Cloud-Based Identity Management Systems: What to Look For

On the Internet, famously, nobody knows that you're a dog. Fine, you're a dog. But whose dog are you? Are you authorized to use the doggy door? Eat from the food bowl? Sleep in the dog bed? Bark at intruders? Ultimately, are you a good dog?

With a real-life dog, you can check the ID tag on the pet collar. What about authorizing people or applications to use enterprise applications and networks? Traditionally, that's the realm of server-based identity and access management (IAM) systems such as Microsoft's Active Directory or a Linux-based Lightweight Directory Access Protocol (LDAP) server.

In the cloud era, there are new cloud-native IAM packages that work more efficiently. Before we dive into some of the choices, let's look at the features and functions of an IAM system.

An IAM package -- including on-premises systems such as Active Directory or an LDAP server -- does more than say "access permitted" or "access denied."
There are ranges of protection and of access control, governing everything from permission to use a WiFi network, to being able to use a single sign-on (SSO) package to gain access to cloud servers, to being granted (or denied) administrative privileges, to being granted (or denied) access to some data fields or functions within applications.

For example, take a human-resources database: Most workers might be given limited access, such as to look up contact information for other employees -- but only HR staff might be able to access payroll data. Even there, data access could be constrained on a need-to-know basis.

An IAM system should be able to handle broad access -- like to the WiFi or to SSO -- as well as being able to reach deep into applications to govern fine-grained access controls.

From cloud to multicloud

A small company might be able to work fine with an IAM system that works across a single cloud service -- Amazon Web Services, for example. However, an enterprise-grade IAM should be able to work across multiple network domains, including multiple clouds -- Google Cloud Platform, Microsoft Azure, AWS -- on-premises data center applications, and even hosted software-as-a-service, like Salesforce.

Being able to scale to multiple domains is where the concept of federation comes in. Federation can integrate and synchronize several IAM systems together across disparate networks, operating systems, and application platforms. Even simpler, however, are IAM platforms that run natively on multiple clouds and in the data center, so that there's only a single identity platform to install, manage, update and debug.

Hard-core Microsoft shops have one key advantage when it comes to IAM, in that on-premises Active Directory and Microsoft's online services are tightly integrated. That includes Microsoft's Identity Manager, Azure Multi-Factor Authentication, and Azure Active Directory. Federating on-premises and cloud-based IAM is probably easier than with any other cloud provider's platform.

So, if you're a Microsoft shop, you can stop reading. It's not so easy elsewhere.

AWS offers a strong Identity and Access Management system, included at no extra cost with AWS accounts. The AWS system includes federation functions using the Security Assertion Markup Language 2.0 (SAML) standard, as well as tools such as Amazon Cognito to provide IAM options for web and mobile users. For those using Active Directory on-site, but wanting to use AWS in the cloud, Amazon also offers a non-SAML integration tool, called Amazon Directory Service for Microsoft Active Directory. The tools are there, but it's up to you -- or your consultants -- to do the heavy lifting and make sure that everything is working properly.
IAM solutions for Google Cloud Platform are offered in two tiers: free and paid. The Cloud Identity Free Edition provides basic identity and end-point security services. The paid version adds enterprise security, application management, and mobile device management.

Frankly, I find Google's implementation of IAM more limited than either AWS or Azure; it's more focused on devices and users, and less on fine-grained access controls than other IAM platforms. Federation with other IAM platforms is through a separate cloud product -- Google Firebase -- but it's really geared around federation with social media SSO platforms, like Twitter and Facebook, as well as mobile platforms like Android and iOS. In other words: Google's IAM isn't designed out of the box to be integrated with other cloud players or enterprise systems. You can do it, but it's a lot of work.

Another option for a complete IAM cloud solution is to choose a dedicated third-party provider. The benefit here is that you're not locked into a specific cloud vendor's solution. The drawbacks: You're locked into the IAM vendor's solution, and of course, there's going to be an extra cost.

Don't dismiss the aftermarket out of hand, however; it's worth looking into the wide range of vendors in this space, from Auth0 to IAM Cloud to IBM to JumpCloud to Oracle Identity Management to Ping Identity. You never know, they might have just the features -- and the doggy-door integrations -- that you're looking for.
— Alan Zeichick is principal analyst at Camden Associates, a technology consultancy in Phoenix, Arizona, specializing in enterprise networking, cybersecurity, and software development. Follow him @zeichick.
Copyright © 2019 Light Reading, part of Informa Tech, a division of Informa PLC. All rights reserved.