If you are receptive to the ideas of the Jericho Forum security thinktank, then you may well accept its view that organisations can no longer rely on the firewalls that used to mark the extent of their control over IT infrastructure.
Of course, in most cases the firewalls are still there. But they have had to become increasingly porous as more and more of the legitimate access to IT applications takes place from beyond their limits. Furthermore, with the increasing use of software as a service (SaaS), many of the applications are themselves beyond the firewall.
Legitimate users need to be distinguished from the hackers who are increasingly focused on targeting a given organisation’s IT infrastructure, often by passing themselves off as legitimate users.
Supporting remote users as well as internal ones and keeping criminals and hacktivists at bay requires pushing the boundary of authorised access far beyond traditional firewalls to user-access devices. Hence the concept of the identity perimeter.
The technology that can enable this concept - single sign-on (SSO) - is not new, but many of the ways it is being used are.
The traditional suppliers in identity and access management, namely CA, Oracle and IBM, have had SSO systems for many years. The primary use of these products has been to save users remembering multiple usernames and passwords, which is considered a security issue because if they have too many, they start writing them down.
These vendors have had to adapt to a new set of competitors that have designed their SSO systems to support the trends of rising numbers of remote users who are often using their own devices, and the increasing use of SaaS.
More recent arrivals in this market include Ping Identity, Okta, Symplified and SaaSID, while a more established specialist, Imprivata, has found a niche for SSO in healthcare.
Link legitimate users and resources
These systems aim to make establishing a safe identity - wherever the user happens to be - the ultimate perimeter to a given business’s IT activities. They link legitimate users with the resources they require, with the SSO system acting as an identity bridge.
However, these systems can do much more and in some cases these additional capabilities are more about access to applications and data sources than identity - especially when it comes to dealing with customers. Indeed, there are cases when the SSO system need not know a user’s identity at all in the first instance to start providing value.
Imagine an inquisitive would-be tourist turning up at a travel agent’s website. They may just want to get a feel for the cost of air travel, car hire and hotels before considering making a booking. The SSO system can provide federated access to the resources needed to get quotes, adding more detail when the prospective customer actually decides to book something.
Of course at that stage an identity needs to be established. To an extent, a consumer can make up an identity at this point, perhaps by inventing a username. But this identity will need to be linked to a real email address and a genuine means of payment.
Opening up more resources
At this point the SSO system, in conjunction with other services, is starting to establish and improve the quality of the identity of the new customer. Once established, this identity can be used to open up more resources - for example, the customer’s transaction history as seen through the booking system.
Other transactions, in particular business-to-business ones, rely on acquiring identities from existing systems. For employees of a given organisation, these identities will generally come from an internal directory of some sort, most commonly Microsoft Active Directory.
However, when it comes to opening applications to partners and other external business users, the most valuable source of identity is likely to be an external one, such as the partner’s own internal directory or the membership database of a professional body.
For consumers and business users, social-media sites such as Facebook and LinkedIn are becoming accepted sources of identity in certain circumstances.
This trend means SSO systems increasingly need to be able to access multiple sources of identity for authenticating users. To make this process as simple as possible, the SSO system itself and the sources of identity need to be standardised.
Identity and access-management standards
A number of standards have arisen in identity and access management to support this need, including the lightweight directory access protocol, or LDAP, for storing identities and the SAML security assertion mark-up language for sharing them. An understanding acceptance of standards and a given vendor’s support for them should be an important aspect of the criteria for any SSO evaluation.
The ability to access identities from a wide range of sources and link them to multiple applications enables more integrated and efficient business process and supply chains.
Here, car dealerships linking in to a manufacturer’s ordering systems and lawyers linking in with court management systems and law-enforcement bodies are good examples. The SSO system can also broker policy about what a given user can do with a given resource and define templates for different roles, simplifying the provisioning of users.
Perhaps more importantly, when the relationship with a given user ends, deprovisioning them from the SSO systems ensures access to all resources is cut at a stroke.
There are many benefits to be gained from extending access to IT applications and resources to users working way beyond traditional firewalls, but a means of enabling, monitoring, controlling and stopping access will always be needed. SSO can be an effective way of achieving this.
Quocirca’s report, The identity perimeter is free to download for TechRepublic readers.