Identity Brokers Clouding Identity Lifecycle Management – They Are Different
Identity Lifecycle Management (ILM) is a difficult concept to get your hands around in order to effectively implement processes and solutions in an organization. Even though every business does ILM today, whether they realize it or not, the processes and the governance behind it can always, and should always, be improved.
Over the past year a new concept, a brochure buzzword, has popped up that is beginning to ‘cloud’ and confuse an already difficult business concept. I am talking about Identity Brokers, Identity Hubs, and other new startup companies that are offering Identity-like capabilities but are not Identity Lifecycle Management solutions. Technically they can say they are ‘Identity In The Cloud’ as they have some identity management capabilities like provisioning, resetting a password, putting an account into a group, but that’s about the extent of their identity management functionality. The Identity Brokers are really cloud based authentication hubs providing Federated Single Sign On for Cloud to Cloud services. Identity is flashier than authentication when it comes to marketing, I guess.
However, I have seen that it’s confusing and frustrating, and it may lead some down a path thinking they will get full ILM to meet audit, governance, and compliance requirements, only to miss the mark. Especially if the business has no cloud services, or very, very few, and so doesn’t actually need a cloud based authentication system.
I have spoken to local peers, national contacts in the business, and vendors of these brokers and ILM products, and the feeling is mutual. There is cross messaging that is blurring the fact that ILM and the brokers are really apples and oranges; they are both fruit, and that is where their commonalities end. Let me try to explain the difference between an enterprise Identity Lifecycle Management system and a cloud based Identity Broker that provides cloud Single Sign On.
An Identity Lifecycle Management system has traditionally been on premise, connecting to an organization’s directory endpoints and designed around as much business policy as it can hold. ILM handles Segregation of Duties (SOD), has a workflow engine to drive business approvals, is tied into the enterprise SIEM, can provide extensive audit reports on identities and access, and manages a person’s business identity from birth to termination (provisioning and de-provisioning).
Anything can say it provisions. By definition a provision is “a thing provided or supplied”. However, most people think about creating an account when they talk about provisioning, and that’s it. These new Identity Broker solutions are provisioning a single account to target points. What about getting the user into the physical card system, which is a data entry and not an account? Cube location? Hardware provisioning, handing a laptop to you and tracking that thing against your identity? Phones, cellular and land line? The list goes on; ILM systems are designed for the complete identity profile.
Here’s a one line command to add an account to Active Directory:
dsadd user UserDN [-samid SAMName] -pwd {Password|*}
Put that into a script and you have a provisioning tool. So what? ILM provisioning is not about creating an account. It’s about getting access, tools and resources to the user in a way that meets your business’ rules, from HR to application requirements, checking compliance against SOD policies, making sure approvals are in place, and being the central location to prove it to auditors. ILM is all about the business.
Who are you? What access do you have? How did you get that access? Do you have only the access you need? If you think you can answer those, then show me… in 5 minutes’ time.
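As an added example (not the author’s code), here is a toy of the checks an ILM system runs before anything is created: a role-to-entitlement policy, Segregation of Duties, an approval gate, termination, and the audit trail that answers the questions above. All role names, entitlements and SOD pairs are constructed sample data.

```python
# Added example (not the author's code): toy ILM checks; all policy data below is constructed.
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Business policy: which entitlements a role grants (constructed sample).
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"erp:create_vendor", "erp:enter_invoice"},
    "ap_manager": {"erp:approve_payment"},
    "badge_holder": {"physical:hq_badge"},   # not an account, still part of the identity
}
# Segregation of Duties: entitlement sets one identity must never hold at the same time.
SOD_CONFLICTS = [
    ({"erp:create_vendor", "erp:approve_payment"}, "vendor creation vs payment approval"),
]

@dataclass
class Identity:
    hr_id: str
    name: str
    roles: set = field(default_factory=set)
    entitlements: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)   # answers "how did you get that access?"

def _entry(outcome, role, actor, reason):
    return {"when": datetime.now(timezone.utc).isoformat(), "outcome": outcome,
            "role": role, "actor": actor, "reason": reason}

def request_access(identity, role, approver, approved):
    """Grant a role only if it is SOD-clean and approved; record every outcome."""
    candidate = identity.entitlements | ROLE_ENTITLEMENTS[role]
    for conflict, label in SOD_CONFLICTS:
        if conflict <= candidate:   # the request would complete a forbidden combination
            identity.audit_log.append(_entry("denied", role, approver, f"SOD: {label}"))
            return False
    if not approved:
        identity.audit_log.append(_entry("denied", role, approver, "no approval"))
        return False
    identity.roles.add(role)
    identity.entitlements |= ROLE_ENTITLEMENTS[role]
    identity.audit_log.append(_entry("granted", role, approver, "approved"))
    return True

def terminate(identity, actor):
    """De-provision everything at termination, but keep the trail for the auditors."""
    identity.roles.clear()
    identity.entitlements.clear()
    identity.audit_log.append(_entry("revoked", "*", actor, "termination"))

def access_report(identity):
    """The five-minute answer: who, what access, and how each piece was obtained."""
    return {"who": (identity.hr_id, identity.name), "access": sorted(identity.entitlements),
            "how": [(e["outcome"], e["role"], e["actor"], e["reason"]) for e in identity.audit_log]}
```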
Identity Brokers or Cloud Identity systems are AaaS (Authentication as a Service) systems. They provide a way for companies that are decentralizing on-premise systems to a cloud or managed services model, getting away from hosting it themselves. This movement introduces a new, complex problem: going back to the pre-SSO days of each application having its own security. If you have Office365, Google Apps, Dropbox, Salesforce, and other SaaS based applications then you already know that each one of those applications has its own accounts, security, login methods, etc. To combat this you have two options: build an on-premise Federation Hub yourself or use these Cloud based Identity Brokers. At the end of the day your internal users will log in to your core business Active Directory and then federate through the Identity Broker/Hub to Single Sign On out to the SaaS applications.
The brokers do have the capability to create accounts in your endpoints, usually limited to Active Directory and maybe an LDAP, but to have them say they are Cloud Identity solutions is, in my professional opinion, a stretch. The best example of this came a few days ago when Salesforce.com jumped into the Cloud Identity ring.
Yes, Salesforce.com, the same one the majority of sales organizations in the world know and love, now provides Identity Broker services called Salesforce Identity. Their service has absolutely nothing to do with your on-premise, proprietary ILM processes, governance or auditing beyond their own services. They provide Single Sign On through Salesforce.com to other applications.
In the industry when you say Identity Management you come across three big players, CA, Oracle and IBM. There are others but those are the major players in the ILM space.
In the new and growing Identity Broker space there are many players scrambling to get on top of the pile: Ping, Okta, OneLogin, Symplified, and now Salesforce.com. When you look at the services, and the fact that Salesforce has slipped into the Identity Broker business, it takes away from Identity in the Cloud as a security solution and really demotes it to an authentication feature you may or may not use.
As I have been researching and looking at these new startups I don’t see them having a really robust or long term business model. They provide authentication services, and unless they expand beyond that the industry will hit a saturation point, because once you have a utility like these brokers you don’t need anything else. What I think will happen now, especially with Salesforce.com Identity coming out, is a model of building up to get acquired by the big boy services that are in the cloud. Salesforce has one; Peoplesoft, SAP, and really any of the major social sites could scoop one up as well.
Really what it comes down to when you look at new, flashy technology is not to get caught up in the pretty UIs but to look at the core functionality and see if it is aligned to your IT and Security strategies. Identify the gaps in the business with existing investments and see whether these fill those gaps or not. But don’t be fooled by Identity in the Cloud and think it’s Identity and Access Governance.
The markets are driven by price and consumer demand. If a new Identity Broker is 1/4 of the price of a full ILM system and they truly are 1 to 1 in capability, then that big boy would have to drop the price to compete. A big clue to what these things really are is that the market is creating a new arm of SaaS/AaaS rather than coupling them together with legacy. They are 1/4 of the price because they have 1/4 of the capability, not because of lack of design or effort, but because they are focused on a different area and a smaller tactical problem: centralizing authentication to de-centralized cloud applications. The Federation 2.0 movement.
Always be on top of the latest and greatest but remember the technology folks are not necessarily talking with the marketing folks.
In fact I think in nature IT and Marketing are sworn enemies.
End of Line.
~~~~~~~~~~~~~~~~~~~
Binary Blogger
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.
Right on!
The notion that these cloud vendors can solve your problems in a fast-cheap-easy way is so disingenuous. Maybe if you are a small shop, but there are 2 things they like to ignore: legacy and business workflow. IMO infrastructure and connecting to endpoints is easy. That’s 10% of your IDM effort. The real hard work is defining and designing your business workflow.
But be careful… it doesn’t matter if you have been doing federated identities since 2003, Okta might say you are scared of change for not wanting to replace your on-prem with their service.