IT Analysis: Who are you? The identity perimeter

By Bob Tarzey

If you are receptive to the ideas of the Jericho Forum, then you may well accept its view that the firewalls that used to demarcate the extent of control a business can exercise over its IT infrastructure can no longer be relied on. Of course, in most cases the firewalls are still there, but they have had to become increasingly porous as more and more of the legitimate access to IT applications is required from beyond their limits. Furthermore, with the increasing use of software-as-a-service (SaaS), many of the applications are themselves beyond the firewall.

Legitimate users need to be distinguished from the hackers that are increasingly focussed on the specific targeting of a given organisation’s IT infrastructure, often by passing themselves off as legitimate users. Supporting remote users (as well as internal ones) and keeping cyber-criminals and hacktivists at bay requires pushing the boundary of authorised access way beyond traditional firewalls to user access devices (whatever they may be); hence the concept of the identity perimeter.

The technology that can enable this, single sign-on (SSO), is not new, but many of the ways it is being used are. The traditional players in the identity and access management (IAM) market, namely CA, Oracle and IBM, have had SSO systems for many years. The primary use case has been to save users from remembering multiple usernames and passwords, which is considered a security issue because if they have too many, they start writing them down. These vendors have had to adapt to a new set of competitors that have designed their SSO systems to support the trends outlined above: increasing numbers of remote users (often using their own devices) and the increasing use of SaaS-based applications. The upstarts include Ping Identity, Okta, Symplified and SaaSID, as well as more established specialists like Imprivata, which has found a niche for SSO with the particular requirements of the healthcare sector.

These systems aim to establish a safe identity, wherever the user happens to be, as the ultimate perimeter to a given business’s IT activities. They link legitimate users with the resources they require, with the SSO system acting as an identity bridge. However, these systems can do much more than this and, in some cases, this is more about access to applications and data sources than identity, especially when it comes to dealing with customers.