Are Network Perimeters the Berlin Walls of Cloud IAM?

Written by

By Ed King

A single enterprise wide identity and access management (IAM) platform is a noble but unattainable goal. The network perimeter is now a metaphorical “Berlin Wall” between the two identity platform domains of Cloud and On-Premise. It is time for enterprises to formalize a strategy of integrating their IAM silos using identity middleware.

Over the last decade, identity access management (IAM) has grown into a well-established product category anchored by the three big vendors: CA, IBM, and Oracle. Despite all the hard work and technologies developed, most customers have implemented just basic web single sign-on (SSO), have provisioned only a handful of core systems, and still have far too many directories. Oh, then there is still that Microsoft problem. The integration of Microsoft technologies such as SharePoint with enterprise IAM is still like mixing oil and water. Microsoft centric customers turn to Microsoft centric vendors such as Quest and Omada, while other customers treat Microsoft integration like a red-haired stepchild. Furthermore, whilst most organizations are still struggling to implement enterprise-wide IAM across on-premise assets, along came Cloud Computing to muddy the water even more.

Cloud based services post a new set of challenges as they are not owned by the enterprise and each service offers its own flavor of IAM integration. Vordel’s CTO Mark O’Neill has written extensively about the different challenges of IAM integration for IaaS, PaaS, and SaaS. Mark affectionately refers to this topic as “covering your *aaS”. As often is the case, leading IAM vendors are slow to address the Cloud integration problems. Seeing opportunities, new IAM vendors have emerged offering Cloud based IAM services. This group of vendors includes startups such as Okta, Symplified, and Tricipher (acquired by VMware), as well as large vendors like Intel/McAfee and Symantec, new to the IAM space. The basic offering of these Cloud based IAM services is a Security Assertion Markup Language (SAML) based security token service (STS) with pre-built SSO integrations to popular Cloud based services, usually referred to as “application catalogs”. There is usually some means of integration with an enterprise directory using an on-premise agent. These services make it very simple to SSO into the most popular Cloud based services, and have gained good traction from enterprises large and small. That is positive progress, right? Not exactly.

Instead of further consolidation and moving towards a true vision of enterprise-wide IAM, enterprises now find themselves with more identity silos than ever. Let me count the ways:

  • “Enterprise IAM” solutions from CA, IBM, Oracle, or one of the smaller vendors. Many large enterprises have more than one of these.
  • Microsoft silo with integrations directly to Active Directory using Integrated Windows Authentication (IWA) and Active Directory Federation Server (ADFS). Each Windows domain or SharePoint instance may be an individual silo.
  • Many point solutions exist specifically to solve the SharePoint mobile access challenge.
  • Mainframe IAM integration is notoriously challenging. Instead of tackling RACF and ACF2 integrations, most companies opt to delay these projects, hoping these legacy applications will be modernized soon.
  • Cloud-based IAM for Cloud-based services. This is often adopted by the business, bypassing enterprise IAM efforts.
  • Large business application vendors such as Oracle and SAP continue to push integrated IAM capabilities. This limited interoperability is by design, leveraging their business application footprint as a mean to push their middleware sales.

This proliferation of IAM silos has led to an explosion of agents, proxies, plug-ins and integration modules. For many enterprises, the management of these integration points consumes the majority of their IAM project resources. For some, they have long lost track of how many of these integrations modules exist in the enterprise.

I think it is time to pronounce that a single enterprise wide IAM platform is just a noble but sadly unachievable idea. While enterprise should strive to reduce the number of IAM silos, at some point the effort becomes prohibitively expensive. However much we wish it to be the case, Cloud based IAM services is not the solution to this problem, it is just compounding the problem. It is time for enterprises to formalize a strategy of integrating their IAM silos. It is time to introduce the concept of “identity middleware”. Identity middleware is a class of technologies that integrates identity silos introduced by different technologies, vendors, standards, network boundaries and business ownerships. Identity middleware does not duplicate capabilities offered by standard IAM products. It does not introduce another identity silo. Identity middleware’s sole purpose is to consolidate IAM silo integrations into a single technology and platform to enhance manageability and scalability. Identity middleware should have these capabilities at a minimum:

  • Exchange standard-based and proprietary tokens (security token service)
  • Authentication scheme that can handle combination of user, device and application identities
  • Encryption and signing
  • SSL termination
  • Certificate and key management, with integration to key stores and certificate authorities (CA), as well as integration to Hardware Security Modules (HSM)
  • Token and session caching and management
  • Add, delete, and modify security artifacts to and from messages and APIs running on HTTP, FTP, TCP, and other popular protocols
  • Configurable orchestration of IAM mediation tasks
  • Route messages and API requests based on policy
  • Out-of-the-box integrations with leading IAM products and services
  • Support leading standards, such as SAML, OAuth, WS-Security, XACML, OpenID… etc.
  • Secure operations at the edge of the enterprise and edge of the Cloud to mediate both Cloud-based and on-premise access
  • High performance and low latency

IAM is not a pure infrastructure technology. IAM technology shares many of the characteristics of business systems. It is closely integrated and often embedded within business systems. It also needs to integrate with other IAM systems from business partners. Just like application integration requires mediation middleware, so does IAM integration.

Where can you find identity middleware technologies? While identity federation technologies handle standard token mediation tasks (mostly SAML based), it lacks the configurable orchestration and message manipulation capabilities required to be a true identity middleware platform. Today your best bet is look to integration technologies such as application gateways and enterprise service buses.

Look for a gateway or service bus that offers:

  • Out-of-the-box integrations with leading IAM products and services
  • Strong support for Microsoft security technologies, namely Integrated Windows Authentication, Kerberos, and SPNEGO
  • Support for mainstream standards such as SAML and OAuth

If your use cases involve integration across network boundaries to Cloud, B2B, and mobile endpoints, then only the gateway will suffice, since enterprise service bus is not suitable for deployment in the DMZ.

Ed King, VP of product marketing at Vordel, has responsibility for product marketing and strategic business alliances. Prior to Vordel, he was VP of product management at Qualys, where he directed the company’s transition to its next-generation product platform. As VP of marketing at Agiliance, King revamped both product strategy and marketing programs to help the company double its revenue in his first year of tenure. King joined Oracle as senior director of product management, where he built Oracle’s identity management business from a niche player to the undisputed market leader in just three years. King also held product management roles at Jamcracker, Softchain and Thor Technologies. He holds an engineering degree from the Massachusetts Institute of Technology and a MBA from the University of California at Berkeley.


What’s hot on Infosecurity Magazine?