Businesses are increasingly moving to the cloud because it offers obvious advantages such as lower costs and a wide range of features, but at the same time there are concerns about the risks to data security in the cloud. Software vendors continue to move features, functions and data into the cloud, which has led to increased use of cloud-based desktop and mobile applications. This has driven the popularity of Identity as a Service, or Identity Management as a Service (IDaaS), an authentication infrastructure hosted in the cloud.
What do I need to know about IDaaS for the CISSP exam?
Identity as a Service, or IDaaS, is a service provided by a third party that builds, hosts and manages an authentication infrastructure. It typically offers easier management, broad integration options and a smaller on-site infrastructure.
According to PCMag, the following are some of the best Identity Management as a Service solutions this year. The solutions were rated on characteristics such as lowest price, directory connector, comprehensive report library, password sync, multiple SSO policies, user self-service, user-customizable SSO portal, support for SaaS, mobile SSO, SAML authentication and third-party multifactor providers.
Okta Identity Management
Windows Azure Active Directory
Centrify Identity Service
Ping Identity PingOne
What does IDaaS functionality include?
IDaaS provides identity and access management functions to systems both on customer premises and in the cloud. Its basic functionality includes:
Access: This covers Single Sign-On (SSO), authorization enforcement and user authentication. SSO lets employees, customers and partners obtain fast, easy and secure access to all Software as a Service, mobile and enterprise apps with a single authentication using their corporate credentials. For authentication, different adaptive methods can be applied depending on the level of risk, a change in circumstances or the sensitivity of the application.
Identity Governance and Administration (IGA): This provides target applications with individual service identities by managing identity and access life cycles across a number of systems. Core IGA functions include identity lifecycle management, access requests, role and policy management, workflow orchestration, auditing, password management, reporting and analytics, and access certification.
Intelligence: This provides reporting on logs and answers log-related questions. With on-premises provisioning, user data can be synchronized with enterprise and web applications.
What are the Benefits of IDaaS?
As mentioned above, IDaaS brings ease of use and rich functionality, which is why it is a widely adopted choice for identity and access management across organizations. Let us look at some of the benefits it offers.
Affordable: In the past, investing in a cybersecurity solution was something only large organizations could consider because of the high costs involved. Being cloud-based, Identity Management as a Service is an affordable security solution. Because of its affordability and functionality, IDaaS may soon become a much-demanded service among customers.
Improved Management: Again, because it is cloud-based, it offers customers convenience and simpler management.
Security of Cloud-based Apps: Apps are everywhere, and most businesses now have their own apps for the ease and convenience of their customers. But as well as providing functionality, apps can be susceptible to threats if they are not properly secured. IDaaS helps provide secure access to apps through authentication and access controls.
Easy Implementation without Help from Experts: Unlike conventional IAM, where a CISO has to worry about hiring experts for the team, Identity Management as a Service does not depend on in-house IAM professionals for implementation. IAM experts are not only difficult to hire, they often move to competitors or consulting firms after receiving training. With IDaaS, on the other hand, the IAM experts are employees of the third-party provider who operate the already established identity and access governance.
Easy to Upgrade: Conventional IAM takes a long time to upgrade. IDaaS providers upgrade their infrastructure according to their own roadmap and are responsible for doing so on time. Competition among providers works to the customer's benefit, since each provider wants to make new capabilities available before its competitors do.
Better Security: A cloud service provider does not want to lose its customers at any cost, and when it comes to security it wants you to have full trust in it; losing customer trust means losing money.
Centralized Management: The single login offered by most IDaaS solutions allows businesses to manage everything in one place, with a single dashboard, interface and infrastructure.
Support on Demand: Some cloud-based solutions provide their customers with 24-hour monitoring and on-demand technical support from experts.
Reduced Risk: The service-based architecture considerably reduces the associated business risk, because if a Software as a Service solution does not deliver according to organizational requirements it can be canceled at any time, unlike licensed software.
Easy Sharing Across the Network: Identity Management as a Service is cloud-supported and therefore makes sharing easier across the network of users. New software, for instance, can be made available to all network users simultaneously.
Regardless of its size, an organization can gain the advantages of comprehensive Identity and Access Management (IAM) through IDaaS. Because IDaaS is cloud-based, even small organizations that cannot build, maintain and manage such infrastructure themselves can benefit from it.
With the IT environment changing constantly, business operations have become more complex and harder to secure. Employees sometimes need multiple identities for different platforms across a business, each with its own username and password. Moreover, when an employee leaves, all associated accounts need to be disabled. Managing identity and access with conventional IAM is difficult, expensive and time-consuming. Identity Management as a Service provides better functionality to support the diversity of the IT environment.
Beyond identifying people, the Internet of Things (IoT) has also increased the significance of the identity of things. Since IoT devices present opportunities to malicious users, IDaaS can help manage and secure access to internet-connected devices.
What types of third-party identity services do I need to know?
Directory Synchronization, or DirSync, is the short name for the Windows Azure Active Directory Connect Tool (formerly called the Azure Active Directory Synchronization Tool). It copies the local directory in a Microsoft Exchange hybrid cloud arrangement and propagates the copy to an Active Directory instance in the Windows Azure cloud. It runs every few hours and transfers changes in the on-premises directory to the cloud. Changes are only allowed to flow from the on-premises directory to the cloud, never from the cloud back to the directory. It therefore helps small businesses and professionals synchronize on-premises AD users to Office 365.
The DirSync tool can be installed on a server in Azure or on-premises. However, installing it in Azure is recommended for the following reasons:
Cloud-based servers can be configured and provisioned much faster, so services reach customers on time.
It provides improved site availability with little effort.
It lets organizations reduce the number of on-premises servers.
Federated Identity Management (FIM)
This is a form of identity management in which a single identification credential is used across multiple enterprises to subscribe to and access the data of all enterprises in the network. This arrangement is also called identity federation.
Federated Identity Management can help companies with different standards and technologies share their expertise. It is a cost-effective solution: sharing a single application, for example, can deliver consolidated cost savings for all the partners. Security Assertion Markup Language (SAML) allows partners to transmit authorization messages across the FIM system. SAML can recognize whether a user is a person or a machine and define their level of access accordingly. FIM has the advantage of letting every enterprise keep its own directory while exchanging data safely.
In addition to SAML, Federated Identity Management can be achieved through the Higgins trust framework, OpenID and information cards.
Federated Identity provides increased security because the authentication process can be kept under the on-premises Active Directory (AD). It also significantly reduces administrative overhead and increases employee productivity, since employees no longer have to provide their credentials separately for every application. If an organization already has an Active Directory structure in place, Federated Identity can be implemented without recurring costs.
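As an added example (not from the original article), here are the checks a service provider in a federation performs on a partner's SAML assertion once its signature has been verified: trusted issuer, intended audience and validity window. The assertion, issuer and entity-ID URLs are constructed for illustration; XML-DSig signature verification needs a dedicated library and is out of scope here. Written in Go with only the standard library.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"time"
)

// Assertion holds the parts of a SAML 2.0 assertion a relying party must check after
// the signature has been verified (XML-DSig verification itself is out of scope here).
type Assertion struct {
	XMLName    xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	Issuer     string   `xml:"Issuer"`
	Subject    struct{ NameID string `xml:"NameID"` } `xml:"Subject"`
	Conditions struct {
		NotBefore    time.Time `xml:"NotBefore,attr"`
		NotOnOrAfter time.Time `xml:"NotOnOrAfter,attr"`
		Audience     []string  `xml:"AudienceRestriction>Audience"`
	} `xml:"Conditions"`
}

// sampleAssertion is a constructed, unsigned assertion as a partner IdP might issue it.
const sampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
<saml:Issuer>https://idp.partner.example</saml:Issuer>
<saml:Subject><saml:NameID>alice@partner.example</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2024-01-15T10:00:00Z" NotOnOrAfter="2024-01-15T10:05:00Z"><saml:AudienceRestriction>
<saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion>`

// ValidateAssertion parses the XML and enforces the trust boundary between federated partners:
// the assertion must come from the configured partner IdP, name this SP as its audience,
// and be inside its validity window (with a small clock-skew allowance).
func ValidateAssertion(doc, trustedIssuer, ourEntityID string, now time.Time) (*Assertion, error) {
	var a Assertion
	if err := xml.Unmarshal([]byte(doc), &a); err != nil {
		return nil, err
	}
	if a.Issuer != trustedIssuer {
		return nil, fmt.Errorf("untrusted issuer %q", a.Issuer)
	}
	c, skew := a.Conditions, 2*time.Minute
	if now.Add(skew).Before(c.NotBefore) || !now.Add(-skew).Before(c.NotOnOrAfter) {
		return nil, fmt.Errorf("assertion outside validity window %s to %s", c.NotBefore, c.NotOnOrAfter)
	}
	for _, aud := range c.Audience {
		if aud == ourEntityID {
			return &a, nil
		}
	}
	return nil, fmt.Errorf("assertion not addressed to %q", ourEntityID)
}

func main() {
	now := time.Date(2024, 1, 15, 10, 2, 0, 0, time.UTC) // fixed clock matching the constructed sample
	fmt.Println(ValidateAssertion(sampleAssertion, "https://idp.partner.example", "https://sp.example.com", now))
}
```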
Fast ID Online (FIDO)
This is a set of security specifications for strong authentication developed by the FIDO Alliance in 2012. The specifications support public key cryptography and multi-factor authentication. With FIDO-compliant authentication, users do not necessarily need to keep strong passwords or go through a password recovery procedure if they forget a password. This is because FIDO authenticates the user and keeps information such as biometric data on the user's device rather than on a server. This serves to protect users who have their personal data on a server in the cloud.
When the protocol is implemented within Application Programming Interfaces (APIs), it considerably reduces work for developers, who no longer need to build secure logins for mobile customers with various operating systems on a variety of hardware. FIDO supports the Universal Second Factor (U2F) protocol and the Universal Authentication Framework (UAF) protocol. With UAF, the client device generates a key pair when registering with an online service, keeps the private key and registers the public key with the service. When authenticating, the client device proves that it possesses the private key by signing a challenge from the service, which it does only after the user performs a local gesture such as entering a PIN or providing a fingerprint. U2F requires a second factor, such as a USB security token or a Near Field Communication (NFC) tap.
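A simplified model of the UAF-style registration and challenge-response flow described above, added here as an example and not taken from the article or the FIDO specifications: the authenticator creates a key pair per origin at registration, hands over only the public key, and later signs a server challenge bound to that origin after a local user gesture. Go standard library only (ecdsa.SignASN1 needs Go 1.15 or later); the origin, the nonce and the userVerified flag are constructed stand-ins for the real UAF message formats.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the client device: one private key per origin, never exported.
type Authenticator map[string]*ecdsa.PrivateKey
// RelyingParty models the online service, which stores only the registered public key.
type RelyingParty struct {
	Origin    string
	PublicKey *ecdsa.PublicKey
}
// Register creates a P-256 key pair for the origin and returns only the public half.
func (a Authenticator) Register(origin string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[origin] = priv
	return &priv.PublicKey, nil
}
// Sign answers a challenge only after the local gesture (PIN or fingerprint, modelled by
// userVerified) succeeds; binding the origin into the signed data ties the assertion to one site.
func (a Authenticator) Sign(origin string, challenge []byte, userVerified bool) ([]byte, error) {
	priv, ok := a[origin]
	if !ok || !userVerified {
		return nil, fmt.Errorf("no credential for %q or user verification failed", origin)
	}
	digest := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify is the server side: rebuild the digest over its own origin and the challenge it issued.
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	digest := sha256.Sum256(append([]byte(rp.Origin+"|"), challenge...))
	return ecdsa.VerifyASN1(rp.PublicKey, digest[:], sig)
}

func main() {
	auth, rp := Authenticator{}, &RelyingParty{Origin: "https://example.com"}
	rp.PublicKey, _ = auth.Register(rp.Origin) // registration: only the public key leaves the device
	challenge := []byte("constructed-server-nonce")  // a real server draws this at random per login
	sig, _ := auth.Sign(rp.Origin, challenge, true)
	fmt.Println("assertion valid:", rp.Verify(challenge, sig))
}
```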