Up-to-date syndicated information on database & ERP privacy, security, audit and compliance
  • Blending Cloud IAM Delivery Flavors: Convergence Of In-House And IAM Suite Offerings

    Posted on March 14th, 2012 by Andras Cser

    Today we see two basic flavors of cloud IAM. One archetype is the model offered by Covisint, VMware Horizon, Symplified, Okta, OneLogin, etc.: these vendors provide relatively tight integration, but less capable identity services based on their respective firms' own intellectual property. Because of the above, these offerings clearly have a short implementation time. The other camp of vendors believes in providing hosted services of "legacy" IAM products: CA Technologies coming out with CloudMinder, Lighthouse adding their own IP to IBM TIM/TAM, Simeio Solutions blending OpenAM and Oracle's identity stack with their own secret sauce, and Verizon Business using NetIQ's IDM stack as a basis for their hosted offering.

    Moving forward, we expect that the models will converge. With the adoption of cloud IAM at SMBs and enterprises, suite vendors will need to provide cloud IAM services. This will definitely lead to a surge of acquisitions of the above smaller providers (Symplified, Okta, OneLogin, etc.) in the next 12-24 months.

  • A Christmas Present From MIT?

    Posted on December 20th, 2011 by Andrew Rose

    As much as the cloud computing model makes sense to me, my security sensibilities cry out about information risk every time I start to consider actual implementation for data of value across an enterprise.

    A model which has always made sense has been to place only encrypted data in the cloud, holding the keys locally. This solution gives you control over data access, bypassing any Patriot Act concerns, but allows realization of the benefits of a shared, cloud infrastructure. It has always been recognized, however, that this solution has a number of drawbacks, such as:

    • The immense corporate sensitivity of the encryption keys utilised. These keys become essential to doing business. If they are corrupted, lost or held hostage by hacktivists, for example, then the organization stops dead in the water.
    • The difficulty of creating indexes, searching and applying transactions across encrypted data stores. If the concept is to keep the keys away from the cloud environment then actions such as indexing, searching or running database functions become very challenging.

    In 2009 an IBM cryptographer named Craig Gentry wrote a PhD dissertation describing a solution to the second of these challenges; unfortunately, it too had a drawback: his homomorphic encryption solution would increase transaction times by a factor of one trillion.

  • WebLogic: Oracle updates for cloud usage

    Posted on December 2nd, 2011 by ScottR

    In the upcoming release of WebLogic, WebLogic 12c, Oracle updated the software to:

    - meet the latest Java standards. It will run on the latest version of the core Java runtime environment, Java SE.

    - be compatible and comply with the full Java Enterprise Edition 6 platform profile (including the Java EE 6 APIs and libraries): JAX, JSF and Enterprise JavaBeans.

    Other changes:

    - WebLogic will run with Oracle Virtual Assembly Builder

    - Software has been engineered to work more easily with RAC

    - WebLogic has been integrated with Apache Maven

    This will make for an easier cloud deployment for all you Oracle kiddies out there.

  • Compliance And Cloud – Responsible Or Accountable?

    Posted on October 13th, 2011 by Andrew Rose

    It's interesting how many threads there are on the Internet that still debate the difference between these two words: "responsible" and "accountable." Oddly enough, today I stumbled across two definitions, from seemingly respectable sources, that hold diametrically opposite views! To me, the answer is simple - you can delegate responsibility, but accountability remains fixed.

    This is a key point in the extended enterprises in which we now function. Firms are now made up of a myriad of offshore and outsourced services, running on systems that are similarly fragmented and distributed across vendors. This complex tangle of people and data represents a huge challenge to the CISO, who remains accountable for the security, and often the compliance, of his employer yet is no longer responsible for their provision.

    With a methodical and comprehensive process and a surfeit of resource (please stop laughing at the back!), the CISO does, however, have the ability to follow the data trails and manage risk down in this regard. Unfortunately, with the advent of cloud, things are taking a turn for the worse. Cloud vendors are reluctant to be scrutinized, and the security and compliance demands of the CISO can often go unanswered. If cloud really is to be a mainstay of computing in the future, something has to give - we need to find a balance where compliance and security assurance requirements are met without fatally undermining the cloud model. This is a key topic for 2012 and something we'll be following with interest.

    As security professionals, we remain accountable for resolving these issues, no matter how much responsibility has been pushed to third parties and cloud vendors. So, how do you minimize the workload involved in managing the third parties that make up your extended enterprise, and how do you gain assurance around cloud vendors?
