“Eternal vigilance is the price of liberty. Let the sentinels on the watch-tower sleep not, and slumber not”
– Wendell Phillips
A few weeks ago, a security breach led to the leaking of the 4th episode of HBO’s hit drama Game of Thrones season 7 (last week the 6th episode was also leaked!). Reports indicate that the breach was so extensive that it resulted in hackers accessing nearly 1.5 terabytes of data, including confidential internal documents. In 2014, an extremely sophisticated cyber-attack on Sony resulted in a massive data leak (nearly 100 terabytes of data) that included private emails, social security numbers, and unreleased films, which crippled Sony’s worldwide operations for months.
Security breaches of this type, and unauthorized access to critical IP and confidential user data, expose businesses to significant revenue loss, and could also potentially lead to unwarranted litigation and crippling regulatory sanctions due to breach of privacy. These are nightmarish scenarios dreaded not only by CIOs, but by all stakeholders of a digital business ecosystem. The Verizon Data Breach Investigations Report (DBIR) 2017 indicates that 62% of breaches involved hacking, and 81% of hacking-related breaches leveraged either stolen and/or weak passwords. This data highlights the significance of having robust digital security to prevent breaches and safeguard critical IP and user data.
In a platform and cloud environment, where ease of access and interoperability of software applications are prized, digital businesses must strike the right balance with state-of-the-art user access management and IT security. In this blog, I would like to present a broad overview of how Identity and access management as a service (IDaaS) can be a comprehensive framework for IT security in an increasingly cloud-based environment.
Key concepts of Identity and Access Management
Let’s take a brief look at some of the key underlying concepts related to Identity and access management:
Identity and access management (IAM) is a framework that enables enterprises to ensure that the right individuals get access to the right resources at the right time for the right reasons.
Lightweight Directory Access Protocol (LDAP) is an open-standard industry protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play a key role in facilitating sharing of information about users, systems, networks, services, and applications across a network or enterprise. A common use of LDAP is to provide a central place for storing user names and passwords, which allows different applications and services to connect to the LDAP server to validate users.
Active Directory Domain Services, or simply AD, is a widely used suite of directory-based identity services developed by Microsoft, and includes multiple directory services such as Domain Services, Certificate Services, and Rights Management Services. A server running AD authenticates all users and systems across a network, assigns and enforces security policies, and performs software installations and upgrades.
Single Sign-on (SSO) is a feature that enables a user to gain access to multiple connected systems and applications with a single user ID and password. SSO makes it easy for a user to seamlessly access and connect to multiple systems without having to use multiple user IDs and passwords, and is typically implemented using LDAP and AD.
IT security needs in a platform and cloud environment
The traditional notion of IT security used to revolve mostly around how user authentication and access are managed. A decade ago, as most enterprise IT applications used to be on-premises based installations, centralized user authentication and identity management services based on AD and LDAP were prevalent.
In a platform and cloud environment, marked by the proliferation of connected products and devices, IT security has undergone a fundamental transformation. In this new environment, the security needs of the enterprise must consider an increasingly mobile workforce, a multiplicity of devices, and a hybrid IT environment with a mix of on-premises and cloud-enabled applications.
In a nutshell, the IT security framework of a modern digital business must, at a minimum, support:
- Cascading, multi-factor user (identity) authentication
- Device validation
- Application (and service) validation, and resource provisioning
- Data security
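To make the first requirement concrete, here is an added example (not code from the original post or from any IDaaS vendor) of a cascading, two-factor login check written in plain Python with only the standard library: the first factor is a PBKDF2 password hash compared in constant time, and the second is a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226) that tolerates one step of clock drift and rejects replayed codes. The user record, the password, the TOTP key, and the PBKDF2 cost are constructed values for the example; the TOTP key is the 20-byte ASCII secret used in the RFC 6238 test vectors so the output can be checked against that document.

```python
"""Added example: a cascading two-factor login (password, then TOTP).
All user data, secrets and cost parameters below are constructed for
illustration; they are not from the original post."""
import hashlib
import hmac
import secrets
import struct

PBKDF2_ROUNDS = 200_000  # assumption: iteration count chosen for illustration


# --- Factor 1: password, stored as a salted PBKDF2-HMAC-SHA256 hash -------
def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); a fresh random salt is generated if none given."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    # compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(digest, expected)


# --- Factor 2: HOTP (RFC 4226) and TOTP (RFC 6238) ----------------------
def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from the current time step."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, submitted: str, unix_time: int, last_counter: int,
                step: int = 30, digits: int = 6, window: int = 1) -> tuple:
    """Accept the current step and +/- `window` steps to tolerate clock drift.
    Any counter at or below the last accepted one is refused, so a captured
    code cannot be replayed. Returns (ok, counter_to_persist)."""
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter, digits), submitted):
            return True, counter
    return False, last_counter


# --- The cascade -----------------------------------------------------------
def make_user(password: str, totp_key: bytes) -> dict:
    """Constructed user record: salted hash, TOTP key, last used TOTP counter."""
    salt, digest = hash_password(password)
    return {"salt": salt, "pw_hash": digest, "totp_key": totp_key, "last_counter": -1}


def login(user: dict, password: str, code: str, unix_time: int) -> bool:
    """Factor 2 is only evaluated once factor 1 passes; the caller sees a single
    yes/no so it cannot tell which factor failed."""
    if not check_password(password, user["salt"], user["pw_hash"]):
        return False
    ok, counter = verify_totp(user["totp_key"], code, unix_time, user["last_counter"])
    if ok:
        user["last_counter"] = counter  # persist so the same code is never accepted twice
    return ok


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 test secret so totp() can be spot-checked.
    key = b"12345678901234567890"
    user = make_user("correct horse battery staple", key)
    now = 1111111109
    code = totp(key, now)
    print("wrong password:", login(user, "nope", code, now))
    print("first use     :", login(user, "correct horse battery staple", code, now))
    print("replayed code :", login(user, "correct horse battery staple", code, now + 5))
```

The replay guard is the part most often missing from home-grown TOTP checks: without the stored `last_counter`, a code observed over the shoulder or from a phishing page stays valid for the whole acceptance window. A real deployment would also rate-limit attempts and store `last_counter` alongside the user record in the directory or IDaaS user store rather than in a dict.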
Further, digital businesses must also adopt bleeding-edge cyber defense mechanisms such as Vulnerability Assessment and Penetration Testing (VAPT), to proactively identify system/network vulnerabilities, and prevent breaches before they happen.
IDaaS, a comprehensive cloud-based IAM framework
To meet the diverse and increased security needs of the connected enterprise, Identity and access management as a Service (IDaaS) has emerged as a comprehensive IAM framework in the cloud. According to Gartner, a cloud-based IAM framework must have the following critical capabilities:
- Access Certification
- Access Request and Workflow
- Authorization Enforcement
- Cloud Directory
- Mobility Management
- On-Premises Application Integration
- Profile and Password Management
- Reporting and Analytics
- SaaS Application Integration
- Social Identity Integration
As you can see from the above list of critical capabilities, the scope of IDaaS is much more than access management and user authentication. In terms of functionality, IDaaS supports the comprehensive security needs of a digital business, and helps deal with a complex and hybrid IT scenario consisting of legacy, on-premises applications and cloud-enabled SaaS applications, with their respective underlying non-cloud and cloud architectures.
Any digital business that is either modernizing its legacy applications or developing new cloud-enabled applications must make IDaaS support an integral part of its digital architecture. Successful adoption of a fully-featured IDaaS will enable digital businesses to future-proof their IT and application architecture, and seamlessly support IAM in business-to-business (B2B), business-to-employee (B2E), and business-to-consumer (B2C) scenarios, irrespective of the mode of service delivery.
Digital security mustn’t be an afterthought
Over the past decade, we have witnessed an unprecedented wave of technology and business disruption, at a breathtaking pace. Not only brick-and-mortar physical businesses, but literally every business is being transformed and reinvented into a digital business to serve the needs of a connected landscape. In this increasingly connected world, it is only natural that complexity will replace simplicity, and openness will give rise to vulnerability.
Digital businesses must strike the right balance between staying simple and not becoming vulnerable to cyber security threats. The only way to achieve this is by making digital security a centerpiece of an enterprise’s digital strategy, and not treating it as an afterthought.