Copyright 2016 Information Security Media Group

The Case for Cloud-Based IAM

OneLogin’s Meyer on Identity and Access Management for the Modern Enterprise


And it’s a pretty simple business case to make, says Meyer.

“The only rational place to control all this access is from the cloud,” Meyer explains. “Traditional approaches no longer fit the business reality. They are very expensive and not adaptable enough. When IT can’t adapt to what employees need, they find another way, and they create shadow IT, which is a compliance disaster.”

In an interview about cloud-based IAM, Meyer discusses:

• Why traditional IAM is no longer sufficient;

• Why cloud-based IAM is the better alternative;

• How to ensure legacy systems are not left behind;

• Trends that are now shaping the IAM marketplace.

Meyer has built groundbreaking enterprise and consumer software for over 15 years. One of the first employees at Plumtree Software, he drove collaboration and social software into the Fortune 500 until Plumtree was acquired by BEA. He continued running and expanding the business at BEA until the company was acquired by Oracle. At SAP, Meyer led teams that pioneered bringing cloud software to the most demanding companies in the world. Most recently he cofounded and co-ran the education company UniversityNow, Inc.

At a time when workers use more apps than ever to do their jobs – and from more locations and devices than ever – traditional IAM is simply not sufficient, says David Meyer, Vice President of Product at OneLogin. Cloud-based IAM is what organizations truly need.

The Need for Cloud-Based IAM

Tom Field: Dave, why do organizations today really need identity and access management?

David Meyer: Today people are using apps, whether cloud apps or on premise apps, more than ever before. A couple of decades ago workers used a handful of apps to do their work. Now with best-of-breed applications being brought in by every function in the company, the number of apps has exploded. Of course, all of these need to be secure.

Now, the modern worker expects a seamless experience. It used to be maybe three weeks into your new employment you’d get access to all your systems. Today it needs to happen in the first 30 or 60 minutes of your employment. At the same time, threats are getting more sophisticated every day both inside the enterprise and in the cloud. An identity and access management system ensures everybody gets seamless access to what they need without passwords in a way that’s perfectly secure.

Field: David, what are the more common downfalls of traditional Identity and Access Management (IAM) and why do they make cloud-based IAM a better alternative?

Meyer: A couple of decades ago, everybody worked at the office. They were on the domain. They fired up their computer. They logged into that domain and used applications that were on premise.

Now no one is on the domain anymore. They might be working at the office, but they’re typically doing their work in apps that are in the cloud. More and more they’re not even in the office. They’re accessing apps from the road and often on a phone or tablet rather than a PC. And all that information is flowing through the internet. Therefore, the only rational place to control all this access is from the cloud.

Traditional approaches no longer fit the business reality. They’re very expensive, and they’re not adaptable enough. Apps typically take weeks or even months to roll out using traditional, on-premise identity access management, and they can be very expensive to roll out. That was fine when you only had a few of them. Now people are adding apps every day, and you struggle to figure out how to control people when they’re not on the domain. When IT can’t adapt to what employees need, they find another way, and they create shadow IT, which is a compliance disaster.

Managing Access in Real Time

Field: David, what other areas should companies consider when choosing an Identity and Access Management solution?

Meyer: The most important thing is that the cloud system works at the pace your business does, and that requires a real-time infrastructure. For example, if you reduce access for someone in your on-premise directory, that needs to manifest in your cloud apps in seconds. It can’t rely on some batch process that runs every day or every hour. Some cloud systems even require people to upload data to modify them.

The key is that you want to have the cloud vendor manage the process, so that any changes you make on premise are made in real time throughout your overall infrastructure for the true control you need. When you change someone’s privileges or give them a new privilege, they should have instant access. When you take away privilege they should have instant revocation. Now part of the way this works is using standards.

It’s also very important that the vendor you choose doesn’t have some plan to lock you in over time because the space is changing so rapidly. Your vendor needs to be able to accomplish changes rapidly, and if they can’t do that, you need to be free to choose another vendor.

That’s why standards are so important. The predominant single sign-on standard is called SAML (Security Assertion Markup Language). OneLogin has chosen to make toolkits in this area open source to ensure that anybody can implement it for free. Regardless of that, relying on standards rather than proprietary approaches is the key.

There’s a standard for provisioning called SCIM (System for Cross-Domain Identity Management) that more and more vendors are leveraging. This raises all boats because the more people use SCIM for provisioning, the more any vendor can provision safely and in real time to any system. On the mobile spectrum we have the new standards like NAPPS, based on OpenID Connect. These allow seamless native app authentication down at the mobile device layer itself.

The last thing is that it’s no longer a single-vendor world. The world is heterogeneous. The lines of business are choosing which apps are relevant for their salespeople or their finance team or their product development organization – and these are all going to be from different vendors. The system you choose has to be built on heterogeneity because you’re likely going to be dealing with multiple vendors that are important to you and are themselves competitors. They might not have the incentive to work cleanly together.
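The two points Meyer makes in this answer, that a privilege change in the directory must reach every cloud app in seconds rather than on a batch schedule, and that the way to get there is a standard such as SCIM, can be made concrete in a small simulation. The following is an added example written for this page; it is not OneLogin's code and not a real SCIM client. It builds the SCIM 2.0 PatchOp body that an identity provider sends to set a user's active flag to false (the message shape is from RFC 7644 §3.5.2), applies it to an in-memory master record, and fans it out to two constructed downstream apps: one that accepts pushed changes and one that only picks up changes when a batch job runs. The app names, user id and address are constructed sample values.

```python
"""Illustrative SCIM 2.0 deprovisioning with push versus batch propagation.

Added example for this interview page, not OneLogin's own code. The
directory, the apps and the user record are constructed in memory so the
script runs offline.
"""
import json
from dataclasses import dataclass, field

SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"   # RFC 7644, 3.5.2
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"       # RFC 7643, 4.1


@dataclass
class App:
    """A downstream SaaS app that keeps its own copy of each user's state."""
    name: str
    push: bool                      # True: receives SCIM PATCHes as they happen
    users: dict = field(default_factory=dict)

    def access_allowed(self, user_id: str) -> bool:
        # Only an existing record whose active flag is true grants access.
        return bool(self.users.get(user_id, {}).get("active", False))


class ScimDirectory:
    """Minimal identity provider: holds the master user records and fans
    out each SCIM PATCH to every app that subscribed for push delivery."""

    def __init__(self):
        self.users = {}             # user id -> SCIM user record
        self.apps = []              # provisioned downstream apps

    def create_user(self, user_id: str, user_name: str) -> dict:
        record = {"schemas": [SCIM_USER], "id": user_id,
                  "userName": user_name, "active": True}
        self.users[user_id] = record
        for app in self.apps:       # initial provisioning to every app
            app.users[user_id] = dict(record)
        return record

    def patch_user(self, user_id: str, body: str) -> dict:
        """Apply a SCIM PatchOp (JSON text) to the master record, then push
        the result to every push-subscribed app in the same call."""
        patch = json.loads(body)
        if SCIM_PATCH not in patch.get("schemas", []):
            raise ValueError("invalidValue: missing PatchOp schema")
        record = self.users[user_id]
        for op in patch["Operations"]:
            kind = op["op"].lower()
            path = op.get("path")
            if kind in ("replace", "add"):
                if path is None:    # no path: value is a partial record
                    record.update(op["value"])
                else:
                    record[path] = op["value"]
            elif kind == "remove":
                record.pop(path, None)
            else:
                raise ValueError("invalidSyntax: unknown op %s" % op["op"])
        for app in self.apps:
            if app.push:
                app.users[user_id] = dict(record)
        return record

    def batch_sync(self):
        """What a nightly or hourly job does for apps that do not accept push."""
        for app in self.apps:
            if not app.push:
                app.users = {uid: dict(r) for uid, r in self.users.items()}


def deactivate_patch() -> str:
    """The PATCH body an IdP sends to set active=false (RFC 7644, 3.5.2)."""
    return json.dumps({"schemas": [SCIM_PATCH],
                       "Operations": [{"op": "replace", "path": "active",
                                       "value": False}]})


def revocation_lag_demo() -> dict:
    """Offboard one user and report, per app, whether access is still
    granted right after the change and again after the batch job runs."""
    idp = ScimDirectory()
    crm = App("crm", push=True)          # constructed sample apps
    payroll = App("payroll", push=False)
    idp.apps.extend([crm, payroll])
    idp.create_user("u-1001", "alice@example.com")   # constructed user

    idp.patch_user("u-1001", deactivate_patch())
    immediately = {a.name: a.access_allowed("u-1001") for a in idp.apps}
    idp.batch_sync()                     # hours later in a real deployment
    after_batch = {a.name: a.access_allowed("u-1001") for a in idp.apps}
    return {"master_active": idp.users["u-1001"]["active"],
            "immediately": immediately, "after_batch": after_batch}


if __name__ == "__main__":
    print(json.dumps(revocation_lag_demo(), indent=2))
```

Running it shows the master record inactive and the push-connected app denying access in the same call that applied the PATCH, while the batch-synced app keeps granting access until its next sync. That window is the revocation lag the answer above argues against; when evaluating a vendor, the question to ask of each connected app is which of the two paths it sits on.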

Seamless Integration for Hybrid Environments

Field: We recognize certainly that organizations have made significant technology investments. How can they ensure that their legacy systems are not left behind when they’re adding access to the cloud?

Meyer: A key part of taking advantage of cloud systems in general, cloud identity systems in particular, is how you’re going to get there. It doesn’t happen in one fell swoop. You’re going to have a system which you’ve been running for years, maybe decades on premise.

Let’s say it’s Active Directory, which most enterprises use to manage all of their users. The system you use in the cloud needs to seamlessly integrate with that, let you manage everything from Active Directory, and have real-time impact in all of your cloud apps. When you’re ready to start moving off premise, you can start using your cloud system as the master and start provisioning down into Active Directory, as you have more and more stuff in the cloud.

Identity standards come into play as you manage the rest of your on-premise landscape in the cloud. The LDAP standard, which Active Directory and OpenLDAP are based on, has been around for decades. Your cloud vendor should expose an LDAP extension too, so that any legacy app you have that used to point at your on-premise system can just point to the cloud instead. It’s much simpler because you have less to manage on premise. Similarly, your VPNs and your Wi-Fi systems that control your network need to talk to the cloud system over the RADIUS protocol in a secure way.

Lastly your PCs and other machines that used to connect to the network on premise now must connect to the cloud network. You need a means for authenticating your Mac laptops and your Windows devices, as well as your phones, directly to the cloud. OneLogin can do this for you through our OneLogin desktop and OneLogin mobile initiatives.

But whatever solution you choose, make sure it can work and replace over time, in a non-disruptive way, everything you’ve had on premise, and until that time, seamlessly connect to those open standards.

The IAM Product Roadmap

Field: Let’s take a step back, David. What are some of the trends you see in the IAM market that are guiding your product roadmap?

Meyer: Let’s extend one of the themes we just discussed – the progressive shift to the cloud and dealing with a hybrid scenario of on premise and cloud for the time to come. Even if you’ve moved most or all of your IT infrastructure to the cloud, you might acquire a company tomorrow that runs in a purely on-premise environment and needs to be seamlessly integrated to that.

All dynamic companies are going to be hybrid for the near future. A few years ago people used cloud identity to manage cloud apps. Today people are using cloud identity to manage their full hybrid enterprise system, both on premise and in the cloud.

A similar trend is that HR systems that manage employee onboarding are moving from on premise to the cloud. Workday is perhaps the best-known example. Companies want to have HR-driven identity systems. You onboard someone naturally through your HR system, and they’re magically brought into the company and automatically provisioned to all the right apps before they start their employment. We’re seeing that to be a strategic priority at the board level to get that return on investment where new employees have a shorter repay period.

Then there is the megatrend to mobile. As I’ve said, more and more people are not connected to the domain, and they’re on a smartphone, tablet or laptop. The standards are changing. I mentioned NAPPS is an evolving standard in the mobile landscape. The key is to connect all these things to your cloud infrastructure so you have a single control plane to manage it all.

The large MDM projects of yesteryear are no longer being embarked upon, so people are looking for a simple way to manage these identities with a cloud directory, so that people can work wherever it’s expedient to work on a trusted device. They’ll get instant access to what they need securely. In many companies, people are only truly compliant with their passwords, etc., when they’re connected to the domain. We need a world where people can go into any app, on their schedule in a way that’s compliant and secure and that IT is thrilled with. That’s what cloud identity offers.

That ‘Oh My Goodness!’ Moment

Field: Final question for you. OneLogin has over 2000 customers in almost 50 countries, all in a wide variety of vertical industries. What are some of the common experiences your various customers have reported after implementing your single sign-on (SSO) solution?

Meyer: One thing I hear post-deployment is companies realizing new business initiative possibilities based on having onboarding and access automated. I’ll give you an example. There’s a large postal system that uses OneLogin, and they can open up new branch offices and extend access to new employees in an automated way. What they hadn’t realized is they could accelerate business expansion and new office creation as a business with a top-line revenue impact because their systems were automated. Although that didn’t drive their initial decision, it was an, “Oh my goodness!” realization after the deployment. We see that more and more.

The hyper-growth companies have to automate everything. To go from two offices to 400 offices internationally, which is the narrative of another customer, that’s a very rapid expansion. You can’t do that logistically with a bunch of manual processes. That’s a main thing we see as an unseen advantage after the deployment that the companies realize.

The other thing is our customers often didn’t realize how dispersed their employee base was. When you wrap your environment with this control plane in the cloud, that gives you visibility into all the authentications from where they happened, and you realize workplace patterns that you didn’t even know existed. How much your employees are traveling in Asia, for example. The visibility you get with a cloud-based system like ours that touches everything is a surprise for customers.

The last bit is that we used to do primarily employee identity. People would manage their 400 or 400,000 employees with a system like OneLogin. Now the touch points our customers have between their employees and their own partners and their own customers are increasing. For example, Steelcase has long managed both their employees and their dealer network in OneLogin. A dealer that buys Steelcase furniture interacts with Steelcase through the OneLogin system. Those customers and partners can interact with the employees in novel ways. That used to be the exception, and now we’re seeing it become the norm.


902 Carnegie Center • Princeton, NJ • 08540 • www.ismgcorp.com

About ISMG

Headquartered in Princeton, New Jersey, Information Security Media Group, Corp. (ISMG) is a media company focusing on Information Technology Risk Management for vertical industries. The company provides news, training, education and other related content for risk management professionals in their respective industries.

This information is used by ISMG’s subscribers in a variety of ways — researching for a specific information security compliance issue, learning from their peers in the industry, gaining insights into compliance related regulatory guidance and simply keeping up with the Information Technology Risk Management landscape.

About OneLogin

OneLogin brings speed and integrity to the modern enterprise with an award-winning SSO and identity management platform. Our portfolio of solutions secure connections across all users, all devices, and every application, helping enterprises drive new levels of business integrity and operational velocity across their entire app portfolios. The choice for innovators of all sizes such as Condé Nast, Pinterest and Steelcase, OneLogin manages and secures millions of identities around the globe. We are headquartered in San Francisco, California. For more information, visit www.onelogin.com.

Contact: (800) 944-0401

[email protected]