Tomasz Zajda - Fotolia

Cloud, SaaS bring identity and access management challenges

In this Q&A, Identity Automation's co-founder and CEO, James Litton, talks about the identity and access management challenges and the effects of cloud services in the IAM market.

Identity and access management challenges organizations looking to strengthen their security infrastructure. Additional problems arise when IT administrators must maintain data on premises and in the cloud.

In this Q&A, James Litton, CEO and co-founder of Identity Automation in Houston, discusses the challenges that many organizations face in adopting an identity and access management system, as well as the concerns about moving data and applications into the cloud.

What are some identity and access management challenges that many organizations face today?

James Litton: As organizations push more and more into the cloud, what they realize after a little while is that they created a little bit of a nightmare for themselves. You have all these different systems that are disconnected from your central system of control. You’re then presented with the challenge: How am I going to manage these systems? How can I automatically control the creation of accounts? How can I manage the access for all of those accounts in a way that isn't a nightmare for my IT department?

The best way to handle that is through a comprehensive identity management system with a central policy management engine that allows you to create accounts for all of these disparate systems and control access within all those systems.

James Litton, CEO and co-founder, Identity AutomationJames Litton

We continue to hear about organizations that are struggling with [security] breaches. Nine times out of 10, these breaches are not what people envision. The way that it happens is that [hackers] guess somebody's credentials. Most organizations are very good at granting access as people move around in an organization, but they're absolutely terrible at removing that access. Over time you end up with an access accumulation situation where people have way more access than they should, and that's what the bad guys take advantage of to compromise an organization.

There is oftentimes a contention between what users want in terms of convenience and ease of use and the organization's need for security. Unfortunately, those things don't always align, and there tends to be a lot of focus on the convenience play while at times letting the security piece suffer. A prime example of that is multifactor authentication. When our users enter their user ID and password, they're presented with a requirement for an additional authentication method, which frustrates them. It's not convenient, but it does improve security. I think that this contention continues to be a challenge in a lot of organizations.

How does the adoption of cloud and SaaS affect the identity and access management space?

Litton: From a security perspective, we would argue that pushing data into cloud-based services lowers the organization's ability to control that data. There's a higher level of risk because you don't have continuity around all of your systems and your data. You're somewhat dependent on that cloud service and that's okay. We all do that and we have a responsibility to vet those different services to make sure that they're doing all that they should be doing to protect our data.

SSO is not security. SSO is a convenience play.

I think the challenge becomes how you ultimately manage those systems because you're not really going to be able to directly, in most instances, control security. What you have to do is say, 'OK, how am I going to effectively manage my on-premises systems and 50 or 100 or 200 cloud-based systems that I, as an organization, use?'

Many organizations unfortunately haven't cracked that nut. What they're doing is managing the systems manually, and what that ultimately leads to is very poor security practices. For example, [they might] have accounts lingering in these systems for users that are no longer employed within the organization.

Do most organizations have reasonable access control and identity management systems in place?

Litton: We definitely seem to be at a place where there's more awareness than ever before. A lot of organizations are confused on the approach that they should take. There's a lot of focus on the convenience play, so organizations go down the single sign-on path. SSO is not security. SSO is a convenience play.

Now that organizations have the SSO piece in place, they're starting to wonder what's next. Then they're starting to look at other [platforms] like access management. Governance gets a lot of a press these days, but you have to couple that with lifecycle management and access management systems.

What are some exciting trends in the identity and access management market right now?

Litton: The area where you probably have the most 'excitement,' would be around [the] different ways of authenticating. This could be in the context of replacing a password or in the context of multifactor authentication. But it would be things like, 'How do we finally realize a password-less environment?' Doing things like push authentication in place of password authentication, multifactor or biometrics, Bluetooth proximity, radio frequency identification, these kinds of things are fairly exciting in terms of just making it easier while continuing to be secure for users to access their systems.

There's also development in the areas of artificial intelligence to help make decisions around things like access management or access control. To conduct a certification campaign, most organizations … send out thousands of emails to different systems owners to validate access for the users. That's overwhelming. What tends to happen is that those system owners do 'accept all' or 'approve all' so you can technically check the box for compliance, but you haven't actually improved your security posture. [AI] will definitely help organizations be more organized by focusing on users that should be [questioned] rather than just approving all.

Dig Deeper on Mobile security