
Facebook vs. Salesforce: An Identity Smackdown?

Some say Facebook's growing role as online identity provider could make it a potential enterprise IAM tool; others say Salesforce would have a better shot as a non-traditional IAM provider

Over the past several years, social media giant Facebook has extended its tentacles beyond Likes and status updates straight into the heart of consumers' online identities. These days it's hard to go very long during a Web browsing session without stumbling upon another major website that uses Facebook credentials as an easy way to log into its system.

"It's pretty much a fact that it's becoming a de facto identity source," says Lawrence Pingree, an analyst for Gartner who is among a growing contingent of IT professionals who believe the writing is on the wall for Facebook to eventually creep its way into the enterprise identity space.

The thought is that the ubiquity of Facebook login and the existing enrollment would make it a natural fit within the enterprise, as would Facebook's investment in the OAuth authentication protocol. But Pingree's predictions are fighting words for some, who believe Facebook's consumer roots, its questionable reputation for privacy, and its historical infrastructure insecurities will keep it from ever taking hold in the enterprise.


"The biggest concern that people have is Facebook already has this reputation for promiscuity and changing its privacy policies. The way that it implements these changes so routinely, it's difficult for ordinary users to determine if what they're doing is not, in fact, clicking on a link to read a news story, but actually granting permissions to some third-party application to access their data," says Scott Crawford, an analyst for Enterprise Management Associates. "That would be a serious problem in the enterprise."

On top of that, says Phil Lieberman, CEO of privileged identity management company Lieberman Software, Facebook is missing a big ingredient to be a credible play within the enterprise.

"There's no question that Facebook can authenticate you, but where I think the breakdown will occur is not the authentication, but the authorization model," he says. "And if you can't provide authorization, what's the point?"

Lieberman says he and Pingree have been going back and forth on these issues to the point where the two placed a $1 bet with one another at RSA about Facebook's long-term potential as an enterprise IAM play. For his part, Lieberman says Facebook simply can't handle the hierarchical, group-based nature of enterprise identity environments.

"It has a richness to it," says Lieberman, of enterprise identity infrastructure. "With Facebook authentication, you don't have group memberships, you don't have all of the other things you need."

Some security experts believe that even without Facebook, there's still room for a non-traditional identity provider to take the wind out of the sails of the burgeoning niche of cloud identity services. According to Jackson Shaw, senior director of identity management for Quest Software, a Dell company, these services don't have enough "groundswell" behind them to sustain widespread success. If an alternative did take root, his money would be on Salesforce to prevail. "There's credibility for Salesforce being an enterprise identity provider," Shaw says. "They have a legitimate claim for being an identity provider because so many people use salesforce.com. It's hard not to run into an enterprise that's not using Salesforce to some degree. Even small companies."

What's more, with Salesforce, some of the authorization questions would be better answered.

"If you think of something like Salesforce, as an extension of the enterprise, I could probably be pretty assured that if Jackson leaves Dell, they're going to get rid of his Salesforce account in Salesforce," Shaw says. "Which would mean that I could trust it. If I know that it's there, I know he's with Dell, and if it's not there, he's no longer with Dell."

But Pingree says that as prevalent as Salesforce may be in the enterprise, it can't match Facebook's base of stored identities.

"What I would say to that is that Salesforce isn't already widely used as an authentication mechanism across the Internet," he says.

As for authorization, he doesn't think it’s a stretch that with a little effort, motivated enterprises could make it work through Facebook.

"Most enterprise apps reside inside of an enterprise and they could potentially use an OAuth gateway or SOA gateway to be able to transmit the messages for assertion out to Facebook and get a response back that says, 'Yeah, that's the user,'" he says. As he puts it, the authorization process is a workflow, so it wouldn't be unfeasible for Facebook to build the means for "workflowing authorization out of their service." He believes that enterprises will have to hold Facebook's feet to the fire to 'grow up' and better support the enterprise with this kind of integration and also a more mature attitude toward internal security. At the same time, enterprises themselves need to recognize the world is changing.

"I just think that consumerization and software as a service is driving us to extend our trust boundaries outside of the enterprise," he says.
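The split the analysts describe, an external provider answering only "that's the user" while the enterprise decides group membership and whether the account still exists, as an added toy gateway. This is a constructed example, not code from Facebook, Salesforce or any vendor named here; the HMAC-signed assertion, the directory entries and the resource paths are assumptions.

```python
import base64, binascii, hashlib, hmac, json, time

# Assumption: gateway and external IdP share an HMAC key (stand-in for OAuth token validation)
SHARED_SECRET = b"constructed-demo-secret"

# Constructed enterprise directory: employment status and group memberships live here,
# not at the external identity provider
DIRECTORY = {
    "jackson@example.com": {"active": True, "groups": {"sales", "crm-admins"}},
    "bob@example.com": {"active": True, "groups": {"sales"}},
    "alice@example.com": {"active": False, "groups": {"sales"}},  # deprovisioned on departure
}
# Constructed resource-to-group policy; unknown resources default to deny
REQUIRED_GROUP = {"/crm/export": "crm-admins", "/crm/view": "sales"}


def make_assertion(subject, ttl=300):
    """Stand-in for the external provider's 'yeah, that's the user' response."""
    body = json.dumps({"sub": subject, "exp": int(time.time()) + ttl}).encode()
    sig = hmac.new(SHARED_SECRET, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + sig


def verify_assertion(token, now=None):
    """Authentication only: check signature and expiry, return the subject or None."""
    try:
        b64, sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(b64)
        claims = json.loads(body)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SHARED_SECRET, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("exp", 0) < (now if now is not None else time.time()):
        return None
    return claims.get("sub")


def authorize(token, resource):
    """Authorization: the external provider cannot answer this; the directory does."""
    subject = verify_assertion(token)
    if subject is None:
        return "deny: authentication failed"
    record = DIRECTORY.get(subject)
    if record is None or not record["active"]:
        return "deny: no active enterprise account"   # account removed when the person left
    if REQUIRED_GROUP.get(resource) not in record["groups"]:
        return "deny: not in required group"          # membership data the IdP never had
    return "allow"
```

A valid assertion for a departed employee or for a user outside the required group is still refused, which is the gap the analysts argue a consumer identity provider cannot close on its own.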


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

4/18/2013 | 1:52:04 PM
re: Facebook vs. Salesforce: An Identity Smackdown?
This is a provocative topic and very interesting. While the security industry is mostly FB-averse for obvious reasons, it would be interesting to see if enterprises that are social networking-heavy end up using FB as an ID tool.

Kelly Jackson Higgins, Senior Editor, Dark Reading
4/18/2013 | 11:29:45 PM
re: Facebook vs. Salesforce: An Identity Smackdown?
I agree it's an interesting topic and think both companies will be major players going forward. One perspective that wasn't touched upon in the article is that an identity on Facebook is owned by the individual, and thus will persist over time. But a Salesforce identity is owned by the employer, and thus ends with termination of employment.
Ericka Chickowski
4/18/2013 | 11:49:17 PM
re: Facebook vs. Salesforce: An Identity Smackdown?
Agreed, Bpiwonka, that's one of many sub-issues still left to be explored in the context of these alternative IAM service provider relationships. And along with that ownership issue, enterprises will have to contend with plenty of employees crying foul about the privacy of their Facebook accounts. When I asked Pingree of Gartner about it, he mentioned that organizations could offer the ability to opt out. But at that point I wonder if you start losing some of the benefits of scale/ubiquity. I'd think the law of diminishing returns would start to come to bear as employees are given greater options.

Ericka Chickowski, Contributing Writer, Dark Reading
4/19/2013 | 5:16:45 PM
re: Facebook vs. Salesforce: An Identity Smackdown?
F definitely has the ubiquitous presence to serve as an identity service, but (more or less leaning away from F) has nothing that indicates any pedigree as to authentication. Secondly, unless one has duplicate (and therefore schizophrenic) F identities - one for personal, one for professional - then both user and enterprise are never going to agree on F for identity let alone authentication.

Salesforce (or better yet, LinkedIn) would be a better choice for universal identity as long as they beat the silliness out of F on authentication - maybe default to OAuth or some similarly high pedigree authentication and authenticity mechanisms. Salesforce's only other issue might be that it doesn't have a name that says ubiquitous.

LinkedIn might be the best choice, especially for job search, placement, etc. The only thing uncertain is vetting identities. Maybe one of these should partner with TSA (which I detest, so forgive the suggestion) PreCheck|CBP Global Entry in order to vet persons. Global Entry is $100 for 5 years to bypass the TSA at airports (and other stuff) based on a background/criminal check. (These obviously would not be desirable for non-US persons). I would guess one of these (LinkedIn, Salesforce) could induce a comparably acceptable vetting program (and therefore avoid the whole Homeland Security mess, especially for non-US persons).