
FEATURE

January 2012 Computer Fraud & Security

The importance of identity security

Jason Goode, Ping Identity

Internet-based identity security always yields high rates of return on investment, and provides substantial business benefits, including increased customer satisfaction, reduced expenditures and higher employee productivity.

Cloud computing is fundamentally shifting the enterprise network from fixed, data-centric server technologies to a flexible, application-driven, dispersed network that aligns more closely to business needs. The security landscape has therefore changed: IT departments can no longer control what devices their employees bring into the office, what they physically connect to the network and how they access information.

This isn’t necessarily a bad thing. On the contrary, it can dramatically improve efficiency, motivation and productivity – but it is driving a new role for the IT department in balancing access and security. This shifting role for IT places a greater emphasis on protecting identity, information and data. Security, though, is not about keeping people in – or out – but more about collaboration, managed identity and access. It should be about ensuring that the right people have the right access to the right things at the right time.

The requirement for applications to identify users and make access and authorisation decisions has not changed, however. Externally hosted applications generally require each user to have his or her own user name and password, forcing users to remember login credentials for each application and requiring regular password changes to ensure security. This diminishes productivity and increases security risks from phishing and hacking as users pick memorable passwords. If an organisation attempts to thwart this by establishing strict password policies, users just record them somewhere. What is needed is a way to eliminate passwords altogether and provide Single Sign-On (SSO) to web applications while still continuing to maintain high security levels.

The rise and rise of the cloud

Web applications are located inside of the organisation, hosted externally, delivered as a service, or configured as any combination of the three. Security for internal applications is relatively straightforward, providing that all users and applications are in the same security domain, and a central identity management (IdM) system identifies and authenticates users. This can also be used by applications to make decisions about access.

“Repeated logins exact a substantial productivity tax on the organisation. Remembering all those usernames and passwords is difficult and time consuming”

All of this falls apart when applications are moved outside of the firewall or to another security domain, including moving to Software-as-a-Service (SaaS) and Business Process Outsourcing (BPO) vendors, such as Accenture or Hewlett-Packard. Since these applications do not have access to the organisation’s IdM system, each maintains its own user database for access and authorisation purposes. Users must sign on to each application with a distinct username and password each time a new browser session is initiated. While this may not seem like a major problem, consider how many logins are required when hundreds or thousands of workers each have to sign on to multiple web applications several times each day.

In addition to becoming an application adoption barrier, repeated logins exact a substantial productivity tax on the organisation. Remembering all those usernames and passwords is difficult and time consuming, and it is not uncommon for users to choose a memorable, identical username and password for every application. If someone guesses or discovers the username/password pair, they potentially gain access to all of the user’s applications – the ‘keys to the kingdom’ problem. The ideal solution is to eliminate application passwords altogether and provide SSO to all web applications using secure, scalable, standards-based, cost-effective means.

Why Internet SSO?

Today’s business climate is tough. The ongoing recession means that every penny of Capital and Operational Expenditure (CapEx/OpEx) is now under constant scrutiny – including security investment decisions. These security investments are of vital importance, but there is no avoiding the fact that they need to be reinforced with a strong business case.


When the number of applications running outside of an organisation’s firewall increases, so does the risk of password theft. The more distinct usernames and passwords a user must memorise, the higher the chance they will store them in a place where they can be stolen. SSO is a simple solution to this dilemma. Users do not need to sign on again to access applications, and their identity and access information is passed securely to the application vendor. Since they are already authenticated, no password is required. And because no password is required, there is no password for anyone to steal.

The value of Internet SSO for businesses can be summed up as:

• Increased application adoption: Internet SSO and identity federation removes one large adoption barrier and delivers the same ‘click and work’ convenience that users have grown to expect from their other business-critical applications.

• Increased employee productivity: time wasted through employees logging into several applications per day can cost an organisation with 1,000 users up to 250 minutes per day.

• Decreased helpdesk costs: Research from Gartner has shown that the average user calls the helpdesk 19 times a year, with 30% of all calls being password related. Some SaaS and BPO vendors charge their customers for these calls where the organisation’s own helpdesk does not handle application password issues. There is a time and cost implication of reassigning new passwords whenever users forget their original access details.

A question of identity

The benefits of Internet SSO are clear from an investment point of view. But equally important are the security implications – that is to say, the factors at risk in the event that passwords are hacked or phished.

“Hackers do not just gain access to our data but to our very personal identity information. Potentially, this can be incredibly damaging, both from an individual and enterprise perspective”

It is common these days to speak of the dangers of ‘data’ loss. But when passwords and other sensitive information are compromised, our online identities are at stake. From a user with a Facebook account to a corporation with over 1,000 employees under a uniform email address, our online identities have become valuable assets by which we gain access to all manner of sensitive information. When this is compromised, hackers do not just gain access to our data but to our very personal identity information. Potentially, this can be incredibly damaging, both from an individual and enterprise perspective. SSO addresses these challenges, eliminates password risk and does so using architecturally sound means.

What is ‘federated identity’?

The key to implementing SSO is ‘federated identity’. This provides a secure, standard, Internet-friendly way to share identity among multiple organisations and applications. With standardised federated identity, users sign on once using a standard network login or hosted authentication service. When they click a web application link, their identity is transparently and securely shared with the application, removing the login requirement. Since the organisation authenticates the user and the application provider can verify the authenticity of the provided federated identity, application passwords are obviated and users enjoy click-and-work access to applications.

Figure: Federated identity standards can provide users with seamless SSO access to cloud-based applications.

Figure: SAML 2.0 incorporates three existing federation technologies and standards – SAML 1.1, ID-FF 1.2 and Shibboleth.

The essential element here is to implement a standard, because when a technology is federated, all participants must play by the same rules to enable interoperability. Federated identity would be impossible without standards. Each organisation embarking on application sharing would have to spin up an elaborate design and development project, negotiating interfaces between each party’s unique infrastructures. Unless each connection was repeatedly tested, security risks could result. To conduct such an effort every time a connection is made with a business partner or vendor would prove to be prohibitively expensive and time consuming.

Standardising federated identity and SAML

The need for federated identity was identified in the early 2000s and, by 2005, two major identity federation standards remained – Security Assertion Markup Language (SAML) and WS-Federation (related to a number of Web Service standards).

“Identity federation is a huge win for users, IT and the business alike. It bridges separated silos of identity systems to provide organisations with the ability to secure their cross-boundary interactions”

SAML today is the dominant standard, enabling the secure exchange of authentication and authorisation information between security domains. An ‘assertion’ is made by an identity provider, which has the responsibility of maintaining the user’s identity and authenticating the user using a variety of means. Once a user is authenticated and selects a web application URL, identity federation software converts his or her local identity into a SAML assertion. This is digitally signed and encrypted to ensure authenticity and may optionally include other data required by the destination application. The assertion is then securely transmitted to the Service Provider (SP) that provides the application. Identity federation software at the SP receives the assertion, verifies and decrypts the contents and shares the information with the application, which uses the data to sign the user on, thus enabling SSO. From the users’ perspective, they click the application link and start working – completely insulated from the federation identity ‘magic’ going on behind the scenes.
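The assertion exchange described above (the identity provider issuing a signed assertion, the service provider verifying it before signing the user on), as an added illustration that is not the article's or Ping Identity's code. It shows the checks an SP must make beyond the signature: trusted issuer, validity window, audience restriction and one-time use of the assertion ID. Assumptions: HMAC-SHA256 over the serialised XML with a shared key stands in for the XML digital signature with a key pair that real SAML 2.0 deployments use, encryption of the assertion is omitted, and the entity IDs, user name, key and timestamps are constructed sample values.

```python
"""Minimal SAML-style assertion issue/verify round trip (illustrative only).

An IdP builds a signed assertion for an authenticated user; the SP verifies the
signature, issuer, validity window, audience and uniqueness before signing the
user on.  HMAC-SHA256 with a shared key stands in for XML-DSig (assumption made
so that the example runs with the standard library alone).
"""
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def _tag(name):
    return "{%s}%s" % (SAML_NS, name)


class IdentityProvider:
    def __init__(self, entity_id, signing_key):
        self.entity_id = entity_id
        self.signing_key = signing_key

    def issue_assertion(self, user, audience, now, ttl=timedelta(minutes=5)):
        """Convert the user's local identity into a signed assertion for `audience`."""
        ET.register_namespace("saml", SAML_NS)
        assertion = ET.Element(_tag("Assertion"), {
            "ID": "_" + secrets.token_hex(16),  # unique per assertion, used for replay checks
            "Version": "2.0",
            "IssueInstant": now.isoformat(),
        })
        ET.SubElement(assertion, _tag("Issuer")).text = self.entity_id
        subject = ET.SubElement(assertion, _tag("Subject"))
        ET.SubElement(subject, _tag("NameID")).text = user
        conditions = ET.SubElement(assertion, _tag("Conditions"), {
            "NotBefore": now.isoformat(),
            "NotOnOrAfter": (now + ttl).isoformat(),
        })
        restriction = ET.SubElement(conditions, _tag("AudienceRestriction"))
        ET.SubElement(restriction, _tag("Audience")).text = audience
        payload = ET.tostring(assertion)
        signature = hmac.new(self.signing_key, payload, hashlib.sha256).hexdigest()
        return payload, signature


class ServiceProvider:
    def __init__(self, entity_id, trusted_issuer, signing_key):
        self.entity_id = entity_id
        self.trusted_issuer = trusted_issuer
        self.signing_key = signing_key
        self.seen_ids = set()  # assertion IDs already consumed (replay cache)

    def consume(self, payload, signature, now):
        """Return the NameID to sign on, or raise ValueError with the failed check."""
        expected = hmac.new(self.signing_key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            raise ValueError("signature check failed")
        root = ET.fromstring(payload)
        if root.tag != _tag("Assertion") or root.get("Version") != "2.0":
            raise ValueError("not a SAML 2.0 assertion")
        issuer = root.findtext(_tag("Issuer"))
        if issuer != self.trusted_issuer:
            raise ValueError("untrusted issuer %r" % issuer)
        conditions = root.find(_tag("Conditions"))
        not_before = datetime.fromisoformat(conditions.get("NotBefore"))
        not_on_or_after = datetime.fromisoformat(conditions.get("NotOnOrAfter"))
        if not (not_before <= now < not_on_or_after):
            raise ValueError("assertion outside its validity window")
        audiences = [a.text for a in conditions.iter(_tag("Audience"))]
        if self.entity_id not in audiences:
            raise ValueError("assertion not addressed to this SP")
        assertion_id = root.get("ID")
        if assertion_id in self.seen_ids:
            raise ValueError("assertion replayed")
        self.seen_ids.add(assertion_id)
        name_id = root.findtext(_tag("Subject") + "/" + _tag("NameID"))
        if not name_id:
            raise ValueError("assertion has no subject")
        return name_id


def run_checks():
    """Issue assertions and present them to the SP under several conditions."""
    key = secrets.token_bytes(32)  # constructed shared key (stands in for the IdP key pair)
    idp = IdentityProvider("https://idp.example.org", key)
    sp = ServiceProvider("https://saas.example.com", "https://idp.example.org", key)
    t0 = datetime(2012, 1, 15, 9, 0, tzinfo=timezone.utc)

    def attempt(payload, signature, at):
        try:
            return "ok:" + sp.consume(payload, signature, at)
        except ValueError as exc:
            return "rejected:" + str(exc)

    payload, sig = idp.issue_assertion("alice@example.org", "https://saas.example.com", t0)
    results = {
        "fresh": attempt(payload, sig, t0 + timedelta(seconds=30)),
        "replayed": attempt(payload, sig, t0 + timedelta(seconds=60)),
        "tampered": attempt(payload.replace(b"alice", b"mallory"), sig, t0 + timedelta(seconds=30)),
    }
    p2, s2 = idp.issue_assertion("alice@example.org", "https://saas.example.com", t0)
    results["expired"] = attempt(p2, s2, t0 + timedelta(minutes=10))
    p3, s3 = idp.issue_assertion("alice@example.org", "https://other.example.net", t0)
    results["wrong_audience"] = attempt(p3, s3, t0 + timedelta(seconds=30))
    return results


if __name__ == "__main__":
    for case, outcome in run_checks().items():
        print("%-15s %s" % (case, outcome))
```

The order of checks matters in practice: the signature is verified over the exact bytes received before anything is parsed, so a tampered subject fails closed, and the audience check stops an assertion issued for one application from being accepted by another even though the same identity provider signed it.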

SAML’s major advantage is that it is widespread, and adoption is growing throughout the industry. Its popularity derives from its many advantages – security, scalability and dependability in thousands of product deployments worldwide.

Identity federation is a huge win for users, IT and the business alike. It bridges separated silos of identity systems to provide organisations with the ability to secure their cross-boundary interactions. Identity federation enables:

• Easier access for users to utilise external resources over the Internet.

• Improved end-user experience.

• Uninhibited online interaction.

• Reduced sharing and impersonation of usernames.

Users love federation because Internet SSO enables them to use web applications as easily as internal applications while freeing them from remembering (and resetting) an inventory of passwords. IT loves federation because it simultaneously enhances security and reduces the support burden, especially at the helpdesk. And business leaders love federation because it smoothes application and data sharing with customers, business partners, vendors and even subsidiaries while decreasing risk and increasing regulatory compliance.

The future of security

In today’s web-centric application environment, with its wealth of internal and external web applications and services, federated identity is critical for making access both seamless and secure while ensuring that users adopt applications as quickly as possible. The fact that the passwords are encrypted and not sent out to or stored in the cloud reduces the security headache for the IT department. Also, besides the obvious benefit of having a single login and passwords that do not need to be written down anywhere to be remembered, the majority of users will only have one login, and the authentication of that login can be made extremely secure.

So as more and more businesses look to the cloud for service provisioning, cloud identity management, including Internet SSO, should sound the death knell for passwords as we know them and increasingly become the de facto solution to secure information and identity and allow seamless access from both inside and outside a company’s boundaries.

About the author

Jason Goode is the EMEA regional director at Ping Identity and is responsible for sales across the entire EMEA region. With over 10 years’ sales experience in the identity security space, he is focused on helping customers implement cloud identity security solutions. Prior to joining Ping, Goode worked for a number of public and privately owned enterprise software companies focused on delivering identity and security products.