Risk
9/22/2011
05:00 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Exclusive Research: Why Identity Management Is Critical Right Now

Breached partners, mobility, SaaS, consumerization. If you don't know exactly who's doing what on your network, you're cruising for data loss.

InformationWeek Green - Sept. 26, 2011 InformationWeek Green
Download the entire Sept. 26, 2011 issue of InformationWeek, distributed in an all-digital format as part of our Green Initiative
(Registration required.)
We will plant a tree for each of the first 5,000 downloads.

IdM Sometimes, we're our own worst enemies. A much-publicized 2007 Microsoft study showed the average employee had about seven logins to remember. Now we're piling on SaaS and mobile applications while granting trusted status and network access to partners without fully vetting their security--and just ask one CIO whose organization was breached how that worked out. Yet just 27% of the 438 business technology professionals responding to our 2011 InformationWeek Identity Management Survey say their companies have what we consider comprehensive identity management (IdM) deployments, defined as company-wide internal IdM programs plus cross-domain use for outside vendors and partners. Adoption increases are miniscule since we last surveyed readers on IdM, in 2009.

No wonder people still use sticky notes to manage user names and passwords.

Done right, identity management employs a mix of software and processes to accomplish a single, deceptively simple, goal: make sure people are who they say they are, then give them the right levels of access. IdM encompasses five main pillars: authentication, user provisioning and deprovisioning, role mapping, setting up identity stores and directory services, and auditing and reporting. These, along with cryptographic signatures and other enabling technologies, lay the groundwork for secure interoperability among employees, customers, and partners.

In our 2009 report, the big buzz was around cross-domain federation with external suppliers, where each business acts as both an issuer and a consumer of identity credentials; the holy grail was to give users access via single sign-on to every member of the federation. Today, companies like Facebook and Twitter are advancing this concept by espousing "bring your own identity," or BYOI, which we'll dig into more later. Vendors are finally committing to standards, like OAuth. It's exciting stuff. But at the end of the day, you're still on the hook to verify that people accessing sensitive data are who they say they are. And that remains a challenge.

Worth Doing

The yen for identity management has been around for as long as we've used role-based access control and directories. The idea of a single spot where we define our users, their roles, what they have access to, and their user name and password combinations makes a lot of sense, even to the most nontechnical executive. Everyone likes having a quick and decisive way to cut off access if you find out an employee is leaving to work for a competitor. And in theory, with this repository in place, whenever IT needs a new application, the development team could simply tap into the directory store and use the IdM system to provide authentication and authorization. Done.

One problem though: The world's messy. The ROI from identity management is directly dependent on how strictly an IT organization integrates all applications and services into its IdM program. Every single piece of software that isn't connected, or is only partially so, requires a unique set of authentication and authorization processes, and that means pricey customization. Eventually, you have gaps.

Since it's so difficult to centralize on just one identity management system, companies have looked to federation products that sit on top of disparate IdM systems and promise to provide integration. For example, with federation, you could (in theory) use Active Directory for operating system logins but employ Oracle IdM for databases.

The problem here is that identity management has to be about more than just internal logins and identities. Most companies let suppliers and contractors access sensitive data. However, when you attempt to link your federation technology to that of an external party, you can generally forget having your IdM products communicate using the same language, because of a lack of widely adopted standards.

To make matters worse, most applications and network systems still can't talk to IdM products, period: In our survey, only 18% of those enrolling cloud/SaaS application authentication in their IdM program say these applications integrate with their user directories; 49% do expensive custom development to integrate with their SaaS providers, while 44% provision user access and manage passwords manually.

Even given all this frustration, federation isn't dead--just hibernating. Within the next two years, we expect to see some stronger players, such as Ping Identity, Microsoft, and Oracle (Sun), embrace standards and pull away from the pack.

Meanwhile, of poll respondents who are skipping IdM altogether, 70% say it's because they don't see a need. No other factor even registers double digits. This suggests that vendors busily revamping, repricing, and renaming their products and hammering on low cost and ease of use are missing the point. Just 5% cite complexity, and only 4% say cost is holding them back.

Our message to at least some of that 70%: You're in denial. We understand why IT has a sour outlook on IdM, given the lack of integration and standards support. But we're now facing advanced threats while simultaneously throwing cloud services and personal devices into the mix. Profile your typical employee in terms of using Facebook, Gmail, and a variety of other Web-based applications. They likely have seven to 15 user name/password combos; meanwhile, your company is probably using or considering cloud services that, by definition, aren't playing nice with Active Directory.

To read the rest of the article,
Download the Sept. 26, 2011 issue of InformationWeek

SaaS, Mobility Add Urgency

Download InformationWeek Reports full report on identity management, free with registration.

This report includes 38 pages of action-oriented analysis packed with 23 charts. What you'll find:
  • The Top 3 reasons IdM projects fail, and how to beat the odds
  • Policy guidelines for success
  • Respondents' most-used IdM vendors
  • Rating: 14 critical IdM features
Get This And All Our Reports


Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7298
Published: 2014-10-24
adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify DirectControl 3.x through 4.2.0 on Linux and UNIX allows local users to read arbitrary files with root privileges by leveraging improperly protected setuid functionality.

CVE-2014-8346
Published: 2014-10-24
The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.