At the IT Director’s Forum earlier this year, the main issue for directors across all sectors was online security. One aspect of security which is becoming an increasing concern as they move IT services to the cloud, and hence a significant source of risk, is cloud-based identity.
For most organisations, adopting the cloud will be a gradual process, and the majority will find themselves managing a hybrid solution from multiple providers combined with some in-house provision. Each service will have different authentication requirements, and the challenge is to know who is accessing each service and to independently authenticate them, whilst ensuring that security is maintained.
Multiple systems mean, of course, that users will have to work with multiple, more complex passwords. Every individual will have their own way of handling this, but all too frequently the result is passwords on Post-Its stuck on the monitor or office wall, reuse of the same passwords, or never logging out at all. Most organisations have implemented policies to try to eliminate this type of behaviour, but it persists, leading to increased security and compliance risks. Other users forget their passwords and have to repeatedly call the Help Desk for resets. We have carried out surveys which found that some 25% of Help Desk calls logged are due to password problems.
The ideal solution is a secure single sign-on, which would reduce security and compliance risks while increasing productivity and reducing costs. Many organisations have tried and failed to successfully implement such capabilities in the past, mainly due to complexity. However, the cloud now offers a solution, as it can provide an authoritative source of identity to authenticate against almost all IT services available today, including corporate, PSN, N3, web, cloud, internal and hosted systems while providing secure access from any location. This minimises the time and complexity of brokering authentication and access to cloud services, simplifying the user experience while reducing security and compliance risks and user support costs. It makes secure single sign-on to all key corporate systems from any location both possible and affordable.
Cloud identity authentication works by providing a central account or identity and provisioning it into target systems, e.g. Active Directory, SAP, SharePoint etc. This identity manages user authentication, entitlement (tailored to each user’s role) and compliance. It allows single sign-on to web services and access to on-premise applications from any location, and enables the system to act as an identity provider (IdP) for cloud/extranet services using SAML. Multi-factor authentication, such as security tokens or challenge-response systems, can be incorporated for extra security.
A key feature of this type of system is user self-service. All available applications and services are published to a portal and users can then select the applications they need and put them into a ‘shopping basket’ for approval. Configurable workflows through the portal allow authentication and access processes to map to the way an organisation works, streamlining approval. Users can also securely reset passwords without access to any service desk.
A cloud-based identity and authentication management system offers three key benefits.
First, it enhances application security by externalising authentication and authorisation for applications, web resources, web services and data. This protects systems from direct exposure. Multi-factor authentication can then be added to provide an additional level of security.
Second, having a single secure login standard and basing access to all systems on established policies and audited practices eliminates non-secure user practices and ensures that all systems have compliant authentication levels. By providing complete visibility into identity and access management and providing a formal audit trail it can also help organisations achieve and maintain compliance.
Third, by providing user self-service for routine issues, single sign-on can increase productivity and reduce costs, freeing up Help Desk staff to work on other issues.
Fordway recently provided a cloud-based identity management service to a Government organisation which wanted a centralised authentication system to provide secure single sign-on to all corporate systems from any location, facilitating remote and mobile working, whether the systems were hosted internally, in the cloud or by third parties. Our cloud-based Identity and Authentication Management Service (IDAMS) gave them a single integrated system through which they could manage identity, role and IT service management in line with their security policy while providing user self-service for routine issues.
In my opinion, identity and authentication management should be the cornerstone of a hybrid cloud strategy. Organisations need to manage identity across multiple providers and cloud provides them with a secure solution. Clearly, any cloud-based identity authentication solution is only as good as the hosting company’s own cloud security. However, most cloud service providers implement and manage considerably better IT security controls than internal IT departments.
Single sign-on does not, of course, absolve an organisation of responsibility for security and compliance. It still needs to maintain an authoritative source of digital identity which can be used as collateral for all generally available web services. However, it offers significant security and productivity benefits, and by using standard SAML protocols it can reduce the total cost of integration for new applications.