The cloud is putting so much pressure on the old device-centric security model that it’s forcing a change to an identity-centric security model, where it matters far more who a person is than what device or network they are using. In a single day, one person might access cloud applications from home, the main office, and Peet’s Coffee, and he may use his home PC, his work laptop, his iPhone, or even his Xbox. Trying to identify and secure what that person does based only on an IP address or a network address is simply a lost cause. It gets worse: the same person may be logging in and out of a half dozen SaaS applications, an IPsec VPN, and an SSL VPN during the day, each of which sees him arrive from a different address. Yet many network security tools still try, because it’s in their DNA.
Here’s why. About 16 years ago, around the time Marc Andreessen’s Mosaic (the first widely used graphical web browser; Andreessen went on to co-found Netscape) put the web on the map, the commercial IP firewall arrived, spawning products like TIS’s Gauntlet and Check Point’s FireWall-1, which focused on protecting networks from individual devices. The natural way to identify a device was to use device-specific identifiers like an IP address or the hardwired MAC address of an Ethernet card. That set the tone for the evolution of an entire network security industry focused on devices and network borders. The identity of the people using those devices and networks was left to the OS or the application.
After a few years, this became a big enough problem for enterprises that directory services reached over LDAP, most notably its kissing cousin Active Directory, became popular, and the deepest integration security achieved with networks and applications was the much-loathed “Single Sign-On” (SSO), which still works poorly much of the time at most companies.
Though cloud providers emerged later, they have been innovating at cloud speed. Salesforce.com allows a single sign-on to reach all applications hosted on its AppExchange. Facebook offers Facebook Connect, which lets people use their Facebook ID to log into other SaaS applications and web sites, and Google offers a similar service based on the Google account. But enterprises are still running on Microsoft’s Active Directory.
Security is one of the most-cited concerns of CIOs considering a move to the cloud. Enter cloud identity management startups like Symplified, which integrates enterprise security policies and administration with cloud applications and data. As you’d expect for an enterprise product, you can buy an appliance or use it as an Amazon EC2-hosted cloud service, and very quickly have the ability to control which people, not which devices, have access to mission-critical data stored in the cloud. Even old-school IT vendor Novell is launching Identity Manager 4.0 with ties to Google Apps, SharePoint, and SAP. The list of cloud identity vendors goes on, including Conformity, Identropy, and Ping Identity.
Enterprises need to start planning their cloud identity management architecture now. Otherwise, we may be faced with the day when your Facebook ID becomes the most reliable way to log into your own enterprise applications, simply because Facebook is the most ubiquitous cloud identity provider. That’s convenient, yes, but absolutely not up to snuff from an enterprise security standpoint: the enterprise controls neither the password policy, nor the account lifecycle (who gets deprovisioned, and when), nor the audit trail behind a consumer identity it did not issue.
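To make the contrast concrete, here is an added example (not code from the original post, Trend Micro, or any vendor named above) of the two policies side by side: a device-centric check that decides on source address, and an identity-centric check that decides on a signed assertion from an identity provider the enterprise controls plus the user’s directory groups. The assertion format, the HMAC shared secret, the issuer names, the IP ranges and the user and group data are all constructed for illustration; real deployments would carry this in SAML or OpenID assertions with asymmetric signatures, and the decision logic is what matters here.

```python
import base64
import hashlib
import hmac
import ipaddress
import json
import time

# --- Constructed sample data (assumptions for this example, not from the page) ---
# Identity providers the enterprise trusts, with the keys it controls.
TRUSTED_ISSUERS = {"idp.example-corp.internal": b"enterprise-shared-secret"}
# A consumer identity provider (the "Facebook ID" case); its key is NOT in TRUSTED_ISSUERS.
CONSUMER_ISSUER = "login.consumer-social.example"
CONSUMER_ISSUER_KEY = b"consumer-site-secret"
DIRECTORY_GROUPS = {"alice": {"finance", "staff"}, "bob": {"staff"}}   # stands in for AD/LDAP
RESOURCE_ACL = {"quarterly-ledger": {"finance"}}                       # groups allowed per resource
CORP_NET = ipaddress.ip_network("10.0.0.0/8")                          # the "trusted" office network
AUDIENCE = "ledger-app"                                                # the app these assertions are for
NOW = 1_700_000_000.0                                                  # fixed clock for repeatable runs


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(issuer, key, subject, audience, ttl, now=None):
    """Toy signed assertion: base64(JSON claims).base64(HMAC-SHA256 over the claims)."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "sub": subject, "aud": audience, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    return _b64(payload) + "." + _b64(hmac.new(key, payload, hashlib.sha256).digest())


def verify_assertion(token, now=None):
    """Return the subject if the token is well-formed, from a trusted issuer, correctly
    signed, addressed to this app and unexpired; otherwise None."""
    now = time.time() if now is None else now
    if not token:
        return None
    try:
        head, tail = token.split(".")
        payload, sig = _unb64(head), _unb64(tail)
        claims = json.loads(payload)
    except ValueError:          # bad base64 (binascii.Error) or bad JSON both derive from ValueError
        return None
    if not isinstance(claims, dict):
        return None
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:             # consumer IdPs never get here: the enterprise did not issue them a key
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    exp = claims.get("exp")
    if claims.get("aud") != AUDIENCE or not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims.get("sub")


def device_centric_decision(src_ip, resource):
    """The old model: anyone on the office network is allowed; anyone else is not."""
    return ipaddress.ip_address(src_ip) in CORP_NET


def identity_centric_decision(token, resource, now=None):
    """The new model: who you are (verified assertion + directory groups), not where you are."""
    subject = verify_assertion(token, now)
    if subject is None:
        return False
    return bool(DIRECTORY_GROUPS.get(subject, set()) & RESOURCE_ACL.get(resource, set()))


def run_scenarios(now=NOW):
    """Evaluate both policies over constructed access attempts; returns {name: (device, identity)}."""
    ent = "idp.example-corp.internal"
    alice_tok = issue_assertion(ent, TRUSTED_ISSUERS[ent], "alice", AUDIENCE, 300, now)
    bob_tok = issue_assertion(ent, TRUSTED_ISSUERS[ent], "bob", AUDIENCE, 300, now)
    consumer_tok = issue_assertion(CONSUMER_ISSUER, CONSUMER_ISSUER_KEY, "alice", AUDIENCE, 300, now)
    stale_tok = issue_assertion(ent, TRUSTED_ISSUERS[ent], "alice", AUDIENCE, 300, now - 3600)
    cases = {
        "alice_coffee_shop": ("203.0.113.7", alice_tok),   # right person, untrusted network
        "anonymous_on_lan": ("10.1.2.3", None),            # nobody we know, trusted network
        "bob_office": ("10.1.2.4", bob_tok),               # known person, not in finance
        "alice_consumer_idp": ("10.1.2.3", consumer_tok),  # right person, wrong issuer
        "alice_stale_token": ("10.1.2.3", stale_tok),      # right person, expired assertion
    }
    return {name: (device_centric_decision(ip, "quarterly-ledger"),
                   identity_centric_decision(tok, "quarterly-ledger", now))
            for name, (ip, tok) in cases.items()}


if __name__ == "__main__":
    for name, (by_device, by_identity) in run_scenarios().items():
        print(f"{name:20s} device-centric={by_device!s:5s} identity-centric={by_identity}")
```

The two columns disagree in exactly the ways the post describes: the legitimate user at the coffee shop is refused by the network-border rule and admitted by the identity rule, while an unauthenticated request from inside the office LAN, a consumer-issued identity the enterprise never vouched for, and a stale assertion are all waved through by the border rule and refused by the identity rule.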
VP Cloud Security
(editor’s note: Dave Asprey joined Trend Micro 2 weeks ago, and he is excited to be blogging on our site. You’ll find him at cloud-related events frequently, including the upcoming Gartner DC Summit next week. Dave is VP of Cloud Security responsible for cloud and virtualization evangelism. In his infrequent spare time, you’ll find Dave at an anti-aging conference.)
To learn more about Trend Micro’s Security Built for Enterprise Virtualization and Cloud Environments, please visit our web site: http://bit.ly/dEmlhv