Oracle Magazine spoke with Martin Kuppinger, cofounder of analyst firm Kuppinger Cole, about the challenges of authorizing users and provisioning access to IT resources in an era of cloud computing and social networks.
Oracle Magazine: What are the drivers that lead organizations to implement centralized identity management systems?
Kuppinger: For years the drivers were mainly technical and administrative: finding ways to simplify processes associated with managing identities among multiple information systems. Today, the drivers have fundamentally changed. Besides these obvious security and logistics factors, the main drivers are governance, risk management, and compliance. System access must be managed by well-defined processes that meet all necessary audit requirements. Having a central identity management instance instead of decentralized, siloed systems makes it easier to enforce segregation-of-duties rules and minimal rights for users and to devise a strong audit capability.
Oracle Magazine: What is service-oriented security, and what are the challenges to deploying a service-oriented identity management architecture?
Kuppinger: Oracle uses the term service-oriented security to refer to externalization; for example, handling the administration, authentication, authorization, and auditing outside of applications by providing well-defined external identity management services and a standardized, centralized infrastructure to deliver these services. That might sound pretty simple, but it involves changing how security is implemented in applications. The advantages are obvious: standardized, consistent security; quicker implementation of security; reduction of security holes; faster time to market for secure applications; easier testing of applications; and so on. The biggest challenge comes with changing the mindset of the developer.
Oracle Magazine: What is federated identity management?
Kuppinger: Federated identity management provides a way for different identity providers and service providers to work together, based on standards. For example, it allows a supplier to determine which users can access specific applications. The users are managed once, not multiple times, and the information is always up-to-date. Federation is the key technology for extending business process beyond the perimeter in a secure manner—to integrate customers, business partners, and external cloud services.
Oracle Magazine: How does federated identity management work with social networks, blogs, and interactive forums?Kuppinger: While there is certainly a need to manage the identities of people outside the organization, that is somewhat difficult with social networks. However, since Facebook and other social networks are increasingly used for the primary contact with potential customers, implementing a very lightweight self-registered “authentication” is a good idea since it provides at least some information about the customer. Over time, we will see more-flexible approaches, such as an “identity bus” where various internal and external identity providers can offer authentication services and deliver information about users for service providers and relying parties. The identity providers will be chosen according to the requirements of the specific interactions and transactions. For example, to merely access information, a simple Facebook-like registration might be sufficient. To sign a contract, you’ll want a more rigorous identity management process. Different classes of interactions and transactions require different levels of trust and reliability.
Oracle Magazine: How do organizations address ease of use and the security required by identity management solutions?
Kuppinger: There is always a trade-off between keeping things simple enough for users yet secure enough for the organization. Consider authentication: a basic username/password login is the norm, but there are ways that you can deploy a much stronger form of authentication. For example, you might apply context-based authentication to enterprise systems using Oracle Adaptive Access Manager, together with some type of strong two-factor authentication. These methods are a bit more involved, but they reduce the risk of social phishing significantly. In the end, the key is to enforce consistent, universal strategies for both authorization and authentication, for all types of users, services, and systems. Consistent approaches are the foundation for secure environments.