Cloud IAM: Integration Issues episode artwork

EPISODE · Jul 23, 2019

Cloud IAM: Integration Issues

from Info Risk Today Podcast · host InfoRiskToday.com

A major misconception about cloud IAM is that it's easy to implement, says Mark Perry, CTO for APAC at Ping Identity. Implementation poses challenges, and cloud IAM must be carefully integrated with other systems, he says.

Episode metadata supplied by the publisher feed · Published Jul 23, 2019

A major misconception about cloud IAM is that it's easy to implement, says Mark Perry, CTO for APAC at Ping Identity. Implementation poses challenges, and cloud IAM must be carefully integrated with other systems, he says.

PodParley-generated summary based on available episode metadata and transcript content.

NOW PLAYING

Cloud IAM: Integration Issues

0:00 0:00
of MATCHES

TRANSCRIPT · AUTO-GENERATED

Hi, I'm Gita Nandikotul, managing editor for Asia and meetings with information security media group. I got a big Mark Wary, Chief Technology Officer, Asia-Pacific, Appian Identity to discuss how the cloud identity and access management is evolving, implementing breaches. Mark discusses where the scenarios in which cloud I am is being deployed and helping build new authentication mechanisms. Thanks for joining the conversation today, Mark.

Thank you, Duda. He's great to be here and hello to your listeners. Mark, in what scenarios do you think with cloud identity and access management is being deployed? Can you explain the scenarios?

Yes, certainly. But there are generally three major scenarios where cloud identity and access management is being deployed at the moment by our customers. I think the first one is, and this is generally the one that is getting most traction at the moment, is where large organisations are wanting to manage identities in a much easier fashion, a more cost effective fashion, and they're generally people, employees or contractors, itinerant workers, business partners, third party brokers or agents. Those people who are not necessarily full-time employees with the company.

And cloud IAM can provide a fast and secure means to managing on boarding and managing the lifecycle of those identities in a much easier way than traditional on-premise identity management systems can. And across that, you still have the same ability to integrate into applications via SAML or Open ID Connect and provide access to the applications through a single sign-on that are needed. The second way is generally around organisations who need to store customer identity or associated data. And this has been traditionally from startups or new enterprises inside companies, innovation hubs and so on.

But even now, large organisations are starting to move high customer identities to the cloud. There are a number of reasons for that. Generally cloud IAM is much more modern architecture. It allows for restful APIs to access the identity data to manage different types of data from your traditional relational databases or your ill-gap hierarchical stores using say JSON attributes, which you use by developers and you can hook into microservices and the mobile app is much easier that way.

You're able to do a whole lot more with relationships around different customer and customer or customer business or customer to product relationships. You can store device data and other data which changes rapidly. It gives you a lot of different options that may not be available in traditional systems. And again, cloud IAM does generally provide the full scope of multi-factor authentication, account recovery for forgotten passwords or forgotten account scenarios and so on.

The third way is really around where people are wanting to limit their on-premise footprint and where that's allowed by regulation and security risk compliance requirements. So we see this with say some major banks in Australia now where they have a mandate to move workloads into the cloud that they still need to integrate back into on-premise systems for regulatory compliance. And that enables them to put a certain amount of the identity stack in the cloud. So the access management components, because it's a reverse proxy mechanism, even the identity federation components.

So they're not necessarily storing customer identities in the cloud in that case or employee identities, but they're enabling the access into applications and services through a much more agile capability out of the cloud that they manage themselves. So I think the main thing about all of those is you can outsource your services to third party vendors and services in the cloud, but you can't outsource the risk to the business. And that's something that every business has to weigh up to make sure that they're following the right compliance for their company. So interestingly, you mentioned that cloud IAM can provide fast and secure means to manage on-boarding and ongoing lifecycle management of identity.

So what does that mean to the practitioner? Yeah, it's interesting. Traditionally in identity management, we've had in a very heavy weight identity management platform, which has a workflow engine and a very large and growing database and all sorts of capabilities to check who has access to watch and so on. That doesn't go away.

That often that's still required, especially for employees and ROs. But if you're looking at a consumer identity platform, what you need to be able to do is register a user in a way that creates a least amount of friction for that customer, that consumer. So they can go ahead and then use the service and hopefully sign up to spend money with that service as quickly as possible. So for the practitioner who's deciding what capabilities to use there, you have to look at all the security elements, obviously.

You're storing customer data, use names, passwords, device data, and other personal information. So it has to be secured properly. But often the major security risks are around account recovery. So if I can trick a service into allowing me to reset a password, and for someone else then I get control of that account, which means that you have to be very careful about looking at what capabilities there are to identify a user and then enable them to do password reset or to recover an account that's being forgotten about.

And like I mentioned before, around that you've got the ability generally to have some form of multi-factor authentication, whether it be one-time passcode over SMS or via an email link or what have you. But increasing companies are moving towards device-based MFA using push notifications and technologies such as FIDO, which allow for much more secure capabilities. And again, it really comes down to not only what's easy for developers to get something up and running, but also what needs the security requirements of the service. Because the last thing anybody wants is to be finding out they've been breached and then there are tens of thousands or millions of customers to find out their personal information has been stolen.

There's a trade-off between getting things done quickly and getting them done securely. And that's what CloudIAM tries to do. So do you think that CloudIAM needs to be considered as a fully integrated component of the entry-site security landscape to provide that kind of business value that or prevent breaches? So what was your order?

Okay. Yes, that's a good question. I really think that in a lot of cases, companies just want to get things done. They've got timelines to meet their executives have said that they need something at market as quickly as possible.

It's often the way it works that people just stand up something very quickly and what starts out as a proof of concept goes into production and then that has to be managed and maintained. And that's what creates technology silos in the organisation. It might be fine if you're just setting up one application, but if you have then say employees in it to manage things for consumers, so you call sense people need to manage accounts and you have to allow for your employee identity system to go to access that application. There are examples where people have taken on new organisations or joint ventures and they have to bring in third party identities to be able to manage or continue to develop the service and that gets very difficult if the service is just being written in isolation.

So generally with most companies of a certain size, you have to be thinking about how does this work in terms of my overall identity strategy. And that generally means that the service that you pick in the cloud needs to be able to support modern federation protocols like Open integration, mashups and so on through other systems that can be difficult if an identity management system in the cloud has been chosen and it can't integrate easily. So it's really important that people look at this as part of an overall strategy and that enterprise architecture comes into play here not just getting something working for the sake of it. So what has been the big challenge for the practitioners, the CI source when they want to integrate the security within cloud IAM?

I think that one of the major misconceptions around cloud IAM and cloud services in general is that they're easy to implement. They're not necessarily easy, they are generally quicker than going through a procurement cycle for servers and on-premise capabilities and services. The issue still is around IAM that specialist skills are required. So there are vendors out there who will try and sell this is a very easy project to take on however because it's often integration required and sometimes integration back into on-premise or legacy systems there can be a number of different roadblocks that make it considerably harder than what executives might think.

And this is something where a lot of people want customization of a service as well. And of course the more you go for an off-the-shelf cloud service, generally the less customization capabilities you have available. So we're seeing a trend now where people are evaluating the ability to stand up their own identity software in cloud services like Azure and AWS and GCP and so on. And there are companies now that provide a managed service around these capabilities and that gives customers the ability to consume it as a service that still have a broad range of customization capabilities.

That generally depends on the budget and the time people have to stand up a service. But if you start looking then again at that something as part of a providing business value over a long period and not just getting to production in three to six months then that can certainly be available way. So can you think of a use case in an enterprise which has built a cloud ion strategy and what kind of solutions, how do they approach? Yes, there's one large customer in the United States who use identity as a service product which and they have about two million customers.

They're a large supermarket chain and they were going all cloud. They realized that what they had on-premise was going to hold them back. Their developers were going to build new services, very much API driven, microservices, a lot of mobile apps for their end customers. So the customers had a great customer experience while they're in the stores or ordering outside the stores and they really wanted a cloud service that was going to give them the capabilities they needed but also in terms of security so that they weren't going to potentially be a danger of breathing bridge.

But something that was very modern in architecture, something that had full rest API coverage, had multi-factor authentication built in enabled them to define different types of authentication flows depending on the risk of the transaction for example. And that was something that they were able to buy off the shelf and then implement with their own people. So it's one example where it's not a highly regulated industry so they can afford to store customer identity information in the cloud and it makes a lot of sense in that case where they have something that's buying off the shelf with a large number of capabilities that can be integrated by modern standards like Open ID Connect and REST. You mentioned about architecture, cloud-eye architecture.

So what would be the ideal framework for an enterprise? It's difficult to make a judgment because of the different requirements around compliance and risk there and I think most people will have a good understanding of what makes sense for their organisation. But I think one of the major things people have to remind themselves of is that the attackers that our guys are looking for all the chinks in the armour, all the small holes that they can get through. So you really have to be very careful what you use to store identity data and what's involved in your authentication and authorization flows there.

I think there are various frameworks out in the market at the moment. I think people have to be really aware that it's much beyond being able to authenticate and store data and so on. They have to be looking at the security flows for account recovery, for password reset, allowing for multi-factor authentication as standard, not just as an optional extra or as a cost add-on. I think we as an industry have to push multi-factor authentication as being no longer optional.

And then looking at what the impact on the processes of the organisation are as well, how you integrate that into your CICD pipelines, how you're able to push new capabilities and new updates to applications and data schemas and so on. Such that it provides for 24 by 7 operation and that's certainly something that the newer cloud capabilities provide for. But again, you have to evaluate that pretty carefully so that you're getting the best capabilities for your money. What do you think practitioners need to pay attention to or need to understand when it comes to implementing cloud IM?

What kind of processes? What kind of issues steps that are required from security team? I think when you're deciding on a platform like this, obviously there's going to be a security review that happens. You'd want to see penetration test results.

You'd want to see the various security standards being met. One of the big things that happens is often there's a question around data sovereignty when you're storing data in the cloud. And this is something again, which is very customer specific depending on which industry they work in for governments or for for financial services or whatever that can be a big no-no to store data outside of country. Other organisations quite happy for their data to be stored off of site, whether that be in the US or Europe or in Asia Pacific.

So that's one thing that has to be looked at really carefully. What does the the identity service in the cloud? Where do they still store their data? And what are their processes for backups for recovery and what standards do they need to have an organisation?

Also, you need to look at what the support for developers is like because that's often driving the deployment of these services. So you want something that's fully rest enabled, but supports OpenOD Connect that has your multi-factor authentication built into it. That has a lot of how the box capability. So you're not writing your own security code.

And I think definitely there are things to be said about having the right skills in the organisation and trying to bring as much of that in house as possible. Because often these services are very mission critical. They have direct impact on the uptime of the organisation whether that has a financial impact or a regulatory impact and being able to have the right people in the organisation who understand how these services work is becoming more important. Thank you very much Mark for sharing your thoughts on how Cloud iM is evolving and it is also helping customers free empty breaches.

Thank you very much Ben. Thanks. This is Gita N

That Hoarder: Overcome Compulsive Hoarding That Hoarder Hoarding disorder is stigmatised and people who hoard feel vast amounts of shame. This podcast began life as an audio diary, an anonymous outlet for somebody with this weird condition. That Hoarder speaks about her experiences living with compulsive hoarding, she interviews therapists, academics, researchers, children of hoarders, professional organisers and influencers, and she shares insight and tips for others with the problem. Listened to by people who hoard as well as those who love them and those who work with them, Overcome Compulsive Hoarding with That Hoarder aims to shatter the stigma, share the truth and speak openly and honestly to improve lives. The Small Business Startup School – Business Notes | Financial Literacy | Retail Psychology – For Professionals & Entrepreneurs The Small Business Startup School Inc. Starting or buying a small business? While personal circumstances may vary, business patterns remain timeless. On The Small Business Startup School, we explore strategies, insights, and practical solutions to help entrepreneurs confidently navigate their journey.Hosted by Ola Williams—a retail entrepreneur, fintech founder, and financial coach with over two decades of experience—this podcast marries financial awareness and retail psychology with optimism to deliver actionable takeaways.Join us to learn, grow, and connect as we uncover the keys to business success.Let’s continue to learn together and be encouraged to keep on connecting! DIOSA. Carolina Sanper This podcast is a sacred space created by Carolina Sanper where you connect with your inner wisdom and embody your magnetic feminine power.It is the realization that the mystical realm is where you plant the seeds of your desired reality.It is a portal to your true essence: awareness, presence, and receiving with ease. Welcome home, DIOSA. 🖤 XXX Tech by SOVRYN Dr. Brian Sovryn The crossroads between technology, sensuality, and metaphysics - and the longest running anarchist podcast in the world! Brought to you by Dr. Brian Sovryn.

Frequently Asked Questions

How long is this episode of Info Risk Today Podcast?

Episode duration information is not available.

When was this Info Risk Today Podcast episode published?

This episode was published on July 23, 2019.

What is this episode about?

A major misconception about cloud IAM is that it's easy to implement, says Mark Perry, CTO for APAC at Ping Identity. Implementation poses challenges, and cloud IAM must be carefully integrated with other systems, he says.

Can I download this Info Risk Today Podcast episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!