As mobile devices proliferate and the cloud becomes the primary way of delivering apps and services, the former hard edge of the network is becoming much fuzzier.
Identity management has been a major focus in security for a long time, and in government that stretches at least as far back as the implementation of HSPD-12 in 2005. The Obama administration ratcheted the effort even higher in 2012 when it released the National Strategy for Trusted Identities in Cyberspace (NSTIC).
Strong identity solutions have become even more vital following the rash of high-profile breaches of both public and private industry sites last year. An executive order from President Barack Obama duly followed late last year, requiring agencies to cut down on identity-related crimes by issuing credentials with stronger security.
And identity will become even more of an issue as agencies finally start moving more of their IT needs to the cloud. Critical data will stay behind agency firewalls in private clouds, but other services and applications will migrate to the public cloud. And “extending an organization’s identity services into the cloud is a necessary prerequisite for strategic use of on-demand computing resources,” according to the Cloud Security Alliance.
That’s easier said than done. Agencies are tightly wedded to their onsite identity and access management (IAM) systems, which generally use Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) and over time have become shaped by the individual policies and specific needs of agencies. What’s needed is federated identity management for hybrid clouds that allows agencies to extend these AD/LDAP systems into the cloud.
Cue the rise of identity-as-a-service (IDaaS). It’s a generic term that, according to CSA, covers a number of services needed for an identity ecosystem, such as policy enforcement points, policy decision points, policy access points, as well as related services that provide entities with identity and provide reputation.
Cloud providers such as Microsoft and Amazon already offer cloud-based directories that synch with on-premises systems. But Gartner expects full-blown IDaaS to make up a quarter of the total IAM market in 2015, versus just four percent in 2011, as spending on cloud computing becomes the bulk of all IT investment by 2016.
That’s driving development of new, native cloud-based identity solutions. Centrify, for example, which already has a fair number of government agencies as customers for its current “cloud savvy” identity management product, recently launched its Centrify Privilege Service, which it claims is the first purely cloud-based, privileged identity solution.
Privileged accounts in particular have become a favorite target of cyberattacks since, once gained, they allow bad guys almost unlimited freedom to roam across an organization’s systems and steal data or disrupt operations. Centrify said CPS offers a way to manage and secure privileged accounts that legacy IAM cannot do in hybrid IT environments.
However, the company still doesn’t expect it to be an easy sell, particularly in government. Though fears about the security of cloud solutions is easing, and budget pressures make the cloud an increasingly attractive answer, agencies are still doubtful about giving up key assets such as privileged accounts to the cloud.
Centrify chief marketing office Mark Weiner said that, so far, seven or eight agencies have begun playing with CPS to see what it might do for them, “though not the largest military or intelligence agencies.”
Parallel to the growing demand for IDaaS is the use of the phrase “identity is the new perimeter” to describe the brave new world of IT. Again, it’s something that was coined years ago but, as mobile devices proliferate and the cloud becomes the primary way of delivering apps and services, the former hard edge of the network is becoming much fuzzier.
Single logons that grant users access across these soft-edged enterprises will become ubiquitous as agencies work toward business efficiency. Making sure the identities used for that access stay secure will be key.