A stubborn speed bump continues to hobble the digital economy. We’re referring to the outdated use of passwords and limited identity-management solutions that hamper getting all of our devices, cloud services, enterprise applications, and needed data to work together in anything approaching harmony.
The past three years have seen a huge uptick in the number and types of mobile devices, online services, and media. Yet, we’re seemingly stuck with 20-year-old authentication and identity-management mechanisms — mostly based on passwords.
The resulting chasm between what we have and what we need for access control and governance spells ongoing security lapses, privacy worries, and a detrimental lack of interoperability among cross-domain cloud services. So, while a new generation of standards and technologies has emerged, a new vision is also required to move beyond the precarious passel of passwords that each of us seems to use all the time.
The fast approaching Cloud Identity Summit 2014 this July gives us a chance to recheck some identity-management premises — and perhaps step beyond the conventional to a more functional mobile future. To help us define these new best ways to manage identities and access control in the cloud and mobile era, please join me in welcoming our guest, Andre Durand, CEO of Ping Identity. The discussion is moderated by me, Dana Gardner, Principal Analyst at Interarbor Solutions.
Here are some excerpts:
Gardner: The Cloud Identity Summit is coming up, and at the same time, we’re finding that this digital economy is not really reaching its potential. There seems to be this ongoing challenge, as we have more devices, varieties of service and this need for this cross-domain interaction capability. It’s almost as if we’re stymied. So why is this problem so intractable? Why are we still dealing with passwords and outdated authentication?
Durand: Believe it or not, you have to go back 30 years to when the problem originated, when the Internet was actually born. Vint Cerf, one of the founders and creators of the Internet, was interviewed by a reporter two or three years back. He was asked if he could go back 30 years, when he was creating the Internet, what would he do differently? And he thought about it for a minute and said, “I would have tackled the identity problem.”
He continued, “We never expected the Internet to become the Internet. We were simply trying to route packets between two trusted computers through a standardized networking protocol. We knew that the second we started networking computers, you needed to know who the user was that was making the request, but we also knew that it was a complicated problem.” So, in essence, they punted.
Roll forward 30 years, and the bulk of the security industry and the challenges we now face in identity management at scale, Internet or cloud scale, all result from not having tackled identity 30 years ago. Every application, every device, every network that touches the Internet has to ask you who you are. The easiest way to do that is via user name and password, because there was no concept of who the user was on the network at a more fundamental universal layer.
So all this password proliferation comes as a result of the fact that identity is not infrastructure today in the Internet, and it’s a hard problem to retrofit the Internet for a more universal notion of who you are, after 30 years of proliferating these identity silos.
Internet of things
Gardner: It certainly seems like it’s time, because we’re not only dealing with people and devices. We’re now going into the Internet of Things, including sensors. We have multiple networks and more and more application programming interfaces (APIs) and software-as-a-service (SaaS) applications and services coming online. It seems like we have to move pretty quickly. [See more on identity standards and APIs.]
Durand: We do. The shift that began to exacerbate, or at least highlight, the underlying problem of identity started with cloud and SaaS adoption, somewhere around 2007-2008 time frame. With that, it moved some of the applications outside of the data center. Then, starting around 2010 or 2011, when we started to really get into the smartphone era, the user followed the smartphone off the corporate network and the corporate-issued computer and onto AT and T’s network.
So you have the application outside of the data center. You have the user off the network. The entire notion of how to protect users and data broke. It used to be that you put your user on your network with a company-issued computer accessing software in the data center. It was all behind the firewall.
Those two shifts changed where the assets were, the applications, data, and the user. The paradigm of security and how to manage the user and what they have access to also had to shift and it just brought to light the larger problem in identity.
Gardner: And the stakes here are fairly high. We’re looking at a tremendously inefficient healthcare system here in the United States, for example. One of the ways that could be ameliorated and productivity could be increased is for more interactions across boundaries, more standards applied to how very sensitive data can be shared. If we can solve this problem, it seems to me there is really a flood of improvement in productivity to come behind it.
Durand: It’s enormous and fundamental. Someone shared with me several years ago a simple concept that captures the essence of how much friction we have in the system today in and around identity and users in their browsers going places. The comment was simply this: In your browser you’re no longer limited to one domain. You’re moving between different applications, different websites, different companies, and different partners with every single click.
What we need is the ability for your identity to follow your browser session, as you’re moving between all these security domains, and not have to re-authenticate yourself every single time you click and are off to a new part of the Internet.
We need that whether that means employees sitting at their desktop on a corporate network, opening their browser and going to Salesforce.com, Office 365, Gmail, or Box, or whether it means a partner going into another partner’s application, say to manage inventory as part of their supply chain.
We have to have an ability for the identity to follow the user, and fundamentally that represents this next-gen notion of identity.
Gardner: I want to go back to that next-gen identity definition in a moment, but I notice you didn’t mention authenticate through biometrics to a phone or to a PC. You’re talking, I think, at a higher abstraction, aren’t you? At software or even the services level for this identity. Or did I read it wrong?
Durand: No, you read it absolutely correctly. I was definitely speaking at 100,000 feet there. Part of the solution that I play out is what’s coming in the future will be stronger authentication to fewer places, say stronger authentication to your corporate network or to your corporate identity. Then, it’s a seamless ability to access all the corporate resources, no matter if they’re business applications that are proprietary in the data center or whether or not the applications are in the cloud or even in the private cloud.
So, stronger user authentication is likely through the mobile phone, since the phones have become such a phenomenal platform for authentication. Then, once you authenticate to that phone, there will be a seamless ability to access everything, irrespective of where it resides.
Gardner: Then, when you elevate to that degree, it allows for more policy-driven and intelligence-driven automated and standardized approaches that more and more participants and processes can then adopt and implement. Is that correct?
Durand: That’s exactly correct. We had a notion of who was accessing what, the policy, governance, and the audit trail inside of the enterprise, and that was through the ’80s, ’90s, and the early 2000s. There was a lot of identity management infrastructure that was built to do exactly that within the enterprise.
Gardner: With directories.
Durand: Right, directories and all the identity management, Web access management, identity-management provisioning software, and all the governance software that came after that. I refer to all of those systems as Identity and Access Management 1.0.
It was all designed to manage this, as long as all the applications, user, and data were behind the firewall on the company network. Then, the data and the users moved, and now even the business applications are moving outside the data center to the public and private cloud.
We now live in this much more federated scenario, and there is a new generation of identity management that we have to install to enable the security, auditability, and governance of that new highly distributed or federated scenario.
Gardner: Andre, let’s go back to that “next-generation level” of identity management. What did you mean by that?
Durand: There are few tenets that fall into the next-generation category. For me, businesses are no longer a silo. Businesses are today fundamentally federated. They’re integrating with their supply chain. They’re engaging with social identities, hitting their consumer and customer portals. They’re integrating with their clients and allowing their clients to gain easier access to their systems. Their employees are going out to the cloud.
All of these are scenarios where the IT infrastructure in the business itself is fundamentally integrated with its customers, partners, and clients. So that would be the first tenet. They’re no longer a silo.
The second thing is that in order to achieve the scale of security around identity management in this new world, we can no longer install proprietary identity and access management software. Every interface for how security and identity is managed in this federated world needs to be standardized.
So we need open identity standards such as SAML, OAuth, and OpenID Connect, in order to scale these use cases between companies. It’s not dissimilar to an era of email, before we had Internet e-mail and the SMTP standard.
Companies had email, but it was enterprise email. It wouldn’t communicate with other companies’ proprietary email. Then, we standardized email through SMTP and instantly we had Internet-scaled email.
I predict that the same thing is occurring, and will occur, with identity. We’ll standardize all of these cases to open identity standards and that will allow us to scale the identity use cases into this federated world.
The third tenet is that, for many years, we really focused on the browser and web infrastructure. But now, you have users on mobile devices and applications accessing APIs. You have as many, if not most, transactions occurring through the API mobile channel than you do through the web.
So whatever infrastructure we develop needs to normalize the API and mobile access the same way that it does the web access. You don’t want two infrastructures for those two different channels of communication. Those are some of the big tenets of this new world that define an architecture for next-gen identity that’s very different from everything that came before it.
Gardner: To your last tenet, how do we start to combine without gaps and without security issues the ability to exercise a federated authentication and identity management capability for the web activities, as well as for those specific APIs and specific mobile apps and platforms?
Durand: I’ll give you a Ping product specific example, but it’s for exactly that reason that we kind of chose the path that we did for this new product. We have a product called PingAccess, which is a next-gen access control product that provides both web access management for the web browsers and users using web application. It provides API access management when companies want to expose their APIs to developers for mobile applications and to other web services.
Prior to PingAccess in a single product, allowing you to enable policy for both the API channel and the web channel, those two realms typically were served by independent products. You’d buy one product to protect your APIs and you’d buy another product to do your web-access management.
Now with this next-gen product, PingAccess, you can do both with the same product. It’s based upon OAuth, an emerging standard for identity security for web services, and it’s based upon OpenID Connect, which is a new standard for single sign-on and authentication and authorization in the web tier. [See more on identity standards and APIs.]
We built the product to cross the chasm, between API and web, and also built it based upon open standards, so we could really scale the use cases.
Gardner: Whenever you bring out the words “new” and “standard,” you’ll get folks who might say, “Well, I’m going to stick with the tried and true.” Is there any sense of the level of security, privacy control management, and governance control with these new approaches, as you describe them, that would rebut that instinct to stick with what you have?
Durand: As far as the instinct to stick with what you have, keep in mind that the alternative is proprietary, and there is nothing about proprietary that necessarily means you have better control or more privacy.
The standards are really defining secure mechanisms to pursue a use case between two different entities. You want a common interface, a common language to communicate. There’s a tremendous amount of the work that goes into it by the entire industry to make sure that those standards are secure and privacy enabling.
I’d argue that it’s more secure and privacy enabling than the one-off proprietary systems and/or the homegrown systems that many companies developed in the absence of these open standards.
Gardner: Of course, with standards, it’s often a larger community, where people can have feedback and inputs to have those standards evolve. That can be a very powerful force when it comes to making sure that things remain stable and safe. Any thoughts about the community approach to this and where these standards are being managed?
Durand: A number of the standards are being managed now by the Internet Engineering Task Force (IETF), and as you know, they’re well-regarded, well-known, and certainly well-recognized for their community involvement and having a cycle of improvement that deals with threats, as they emerge, as the community sees them, as a mechanism to improve the standards over time to close those security issues.
Gardner: Going back to the Cloud Identity Summit 2014, is this a coming-out party of sorts for this vision of yours? How do you view the timing right now? Are we at a tipping point, and how important is it to get the word out properly and effectively?
Durand: This is our fifth annual Cloud Identity Summit. We’ve been working toward this combination of where identity and the cloud and mobile ultimately intersect. All of the trends that I described earlier today — cloud adoption, mobile adoption, moving the application and the user and the device off the network — is driving more and more awareness towards a new approach to identity management that is disruptive and fundamentally different than the traditional way of managing identity.
On the cusp
We’re right on the cusp where the adoption across both cloud and mobile is irrefutable. Many companies now are moving all in in their strategies to make adoption by their enterprises across those two dimensions a cloud-first and mobile-first posture.
So it is at a tipping point. It’s the last nail in the coffin for enterprises to get them to realize that they’re now in a new landscape and need to reassess their strategies for identity, when the business applications, the ones that did not convert to SaaS, move to Amazon Web Services, Equinix, or to Rackspace and the private-cloud providers.
That, all of a sudden, would be the last shift where applications have left the data center and all of the old paradigms for managing identity will now need to be re-evaluated from the ground up. That’s just about to happen.
Gardner: Another part of this, of course, is the user themselves. If we can bring to the table doing away with passwords, that itself might encourage a lot of organic adoption and calls for this sort of a capability. Any sense of what we can do in terms of behavior at the user level and what would incentivize them to knock on the door of their developers or IT organization and ask for this sort of capability and vision that we described.
Durand: Now you’re highlighting my kick-off speech at PingCon, which is Ping’s Customer and Partner Conference the day after the Cloud Identity Summit. We acquired a company and a technology last year in mobile authentication to make your mobile phone the second factor, strong authentication for corporations, effectively replacing the one-time tokens that have been issued by traditional vendors for strong authentication.
It’s an application you load on your smartphone and it enables you an ability to simply swipe across the screen to authenticate when requested. We’ll be demonstrating the mobile phone as a second-factor authentication. What I mean there is that you would type in your username and password and then be asked to swipe the phone, just to verify your identity before getting into the company.
We’ll also demonstrate how you can use the phone as a single-factor authentication. As an example, let’s say I want to go to some cloud service, Dropbox, Box, or Salesforce. Before that, I’m asked to authenticate to the company. I’d get a notification on my phone that simply says, “Swipe.” I do the swipe, it already knows who I am, and it just takes me directly to the cloud. That user experience is phenomenal.
When you experience an ability to get to the cloud, authenticating to the corporation first, and simply swipe with your mobile phone, it just changes how we think about authentication and how we think about the utility of having a smartphone with us all the time.
Gardner: This aligns really well, and the timing is awesome for what both Google with Android and Apple with iOS are doing in terms of being able to move from screen to screen seamlessly. Is that something that’s built in this as well?
If I authenticate through my mobile phone, but then I end up working through a PC, a laptop, or any other number of interfaces, is this is something that carries through, so that I’m authenticated throughout my activity?
Durand: That’s the entire vision of identity federation. Authenticate once, strongly to the network, and have an ability to go everywhere you want — data center, private cloud, public SaaS applications, native mobile applications — and never have to re-authenticate.
Gardner: Sounds good to me, Andre. I’m all for it. Before we sign off, do we have an example? It’s been an interesting vision and we’ve talked about the what and how, but is there a way to illustrate to show that when this works well perhaps in an enterprise, perhaps across boundaries, what do you get and how does it work in practice?
Durand: There are three primary use cases in our business for next-generation identity, and we break them up into workforce, partner, and customer identity use cases. I’ll give you quick examples of all three.
In the workforce use case, what we see most is a desire for enterprises to enable single sign-on to the corporation, to the corporate network, or the corporate active directory, and then single-click access to all the applications, whether they’re in the cloud or in the data center. It presents employees in the workforce with a nice menu of all their application options. They authenticate once to see that menu and then, when they click, they can go anywhere without having to re-authenticate.
That’s primarily the workforce use case. It’s an ability for IT to control what applications, where they’re going in the cloud, what they can do in the cloud to have an audit trail of that, or have full control over the use of the employee accessing cloud applications. The next-gen solutions that we provide accommodate that use case.
The second use case is what we call a customer portal or a customer experience use case. This is a scenario where customers are hitting a customer portal. Many of the major banks in the US and even around the world use Ping to secure their customer website. When you log into your bank to do online banking, you’re logging into the bank, but then, when you click on any number of the links, whether to order checks, to get check fulfillment, that goes out to Harland Clarke or to Wealth Management.
That goes to a separate application. That banking application is actually a collection of many applications, some run by partners, some by run by different divisions of the bank. The seamless customer experience, where the user never sees another login or registration screen, is all secured through Ping infrastructure. That’s the second use case.
The third use case is what we call a traditional supply chain or partner use case. The world’s largest retailer is our customer. They have some 100,000 suppliers that access inventory applications to manage inventory at all the warehouses and distribution centers.
Prior to having Ping technology, they would have to maintain the username and password of the employees of all those 100,000 suppliers. With our technology they allow single sign-on to that application, so they no longer have to manage who is an employee of all of those suppliers. They’ve off-loaded the identity management back to the partner by enabling single sign-on.
If you’re a Comcast customer and you log into comcast.net and click on any one of the content links or email, that customer experience is secured though Ping. If you log into Marriott, you’re going through Ping. The list goes on and on.
In the future
Gardner: This all comes to a head as we’re approaching the July Cloud Identity Summit 2014 in Monterey, Calif., which should provide an excellent forum for keeping the transition from passwords to a federated, network-based intelligent capability on track.
Before we sign-off, any idea of where we would be in a year from now? Is this a stake in the ground for the future or something that we could extend our vision toward in terms of what might come next, if we make some strides and a lot of what we have been talking about today gets into a significant uptake and use.
Durand: We’re right on the cusp of the smartphone becoming a platform for strong, multi-factor authentication. That adoption is going to be fairly quick. I expect that, and you’re going to see enterprises adopting en masse stronger authentication using the smartphone.
Gardner: I suppose that is an accelerant to the bring-your-own-device (BYOD) trend. Is that how you see it as well?
Durand: It’s a little bit orthogonal to BYOD. The fact that corporations have to deal with that phenomenon brings its own IT headaches, but also its own opportunities in terms of the reality of where people want to get work done.
But the fact that we can assume that all of the devices out there now are essentially smartphone platforms, very powerful computers with lots of capabilities, is going to allow the enterprises now to leverage that device for really strong multi-factor authentication to know who the user is that’s making that request, irrespective of where they are — if they’re on the network, off the network, on a company-issued computer or on their BYOD.
You may also be interested in:
- Standards and APIs: How to Build Platforms and Tools to Best Manage Identity and Security
- The Open Group and MIT Experts Detail New Advances in Identity Management to Help Reduce Cyber Risk
- Effective Enterprise Security Begins and Ends with Architectural Best Practices Approach
- BYOD Brings New Challenges for IT: Allowing Greater Access while Protecting Networks
- Identify and Access Management as a Service Gets Boost with SailPoint’s IdentityNow Cloud Service
- Identity Governance Becomes Must-Do Items on Personnel Management and Security Checklist