Welcome!

SDN Journal Authors: Elizabeth White, Yeshim Deniz, Liz McMillan, Pat Romanski, TJ Randall

Related Topics: @CloudExpo, Microservices Expo, Containers Expo Blog, Cloud Security, @DXWorldExpo, SDN Journal

@CloudExpo: Article

Mirror Mirror: Difference Between Identity Management & Access Management

And companies need both to maintain a secure environment

One of the biggest misconceptions in cloud security is the perception that identity management (IDaaS) and access management (SSO) are the same thing.

They’re not.

And it took a viewing of the famous Star Trek episode called Mirror Mirror for me to best illustrate and articulate the difference between the creation and management of a user account and credentialed rights and the funneled applications that entity is allowed to see. For those unfamiliar with the episode, it’s the one where Kirk is transported into an alternate universe and meets evil Spock (the one with the beard)...but more about that soon.

Simply, IDaaS is the administrative function that creates and maintains a user’s network identity. It segments their privileges by roles and rules. This is called provisioning. Your starship just hired a new lieutenant to communicate with new life and new civilizations as you boldly go places—in this world we call it inside sales, but you get the idea. In the organizational hierarchy, this officer needs access to certain functions and applications-but not others. So when her “enterprise” identity is created, she is assigned certain access rights. She needs to see the languages database, but not the weapons console. Her identity group, as a junior officer, is similar to others of her job description and rank. Identity management  establishes her credentials, manages her passwords, and the provisioning synchronizes this information instantly so that a specific level of the network is accessible. This works in reverse as well. As soon as she resigns her commission, automatic de-provisioning rescinds those rights and prevents her from accessing information after she’s left the ship. It’s all based on process and workflow.

So how is this different than access management? If Identity Management is about the development of a privilege strata and the source of password details, why does a company need access management? Because it is the difference between authentication and authorization. it's the difference between administrative availability and tightly controlled access. Case in point: our communications officer is standing on the planet Saas and dialing into the Enterprise (BYOD!). Her identity settings allow her to access the ship’s computer, but it is her SSO that channels her access see only certain applications. And because access management is about single sign on, once she is authenticated, all of her applications (including the dozens of unique passwords) are controlled from a single portal (and blocked from seeing/accessing other). The single sign on function also authenticates each individual application, so she doesn't have to do it again once she is within the protection of the portal. And the segmentation of each application is also personalized to her rights automatically. She sees only the slice of the database she is permitted to see.  But what if it wasn’t her? What if it was a Klingon who cloned her tricorder or her body was taken over by a non-corporeal lifeforce? Single sign on enforces multi-factor identification. So if her password is stolen, the nasty Romulan might not know the year she graduated from the Starfleet Academy or the name of her first pet was Cochrane.  Simply put, IDaaS is the intelligence and SSO is the locked doorway-- and they need to seamlessly integrate to create a better security platform. Having one without the other is like transporting into an alternate universe and having to fight an evil Spock. (I told you I’d get to it!)

While looking to acquire dilithium crystals, the Enterprise gets hit by an unexpected ion storm (for our metaphoric purposes, let’s call this a suspicious intrusion resulting in breach!).  This causes a landing party to transport (access management) to an alternate universe. In this world everyone looks the same (except for Spock’s Machiavellian beard!), but their intentions are less than honorable. Conversely evil Kirk is now on the original Enterprise. Allegorically, if this were a fully integrated and unified security Enterprise, the SIEM program would have noted the original suspicious activity and Mr. Scott would have received an immediate alert based on the parameters of what constitutes a breach. But if Evil Kirk gets through nonetheless and tried to log onto the system to arm the photon torpedoes, there are a few security hurdles in his way. His alternate universe password of “UglyKittens6” doesn’t work. In fact after several tries, he is locked out and an alert is sent to Mr. Scott for review and remediation. But Evil Kirk is wily. He clicks “forgot password” because he figures he can self-serve and generate a revised password. However the system asks him how many TekWar novels he's written (or any other personalized information to further verify his identity) and without the correct answer, his evil machinations are again thwarted. However, let’s say the passwords match (“OverActing4#5!”) and he is authorized into the access portal. He may be captain (CEO) of the ship, but his role does not include the direct management of weapons systems, so this application is absent from his portal of available applications.

Silliness aside, the IT moral of this episode is that identities are just a single level of integrated security.  That controls WHO you are. As a partner or employee, the enterprise affords you this amount of visibility within the network. Access controls the applications to which you may connect .As most companies use a wide variety of applications—on premise legacy, cloud-based ASP/SaaS or general web-based programs—the need to channel controls is mission critical. This is Access Management. There simply can’t be a login name and password that provides any user limitless exposure to the network. Best practice, regulatory compliance and strong security demand that these functions work in concert.

But best practices that require investment into two separate solutions, two separate deployments with two separate providers, and the extra eyeballs to continuously monitor activity seems to be counterproductive…right?

The fact that SSO and IDaaS are two different solution sets is tempered by cloud-based security deployment.  As a singularly sourced seamless operation from the cloud, the pairing increases the ability to control who gets to see what across a heterogeneous enterprise with competing priorities, needs and identity types. Just as partners and vendors need certain access that is separate from employees—not all employees are the same; and they too fall into unique roles and rules that can be managed by identity Management and Controlled by Access Management. There are many solutions on the market that address either IDaaS (IDM) or Access (IAM, SSO) in the cloud, but I obviously know of only one that provides both as a multi-tenant (true-cloud) initiative. This mixes the best practice of best-of-breed with the all the cost and productivity benefits promoted by the cloud.

And if my metaphors and wink-and-a-nod sci-fi geek inferences were too obscure, here is a straightforward listing of the differences between IDaaS and SSO:

Standard IDaaS features (Administrative):

  • Provisioning/deprovisioning (add/delete user accounts)
  • Password management
  • Role-based identity groups/individuals for access
  • Automatic Directory (Active, LDAP, etc…) propagation (using data on these infrastructure databases to populate/control IDM)
  • User self-service
  • Multi-lateral password synchronization
  • Access recertification
  • Request management
  • Business process/rules mapping
  • Federated connectors to secure applications
  • Comprehensive  audits, reports for compliance
  • Graphical integrated approval workflow

Standard SSO features: (Active Application of Administrative Controls)

  • Access for both SaaS and Web applications/platforms
  • Authentication by and Access control by IP address
  • Integration with AD, LDAP, SQL, etc.
  • Dynamic Portal grouping users permitted applications
  • User self-service for password reset
  • 2 factor authentication for BYOD
  • Authentication chaining
  • Whitelist, blacklisting of allowed/disallowed sites/apps
  • Risk adaptation (traveling IP’s)
  • Identity gateway enables access to 1000s of websites, on premise and legacy applications

Live long and securely prosper!

Kevin Nikkhoo
www.cloudaccess.com

More Stories By Kevin Nikkhoo

With more than 32 years of experience in information technology, and an extensive and successful entrepreneurial background, Kevin Nikkhoo is the CEO of the dynamic security-as-a-service startup Cloud Access. CloudAccess is at the forefront of the latest evolution of IT asset protection--the cloud.

Kevin holds a Bachelor of Science in Computer Engineering from McGill University, Master of Computer Engineering at California State University, Los Angeles, and an MBA from the University of Southern California with emphasis in entrepreneurial studies.

CloudEXPO Stories
Dynatrace is an application performance management software company with products for the information technology departments and digital business owners of medium and large businesses. Building the Future of Monitoring with Artificial Intelligence. Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more business becomes digital the more stakeholders are interested in this data including how it relates to business. Some of these people have never used a monitoring tool before. They have a question on their mind like "How is my application doing" but no idea how to get a proper answer.
DXWorldEXPO LLC announced today that Big Data Federation to Exhibit at the 22nd International CloudEXPO, colocated with DevOpsSUMMIT and DXWorldEXPO, November 12-13, 2018 in New York City. Big Data Federation, Inc. develops and applies artificial intelligence to predict financial and economic events that matter. The company uncovers patterns and precise drivers of performance and outcomes with the aid of machine-learning algorithms, big data, and fundamental analysis. Their products are deployed by some of the world's largest financial institutions. The company develops and applies innovative machine-learning technologies to big data to predict financial, economic, and world events. The team is a group of passionate technologists, mathematicians, data scientists and programmers in Silicon Valley with over 100 patents to their names. Big Data Federation was incorporated in 2015 and is ...
All in Mobile is a place where we continually maximize their impact by fostering understanding, empathy, insights, creativity and joy. They believe that a truly useful and desirable mobile app doesn't need the brightest idea or the most advanced technology. A great product begins with understanding people. It's easy to think that customers will love your app, but can you justify it? They make sure your final app is something that users truly want and need. The only way to do this is by researching target group and involving users in the designing process.
Whenever a new technology hits the high points of hype, everyone starts talking about it like it will solve all their business problems. Blockchain is one of those technologies. According to Gartner's latest report on the hype cycle of emerging technologies, blockchain has just passed the peak of their hype cycle curve. If you read the news articles about it, one would think it has taken over the technology world. No disruptive technology is without its challenges and potential impediments that frequently get lost in the hype. The panel will discuss their perspective on what they see as they key challenges and/or impediments to adoption, and how they see those issues could be resolved or mitigated.
CloudEXPO New York 2018, colocated with DevOpsSUMMIT and DXWorldEXPO New York 2018 will be held November 12-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI and Machine Learning to one location.