Risk
9/22/2011
05:00 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Exclusive Research: Why Identity Management Is Critical Right Now

Breached partners, mobility, SaaS, consumerization. If you don't know exactly who's doing what on your network, you're cruising for data loss.

InformationWeek Green - Sept. 26, 2011 InformationWeek Green
Download the entire Sept. 26, 2011 issue of InformationWeek, distributed in an all-digital format as part of our Green Initiative
(Registration required.)
We will plant a tree for each of the first 5,000 downloads.

IdM Sometimes, we're our own worst enemies. A much-publicized 2007 Microsoft study showed the average employee had about seven logins to remember. Now we're piling on SaaS and mobile applications while granting trusted status and network access to partners without fully vetting their security--and just ask one CIO whose organization was breached how that worked out. Yet just 27% of the 438 business technology professionals responding to our 2011 InformationWeek Identity Management Survey say their companies have what we consider comprehensive identity management (IdM) deployments, defined as company-wide internal IdM programs plus cross-domain use for outside vendors and partners. Adoption increases are miniscule since we last surveyed readers on IdM, in 2009.

No wonder people still use sticky notes to manage user names and passwords.

Done right, identity management employs a mix of software and processes to accomplish a single, deceptively simple, goal: make sure people are who they say they are, then give them the right levels of access. IdM encompasses five main pillars: authentication, user provisioning and deprovisioning, role mapping, setting up identity stores and directory services, and auditing and reporting. These, along with cryptographic signatures and other enabling technologies, lay the groundwork for secure interoperability among employees, customers, and partners.

In our 2009 report, the big buzz was around cross-domain federation with external suppliers, where each business acts as both an issuer and a consumer of identity credentials; the holy grail was to give users access via single sign-on to every member of the federation. Today, companies like Facebook and Twitter are advancing this concept by espousing "bring your own identity," or BYOI, which we'll dig into more later. Vendors are finally committing to standards, like OAuth. It's exciting stuff. But at the end of the day, you're still on the hook to verify that people accessing sensitive data are who they say they are. And that remains a challenge.

Worth Doing

The yen for identity management has been around for as long as we've used role-based access control and directories. The idea of a single spot where we define our users, their roles, what they have access to, and their user name and password combinations makes a lot of sense, even to the most nontechnical executive. Everyone likes having a quick and decisive way to cut off access if you find out an employee is leaving to work for a competitor. And in theory, with this repository in place, whenever IT needs a new application, the development team could simply tap into the directory store and use the IdM system to provide authentication and authorization. Done.

One problem though: The world's messy. The ROI from identity management is directly dependent on how strictly an IT organization integrates all applications and services into its IdM program. Every single piece of software that isn't connected, or is only partially so, requires a unique set of authentication and authorization processes, and that means pricey customization. Eventually, you have gaps.

Since it's so difficult to centralize on just one identity management system, companies have looked to federation products that sit on top of disparate IdM systems and promise to provide integration. For example, with federation, you could (in theory) use Active Directory for operating system logins but employ Oracle IdM for databases.

The problem here is that identity management has to be about more than just internal logins and identities. Most companies let suppliers and contractors access sensitive data. However, when you attempt to link your federation technology to that of an external party, you can generally forget having your IdM products communicate using the same language, because of a lack of widely adopted standards.

To make matters worse, most applications and network systems still can't talk to IdM products, period: In our survey, only 18% of those enrolling cloud/SaaS application authentication in their IdM program say these applications integrate with their user directories; 49% do expensive custom development to integrate with their SaaS providers, while 44% provision user access and manage passwords manually.

Even given all this frustration, federation isn't dead--just hibernating. Within the next two years, we expect to see some stronger players, such as Ping Identity, Microsoft, and Oracle (Sun), embrace standards and pull away from the pack.

Meanwhile, of poll respondents who are skipping IdM altogether, 70% say it's because they don't see a need. No other factor even registers double digits. This suggests that vendors busily revamping, repricing, and renaming their products and hammering on low cost and ease of use are missing the point. Just 5% cite complexity, and only 4% say cost is holding them back.

Our message to at least some of that 70%: You're in denial. We understand why IT has a sour outlook on IdM, given the lack of integration and standards support. But we're now facing advanced threats while simultaneously throwing cloud services and personal devices into the mix. Profile your typical employee in terms of using Facebook, Gmail, and a variety of other Web-based applications. They likely have seven to 15 user name/password combos; meanwhile, your company is probably using or considering cloud services that, by definition, aren't playing nice with Active Directory.

To read the rest of the article,
Download the Sept. 26, 2011 issue of InformationWeek

SaaS, Mobility Add Urgency

Download InformationWeek Reports full report on identity management, free with registration.

This report includes 38 pages of action-oriented analysis packed with 23 charts. What you'll find:
  • The Top 3 reasons IdM projects fail, and how to beat the odds
  • Policy guidelines for success
  • Respondents' most-used IdM vendors
  • Rating: 14 critical IdM features
Get This And All Our Reports


Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-0750
Published: 2015-05-22
The administrative web interface in Cisco Hosted Collaboration Solution (HCS) 10.6(1) and earlier allows remote authenticated users to execute arbitrary commands via crafted input to unspecified fields, aka Bug ID CSCut02786.

CVE-2012-1978
Published: 2015-05-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Simple PHP Agenda 2.2.8 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add an administrator via a request to auth/process.php, (2) delete an administrator via a request to auth/admi...

CVE-2015-0741
Published: 2015-05-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Cisco Prime Central for Hosted Collaboration Solution (PC4HCS) 10.6(1) and earlier allow remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCut04596.

CVE-2015-0742
Published: 2015-05-21
The Protocol Independent Multicast (PIM) application in Cisco Adaptive Security Appliance (ASA) Software 9.2(0.0), 9.2(0.104), 9.2(3.1), 9.2(3.4), 9.3(1.105), 9.3(2.100), 9.4(0.115), 100.13(0.21), 100.13(20.3), 100.13(21.9), and 100.14(1.1) does not properly implement multicast-forwarding registrati...

CVE-2015-0746
Published: 2015-05-21
The REST API in Cisco Access Control Server (ACS) 5.5(0.46.2) allows remote attackers to cause a denial of service (API outage) by sending many requests, aka Bug ID CSCut62022.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.