Deprovisioning in the Cloud

February 23, 2012

Let’s be honest: how many of you have tried logging in to one of your former employer’s accounts?  Maybe you had a CRM solution and you wanted to get the name of that guy who suggested he had the next hot idea.  You didn’t set your out-of-office message with your new/personal contact information in the hosted email service.  The travel site for the previous company was just plain better than anything else you can access.  As security professionals, we know the risks: the lag time for deprovisioning varies, but best practice says that when an employee walks out the door, all of his administrative access shuts down as it closes.  That has been harder to do in the cloud.  Even with SAML tokens and a smattering of open standards for authentication, inconsistent support by SaaS providers and spotty enterprise directory integration leave opportunities for exploitation that simply don’t exist in the on-premises IT world.


The open identity standards were supposed to fix this, but even after six-plus years they haven’t been adopted across the industry. Federated Identity Management, OAuth, SAML (Security Assertion Markup Language), OpenID, and large initiatives to implement them, such as those by Google and Facebook, are beginning to pop up on various sites.  A Fortune 500 company easily uses over 100 cloud services, ranging from expense reporting with Concur to American Express’ GetThere Travel to SalesForce’s Customer Relationship Management software.  Not all 100 support a new authentication standard, and those that do don’t all support the same one.


Why is this important, you might ask?  Quite simply, until you have a single place to pull the plug, or an extraordinarily mature configuration management / process control structure embedded in the corporation, you cannot fully disconnect an ex-employee from the company.  Most companies will immediately remove access to obvious things like Active Directory/LDAP and VPN credentials.  They may sync other passwords through automated processes and close down internal access to SAP or Oracle.  The remaining stragglers may seem innocuous, but there was some function that was important enough to enroll the employee in the first place.  Think back to the multitude of cloud services you use day to day for your job; many of them still rely on good old usernames and passwords.
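To make the straggler problem concrete, here is an added example (not code from the article) that reconciles a directory’s list of terminated users against per-service account exports: it lists still-active cloud accounts belonging to departed users, with how long each has outlived the termination, and flags any login recorded after the termination date. The sample data, the export layout and the function names are constructed assumptions.

```python
from datetime import date, datetime

# Constructed sample data: directory export of terminated users (username -> last day)
TERMINATED = {
    "alice": date(2012, 2, 1),
    "bob": date(2012, 1, 15),
}

# Constructed per-service exports: service -> {username: (account_active, last_login)}
SAAS_EXPORTS = {
    "crm": {
        "alice": (True, datetime(2012, 2, 10, 9, 30)),
        "carol": (True, datetime(2012, 2, 20, 8, 0)),
    },
    "travel": {
        "bob": (False, datetime(2012, 1, 10, 17, 0)),
        "alice": (True, datetime(2012, 1, 28, 12, 0)),
    },
    "expenses": {
        "bob": (True, None),
    },
}

AS_OF = date(2012, 2, 23)  # date the reconciliation is run


def find_orphans(terminated, exports, as_of):
    """(user, service, days_since_termination) for each still-active account of a
    terminated user: the stragglers no single off-switch reaches."""
    orphans = []
    for service, accounts in exports.items():
        for user, (active, _last_login) in accounts.items():
            if active and user in terminated:
                orphans.append((user, service, (as_of - terminated[user]).days))
    return sorted(orphans)


def find_post_termination_logins(terminated, exports):
    """(user, service, login_time) where a departed user logged in after leaving."""
    hits = []
    for service, accounts in exports.items():
        for user, (_active, last_login) in accounts.items():
            if (user in terminated and last_login is not None
                    and last_login.date() > terminated[user]):
                hits.append((user, service, last_login))
    return sorted(hits)


if __name__ == "__main__":
    for user, svc, days in find_orphans(TERMINATED, SAAS_EXPORTS, AS_OF):
        print(f"ORPHAN {user:8} {svc:10} still active {days} days after termination")
    for user, svc, when in find_post_termination_logins(TERMINATED, SAAS_EXPORTS):
        print(f"LOGIN  {user:8} {svc:10} at {when:%Y-%m-%d %H:%M}, after termination")
```

In practice the two inputs would come from the HR/directory feed and each SaaS vendor’s user export or audit log; the "days since termination" column is a direct measure of the deprovisioning lag the article describes.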


Password policy controls


If you’re stuck with passwords, there is always the possibility of a password intermediary: a system you log into that stores all of your credentials in a format you can’t read or, better still, can’t access directly.  There are plenty of programs that run locally on your machine, password vaults of sorts like KeePass, Password Vault, etc., where the user enters a master password (which may be tied into a directory structure of some sort) and receives back a set of service IDs.  Click on the service you want and a password is automatically copied to the clipboard.  Of course, a bit of customization is necessary to turn the commercial and open source projects into something single-purposed, where, if an administrator removes your rights to that program, all other access simply goes away.


But what happens when a power user, or better still a corporate executive, says they want to venture away from the corporate standard (be it Wintel or Apple or even Linux) and use something different?  Customizing software is expensive; customizing and supporting multiple platforms becomes exponentially so.  Someone else may already have done the legwork – at least one vendor looks to have taken this approach towards handling customization.  Between the major PC OS release schedules and versions, and the constantly (and quickly) evolving mobile platforms, can anyone really afford to wait for locally developed software?


There is a plethora of “as a Service”s – Software as a Service, Platform as a Service, and more recently cloud vendors have begun pitching Identity as a Service.  Certificate Authority (CA) vendors like Entrust, GeoTrust and VeriSign might argue that’s what public certificates were all about, but let’s table that discussion for later. Instead of Identity as a Service, which is trademarked by Fischer International Identity, let’s use Gartner’s “Identity and Access Management as a Service” (IAMaaS) as defined in their 2011 Magic Quadrant for User Administration and Provisioning.   So, how can IAMaaS help?


Let’s let the cloud fix the cloud problem


Since the cloud got us into this mess, can it be the solution as well?  What happens if we move the password vault to the cloud?  The idea for most IAMaaS providers centers around an information store that synchronizes internally, federates when it can, uses two-factor authentication when it’s important, and stores passwords when all else fails.


  • Internal Synchronization – this is one of the stickier parts of the deal.  The directory service that a corporation uses (LDAP, AD, etc.) has to be accessible to the IAMaaS.  Not directly accessible in the sense that you’re handing over the password tables, but lookups and validations do need to occur.  In many cases this is an on-premises device, for network security reasons and so that the data remain fresh; real-time integration beats anything with latency.  Plus, when we keep the systems internally synchronized, we’re not amplifying the deprovisioning problem by introducing an across-the-board delay.
  • Multi-platform support – the cloud is always (usually) on and all of the authentication happens over HTTP.  This makes the services cross-platform (provided the user has a TCP-connected device and a browser).
  • No expensive programming – most of the vendors write connectors for the various websites they support out of the box.  This abstracts away the complications of Facebook changing its login process or Google changing its APIs.  The number of connectors included out of the box may be indicative of the breadth of support by that vendor, or of poor design/programming choices in creating the backend software.
  • Standards support – in the Fortune 500 company example, I can use the out-of-the-box connectors side by side with federated OpenID, SAML or even a future standard.  And I expect that two-factor authentication will still work when it needs to.
  • Ease of adding new sites, services and apps – in addition to the out-of-the-box connectors and standards, several of the products include do-it-yourself wizard options that work in most cases.  When that doesn’t work, some vendors find the development of new connectors so trivial that they offer fixed-price development.


The benefits of IAMaaS are numerous and include deprovisioning.  An administrator maintains access to the keys to the kingdom without having the responsibility of legible text files or tons of endpoints to support.  Users don’t worry about complexity requirements, password rotation, multiple login credentials, federation, or any of the other headaches associated with good password policies.  When an employee leaves, the administrator uses the well-implemented processes already in place to eliminate internal access; the external sites simply fall off along with the user’s rights.


The same techniques are applicable to a wide range of sectors, and could even be useful in the public sector.  The US military stood up their DEERS/RAPIDS CA around the mid-’90s. Several of the agencies and military services utilize this CA through a smart-chip-embedded card called the Common Access Card (CAC) for identification and authentication.  With this card, users can log in to their systems, access secured web sites using client-side certificates, and send signed or encrypted emails – internally, that is how they define secure.  But even the government uses publicly available websites (you thought LinkedIn and Facebook are only mined by corporate recruiters?) as well as “external” inter-departmental and inter-agency sites, where these same deprovisioning problems are even more imperative.  Automating the processes might help the Government more than we’ll ever know.


The crop of identity providers clamoring to ride the cloud and become the next default solution includes players in Gartner’s MQ that have already embraced the cloud, but also companies not represented there that were conceived in the cloud:


  • CA Technologies’ Role and Compliance Manager
  • Citrix OpenCloud Access
  • Courion’s Access Assurance
  • Fischer International Identity’s Identity as a Service (yes, the trademarked one)
  • ForgeRock
  • Intel’s Cloud Access 360
  • Iron Stratus
  • McAfee’s Cloud Identity Manager
  • Okta’s Application Network
  • OneLogin
  • Ping Identity’s PingFederate
  • Symantec’s O3
  • Symplified’s Symplified Suite
  • VMware’s Horizon Application Manager


This is far from an exhaustive list, and each solution has its benefits and detractors.  If I left you out, please expand the article by way of comments.


Jon-Michael C. Brook is a Sr. Principal Security Architect with Symantec’s Public Sector Organization.  He holds a BS-CEN from the University of Florida and an MBA from the University of South Florida.  He obtained a number of industry certifications, including the CISSP and CCSK, holds patents & trade secrets in intrusion detection, enterprise network controls, cross domain security and semantic data redaction, and has a special interest in privacy.  More information may be found on his LinkedIn profile.


Opportunity Knocks Once…

February 10, 2012

In 1983, I was a young electrical engineering student when I took a job working for a small long distance company in Phoenix, Arizona.  For me, Opportunity had Knocked and I had just opened the door on an amazing future.  In the world of communications, things were already changing and were about to begin changing in even more dramatic ways.  In 1984, the divestiture of AT&T would reshape the way the world communicates.  The personal computer was appearing.  In the 1980’s, fiber optic cables and transoceanic fiber optic cables began to crisscross the world.  As of 2010, the only continent that was not connected with fiber optic cables was Antarctica.  Fiber optics enabled huge amounts of data to be transported anywhere in the world.  On the heels of this data explosion came the World Wide Web; the Internet began to be something more than a tool for universities and the Defense Department.  Multiple-processor and multi-core processor computing systems became the norm, putting tremendous amounts of processing power in the hands of the masses. In recent years, virtualization has made its debut and helped to launch the cloud revolution.  Truly, I have had a once-in-a-lifetime opportunity to be in the right place at the right time.


When I had the opportunity to get involved with the Cloud Security Alliance and become a part of the Subject Matter Expert (SME) Group, I realized that Opportunity was Knocking once again.  Just as all of these advancements have paved the way, making cloud services possible, I believe that the Cloud Security Alliance will serve a critical role and establish the patterns that will determine what Cloud Services will look like in the future and the SME Group will have an important part in that future.


When the CSA was formed, it recognized the importance of involving and engaging the companies and people that were working with and making the technologies of tomorrow.  The SME Group was formed to involve and engage those companies, making available a forum where those companies that are using and creating the cloud can have a voice.  I learned long ago that I don’t know everything and that there is great power and opportunity in association.  The SME Group is such an association.  As a member of the SME Group, you will have the opportunity to meet and work with people from all over the world, working in all kinds of industries and technologies, with vast amounts of knowledge and experience.  Members of the SME Group not only have a front row seat to where the Cloud is going, but can also provide input and direction, allowing the entire cloud community to benefit from their knowledge and experience.


If you are a member of the SME Group, I want to thank you for your participation.  If you are a corporate sponsor of the CSA, but not currently a member of or involved in the SME Group, I want to invite you to get involved, and if you are a company interested in, involved in or considering incorporating cloud services in your business, I want to invite you to become a corporate sponsor of the Cloud Security Alliance.  It will be an investment that is well worth it.


Opportunity is Knocking, all you need to do is open the door.


Henry St. Andre

Co-Chair SME Group
