TRANSCRIPT
Copyright 2016 Information Security Media Group
The Case for Cloud-Based IAM
OneLogin’s Meyer on Identity and Access Management for the Modern Enterprise
And it’s a pretty simple business case to make, says Meyer.

“The only rational place to control all this access is from the cloud,” Meyer explains. “Traditional approaches no longer fit the business reality. They are very expensive and not adaptable enough. When IT can’t adapt to what employees need, they find another way, and they create shadow IT, which is a compliance disaster.”
In an interview about cloud-based IAM, Meyer discusses:
• Why traditional IAM is no longer sufficient;
• Why cloud-based IAM is the better alternative;
• How to ensure legacy systems are not left behind;
• Trends that are now shaping the IAM marketplace.
Meyer has built groundbreaking enterprise and consumer software for over 15 years. One of the first employees at Plumtree Software, he drove collaboration and social software into the Fortune 500 until Plumtree was acquired by BEA. He continued running and expanding the business at BEA until the company was acquired by Oracle. At SAP, Meyer led teams that pioneered bringing cloud software to the most demanding companies in the world. Most recently he cofounded and co-ran the education company UniversityNow, Inc.
At a time when workers use more apps than ever to do their jobs – and from more locations and devices than ever – traditional IAM is simply not sufficient, says David Meyer, Vice President of Product at OneLogin. Cloud-Based IAM is what organizations truly need.

The Need for Cloud-Based IAM

Tom Field: Dave, why do organizations today really need identity and access management?

David Meyer: Today people are using apps, whether cloud apps or on premise apps, more than ever before. A couple of decades ago workers used a handful of apps to do their work. Now with best-of-breed applications being brought in by every function in the company, the number of apps has exploded. Of course, all of these need to be secure.
Now, the modern worker expects a seamless experience. It used to be maybe three weeks into your new employment you’d get access to all your systems. Today it needs to happen in the first 30 or 60 minutes of your employment. At the same time, threats are getting more sophisticated every day both inside the enterprise and in the cloud. An identity and access management system ensures everybody gets seamless access to what they need without passwords in a way that’s perfectly secure.

Field: David, what are the more common downfalls of traditional Identity and Access Management (IAM) and why do they make cloud-based IAM a better alternative?
Meyer: A couple of decades ago, everybody worked at the office. They were on the domain. They fired up their computer. They logged into that domain and used applications that were on premise.

Now no one is on the domain anymore. They might be working at the office, but they’re typically doing their work in apps that are in the cloud. More and more they’re not even in the office. They’re accessing apps from the road and often on a phone or tablet rather than a PC. And all that information is flowing through the internet. Therefore, the only rational place to control all this access is from the cloud.

Traditional approaches no longer fit the business reality. They’re very expensive, and they’re not adaptable enough. Apps typically take weeks or even months to roll out using traditional, on-premise identity access management, and they can be very expensive to roll out. That was fine when you only had a few of them. Now people are adding apps every day, and you struggle to figure out how to control people when they’re not on the domain. When IT can’t adapt to what employees need, they find another way, and they create shadow IT, which is a compliance disaster.
Managing Access in Real Time

Field: David, what other areas should companies consider when choosing an Identity and Access Management solution?

Meyer: The most important thing is that the cloud system works at the pace your business does, and that requires a real-time infrastructure. For example, if you reduce access for someone in your on-premise directory, that needs to manifest in your cloud apps in seconds. It can’t rely on some batch process that runs every day or every hour. Some cloud systems even require people to upload data to modify them.

The key is that you want to have the cloud vendor manage the process, so that any changes you make on premise are made in real time throughout your overall infrastructure for the true control you need. When you change someone’s privileges or give them a new privilege, they should have instant access. When you take away privilege they should have instant revocation. Now part of the way this works is using standards.
It’s also very important that the vendor you choose doesn’t have some plan to lock you in over time because the space is changing so rapidly. Your vendor needs to be able to accomplish changes rapidly, and if they can’t do that, you need to be free to choose another vendor.

That’s why standards are so important. The predominant single sign-on standard is called SAML (Security Assertion Markup Language). OneLogin has chosen to make toolkits in this area open source to ensure that anybody can implement it for free. Regardless of that, relying on standards rather than proprietary approaches is the key.

There’s a standard for provisioning called SCIM (System for Cross-Domain Identity Management) that more and more vendors are leveraging. This raises all boats because the more people use SCIM for provisioning, the more any vendor can provision safely and in real time to any system. On the mobile spectrum we have the new standards like NAPPS, based on OpenID Connect. These allow seamless native app authentication down at the mobile device layer itself.
The last thing is that it’s no longer a single-vendor world. The world is heterogeneous. The lines of business are choosing which apps are relevant for their salespeople or their finance team or their product development organization – and these are all going to be from different vendors. The system you choose has to be built on heterogeneity because you’re likely going to be dealing with multiple vendors that are important to you and are themselves competitors. They might not have the incentive to work cleanly together.
Seamless Integration for Hybrid Environments

Field: We recognize certainly that organizations have made significant technology investments. How can they ensure that their legacy systems are not left behind when they’re adding access to the cloud?

Meyer: A key part of taking advantage of cloud systems in general, cloud identity systems in particular, is how you’re going to get there. It doesn’t happen in one fell swoop. You’re going to have a system which you’ve been running for years, maybe decades on premise.

Let’s say it’s Active Directory, which most enterprises use to manage all of their users. The system you use in the cloud needs to seamlessly integrate with that, let you manage everything from Active Directory, and have real-time impact in all of your cloud apps. When you’re ready to start moving off premise, you can start using your cloud system as the master and start provisioning down into Active Directory, as you have more and more stuff in the cloud.
Identity standards come into play as you manage the rest of your on-premise landscape in the cloud. The LDAP standard, which Active Directory and OpenLDAP are based on, has been around for decades. Your cloud vendor should expose an LDAP extension too, so that any legacy app you have that used to point at your on-premise system can just point to the cloud instead. It’s much simpler because you have less to manage on premise. Similarly, your VPNs and your Wi-Fi systems that control your network need to talk to the cloud system over the RADIUS protocol in a secure way.

Lastly your PCs and other machines that used to connect to the network on premise now must connect to the cloud network. You need a means for authenticating your Mac laptops and your Windows devices, as well as your phones, directly to the cloud. OneLogin can do this for you through our OneLogin desktop and OneLogin mobile initiatives.

But whatever solution you choose, make sure it can work and replace over time, in a non-disruptive way, everything you’ve had on premise, and until that time, seamlessly connect to those open standards.
The IAM Product Roadmap

Field: Let’s take a step back, David. What are some of the trends you see in the IAM market that are guiding your product roadmap?

Meyer: Let’s extend one of the themes we just discussed – the progressive shift to the cloud and dealing with a hybrid scenario of on premise and cloud for the time to come. Even if you’ve moved most or all of your IT infrastructure to the cloud, you might acquire a company tomorrow that runs in a purely on-premise environment and needs to be seamlessly integrated to that.

All dynamic companies are going to be hybrid for the near future. A few years ago people used cloud identity to manage cloud apps. Today people are using cloud identity to manage their full hybrid enterprise system, both on premise and in the cloud.
A similar trend is that HR systems that manage employee onboarding are moving from on premise to the cloud. Workday is perhaps the best-known example. Companies want to have HR-driven identity systems. You onboard someone naturally through your HR system, and they’re magically brought into the company and automatically provisioned to all the right apps before they start their employment. We’re seeing that to be a strategic priority at the board level to get that return on investment where new employees have a shorter repay period.

Then there is the megatrend to mobile. As I’ve said, more and more people are not connected to the domain, and they’re on a smartphone, tablet or laptop. The standards are changing. I mentioned NAPPS is an evolving standard in the mobile landscape. The key is to connect all these things to your cloud infrastructure so you have a single control plane to manage it all.

The large MDM projects of yesteryear are no longer being embarked upon, so people are looking for a simple way to manage these identities with a cloud directory, so that people can work wherever it’s expedient to work on a trusted device. They’ll get instant access to what they need securely. In many companies, people are only truly compliant with their passwords, etc., when they’re connected to the domain. We need a world where people can go into any app, on their schedule in a way that’s compliant and secure and that IT is thrilled with. That’s what cloud identity offers.
That ‘Oh My Goodness!’ Moment

Field: Final question for you. OneLogin has over 2000 customers in almost 50 countries, all in a wide variety of vertical industries. What are some of the common experiences your various customers have reported after implementing your single sign-on (SSO) solution?

Meyer: One thing I hear post-deployment is companies realizing new business initiative possibilities based on having onboarding and access automated. I’ll give you an example. There’s a large postal system that uses OneLogin, and they can open up new branch offices and extend access to new employees in an automated way. What they hadn’t realized is they could accelerate business expansion and new office creation as a business with a top-line revenue impact because their systems were automated. Although that didn’t drive their initial decision, it was an, “Oh my goodness!” realization after the deployment. We see that more and more.
The hyper-growth companies have to automate everything. To go from two offices to 400 offices internationally, which is the narrative of another customer, that’s a very rapid expansion. You can’t do that logistically with a bunch of manual processes. That’s a main thing we see as an unseen advantage after the deployment that the companies realize.
The other thing is our customers often didn’t realize how dispersed their employee base was. When you wrap your environment with this control plane in the cloud, that gives you visibility into all the authentications from where they happened, and you realize workplace patterns that you didn’t even know existed. How much your employees are traveling in Asia, for example. The visibility you get with a cloud-based system like ours that touches everything is a surprise for customers.

The last bit is that we used to do primarily employee identity. People would manage their 400 or 400,000 employees with a system like OneLogin. Now the touch points our customers have between their employees and their own partners and their own customers are increasing. For example, Steelcase has long managed both their employees and their dealer network in OneLogin. A dealer that buys Steelcase furniture interacts with OneLogin through the OneLogin system. Those customers and partners can interact with the employees in novel ways. That used to be the exception, and now we’re seeing it become the norm.
902 Carnegie Center • Princeton, NJ • 08540 • www.ismgcorp.com

About ISMG

Headquartered in Princeton, New Jersey, Information Security Media Group, Corp. (ISMG) is a media company focusing on Information Technology Risk Management for vertical industries. The company provides news, training, education and other related content for risk management professionals in their respective industries.

This information is used by ISMG’s subscribers in a variety of ways — researching for a specific information security compliance issue, learning from their peers in the industry, gaining insights into compliance related regulatory guidance and simply keeping up with the Information Technology Risk Management landscape.

About OneLogin

OneLogin brings speed and integrity to the modern enterprise with an award-winning SSO and identity management platform. Our portfolio of solutions secures connections across all users, all devices, and every application, helping enterprises drive new levels of business integrity and operational velocity across their entire app portfolios. The choice for innovators of all sizes such as Condé Nast, Pinterest and Steelcase, OneLogin manages and secures millions of identities around the globe. We are headquartered in San Francisco, California. For more information, visit www.onelogin.com.

Contact: (800) 944-0401