Plugging "Cloud Identity Leaks" - Why Your Business Should Become an Identity Provider
By Mark O’Neill VP Innovation – API & Identity Management, Axway (following Vordel acquisition)
Most people have used the Facebook, Twitter, or Google Apps buttons located on Websites to log into third party services. This approach is useful within consumer IT as it enables the user to access various services via their own Facebook, Twitter or Google Apps passwords without the effort of setting up multiple accounts on different websites. This trend has also transferred to the enterprise with employees now actively logging into business sites or business-to-business marketplaces via their own personal Facebook, Twitter or Google passwords. While employees may enjoy this convenience, organizations need to consider if this practice is good for their business?
Cloud Identity Leaks
Let’s take a look at some of the issues associated with employees using their personal passwords to access third party services. If employees are identifying themselves as Gmail or Facebook users and not as employees of an organization, it is difficult for the organization to have an audit trail of employee behaviour on business sites or within business-to-business marketplaces. For example, when the user is logged into Salesforce, ADP or similar services via their own social login it is impossible for the organization to verify their identity, track their activity and govern access. Additionally, the organization has lost all power of de-provisioning these employees from accessing these services once they leave the organization as, they are still logged into the third party services via their consumer identity and the organization can’t do anything about it.
Corporate IT & CSOs Must Regain Lost Ground
At the moment the majority of employees are accessing third party services via their social log-ins. This means they have effectively transferred control of their identity, with associated provisioning and account management abilities, to Google, Twitter or Facebook. As such, corporate IT is at risk of becoming irrelevant and being viewed as an inconvenience to the employee. To use an American Football analogy this is similar to the employee making an end run around corporate IT. Corporate IT can fight back by making it company policy for employees to use the corporate ID to access third party services, and by making it very easy to do so.
The lack of control over employee identities is also of concern to Chief Security Officers (CSO) who need to know how users are managing passwords, which type of services they are accessing, and evaluate the risk of their identities being hijacked. Typically CSOs will have password policies to address these issues. However, if users are simply bypassing the corporate log-in and logging into third party systems via Gmail-- the CSO's policies are rendered redundant and irrelevant.
It is clear that organizations need to control how employees are using their social identities to access work related services. Within an identity context, Twitter, Facebook and Google are considered to be Identity Providers (IDPs). This means they literally provide the user’s identity. These services are the location where a user logs-in, usually with a user name and password. Facebook or a similar service will then log the user in and vouch for the user’s identity to other systems the employee is trying to use. Of note, it’s technologies such as OAuth and OpenID which have enabled Facebook, Twitter and Google to become IDPs. There is nothing preventing an organization who wants to become its own Identity Provider from also leveraging these technologies to do so.
Organizations who want to regain control of their employees’ identities can make it a company policy for employees to log into third party services via the company Intranet. In this way, the organization can become its own IDP enabling the business to vouch for the identity of its employees. Within this scenario employees could log-in via the company Intranet with the organization providing its own links as a springboard to the various third party services the employee uses. In this way, the business can provide an on-ramp from the users log-in to any third party services the employee may be using, and become an Identity Provider.
An organization can become an identity provider by engaging its developers to produce an internal portal for its employees. However, this approach involves climbing a mountain of complex identity standards. Alternatively, Identity Mediation products offer a Gateway that acts as a spring board from the corporate identity out to third party services allowing the organization to become an Identity Provider and govern employee identities.
To conclude, it’s important to understand that Identity Providers such as Google, Facebook and Twitter own the user’s log in, so in effect they own the user. For example, if a user is logging in via Facebook to several services and they cancel their Facebook account, they will no longer be able to log into the service. Therefore, employee identities are becoming increasingly tied to platforms such as Facebook, Twitter and Google. To alleviate this trend, organizations need to take control of how their employees are accessing services and offer an alternative -- the corporate login. The organization needs to make it company policy for employees to use the corporate log-in, and most importantly make it very easy to use. Otherwise, employees will continue to use their personal log-ins to access third party sites while continuing to expose the organization to potential risks and a complete lack of governance.
About the author
Mark O’Neill is a frequent speaker and blogger on APIs and security. He is the co-founder and CTO at Vordel, now part of Axway. In his new role as VP Innovation, he manages Axway’s Identity and API Management strategy. Vordel’s API Server enables enterprises to connect to Cloud and Mobile. Mark can be followed on his blog at www.soatothecloud.com and twitter @themarkoneill
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.