I recently had the opportunity to speak with the two old-line purveyors of privileged user management software (also called Privileged Identity Management and Privileged Password Management) -- Cyber-Ark and e-DMZ Security. In separate phone conversations we covered most of the two companies' offerings and today we'll take a look at how they feel about cloud computing and authentication.
Both companies have been involved with protecting what I'll call "system accounts" for many years. These are the accounts (such as "root" on 'nix systems and "administrator" on Windows systems) that generally allow shared access among a group of IT support personnel and have virtually unlimited access to system resources. Through methods that include data-vaulting, login redirection, session auditing and automatic password reset, these two organizations do a relatively thorough job of protecting access to enterprise resources. They can do this by funneling access to those accounts and resources through the services they offer. Recently, mainstream Simplified Sign-on (SSO) vendors (such as Passlogix) have attempted to get into this space, so I thought I'd ask the PUM vendors about moving into a different space -- cloud computing.
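To make the model concrete, here is an added example (my own illustration, not code from Cyber-Ark, e-DMZ or any product) of the control pattern just described: every use of a shared account is funneled through a broker that hands out the credential on a time-limited lease, records who took it and when, and automatically resets the password on check-in or when a lease lapses. The account name, users, timestamps and lease length are constructed demo values.

```python
"""Privileged-account broker: vault, time-limited check-out, audit, auto-rotate.

Added illustration of the PUM pattern; not any vendor's code. All names and
timestamps below are constructed for the demo.
"""
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

ALPHABET = string.ascii_letters + string.digits
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed start time for the demo


def minutes(n: int) -> timedelta:
    return timedelta(minutes=n)


def generate_password(length: int = 24) -> str:
    """Fresh random password from the OS CSPRNG; used on every reset."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class VaultedAccount:
    name: str                          # e.g. "root@db01" (hypothetical)
    password: str
    holder: Optional[str] = None       # who currently holds the lease, if anyone
    expires_at: Optional[datetime] = None


class PrivilegedAccountBroker:
    """All access to a shared account goes through check_out/check_in."""

    def __init__(self, lease: timedelta = minutes(30)):
        self._accounts: Dict[str, VaultedAccount] = {}
        self._audit: List[dict] = []
        self._lease = lease

    def _log(self, event: str, account: str, user: str, when: datetime) -> None:
        # Session auditing: every decision, including denials, is recorded.
        self._audit.append({"event": event, "account": account,
                            "user": user, "at": when.isoformat()})

    def vault(self, name: str, password: str, now: datetime) -> None:
        self._accounts[name] = VaultedAccount(name, password)
        self._log("vaulted", name, "system", now)

    def check_out(self, name: str, user: str, now: datetime) -> str:
        """Lend the credential to one user for one lease period."""
        self.reclaim_expired(now)            # stale leases are rotated first
        acct = self._accounts[name]
        if acct.holder is not None:
            self._log("denied", name, user, now)
            raise PermissionError(f"{name} is held by {acct.holder} until {acct.expires_at}")
        acct.holder = user
        acct.expires_at = now + self._lease
        self._log("check_out", name, user, now)
        return acct.password

    def check_in(self, name: str, user: str, now: datetime) -> None:
        """Return the account; the password the user saw is immediately retired."""
        acct = self._accounts[name]
        if acct.holder != user:
            self._log("denied", name, user, now)
            raise PermissionError(f"{user} does not hold {name}")
        self._rotate(acct, "check_in", user, now)

    def reclaim_expired(self, now: datetime) -> List[str]:
        """Rotate any account whose lease has lapsed without a check-in."""
        reclaimed = []
        for acct in self._accounts.values():
            if acct.holder is not None and acct.expires_at is not None and acct.expires_at <= now:
                self._rotate(acct, "lease_expired", acct.holder, now)
                reclaimed.append(acct.name)
        return reclaimed

    def _rotate(self, acct: VaultedAccount, event: str, user: str, now: datetime) -> None:
        # Automatic password reset: the disclosed secret dies with the lease.
        acct.password = generate_password()
        acct.holder = None
        acct.expires_at = None
        self._log(event, acct.name, user, now)

    def audit_trail(self) -> List[dict]:
        return list(self._audit)


if __name__ == "__main__":
    broker = PrivilegedAccountBroker()
    broker.vault("root@db01", "initial-secret", T0)
    broker.check_out("root@db01", "alice", T0)
    broker.check_in("root@db01", "alice", T0 + minutes(5))
    for entry in broker.audit_trail():
        print(entry)
```

The point the example makes is the one the vendors rely on: as long as the broker sits between the person and the account, the enterprise gets a per-user audit trail for an account that is itself shared, and the credential a user was shown stops working once the lease ends. Move the account into a cloud application that the broker cannot front, and that guarantee disappears unless the application exposes equivalent hooks.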
Cyber-Ark's Adam Bosnian (vice president of products and strategy), Shlomi Dinoor (vice president of emerging technologies) and Roy Adar (vice president of product management) were adamant that the data could be protected by their products no matter where it resided. They did say, though, that protecting that data is the responsibility of both the enterprise and the host-in-the-cloud. Precisely because there's no way to funnel the connection through the enterprise network, they said, the cloud application provider must supply methods for validating the connection and for using the enterprise's own security tools. No one should rely solely on the cloud vendor's security.
e-DMZ's CEO/CTO Kris Zupan essentially agreed that the necessary "hooks" need to come from the cloud application vendors and advised customers to "go slow" in moving critical data (and services) into the cloud. Zupan, in fact, almost paraphrased his rivals' thought when he said that Privileged User Management in the cloud would require moving to a modular approach -- that is, part implemented by the enterprise and part by the cloud vendor.
Left unspoken, yet lurking like an elephant in the room, was the lack of open standards for identity management for cloud applications. This was emphasized by a recent announcement from TriCipher, another vendor of PUM software. TriCipher (through their My One Login Web site) and VeriSign have teamed up to offer free multi-factor strong authentication for cloud-based applications. Well, at least for the cloud-based apps offered by Google. If you're a Google apps user, that's good news. If you're, say, a Salesforce.com apps user it's not relevant news. But if you use some Google apps and some Salesforce apps then it should be disquieting news. Disquieting because if you want strong authentication you'll need to double your effort and devote more scarce corporate resources to protecting the enterprise's digital resources.
We need well-thought-out, universally deployed identity and security "hooks" for the cloud. Tell me where you think they'll come from.
Cyber-Ark and eDMZ had other things they wanted to talk about, and we'll get to those next time.