Historically, information security risks and high total ownership costs were directly related to the size and complexity of an organisation.
Identity management, the discipline of providing relevant user access across a complex infrastructure, has long been a concern for large organisations. The more disparate systems people log on to each day, the harder it becomes to manage access and ensure security compliance.
In order to mitigate the security, usability, and support issues associated with people logging on to multiple systems with different usernames or passwords, many large organisations chose to implement an identity management solution to keep the various systems in step with each other. This simplified the login process for end-users, and removed the support burden from the IT department. It had a direct impact on the total cost of ownership, helping reduce mundane support activities and allowing the IT department to focus on more value-adding tasks.
A more recent trend shows that these same challenges are now emerging for smaller organisations who, driven by a low total cost of ownership agenda, are moving to cloud-based platforms.
Once upon a time you needed a sufficiently complex architecture with many systems before this problem became apparent. Now organisations with fewer IT requirements are opting for cloud services, and as a result they are inheriting the problems of multiple disparate (cloud-based) systems. Like the larger organisations before them, smaller companies must now consider the challenge of maintaining identities across multiple platforms.
There are a number of common problems facing these organisations:
When a person leaves an organisation, their access to the organisation’s systems and data is typically revoked by disabling their account. If they have multiple accounts in multiple systems, then every one of these must be individually disabled to prevent a backdoor being left open – either to an ex-employee or an attacker who may take advantage of stale accounts.
Having to remember multiple login accounts can be a problem for people. It’s confusing and leads to a frustrating experience and lost productivity. The more accounts each person has to remember, the bigger the problem becomes.
Studies show that the direct labour cost of maintaining passwords is approximately $100 to $350 per user, per year. This includes the administrative overhead of setting up passwords, and processing password reset requests. The more passwords that need to be managed, the greater the cost of doing so.
Quality of Information
Identity systems frequently store a lot of information about people, including names, office locations, email addresses, and phone numbers. As the number of systems grows, so does the potential for this information to become outdated in one or more systems, causing all sorts of problems.
The challenge is not insurmountable, and does not have to be expensive, but it does need to be a design consideration for any cloud solution.
There are two common solutions to the identity management problem. They may be deployed individually or in tandem, depending on requirements and what the external systems will support.
Identity synchronisation solutions match identities between multiple systems and ensure that each is kept up-to-date with changes as they occur. If a person changes their job role, surname, password, phone number, etc., the identity synchronisation solution ensures the change is reflected everywhere.
Identity synchronisation solutions incorporate user provisioning and deprovisioning workflows, which allow user accounts to be automatically created in the appropriate systems with the appropriate permissions when a new person arrives, and for access to be automatically revoked across all systems when they leave.
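To make the synchronisation, provisioning and deprovisioning workflow concrete, here is an added example (not code from the original article or from any product) of the reconciliation step at the heart of such a solution. It assumes a constructed HR directory as the source of truth and two constructed cloud services whose copies have drifted, including a leaver whose accounts were never disabled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    user_id: str
    surname: str
    phone: str
    role: str
    active: bool

# Constructed sample data. The HR system is the source of truth; each cloud
# service holds its own copy of the identity, which may have drifted.
HR_SOURCE = {
    "u1": Identity("u1", "Smith", "+44 20 0001", "Analyst", True),
    "u2": Identity("u2", "Jones-Lee", "+44 20 0002", "Manager", True),  # surname changed
    "u3": Identity("u3", "Khan", "+44 20 0003", "Engineer", False),     # has left
}
CLOUD_TARGETS = {
    "crm": {
        "u1": Identity("u1", "Smith", "+44 20 0001", "Analyst", True),
        "u2": Identity("u2", "Jones", "+44 20 0002", "Manager", True),   # old surname
        "u3": Identity("u3", "Khan", "+44 20 0003", "Engineer", True),   # stale, still enabled
    },
    "helpdesk": {
        "u1": Identity("u1", "Smith", "+44 20 0009", "Analyst", True),   # outdated phone
        "u3": Identity("u3", "Khan", "+44 20 0003", "Engineer", True),   # stale, still enabled
    },
}

def reconcile(source, target):
    """Return the (action, user_id) pairs that bring one target system in step with
    the source of truth. Leavers are disabled, not deleted, so audit history survives."""
    actions = []
    for uid, person in source.items():
        existing = target.get(uid)
        if not person.active:
            # Leaver: disable in every system, otherwise a stale login stays open.
            if existing is not None and existing.active:
                actions.append(("disable", uid))
        elif existing is None:
            actions.append(("create", uid))   # joiner: provision the account
        elif existing != person:
            actions.append(("update", uid))   # attribute drift, or re-enable a rehire
    # Accounts with no matching source identity are orphans; flag them for review.
    for uid in target:
        if uid not in source:
            actions.append(("orphan", uid))
    return actions
```

Running `reconcile` against each entry of `CLOUD_TARGETS` yields the per-system change set; the leaver `u3` is disabled in both services in the same pass, which is exactly the gap a manual process tends to leave.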
Identity federation systems work a bit like presenting a passport at an airline check-in desk, with your identity federation system acting as HM Passport Office, and the external system being the equivalent of the airline check-in staff. The check-in staff don’t need to do a background check to verify your identity, and they don’t need access to lots of personal information. They know who you are because they can trust the passport issued by HM Passport Office.
With identity federation you don’t need to copy lots of user information to cloud services. Once they’ve been set up to trust your federation system, it can issue electronic 'passports' with which your users log in. This allows much tighter security controls, and you don’t need to worry about information getting out of sync. It also means that if you want to implement multifactor authentication you can do so on your federation system, and effectively gain the benefit of improved security across all systems which make use of your federation – whether the external system itself supports multifactor authentication natively or not.
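The passport exchange above, as an added example that is not part of the original article: the federation system issues a short-lived, signed assertion carrying only the claims the cloud service needs, and the service accepts it by checking the signature, issuer, audience, expiry and the MFA claim rather than by holding its own copy of the user directory. The HMAC signing, the key and the issuer name are constructed stand-ins for the signed SAML or OIDC assertions a real federation system would use.

```python
import base64, hashlib, hmac, json, time

# Constructed trust material: in a real deployment this is the federation
# system's signing key (for SAML/OIDC, the service holds only the matching
# public key). The cloud service never receives a copy of the user directory.
FEDERATION_KEY = b"constructed-demo-key-not-for-production"
TRUSTED_ISSUER = "https://sso.example.test"   # assumed issuer name

def b64enc(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_passport(user_id, audience, mfa_done, key=FEDERATION_KEY, now=None, ttl=300):
    """Federation system (the 'passport office') issues a short-lived signed assertion.
    Only the claims the service needs are included; the directory stays at home."""
    now = int(time.time()) if now is None else now
    claims = {"iss": TRUSTED_ISSUER, "sub": user_id, "aud": audience,
              "iat": now, "exp": now + ttl, "mfa": mfa_done}
    body = b64enc(json.dumps(claims, sort_keys=True).encode())
    sig = b64enc(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def check_passport(token, expected_audience, key=FEDERATION_KEY, now=None, require_mfa=True):
    """Cloud service (the 'check-in desk') verifies the passport instead of the person.
    Returns (True, user_id) or (False, reason) naming the first failed check."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64dec(sig)):
        return False, "bad signature"      # not issued by the trusted passport office
    claims = json.loads(b64dec(body))
    if claims.get("iss") != TRUSTED_ISSUER:
        return False, "untrusted issuer"
    if claims.get("aud") != expected_audience:
        return False, "wrong audience"     # a passport issued for another service
    if now >= claims.get("exp", 0):
        return False, "expired"
    if require_mfa and not claims.get("mfa"):
        return False, "mfa required"       # MFA policy enforced once, at the federation
    return True, claims["sub"]
```

The MFA check is the point the article makes: the cloud service enforces it by refusing passports without the claim, so the policy lives in one place even where the service has no MFA of its own.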
The benefits of moving to the cloud are well understood, and as the market matures, some of the risks that existed for early adopters are slowly being eradicated. It is important, however, that a pragmatic view of the end-to-end benefits and risks of cloud services is understood and built into the final solution design. This will allow IT managers to best leverage the investment they have made, and to avoid the hidden costs that result from complex administration and the security intricacies which accompany cloud services.