I was fortunate to join IT decision makers from some of the world’s most forward-thinking organizations for a day-long roundtable on October 30 in Sausalito, CA, to share their initiatives and strategies for managing identity and access to cloud applications. The audience included IT leaders from industry innovators like Uber, Zendesk, Pandora, Yelp, The Carlyle Group, Pinterest, Jabil, and Steelcase. The event presented an opportunity for these IAM practitioners to engage with their peers and share information about architectures, challenges and solutions, and best practices.
The results I found interesting from live polling of attendees included:
- 67% have Active Directory deployed
- The remainder have OpenLDAP or are cloud-only
- 38% of their deployed apps support SAML (or another open standard)
- 69% have vendors perform the SAML configuration
- 77% stated that the level of effort required to report on identity policy compliance was “Significant”
- The #1 benefit associated with their IAM deployments:
  - Increase employee productivity (33%)
  - Reduce risk (33%)
  - Increase IT productivity (20%)
  - Manage compliance (14%)
The corresponding discussions surrounding these topics revealed the following:
- Active Directory: for better or worse, Active Directory is not going away
  - For organizations where Active Directory (AD) was deployed, few were prepared to eliminate AD from their infrastructure anytime soon. In most cases, legacy Windows apps, e.g. critical business solutions and compliance tools, were the limiting factor. However, for those without on-prem directory services like AD or OpenLDAP, the direction forward was a cloud directory, e.g. a SaaS cloud identity provider.
- SAML (Security Assertion Markup Language), SSO (Single Sign-On), and Identity Federation: open standards are taking hold
  - SAML adoption continues to accelerate, improving the IT department’s ability to quickly onboard and provision cloud applications and end users.
  - SAML essentially eliminates per-application passwords: the user signs into cloud applications through an exchange of authentication and authorization data between the identity provider and the service provider. That data carries digital signatures, which is what establishes trust between the identity provider and the service provider’s applications.
  - Organizations are actively implementing cloud vendor onboarding certification (CVOC) programs to help accelerate provisioning of new cloud-based apps and services while reducing risk. One of the most important questions on a CVOC form is: “Do you provide a Security Assertion Markup Language (SAML) 2.0 API/connector for secure exchange of user authentication and authorization information between web domains?”
- Mobile Trends and NAPPS (Native Applications): a pending new standard for mobile and desktop native applications
  - The proliferation of mobile applications, including apps custom to the organization, makes the need for an SSO solution critical. However, most mobile apps don’t support SAML, and tiny keyboards are incompatible with passwords. For those mobile apps that do support SAML, the user’s authentication experience is poor, and security is weakened because sessions aren’t frequently re-validated.
  - The industry is looking to solve this problem with the introduction of NAPPS, a standard protocol that provides SSO for users on mobile devices through a “token agent”, enabling native mobile applications to authenticate users more easily.
  - As with SAML, promoting NAPPS to mobile application developers will be imperative in order to provide a more seamless user experience.
This year’s inaugural Identity First conference brought together IT leaders across industries and provided a forum for open discussion regarding the future of IAM. I anticipate this community will advance innovations in the IAM market and existing best practices through ongoing networking, working sessions and annual conferences. I encourage other leaders not currently members of Identity First to register at https://identityfirst.org and, as new members, to contribute to the Identity First Benchmark Survey - State of Identity Management 2014, available on the website.