The IT world is fairly familiar with the idea of sprawl – especially when it comes to the virtual machine and cloud worlds. IT Admins, Database Admins, App Development teams, and others all spin up new machines instead of using shared space on existing machines, leading to more machines proliferating through the environment; necessitating the need for more physical hardware on-site and more resource utilization in the cloud. All of this, of course, led to higher budgets and costs, as physical machines to set up as new virtual hosts are not cheap, and more and more cloud instances quickly lead to higher cloud provider bills.
Diego Mejia from SecureAuth recently gave a talk on how sprawl can impact a business from many non-core-IT perspectives as well. The interesting thing is that the concept of sprawl also applies to identity. We started with all corporate apps sitting behind a firewall in a datacenter and shielded by a VPN. One identity provider (like Active Directory) was all that was needed to block the bad guys and let in the good users. Over time, however, business units began to use Software as a Service (like SalesForce), and users demanded Bring Your Own Device (BYOD) policies that might not support the current VPN solution. Employees also have begun to use social media and other traditionally non-business apps as part of their day-to-day work operations, or at least within the company sphere of influence.
This lead to an interesting problem. Before now, everyone authenticated off of a shared identity datastore, like Active Directory, yet suddenly found themselves authenticating against different datastores all over the internet. I log into the company network from my laptop by using my Active Directory credentials. I also log into my email via some form of cloud service, and SalesForce via their site, and Twitter and Facebook both for my own accounts and (if I have privileges) with my corporate accounts as well. Even more worrying, because of BYOD policies I might not be logging into any of these services from a company-approved and managed device. Stopping this kind of "ID sprawl" has become impossible in the modern, connected enterprise.
How do you address sprawl in enterprises?
You could lock down access from unknown devices, and break BYOD. You could limit the types of applications used company-wide, also limiting productivity in the process. The classic balancing act between end-user flexibility and security comes into full effect, with neither side being a good trade-off.
Instead, focus on making sure that only the right people get into the right systems. By keeping people with unauthorized credentials off these systems in the first place; what application they are using and what device they are using it on become irrelevant.
Layered, adaptive, transparent authentication is a key component of this idea. Before a username is even given, you need to make sure that the user is coming in on a known, safe device. Then you need to determine if they should be able to log in by determining their apparent location, or if they're using technologies that obscure their IP and other location information. If they pass those tests, then you need to make sure that user (identified by a username, or email address, or ID number, etc.) has access to the resources they just asked to get into. For example, a receptionist shouldn't be trying to access a back-end HR system. Finally, and only after those steps, you need to make sure they have the passwords and other login tokens required by the company to finalize the authentication.
Is this enough? Maybe. But there are other factors to consider on top of this. Come back next week where we take a look at how BYOD and identity sprawl, together, can further impact the security of your business.