Facebook vs. Salesforce: An Identity Smackdown?

Some say Facebook's growing role as an online identity provider could make it a potential enterprise IAM tool; others say Salesforce would have a better shot as a non-traditional IAM provider

Over the past several years, social media giant Facebook has extended its tentacles beyond Likes and status updates straight into the heart of consumers' online identities. These days it's hard to go very long during a Web browsing session without stumbling upon another major website that uses Facebook credentials as an easy way to log into its system.

"It's pretty much a fact that it's becoming a de facto identity source," says Lawrence Pingree, an analyst for Gartner who is among a growing contingent of IT professionals who believe the writing is on the wall for Facebook to eventually creep its way into the enterprise identity space.

The thought is that the ubiquity of Facebook login and the existing enrollment would make it a natural fit within the enterprise, as would Facebook's investment in the OAuth authentication protocol. But Pingree's predictions are fighting words for some, who believe Facebook's consumer roots, its questionable reputation for privacy, and its historical infrastructure insecurities will keep it from ever taking hold in the enterprise.


"The biggest concern that people have is Facebook already has this reputation for promiscuity and changing its privacy policies. The way that it implements these changes so routinely, it's difficult for ordinary users to determine if what they're doing is not, in fact, clicking on a link to read a news story, but actually granting permissions to some third-party application to access their data," says Scott Crawford, an analyst for Enterprise Management Associates. "That would be a serious problem in the enterprise."

On top of that, says Phil Lieberman, CEO of privileged identity management company Lieberman Software, Facebook is missing a big ingredient to be a credible play within the enterprise.

"There's no question that Facebook can authenticate you, but where I think the breakdown will occur is not the authentication, but the authorization model," he says. "And if you can't provide authorization, what's the point?"

Lieberman says he and Pingree have been going back and forth on these issues to the point where the two placed a $1 bet with one another at RSA about Facebook's long-term potential as an enterprise IAM play. For his part, Lieberman says Facebook simply can't handle the hierarchical, group-based nature of enterprise identity environments.

"It has a richness to it," says Lieberman, of enterprise identity infrastructure. "With Facebook authentication, you don't have group memberships, you don't have all of the other things you need."

Some security experts believe that even without Facebook, there's still room for a non-traditional identity provider to take the wind out of the sails of the burgeoning niche of cloud identity services. According to Jackson Shaw, senior director of identity management for Quest Software, a Dell company, these services don't have enough "groundswell" behind them to sustain widespread success. If an alternative did take root, his money would be on Salesforce to prevail. "There's credibility for Salesforce being an enterprise identity provider," Shaw says. "They have a legitimate claim for being an identity provider because so many people use salesforce.com. It's hard not to run into an enterprise that's not using Salesforce to some degree. Even small companies."

What's more, with Salesforce, some of the authorization questions would be better answered.

"If you think of something like Salesforce, as an extension of the enterprise, I could probably be pretty assured that if Jackson leaves Dell, they're going to get rid of his Salesforce account in Salesforce," Shaw says. "Which would mean that I could trust it. If I know that it's there, I know he's with Dell, and if it's not there, he's no longer with Dell."

But Pingree says that as prevalent as Salesforce may be in the enterprise, it can't match Facebook's base of stored identities.

"What I would say to that is that Salesforce isn't already widely used as an authentication mechanism across the Internet," he says.

As for authorization, he doesn't think it’s a stretch that with a little effort, motivated enterprises could make it work through Facebook.

"Most enterprise apps reside inside of an enterprise and they could potentially use an OAuth gateway or SOA gateway to be able to transmit the messages for assertion out to Facebook and get a response back that says, 'Yeah, that's the user,'" he says. As he puts it, the authorization process is a workflow, so it wouldn't be unfeasible for Facebook to build the means for "workflowing authorization out of their service." He believes that enterprises will have to hold Facebook's feet to the fire to "grow up" and better support the enterprise with this kind of integration and also a more mature attitude toward internal security. At the same time, enterprises themselves need to recognize the world is changing.

"I just think that consumerization and software as a service is driving us to extend our trust boundaries outside of the enterprise," he says.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

User Rank: Strategist
4/19/2013 | 5:16:45 PM
re: Facebook vs. Salesforce: An Identity Smackdown?
F definitely has the ubiquitous presence to serve as an identity service, but (more or less leaning away from F) has nothing that indicates any pedigree as to authentication. Secondly, unless one has duplicate (and therefore schizophrenic) F identities - one for personal, one for professional - then both user and enterprise are never going to agree on F for identity let alone authentication.

Salesforce (or better yet, LinkedIn) would be a better choice for universal identity as long as they beat the silliness out of F on authentication - maybe default to OAuth or some similarly high pedigree authentication and authenticity mechanisms. Salesforce's only other issue might be that it doesn't have a name that says ubiquitous.

LinkedIn might be the best choice, especially for job search, placement, etc. The only thing uncertain is vetting identities. Maybe one of these should partner with TSA (which I detest, so forgive the suggestion) PreCheck|CPB Global Entry in order to vet persons. Global Entry is $100 for 5 years to bypass the TSA at airports (and other stuff) based on a background/criminal check. (These obviously would not be desirable for non-US persons). I would guess some one of these (LinkedIn, Salesforce) could induce a comparably acceptable vetting program (and therefore avoid the whole Homeland security mess, especially for non-US persons).
Ericka Chickowski,
User Rank: Moderator
4/18/2013 | 11:49:17 PM
re: Facebook vs. Salesforce: An Identity Smackdown?
Agreed, Bpiwonka, that's one of many sub-issues still left to be explored in the context of these alternative IAM service provider relationships. And along with that ownership issue, enterprises will have to contend with plenty of employees crying foul about the privacy of their Facebook accounts. When I asked Pingree of Gartner about it, he mentioned that organizations could offer the ability to opt out. But at that point I wonder if you start losing some of the benefits of scale/ubiquity. I'd think the law of diminishing returns would start to come to bear as employees are given greater options.

Ericka Chickowski, Contributing Writer, Dark Reading
User Rank: Apprentice
4/18/2013 | 11:29:45 PM
re: Facebook vs. Salesforce: An Identity Smackdown?
I agree it's an interesting topic and think both companies will be major players going forward. One perspective that wasn't touched upon in the article is that an identity on Facebook is owned by the individual, and thus will persist over time. But a Salesforce identity is owned by the employer, and thus ends with termination of employment.
User Rank: Strategist
4/18/2013 | 1:52:04 PM
re: Facebook vs. Salesforce: An Identity Smackdown?
This is a provocative topic and very interesting. While the security industry is mostly FB-averse for obvious reasons, it would be interesting to see if enterprises that are social networking-heavy end up using FB as an ID tool.

Kelly Jackson Higgins, Senior Editor, Dark Reading