Active Directory deficient for consumerization-era identity management

Though most enterprises rely on Active Directory, it was designed for a previous era and may not be sufficient for enterprises that need to extend identity out to the cloud and mobile devices. There is a new wave of identity management tools to fill in the gaps.

Ping Identity Corp. transitioned its infrastructure entirely to the cloud four years ago under the direction of its CTO, Patrick Harding. The former software developer and security architect moved the Denver-based identity management company from Microsoft Office to Google Docs and Gmail, Box for storage and Salesforce for CRM. They also support iPhones and iPads for mobility, along with Macs.

"I almost forget what an on-premises environment is like, it's been so long," Harding said.

Harding had experience with federated identity technologies and was able to provide secure access to cloud apps outside the company's firewall. He recently spoke with SearchConsumerization.com about the increasing role enterprise identity management has as IT navigates the pitfalls of mobile devices, the cloud and Software as a Service (SaaS) apps.

There's a change occurring with how enterprises handle identity. Why is that?

Patrick Harding: Enterprises have always had a system of identity, even going back to mainframes, however many number of years ago. The tools to manage identity have changed alongside the evolution of tools and services used within organizations. The use case is no different today than it was a decade ago, but cloud and SaaS has just increased the scope and perception of why identity is important.

Really, we're just beginning to experience the moment when identity management tools catch up with consumerization. It begs the question, why isn't Active Directory good enough for that change?

Harding: Active Directory is used by, like, 99% of large businesses. It's very good for what it does -- otherwise no one would use it. But, there's a line of business now that leverages SaaS and the cloud. Just look at how popular Salesforce.com is. That's the classic cloud-based SaaS app example.

By default, your workforce needs another password and login name to access SaaS apps, which IT can leverage existing corporate credentials to set those up -- whether it's Active Directory or LDAP or something else.

Here's the thing though, how you get employees out of SaaS apps is more important than how you get them in. You have Active Directory credentials so that when an employee leaves the company their access is shut off immediately. Say you get fired. Well, you won't be able to access your Exchange emails or work data as soon as you are de-provisioned in AD.

However, if the company is using SaaS apps, then employees can probably still access them months afterward. You hear this all the time when it comes to Gmail and similar services. Even after an employee has been de-provisioned in AD, they can still access various cloud apps months later. That's kind of scary, no?

This problem is the same problem with mobile and BYOD and things like that, by the way. One way to solve this is to require SaaS apps to need Active Directory credentials as a secondary layer of authentication.  A fired employee attempts to log in, gets by the first gate, but then the SaaS app checks that login credential against Active Directory and it fails the second gate test.

Active Directory is sufficient for the last generation of business, but mobile cloud have changed the needs of IT.

How so?

Harding: Security needs to be standardized and then scaled out to an Internet-distributed level. The most common approach is through tier one single sign on , which is basically password management. That's just masking the problem of enterprise identity.

Tier one SSO, passwords or both?

Harding: Passwords. SSO has a place for SMBs, it's why PingOne, Okta and all of us exist, and it's a good approach for cloud-first. But, I was talking about passwords, which are busted. They don't work. They're the Achilles Heel of SaaS apps.

Look at LinkedIn's recent problems. If they were using strong authentication they would have no need to store passwords and there would be no need for someone to hack them for the most part. Same applies for most other sites.

What do you mean when you say "strong authentication?"

Harding: Strong authentication is multi-factor authentication. …

The problem is for strong authentication to be baked into an app is very expensive. It won't happen and it's a no-win game, unfortunately. PayPal has strong authentication in place, as does Google if you enable it. But, those places are the exception because they can afford to do it.

It sounds like you're saying there's a bigger problem with identity and security on the Internet in general and not just for enterprise.

Harding: Yes, there is. I'd wager most people use the same login and password for every site they use both at home and at work. All it takes is for one site to get hacked to see why that user behavior could be problematic. If Facebook added secondary SMS authentication on top of passwords, it would elevate Facebook Connect, make it more secure and [it's] something lots of services could use because not only would you need a user-generated password, but you would also need a Facebook-generated SMS to gain access.

Facebook has become synonymous with identity on the Internet for most people. If they had the security component, authentication could happen in fewer places and really eliminate the need from other services to collect passwords.

What are some of the misconceptions of identity and the cloud in enterprises?

Harding: The general one is this stuff is hard, which goes back to IBM or Oracle's initial forays into the space. It used to be it would take months to get two apps connected to one another. It's so simplified now where a business can get all of these apps connected in hours and connecting to customers just a few hours after that.

The technology to do this through SAML, APIs, OpenID and OAuth has come a long way in recent years to make this easier. Plus there are plenty of places out there to help business, whatever their needs, to make it happen.

What does the future of enterprise identity management look like?

Harding: Enabling the secure use of SaaS apps and the cloud to start with.  When it comes to identity in this new era, it's about secure authentication, authorizing what they can do within an app, and then account management and auditing for licensing purpose.

But, one area we haven't addressed yet is BYOD, and that could be huge. IT is scared of it because they don't know all the repercussions with data security, privacy, all those issues. But, it boils down to accessing applications and data in a secured way.

Identity and SSO [single sign-on] is important to address BYOD because passwords should never be cached on a mobile device in the enterprise. I think coming up with a way to tailor which apps appear on the device through identity could be pretty powerful.

Another place is data cached on the devices. The classic example is, you lose a phone and the data is cached on it. If data is cached how do we protect it so the bad guy can't access it? Currently, you remote wipe it to erase the PowerPoint presentation, but you run the risk of deleting all the photos you've taken of your kid. We're trying to understand how identity and encryption can help secure cached data on a phone. So, we think, for certain types of files it might require identity to access them if they are cached or stored locally. Cached data is a problem that needs to be addressed, but in a secure way that doesn't intrude on the user experience.

That's the problem of consumerization in a nutshell.

Harding: Exactly. The user experience is key. And something IT overlooks. Doesn't matter if it's on a mobile device, on a SaaS app, or whatever. People will bend over backwards to avoid a bad user experience or if the solution isn't easy to use. That's why extending identity beyond the organization is an important problem to address, because it gives IT more control in terms of mobile and the cloud.