This feature first appeared in the Spring 2018 issue of Certification Magazine.
It seems that lately everyone is talking about online anonymity. But what about the other side of that equation? What about proving that you are who you say you are? One of the best ways of doing that is the technology that lies at the heart of the emerging field of "cloud identity" management.
Cloud identity refers to your username, password, and usually an additional authentication factor, such as a one-time code, all bundled into one package and tracked across different environments. (A secret question is sometimes used as that extra item, but it is only a second thing you know, so it adds far less than a code from a phone or token.) It's how security-conscious organizations, banks and retailers for instance, recognize and interact with you online.
Managing identity across cloud or hybrid environments is the discipline of Identity and Access Management (IAM); when a provider delivers it as a hosted service, it is called Identity as a Service (IDaaS). A lot of vendors are looking to capitalize on it, and a lot of companies see it as a robust, scalable way to manage all their users' cloud identities. Currently, most services offer single sign-on (SSO) backed by multifactor authentication (MFA), so one login covers all of an organization's systems.
How did we get here?
Say you manage an environment with 500 users. You run a large Windows network with approximately 200 servers, some in the cloud and some on-site. You're running eight to ten cloud services, say SaaS applications such as SAP S/4HANA Cloud plus infrastructure in AWS. It's a Windows shop, so you run Microsoft's Active Directory, and every user has a username and password to access the computer and the network.
You hire a consultant to beef up your security and, because of all the reports in the news, the consultant recommends multifactor authentication. MFA adds a second factor of a different kind to the username and password: something you have, such as a code texted to your phone or generated by an authenticator app, or something you are, such as a fingerprint. A secret question asked after the password is only another thing you know, so on its own it does not make a login multifactor. MFA is the base item you need to start on your road to a cloud identity service.
SSO lets a user authenticate once, with one username, password, and MFA challenge, and then reach multiple applications. This is what most people associate with cloud identity. The identity service performs the authentication and hands each application a signed assertion that the user has been verified; the applications trust that assertion instead of checking a password themselves. What the user may do inside each application is still governed by that application's own permissions. On the provider's side, SSO also centralizes the logging of sign-in activity and the monitoring of business accounts.
Although many organizations understand, more or less, what cloud identity is, some still find it hard to see where it fits with their current environment. It's much more than SSO or MFA; it is the complete management of your virtual persona across your public-facing landscape.
Understanding the new environment
In today's workplace, with systems distributed everywhere, the need for MFA and a central cloud identity is paramount. Without a service managing MFA and cloud identity in one place, an organization is wide open to credential-based attacks.
I will talk more about the available services in a bit, but remember that the example environment includes several SaaS applications, SAP S/4HANA Cloud among them. Staff reach the on-premises services remotely through a virtual private network (VPN). That adds up to many separate applications and gateways, each reachable with nothing more than a username and password.
Stolen or guessed usernames and passwords are currently the top attack vector. Most users know the length trick (make your password very long) and the complexity trick (load it up with unusual characters or random numbers). Very few, however, know or understand how a cloud identity management system works or why they would need one.
If you want to kick off a project to bring this service into your organization, start with education. The bosses, the users, and the engineers all need to know what you intend to do and why. Since cybersecurity is for everyone, this should not require a lengthy learning curve or an in-depth justification.
Ready, set … IDaaS
This is where an IDaaS really shines. Once you sign up with the service, a setup step connects the provider's cloud to your on-premises Active Directory, typically by synchronizing accounts or federating authentication to it. From then on, one username, password, and MFA challenge signs you on to anything you own. The service does not forward your password to each application; after it has authenticated you, it vouches for you to every application, whether in the cloud or on-premises, by issuing a signed token that the application verifies.
Many companies ask whether managing cloud identity is the responsibility of the cloud service provider or of the business using the service. Traditionally, each cloud application came with its own separate identity, held by that application's provider.
With the services now on the market, however, you no longer need separate cloud identities. A single identity provider holds all the users' credentials and is integrated with each of your other cloud providers. This shifts responsibility: instead of each cloud provider managing a slice of a user's identity, the business manages its users' identities in one place and is accountable for doing so properly. That one place also becomes the highest-value target in the environment, so its administrator accounts, its own MFA, and its audit logs deserve more protection than any single application did before.
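The handoff just described, a user authenticating once at the identity service and applications accepting a signed, short-lived assertion instead of a password, is shown below as an added example. It is not code from the article or from Okta, Centrify, or any other vendor. The directory, user, application names and HMAC key are constructed for the illustration; real deployments use SAML or OpenID Connect with asymmetric signatures, but the checks each application must perform (signature, audience, validity window, replay) are the same.

```python
"""
Added example: minimal federated sign-on. The identity service authenticates the
user once and issues an audience-scoped, time-limited, signed assertion; each
application verifies the assertion and never handles the user's password.
All keys and accounts here are constructed for illustration (hypothetical).
"""
import base64
import hashlib
import hmac
import json
import os


def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityService:
    """Plays the IDaaS role: holds the directory, checks passwords, issues assertions."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._directory = {}  # username -> (salt, PBKDF2 hash); stands in for AD

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        self._directory[username] = (salt, digest)

    def _check_password(self, username: str, password: str) -> bool:
        entry = self._directory.get(username)
        if entry is None:
            return False
        salt, digest = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        return hmac.compare_digest(candidate, digest)

    def issue_assertion(self, username, password, audience, now, ttl=300):
        """Authenticate once, return a signed assertion for ONE application
        (None on failure). An MFA check would sit right after the password check."""
        if not self._check_password(username, password):
            return None
        claims = {"sub": username, "aud": audience, "iat": now, "exp": now + ttl,
                  "jti": b64u(os.urandom(12))}          # unique id for replay detection
        body = b64u(json.dumps(claims, sort_keys=True).encode())
        sig = b64u(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"


class Application:
    """A relying party: trusts the identity service's key, never sees passwords."""

    def __init__(self, name: str, signing_key: bytes):
        self.name = name
        self._key = signing_key
        self._seen = set()  # jti values already accepted

    def accept(self, assertion, now):
        """Return the authenticated username, or None if the assertion must be rejected."""
        try:
            body, sig = assertion.split(".")
        except (ValueError, AttributeError):
            return None
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64u_decode(sig), expected):
            return None                                  # forged or tampered
        claims = json.loads(b64u_decode(body))
        if claims.get("aud") != self.name:
            return None                                  # minted for another application
        if not (claims["iat"] <= now < claims["exp"]):
            return None                                  # expired or not yet valid
        if claims["jti"] in self._seen:
            return None                                  # replayed
        self._seen.add(claims["jti"])
        return claims["sub"]


if __name__ == "__main__":
    key = os.urandom(32)                                 # shared with the apps at setup time
    idp = IdentityService(key)
    idp.add_user("alice", "correct horse battery staple")
    jira, slack = Application("jira", key), Application("slack", key)
    token = idp.issue_assertion("alice", "correct horse battery staple", "jira", now=1_700_000_000)
    print(jira.accept(token, 1_700_000_010))             # alice
    print(slack.accept(token, 1_700_000_010))            # None: wrong audience
```

The audience check is the one most often skipped in home-grown integrations; without it, a token issued for a low-value application can be presented to a high-value one, which defeats the point of centralizing sign-on.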
Know your options
Managing cloud identity for yourself, let alone for everyone in your company, is no light task. Fortunately, most Windows engineers can understand the setup and operation of an IDaaS, and many IDaaS products will walk you through the setup.
There are plenty of service providers that, for a fee, will completely integrate your environment. Okta's "always on" tag line is perfect. It touts single sign-on and MFA for as many cloud services, such as Jira, Slack, GitHub, and Webex, as you need to integrate. I've seen Okta in action and it is everything that it claims to be.
For those who want to wade out into deeper waters, Okta even has a certification program, with three certifications:
Okta Certified Professional covers hands-on day-to-day professional support.
Okta Certified Administrator encompasses the complete life-cycle management of Okta and its services.
Okta Certified Consultant certifies that recipients are ready to fully integrate all services in any organization.
Another company that offers a full range of IDaaS offerings is Centrify. I've worked with this product and can say that its designers give every indication of being experts in the cloud identity space. Centrify's product line includes IDaaS, SSO, and Mobile Device Management (MDM).
MDM is a way to ensure that employees stay productive and in compliance with corporate policies. Many organizations control the activities of company phones issued to their employees. Using MDM products and services, an employer can secure e-mails, approve apps, and dictate the overall functionality of company-issued devices.
Some companies permit their employees to “Bring Your Own Device” (BYOD) and connect to the organizational network. Centrify’s MDM functionality can include over-the-air distribution of applications, as well as data and configuration settings for all types of mobile devices, including mobile phones, smartphones, tablet computers, and so forth. The possibilities are endless.
Centrify also has options for certification that are self-directed and offer a really nice change of pace from exams where you have a physical observer and 12 cameras on you during testing. Several topics related to IDaaS are also covered in the Mother of All Security Certifications, (ISC)²’s CISSP. Preparing for the CISSP exam is not specific to IDaaS, but it will help you learn some crucial security functions.
A new frontier
It is important to understand the challenges facing IT managers when it comes to managing cloud identity. With the rapid growth of virtualization, SaaS architectures, and cloud computing in general, anyone who wants to stay relevant will have to adopt these technologies.
Security and compliance issues exist in every facet of business today, and choosing the correct vendor, service, and direction is the key to success. Start small, with services that won't upset users or cause them to balk, before you move into a full-blown cloud identity solution.
No matter what solution, service, program, or approach you take, managing your cloud identity, your public-facing credentials, is one of the most important challenges every business must confront.