because there's often integration required, and sometimes integration back into on-premise or legacy systems, there can be a number of different roadblocks that make it considerably harder than what executives might think. This is something where a lot of people want customisation of a service as well, and of course the more you go for an off-the-shelf cloud service, generally the less customisation capability you have available.

So we're seeing a trend now where people are evaluating the ability to stand up their own identity software in cloud services like an Azure, an AWS, and GCP [Google Cloud Platform] and so on, and there are companies now that provide a managed service around these capabilities, and that gives customers the ability to consume it as a service but still have a broad range of customisation capabilities. That generally depends on the budget and the time people have to stand up a service, but if you start looking then again at something as part of providing business value over a long period, and not just getting to production in 3 to 6 months, then that can certainly be a valuable way to go.

Geetha

So can you think of a use case in an enterprise which has built a cloud IAM strategy and what kind of solution — how do they approach [this]?

Mark

Yes, there’s one large customer in the United States who uses Identity-as-a-Service products, and they have about 2 million customers. They’re a large supermarket chain and they were going all cloud. They realised that what they had on premise was going to hold them back; their developers were wanting to build new services, very much API-driven, and microservices, a lot of mobile apps for their end customers so that the customers had a great customer experience while they were in the stores or ordering outside the stores, and they really wanted a cloud service that was going to give them the capabilities they needed.

But also in terms of security, so that they weren't going to potentially be in danger of being breached, something that was very modern in architecture, with full REST API coverage, that had multi-factor authentication built in, that enabled them to define different types of authentication flows depending on the risk of the transaction, for example, and that was something they were able to buy off the shelf and then implement with their own people. So it's one example where it's not a highly regulated industry, so they can afford to store customer identity information in the cloud, and it makes a lot of sense in that case where they have something they're buying off the shelf with a large number of capabilities that can be integrated via modern standards like OpenID Connect and REST.

Geetha

You mentioned architecture, cloud IAM architectures. What could be the ideal framework, IAM framework, for an enterprise?

Mark

It's difficult to make a judgement because of the different requirements around compliance and risk there, and I think most people will have a good understanding of what makes sense for their organisation, but I think one of the major things people have to remind themselves of is that the attackers — the bad guys — are looking for all the chinks in the armour, all the small holes that they can get through, so you really have to be very careful what you use to store identity data and what's involved in your authentication and authorisation flows there. I think there are various frameworks out in the market at the moment. I think people have to be really aware that it goes much beyond being able to authenticate and store data and so on, and they have to be looking at the security flows for account recovery, for password reset, allowing for Multi-Factor Authentication as standard, not just as an optional extra or as a cost add-on.

I think we as an industry have to push multi-factor authentication as being no longer optional. And then looking at what the impact on the processes of the organisation is as well. How you integrate that into your CI/CD pipelines. How you're able to push new capabilities and new updates to applications, and data schemas, and so on, such that it provides for 24/7 operation. And that’s certainly something that the newer cloud capabilities provide for. Again, you have to evaluate that pretty carefully so that you're getting the best capabilities for your money.

Geetha

What do you think practitioners need to pay attention to or need to understand when it comes to implementing cloud IAM? What kind of processes, what kind of steps are required from a security team?

Mark

I think that in deciding on a platform like this, obviously there's going to be a security review that happens. You’d want to see penetration test results, you’d want to see the various security standards being met. One of the big things that happens is often there's a question around data sovereignty when you're storing data in the cloud, and this is something again which is very customer-specific depending on which industry they’re working in. For governments, or for financial services, or whatever, that can be a big no-no — to store data outside of the country. Other organisations are quite happy for their data to be stored offsite, whether that be in the US, or Europe, or in Asia-Pacific. So that's one thing that has to be looked at really carefully — what does the identity service [do] in the cloud, where do they store their data, what are their processes for backups and recovery, and what standards do they meet as an organisation.

Also you need to look at what the support for developers is like, because that's often driving the deployment of these services, so you want something that's fully REST-enabled, that supports OpenID Connect, that has your Multi-Factor Authentication built into it, that has a lot of “out of the box” capabilities, so you're not writing your own security code.

And I think definitely there are things to be said about having the right skills in the organisation and trying to bring as much of that in-house as possible, because often these services are very mission-critical. They have a direct impact on the uptime of the organisation, whether that has a financial impact or a regulatory impact, and being able to have the right people in the organisation, who understand how these services work, is becoming more important.

Geetha

Thank you very much Mark, for sharing your thoughts on how cloud IAM is evolving, and it is also helping customers pre-empt breaches.

Mark

Thank you very much. It’s been a pleasure.

Geetha

Thanks. This is Geetha Nandikotkur from ISMG.