4/18/2013
02:11 AM

Facebook vs. Salesforce: An Identity Smackdown?

Some say Facebook's growing role as an online identity provider could make it a potential enterprise IAM tool; others say Salesforce would have a better shot as a non-traditional IAM provider.

Over the past several years, social media giant Facebook has extended its tentacles beyond Likes and status updates straight into the heart of consumers' online identities. These days it's hard to go very long during a Web browsing session without stumbling upon another major website that uses Facebook credentials as an easy way to log into its system.

"It's pretty much a fact that it's becoming a de facto identity source," says Lawrence Pingree, an analyst for Gartner who is among a growing contingent of IT professionals who believe the writing is on the wall for Facebook to eventually creep its way into the enterprise identity space.

The thought is that the ubiquity of Facebook login and the existing enrollment would make it a natural fit within the enterprise, as would Facebook's investment in the OAuth authentication protocol. But Pingree's predictions are fighting words for some, who believe Facebook's consumer roots, its questionable reputation for privacy, and its historical infrastructure insecurities will keep it from ever taking hold in the enterprise.


"The biggest concern that people have is Facebook already has this reputation for promiscuity and changing its privacy policies. The way that it implements these changes so routinely, it's difficult for ordinary users to determine if what they're doing is not, in fact, clicking on a link to read a news story, but actually granting permissions to some third-party application to access their data," says Scott Crawford, an analyst for Enterprise Management Associates. "That would be a serious problem in the enterprise."

On top of that, says Phil Lieberman, CEO of privileged identity management company Lieberman Software, Facebook is missing a big ingredient to be a credible play within the enterprise.

"There's no question that Facebook can authenticate you, but where I think the breakdown will occur is not the authentication, but the authorization model," he says. "And if you can't provide authorization, what's the point?"

Lieberman says he and Pingree have been going back and forth on these issues to the point where the two placed a $1 bet with one another at RSA about Facebook's long-term potential as an enterprise IAM play. For his part, Lieberman says Facebook simply can't handle the hierarchical, group-based nature of enterprise identity environments.

"It has a richness to it," says Lieberman, of enterprise identity infrastructure. "With Facebook authentication, you don't have group memberships, you don't have all of the other things you need."

Some security experts believe that even without Facebook, there's still room for a non-traditional identity provider to take the wind out of the sails of the burgeoning niche of cloud identity services. According to Jackson Shaw, senior director of identity management for Quest Software, a Dell company, these services don't have enough "groundswell" behind them to sustain widespread success. If an alternative did take root, his money would be on Salesforce to prevail. "There's credibility for Salesforce being an enterprise identity provider," Shaw says. "They have a legitimate claim for being an identity provider because so many people use salesforce.com. It's hard not to run into an enterprise that's not using Salesforce to some degree. Even small companies."

What's more, with Salesforce, some of the authorization questions would be better answered.

"If you think of something like Salesforce, as an extension of the enterprise, I could probably be pretty assured that if Jackson leaves Dell, they're going to get rid of his Salesforce account in Salesforce," Shaw says. "Which would mean that I could trust it. If I know that it's there, I know he's with Dell, and if it's not there, he's no longer with Dell."

But Pingree says that as prevalent as Salesforce may be in the enterprise, it can't match Facebook's base of stored identities.

"What I would say to that is that Salesforce isn't already widely used as an authentication mechanism across the Internet," he says.

As for authorization, he doesn't think it’s a stretch that with a little effort, motivated enterprises could make it work through Facebook.

"Most enterprise apps reside inside of an enterprise and they could potentially use an OAuth gateway or SOA gateway to be able to transmit the messages for assertion out to Facebook and get a response back that says, 'Yeah, that's the user,'" he says. As he puts it, the authorization process is a workflow, so it wouldn't be unfeasible for Facebook to build the means for "workflowing authorization out of their service." He believes that enterprises will have to hold Facebook's feet to the fire to 'grow up' and better support the enterprise with this kind of integration, and to adopt a more mature attitude toward internal security. At the same time, enterprises themselves need to recognize that the world is changing.
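The gateway pattern Pingree sketches, and the authentication-versus-authorization split Lieberman and Shaw raise, can be made concrete. The following is an added example written for this page, not code from the article or from Facebook, Salesforce or any gateway vendor: an external provider answers only "yes, that's the user" with a signed assertion, and the enterprise gateway keeps account linking, group membership and deprovisioning under its own control. The issuer name, the HMAC-based assertion format, the shared secret, the account-link table, the directory groups and the resource ACL are all constructed for illustration.

```python
"""Added example: an enterprise gateway that accepts an external identity
assertion for authentication but owns the authorization model itself.
Everything below (issuer, secret, tokens, tables) is constructed."""
import hashlib
import hmac
import json

IDP_ISSUER = "https://idp.example"                  # hypothetical external identity provider
IDP_SECRET = b"constructed-idp-signing-secret"      # stands in for the trust set up with the IdP


def idp_issue_assertion(subject, email, now):
    """Simulate the external provider's answer: 'yeah, that's the user'.
    Note what is absent: no groups, no roles, no employment status."""
    claims = {"iss": IDP_ISSUER, "sub": subject, "email": email,
              "iat": now, "exp": now + 300}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(IDP_SECRET, body, hashlib.sha256).hexdigest()
    return {"claims": body.decode(), "sig": sig}


def verify_assertion(token, now):
    """Gateway side: authenticate the assertion itself (signature, issuer, expiry).
    Returns the claims dict, or None if the assertion is not trustworthy."""
    body = token["claims"].encode()
    expected = hmac.new(IDP_SECRET, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None
    claims = json.loads(body)
    if claims.get("iss") != IDP_ISSUER or claims.get("exp", 0) <= now:
        return None
    return claims


# Enterprise-owned state (constructed). The external subject is linked to an
# internal account; group membership and ACLs never leave the enterprise.
ACCOUNT_LINKS = {"ext-1001": "jshaw", "ext-1002": "plieberman"}
DIRECTORY_GROUPS = {"jshaw": {"staff", "sales"}, "plieberman": {"staff"}}
RESOURCE_ACL = {"crm": {"sales"}, "wiki": {"staff"}}


def authorize(token, resource, now, links=ACCOUNT_LINKS,
              groups=DIRECTORY_GROUPS, acl=RESOURCE_ACL):
    """Return (allowed, reason). The IdP settles authentication; every step
    after verify_assertion() is the enterprise's own authorization workflow."""
    claims = verify_assertion(token, now)
    if claims is None:
        return False, "assertion rejected"
    user = links.get(claims["sub"])
    if user is None:
        # Authenticated by the IdP, but the enterprise never linked this subject.
        return False, "authenticated but not linked to an enterprise account"
    member_of = groups.get(user)
    if member_of is None:
        # Directory entry removed: a valid external login no longer grants anything.
        return False, "account deprovisioned"
    if member_of & acl.get(resource, set()):
        return True, f"{user} allowed via group"
    return False, f"{user} lacks required group"


if __name__ == "__main__":
    now = 1000.0
    tok = idp_issue_assertion("ext-1001", "jshaw@example.com", now)
    print(authorize(tok, "crm", now))           # allowed: linked and in 'sales'
    print(authorize(tok, "crm", now, groups={}))  # denied: deprovisioned locally
    print(authorize(tok, "crm", now + 600))     # denied: assertion expired
```

The point the example makes is the one Lieberman raises: the assertion carries identity, not group membership, so without the enterprise's own link table and directory the answer to every access question is "no". It also shows Shaw's deprovisioning argument in code: deleting the local account is enough to revoke access even while the external login still works.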

"I just think that consumerization and software as a service is driving us to extend our trust boundaries outside of the enterprise," he says.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
InfoSecurityMaster, User Rank: Apprentice
4/19/2013 | 5:16:45 PM
re: Facebook vs. Salesforce: An Identity Smackdown?
F definitely has the ubiquitous presence to serve as an identity service, but (more or less leaning away from F) has nothing that indicates any pedigree as to authentication. Secondly, unless one has duplicate (and therefore schizophrenic) F identities - one for personal, one for professional - then both user and enterprise are never going to agree on F for identity, let alone authentication.

Salesforce (or better yet, LinkedIn) would be a better choice for universal identity as long as they beat the silliness out of F on authentication - maybe default to OAuth or some similarly high-pedigree authentication and authenticity mechanisms. Salesforce's only other issue might be that it doesn't have a name that says ubiquitous.

LinkedIn might be the best choice, especially for job search, placement, etc. The only thing uncertain is vetting identities. Maybe one of these should partner with TSA (which I detest, so forgive the suggestion) PreCheck|CPB Global Entry in order to vet persons. Global Entry is $100 for 5 years to bypass the TSA at airports (and other stuff) based on a background/criminal check. (These obviously would not be desirable for non-US persons.) I would guess someone of these (LinkedIn, Salesforce) could induce a comparably acceptable vetting program (and therefore avoid the whole Homeland Security mess, especially for non-US persons).
EChickowski921, User Rank: Apprentice
4/18/2013 | 11:49:17 PM
re: Facebook vs. Salesforce: An Identity Smackdown?
Agreed, Bpiwonka, that's one of many sub-issues still left to be explored in the context of these alternative IAM service provider relationships. And along with that ownership issue, enterprises will have to contend with plenty of employees crying foul about the privacy of their Facebook accounts. When I asked Pingree of Gartner about it, he mentioned that organizations could offer the ability to opt out. But at that point I wonder if you start losing some of the benefits of scale/ubiquity. I'd think the law of diminishing returns would start to come to bear as employees are given greater options.

Ericka Chickowski, Contributing Writer, Dark Reading
Bpiwonka, User Rank: Apprentice
4/18/2013 | 11:29:45 PM
re: Facebook vs. Salesforce: An Identity Smackdown?
I agree it's an interesting topic and think both companies will be major players going forward. One perspective that wasn't touched upon in the article is that an identity on Facebook is owned by the individual, and thus will persist over time. But a Salesforce identity is owned by the employer, and thus ends with termination of employment.
kjhiggins, User Rank: Strategist
4/18/2013 | 1:52:04 PM
re: Facebook vs. Salesforce: An Identity Smackdown?
This is a provocative topic and very interesting. While the security industry is mostly FB-averse for obvious reasons, it would be interesting to see if enterprises that are social networking-heavy end up using FB as an ID tool.

Kelly Jackson Higgins, Senior Editor, Dark Reading