I got to thinking the other day about the terms “privileged identity management,” “privileged account management,” and “privileged access management”. These are all terms that the industry uses pretty interchangeably, but have the meanings changed over the years? Do they need to?
Here’s why I ask the question:
We used to define privileged users as administrators of a system or application – people who could cause big problems if they made a serious mistake or did something malicious. We created ways to restrict what administrators could do, and we started by controlling specific administrative accounts – the ones that represent the proverbial keys to the kingdom.
When we look at how our IT environment has changed (and how we expect it to continue to change), we see the same high-level trends having an impact across the board. Typically, as an industry, we describe these broad changes as mobility, cloud and consumerization of IT. But essentially these trends point out that the how of IT is changing. Let me explain what I mean.
In many cases it’s useful to look at the what and the how – the goals and objectives along with the ways those goals and objectives are met. I would argue that the what of IT has not changed. IT is about connecting consumers of technology resources to those resources. This is the case whether we are talking about a user on a mainframe terminal on a hardwired connection to a mainframe server or a user on a tablet sitting in a coffee shop connected to an application running on a hosted server in a provider’s datacenter. So if the what of IT hasn’t really changed, then we need to look at the how. These large trends are changing how we do business, so perhaps it is time to look at how our approach needs to change in order to keep up with the times and, more importantly, prepare ourselves for the future.
So let me bring this discussion back to privileged identity management. The trends we’re seeing create a lot more grey area. The ways consumers connect to resources and the ways we need to manage these relationships have shifted as we move from a much simpler and controlled environment to a very dynamic and diverse environment. In this environment, every user has more privileges (in fact they have differing degrees of privilege across a varying environment). And these privileges may have a significant impact across an organization. For example, a user who has access to a corporation’s social media accounts may inadvertently communicate information that should not be publicly shared. Another example is the case of a “dev-ops” team managing server infrastructure in the cloud. Are these people developers or IT admins?
Lastly, I’ll point out that the distributed devices and resources (due to mobile devices, outsourcing, hosted servers, federation, etc.) increase the attack surface that organizations need to deal with, so consistency across our environments is critical. An image of a door with ten locks but no walls (e.g. just walk around the door) comes to mind.
What’s my point? It’s that from a privilege-management perspective, we have evolved to the point we knew would arrive someday. Smart folks who came before have already described that we need a systemic way to think about privilege management and that we must start with principles like “least privilege access”: Users should log in as themselves and receive only those privileges required for their job. If they require more privilege, they should explicitly elevate privilege, and I would add, in a manner whereby all their activities can be specifically traced back to the individual. Some will argue that least privilege has been too hard to deploy and manage, but this is a terrible rationalization for deploying band-aids or doing nothing. We simply must make it easier to deploy least privilege models of privilege management. We need to make sure we are using the right models and frameworks to describe privilege management for our expanding problem space and requisite solution.
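As an added illustration (not from the original post and not a Centrify artifact), here is how those three requirements, log in as yourself, elevate explicitly, and keep every action traceable, map onto a sudoers policy on a Unix host; the group names, user name and command paths are made up:

```sudoers
## Constructed example, not a Centrify artifact. Names and paths are placeholders.

## The pattern least privilege replaces: a shared, blanket, unlogged grant.
## Anyone in "admins" becomes any user, for any command, with no password,
## and once they are root nothing distinguishes one admin from another.
# %admins ALL=(ALL) NOPASSWD: ALL

## 1. Users log in as themselves: authenticate with the invoking user's own
##    password, never a shared root/target password, so every elevation
##    starts from an individual account and is recorded under that name.
Defaults        !targetpw, !rootpw, !runaspw

## 2. Elevation is explicit and limited to what the job actually needs.
Cmnd_Alias      WEB_SVC   = /usr/bin/systemctl restart nginx, \
                            /usr/bin/systemctl status nginx
Cmnd_Alias      DB_BACKUP = /usr/local/bin/db-backup.sh
Cmnd_Alias      PKG_MGMT  = /usr/bin/apt-get update, /usr/bin/apt-get upgrade

%webops   ALL=(root)     WEB_SVC
%dbadmins ALL=(postgres) DB_BACKUP
jdoe      ALL=(root)     PKG_MGMT

## 3. Every elevated action is traceable to the individual: the sudo log
##    records the invoking user, host and command, and I/O logging captures
##    the full session in a per-user directory for later review.
Defaults        logfile=/var/log/sudo.log, log_host, log_year
Defaults        log_input, log_output
Defaults        iolog_dir=/var/log/sudo-io/%{user}
```

Validate any edit with `visudo -c` before rolling it out, since a syntax error in sudoers can lock administrators out of elevation entirely.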
What do you think?
Satya Nadella, Microsoft’s new CEO, has been widely covered in the news talking about Microsoft’s new strategy of ‘Mobile First, Cloud First.’ We wholeheartedly agree with this philosophy and it really shows in our Centrify User Suite, an integrated cloud, Mac and mobile offering. In this blog post I’ll discuss some of my thoughts regarding what Microsoft offers vis a vis cloud identity and compare/contrast that to what Centrify offers.
First, let me make it clear we also wholeheartedly agree with Microsoft about the value of two key elements of their cloud strategy – Office 365, and Azure. Azure is available to customers and ISVs as both a Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) offering. For Office 365, the Centrify User Suite provides significant value to Microsoft customers from a functional and ease-of-deployment perspective – which we’ll cover in more detail below. Regarding Azure, Centrify uses Azure to power our commercial cloud and mobile solutions. Everyone at Microsoft interested in increasing Office 365 adoption and driving more usage of Azure has an ally in Centrify.
The underlying identity store underpinning Office 365 is Microsoft Azure Active Directory, which, like Azure, is also available as a cloud directory for ISVs and application developers. You might think this is Active Directory… that’s something you already know and love, right? Well, not exactly. The Active Directory brand is being leveraged in the name of the product, but Azure AD does not equal AD. Azure AD is new and cloud-based, while Active Directory is an on-premises offering that has been around for over 15 years and remains the de facto standard directory service with over 95% penetration in the enterprise. Since its introduction into the market in 1999, companies have invested huge sums of money in their AD infrastructure and processes to support its use. Generally speaking, companies want to protect those investments, and they don’t want to further build out their infrastructure.
AD supports standards such as Kerberos and LDAP while Azure AD supports a different set of single sign-on protocols such as SAML. AD provides Group Policy to manage users and computers from a policy perspective, while Azure AD does not have comparable capability to Group Policy and you have to look to a separate solution to manage computers and devices.
A key thing to remember is that Azure AD in effect represents a parallel directory infrastructure to what customers have on-premise with Active Directory. That is, if a user has an identity inside AD, to access Office 365 they must also have an identity record inside Azure AD. In effect you are maintaining duplicate identity stores — one on-premise and one in the cloud. This is very similar to deploying Salesforce — the cloud app would have its own directory independent of your on-premise AD.
Recently the general availability of Azure Active Directory Premium was announced – a solution that provides password reset and group management for Azure AD users and groups respectively, and builds on the SaaS SSO capabilities to third-party apps that Azure AD provides by adding provisioning, multi-factor authentication and reporting. Azure AD Premium sounds on paper like a great set of capabilities in a cloud- and mobile-centric world. And frankly it would be a good set of initial capabilities if a customer were purely a cloud-centric customer with Office 365 being the primary app the customer has and the customer did not have an on-premise AD to deal with.
The rubs with Azure AD Premium have to do with some of the points I made above about it being a separate directory infrastructure vis a vis AD and lack of policy management solutions.
Let’s talk about that first point in a bit more detail. The reality is that in a cloud/mobile-centric world in which you have on-premise AD, to leverage Azure AD Premium as your Cloud Identity solution you actually must rely on a lot of on-premise tools. Namely you have to rely on DirSync to sync data from AD to Azure AD, and for federated single sign-on leveraging AD you must rely on Active Directory Federation Service (ADFS). And in more complicated environments you have to rely on Forefront Identity Manager (FIM) to replicate AD data to the cloud.
The fact is that all three of these tools have significant limitations. In the case of ADFS and FIM, these tools were built pre-Azure/pre-Office 365, so they are in effect on-premise- vs. cloud-centric. Take ADFS for example. It requires at least 4-5 servers to deploy, some in the DMZ, requires ports to be poked in firewalls, etc. which is antithetical to having a cloud-centric approach. The Centrify approach is to deliver federation services to/from AD mainly in our cloud service with a small proxy server that can be deployed in minutes on-premise to tie into AD. Tom Kemp illustrated in painful detail the many trials and tribulations associated with ADFS here and here. In future blog posts I will describe some of the limitations with DirSync and how Centrify does a much better job of provisioning data from AD to Azure AD.
The other side of this coin is that Azure Active Directory decidedly points customers to store identity only in Microsoft directories. They have designed an offering that attaches customers to their platform, so if identity data is on-premises, it is in AD, if in the cloud, it is Azure AD. This is in stark contrast to Centrify’s “identity where you want it” approach, where today we can have all identity data in AD for accessing cloud apps, so no replicating identity data to the cloud, and/or we also let you have identity data stored in our cloud directory. Pretty soon we will be supporting additional cloud directories (including in fact Azure AD). With Centrify, a company can store employee data in on-premises AD, contractors in Azure AD, partners in the Centrify cloud directory, and say customers’ identities in a cloud-based CRM. This is a much more flexible and cloud friendly approach to cloud identity.
Net-net, the drawbacks of Microsoft’s cloud identity offerings are that in an AD environment you have to rely on a lot of on-premise software and you must only use their identity stores/directories.
But let’s also not forget about the policy management issue I brought up above for management of devices and systems. Again Azure AD (Standard or Premium) does not address that. Microsoft does offer InTune, and has a marketing bundle of InTune and Azure AD Premium called Microsoft Enterprise Mobility Suite (“EMS”).
But … InTune itself has its own rubs. It requires licenses of on-premise System Center and is not integrated with Azure AD from a user or IT admin perspective. This is in stark contrast to Centrify completely bundling and integrating both mobile and identity management from the get go. Big difference, and not only in price, but in functionality, and in being truly cloud- and mobile-centric. More about InTune in later blogs.
As our CEO Tom Kemp said in a recent blog, we like having our vision validated by a vendor such as Microsoft. But a cloud-first and mobile-first vision should be about delivering purely cloud-centric and mobile-centric solutions, not about requiring loads of on-premise capabilities and having solutions that are not truly integrated together. And it should be about giving customers flexibility to have identity and policy where they want it too. Net net is we like our position vis a vis Cloud Identity and Active Directory integration in a “mobile first, cloud first” world, and we think you will too. But please also note that we think our end goal is in the end aligned with Microsoft’s goals … we want customers to successfully get to SaaS Apps such as Office 365 — we just think we've built a better mousetrap to help them get there.
In a recent CIO Journal/Wall Street Journal article “Report: Passwords Take a Toll on Employees”, author Rachael King cites the findings of a recent study by the National Institute of Standards and Technology (NIST), with single sign-on offered as a remedy for employees' attempts to cope with authentication across multiple devices and applications and with having to remember too many passwords.
In my last blog post, I wrote about how, at a minimum, when you bring together SaaS management and mobile management, you’ve got a great value proposition, and you’ve got an unparalleled set of synergistic features. The focus of this blog post is how this great value proposition and synergistic feature set help solve the challenges related to SaaS management, including single sign-on, as well as the challenges related to mobile device management.
In my last blog post, I wrote about how IT needs a new model, one that secures the proliferation of mobile devices, solves the password challenge, and allows you to regain, as IT, some of the access control and visibility that you had enjoyed when you managed everything inside the firewall. The formula for this is to start to get away from using passwords as the primary security mechanism for apps, and the easiest way to do that is through single sign-on (SSO).
In my last blog post, I wrote about how it's a brave new world of SaaS apps and mobile devices for today's knowledge workers, who now have a myriad of choices on how to access business applications, with mobile being the new, preferred way to access applications. And they use a lot more applications than just a few short years ago. This increasing number of applications can be accessed via the Cloud or software-as-a-service (SaaS), as well as on-premise, and spans across CRM (customer relationship management), ERP (enterprise resource planning), HCM (human capital management), SFA (sales force automation) and many, many others. But this introduces some interesting challenges, including the rise of too many passwords for end-users, increasing numbers of mobile devices accessing applications, and IT management loss of control and visibility.
It's a brave new world for today's knowledge workers, who now have a myriad of choices on how to access business applications, with mobile being the new, preferred way to access applications. And they use a lot more applications than just a few short years ago. This increasing number of applications can be accessed via the Cloud or software-as-a-service (SaaS), as well as on-premise, and spans across CRM (customer relationship management), ERP (enterprise resource planning), HCM (human capital management), SFA (sales force automation) and many, many others.
Centrify presents single sign-on with SAP applications this week in Las Vegas at SAP TechEd!
Are you making Office 365 more difficult than it has to be? Testing the federated version of Office 365 requires a lot of dedicated hardware and effort. Centrify makes Office 365 much easier!
Discusses standards for provisioning users into SaaS applications.
I am a typical enterprise knowledge worker. I extensively use Microsoft Office. I switched from a Windows PC to a MacBook a few years ago. But during these past couple of years, either I, my department or my enterprise has adopted a TON of SaaS apps that now fit into my daily workflow.
As I stop and evaluate the consequences of this phenomenon, I am stunned at how screwed up and brittle my daily workflow has become simply because of all of the dang passwords I am forced to use.