How To Tell A Hacker From A User

If you are receptive to the ideas of the Jericho Forum, then you may well accept its view that the firewalls that used to demark the extent of control a business can exercise over its IT infrastructure can no longer be relied on. Of course, in most cases the firewalls are still there, but they have had to become increasingly porous as more and more of the legitimate access to IT applications is required from beyond their limits. Furthermore, with the increasing use of software-as-a-service (SaaS), many of the applications are themselves beyond the firewall.

Legitimate users need to be distinguished from the hackers that are increasingly focussed on the specific targeting of a given organisation’s IT infrastructure, often by passing themselves off as legitimate users. Supporting remote users (as well as internal ones) and keeping cyber-criminals and hacktivists at bay requires pushing the boundary of authorised access way beyond traditional firewalls to user access devices (whatever they may be); hence the concept of the identity perimeter.

The technology that can enable this – Single sign on (SSO) – is not new, but many of the ways it is being used are. The traditional players in the identity and access management (IAM) market, namely CA, Oracle and IBM, have had SSO systems for many years. The primary use case has been to save users remembering multiple usernames and passwords, which is considered a security issue because if they have too many, they start writing them down.

These vendors have had to adapt to a new set of competitors that have designed their SSO systems to support the trends outlined above; increasing numbers of remote users (often using their own devices) and the increasing use of SaaS based applications. The upstarts include Ping Identity, Okta, Symplified and SaaSID as well as more established specialists like Imprivata that has found a niche for SSO with the particular requirements of the healthcare sector.

These systems aim to make establishing a safe identity, wherever the user happens to be, as the ultimate perimeter to a given business’s IT activities. They link legitimate users with the resources they require, the SSO system acting as an identity bridge. However, these systems can do much more than this and in some cases, this is more about access to applications and data sources than identity, especially when it comes to dealing with customers.

Indeed, there are cases when the SSO system need not know a user’s identity at all in the first instance to start providing value. Imagine an inquisitive would-be tourist turning up at a travel agent’s web site. They may just want to get a feel for the cost of air travel, car hire and hotels on offer before considering making a booking. The SSO system can provide federated access to the resources needed to get quotes, getting into more detail when the prospective customer actually decides to book something.

At that stage of course, an identity needs to be established. To an extent, a consumer can make up an identity at this point; perhaps inventing a username, but this will need to be linked to a real email address and a genuine means of payment. At which stage the SSO system, in conjunction with other services, is starting to establish and improve the quality of the identity of the new customer. Once established this identity can be used to open up more resources, for example the customers transaction history as seen through the booking system.

Other transactions, in particular business-to-business ones, rely on acquiring identities from existing systems. For employees of a given organisation these identities will generally come from an internal directory of some sort, most commonly Microsoft Active Directory.

However, when it comes to opening applications to partners and other external business users, the most valuable source of identity will likely be an external one such as the partner’s own internal directory or the membership database of a professional body. For both consumers and business users social media sites such as Facebook and LinkedIn are becoming accepted sources of identity for certain use cases.

This means that SSO systems increasingly need to be able to access multiple sources of identity to authenticate users against. To make this as simple as possible requires that the SSO system itself and the sources of identity are standardised. A number of standards have arisen in the IAM world to support this including LDAP (lightweight directory access protocol) for storing identities and SAML (security assertion mark-up language) for sharing them. An understanding acceptance of standards and a given vendors support for them should be an important aspect of the evaluation criteria for any SSO evaluation.

The ability to access identities from a wide range of sources and link them to multiple applications better enables more integrated and efficient business process and supply chains. Here, car dealerships linking in to a manufacturer’s ordering systems and lawyers linking in with court management systems and law enforcement bodies are good examples.

The SSO system can also broker policy about what a given user can do with a given resource and define templates for different roles, simplifying the provisioning of users. Perhaps more importantly, when the relationship with a given user ends, de-provisioning them from the SSO systems ensures access to all resources is cut at a stroke. There are many benefits to be gained from extending access to IT applications and resources to users working way beyond traditional firewalls, but a means of enabling, monitoring, controlling and stopping access will always be needed. SSO can be an effective way of achieving this.

Bob Tarzey joined Quocirca in 2002. His main area of coverage is route to market for ITC vendors, but he also has an additional focus on IT security, network computing, systems management and managed services. Bob has extensive knowledge of the IT industry. Prior to joining Quocirca in he spent 16 years working for US technology vendors including DEC (now HP), Sybase, Gupta, Merant (now Serena), eGain and webMethods (now Software AG). Bob has a BSc in Geology from Manchester University and PhD in Geochemistry from Leicester University.