Facebook vs. Salesforce: An Identity Smackdown?
Some say Facebook's growing role as an online identity provider could make it a potential enterprise IAM tool; others say Salesforce would have a better shot as a non-traditional IAM provider
Over the past several years, social media giant Facebook has extended its tentacles beyond Likes and status updates straight into the heart of consumers' online identities. These days it's hard to go very long during a Web browsing session without stumbling upon another major website that uses Facebook credentials as an easy way to log into its system.
"It's pretty much a fact that it's becoming a de facto identity source," says Lawrence Pingree, an analyst for Gartner who is among a growing contingent of IT professionals who believe the writing is on the wall for Facebook to eventually creep its way into the enterprise identity space.
The thought is that the ubiquity of Facebook login and the existing enrollment would make it a natural fit within the enterprise, as would Facebook's investment in the OAuth authentication protocol. But Pingree's predictions are fighting words for some, who believe Facebook's consumer roots, its questionable reputation for privacy, and its historical infrastructure insecurities will keep it from ever taking hold in the enterprise.
"The biggest concern that people have is Facebook already has this reputation for promiscuity and changing its privacy policies. The way that it implements these changes so routinely, it's difficult for ordinary users to determine if what they're doing is not, in fact, clicking on a link to read a news story, but actually granting permissions to some third-party application to access their data," says Scott Crawford, an analyst for Enterprise Management Associates. "That would be a serious problem in the enterprise."
On top of that, says Phil Lieberman, CEO of privileged identity management company Lieberman Software, Facebook is missing a big ingredient to be a credible play within the enterprise.
"There's no question that Facebook can authenticate you, but where I think the breakdown will occur is not the authentication, but the authorization model," he says. "And if you can't provide authorization, what's the point?"
Lieberman says he and Pingree have been going back and forth on these issues to the point where the two placed a $1 bet with one another at RSA about Facebook's long-term potential as an enterprise IAM play. For his part, Lieberman says Facebook simply can't handle the hierarchical, group-based nature of enterprise identity environments.
"It has a richness to it," says Lieberman, of enterprise identity infrastructure. "With Facebook authentication, you don't have group memberships, you don't have all of the other things you need."
Some security experts believe that even without Facebook, there's still room for a non-traditional identity provider to take the wind out of the sails of the burgeoning niche of cloud identity services. According to Jackson Shaw, senior director of identity management for Quest Software, a Dell company, these services don't have enough "groundswell" behind them to sustain widespread success. If an alternative did take root, his money would be on Salesforce to prevail. "There's credibility for Salesforce being an enterprise identity provider," Shaw says. "They have a legitimate claim for being an identity provider because so many people use salesforce.com. It's hard not to run into an enterprise that's not using Salesforce to some degree. Even small companies."
What's more, with Salesforce, some of the authorization questions would be better answered.
"If you think of something like Salesforce, as an extension of the enterprise, I could probably be pretty assured that if Jackson leaves Dell, they're going to get rid of his Salesforce account in Salesforce," Shaw says. "Which would mean that I could trust it. If I know that it's there, I know he's with Dell, and if it's not there, he's no longer with Dell."
But Pingree says that as prevalent as Salesforce may be in the enterprise, it can't match Facebook's base of stored identities.
"What I would say to that is that Salesforce isn't already widely used as an authentication mechanism across the Internet," he says.
As for authorization, he doesn't think it’s a stretch that with a little effort, motivated enterprises could make it work through Facebook.
"Most enterprise apps reside inside of an enterprise and they could potentially use an OAuth gateway or SOA gateway to be able to transmit the messages for assertion out to Facebook and get a response back that says, 'Yeah, that's the user,'" he says. As he puts it, the authorization process is a workflow, so it wouldn't be unfeasible for Facebook to build the means for "workflowing authorization out of their service," he says. He believes that enterprises will have to hold Facebook's feet to the fire to 'grow up' and better support the enterprise with this kind of integration and also a more mature attitude toward internal security. At the same time, enterprises themselves need to recognize the world is changing.
"I just think that consumerization and software as a service is driving us to extend our trust boundaries outside of the enterprise," he says.