Adopting cloud? You’ll need to update your identity infrastructure to do it securely

Identity-as-a-service (IDaaS) providers are enjoying growing momentum as businesses increasingly accept that their legacy Identity and access management (IAM) systems are too old and inflexible to securely support cloud applications.

One of the beneficiaries has been Ping Identity, which launched an Australian data centre last April as it moved to bolster its presence in this region. “There are a lot of drivers supporting stronger multi-factor authentication that isn’t based on hardware tokens,” chief technology officer Patrick Harding told CSO Australia.

The company’s Australian presence – which uses Amazon Web Services (AWS) infrastructure to reduce the latency of authentication services for local clients – has generated “a lot of traction” locally as businesses leverage hosted IAM services to simplify their cloud migrations by providing a bridge between their cloud and on-premises applications.

Many were embracing IDaaS after years of trying and failing to extend legacy identity systems to support contemporary application architectures, Harding said. “There are a lot of aspirations around digital transformation and digital services here, but they’re trying to do it on an identity infrastructure that is 10 to 15 years old,” he said.

“They have finally come to the revelation that they need to replace it with Web products that can take them to the Web, mobile, and API-driven world. Identity is a foundational area that they have to get right to really address a lot of the customer experience issues that they’ve been facing. They never wanted to bite the bullet, but now they realise that they have to.”

Those identity capabilities will also be essential to locking down privacy efforts around Australian privacy legislation and even more onerous standards such as the European Union’s general data protection regulation (GDPR), which will come into effect next May and will affect any Australian company that collects or manages information about EU citizens.

A recent Gartner analysis flagged an emerging preference for SaaS-based security services, as well as noting that GDPR compliance would be a key driver for increased investment in identity and other services. “Punitive regulations will create board-level fears,” the analysis predicted, “driving security software budget decisions based on the potential financial impact of fines and noncompliance. Consequently, enterprises will look to providers with products that provide the needed visibility and control of their data.”

Non-repudiable identity models will be important for companies that need to demonstrate that they have collected customer consent to data collection under the GDPR’s strong opt-in regime, Harding said. This requirement was further strengthened in the context of increasingly automated online systems, where access to API-driven services – increasingly generated by Internet of Things (IoT) devices – must also be authenticated to ensure chain-of-custody over private information.

“We’re seeing this all moving to more of a continuous authentication, zero-login model where you want to be constantly collecting signals from the user on what they’re doing and how they’re doing it,” Harding said, alluding to newer behavioural-monitoring capabilities that were recently mandated by no less than the US government’s Office of Management and Budget.

Ping Identity is one of numerous identity providers pushing their IDaaS offerings into the market; Gemalto this week launched SafeNet Trusted Access, a cloud-based access management service that integrates analytics capabilities to enforce policies and monitor single sign-on (SSO) access across cloud and on-premises applications.

“Historically, controlling access to resources has been ‘red-light/green-light’ or binary,” said 451 Research principal analyst Garrett Bekker in a statement. “You’re either allowed in or you’re not, and once they are in, most SSO offerings are blind to anything a user does once they are granted. Combining analytics with IAM provides companies with the ability to identify anomalies in access patterns that could indicate risk and help prevent data breaches.”

Security contender Vidder this week debuted an ‘endpoint trust assessment’ enhancement to its PrecisionAccess tool, which enforces access controls across hybrid networks by managing application access based on endpoints. IBM also bowed in the space, this week launching its SAML and OpenID Connect-compliant Cloud Identity Connect framework for single sign-on capabilities.

Like Ping Identity and Gemalto, IBM has watched customers struggling to extend legacy IAM solutions to address Web-based applications: a recent TechValidate survey, commissioned by IBM, found that 44 percent of the 495 respondents said it typically takes from 2 to 7 days per application to link SaaS applications to legacy identity platforms.

Fully 26 percent said it takes around a month, while 9 percent said it takes 3 months or more to complete the integration. Compounded by the growing number of SaaS applications in the typical enterprise – 33, according to recent figures from Fortinet – the effort quickly grows to become unwieldy and offers little futureproofing even if it works.

Convergence of identity and analytics capabilities reflects a growing trend to incorporate analytics for policy-based security enforcement: by 2020, a recent Gartner analysis concluded]], analytics will be embedded in at least 75 percent of security products. A key focus will be the use of analytics techniques to monitor user behaviour, correlated with tighter controls over account access that remains, to many, the most important security control there is.