Identity management continues to move toward the cloud
Verizon Enterprise Solutions today announced a series of feature enhancements and European availability for its cloud-based Universal Identity Services, as the march toward a single, trusted and universal identity for citizens and government employees continues.
Identity and access as a service, or IDaaS, is projected to account for 25 percent of all new identity and access management sales by the end of 2015, compared with 5 percent in 2012, according to a recent Gartner study. By the end of this year, the total IDaaS market is expected to reach $265 million.
Verizon Universal Identity Services uses multifactor authentication to verify users are who they say they are by combining an individual’s username and password with a computing device that generates a one-time password or a biometric scan, such as fingerprint recognition. Once authenticated, users can securely access online content such as websites, corporate resources and even electronic medical records from their computer, smartphone or tablet.
The “Verizon 2013 Data Breach Investigations Report” found weak or stolen passwords and credentials account for 76 percent of data breaches, underscoring the need for stronger online identities, said Tracy Hulver, the company’s chief identity strategist.
“We have made it so complex for users, especially the ones with multiple systems to sign into, that they start writing down [passwords] because they can’t keep track of all of them,” Hulver said. “But interestingly, none of the breaches we investigated were the result of second-factor authentication weakness.”
And that’s an important distinction for cloud-based identity and access management services, experts say, particularly because the cloud has moved the traditional security perimeter away from the firewall and onto the user’s identity.
“With the domination of cloud, SaaS and mobile, enterprise IT organizations have been forced to look outside of typical perimeter defense and adopt new [identity and access management] solutions as the perimeter around corporate access,” said Jay Kaplan, CEO of Synack Inc. and a former NSA analyst. “Firewalls, VPNs and traditional perimeter security still have their place, however, today’s fragmented IT environment has spurred innovation in identity management essential to IT security as a whole.”
Hulver agrees, but with one caveat. “The perimeter is still really the data or the resources you’re trying to protect,” Hulver said. “And there’s a difference between authentication and authorization. That’s where a lot of identity systems fail.”
To date, two-factor authentication in the government has primarily taken the form of a password combined with a smart card, such as the Common Access Card used by the Defense Department or the Personal Identity Verification card used by the Department of Homeland Security. But those cards can be expensive: the agency must cover the cost of the cards themselves as well as the infrastructure needed to issue them, read them to grant access and provide a host of other on-location services, Hulver said.
DHS, for example, announced in May it plans to overhaul the entire DHS identity and credentialing system to the tune of $99.5 million. DHS plans to replace its current inventory of more than 270,000 PIV cards with a smart card infrastructure capable of leveraging multiple forms of biometrics.
“You can provide a cloud-based service much less expensively,” Hulver said. “It’s a lot easier to have a third-party identity provider rather than have separate agency identity stores and federate all of them.”
While many government officials recognize the cost and management challenges are major issues they must deal with, the acceptance of cloud-based identity management in the government has been mixed.
“Some agencies are on-board with a single identity and credential,” Hulver said. “There are also people in the government who don’t trust that.”
But the uncertainty surrounding the current federal budget outlook could be another factor pushing the government toward IDaaS. The government’s main effort to promote a standards-based single sign-on capability, known as the Identity, Credential and Access Management initiative, for example, is considered by many senior IT officials to be an unfunded mandate that is complex and difficult to deploy successfully.
And while building independent identity repositories in stovepipes and trying to integrate and federate those repositories after the fact has been a problem for government in the past, it is no longer an approach that will escape financial scrutiny.
“In general, identity-as-a-service is still fairly new,” Hulver said. And because it’s so new, “people still have a tendency to question if they want to use cloud or maintain total control.”
Today, there are several pilot projects in the planning stages that will test the Verizon IDaaS in the citizen-services arena, allowing citizens to enroll and use their single identity to access various government websites and services, Hulver said. Although he would not name the agencies involved, the pilots will require cross-agency integration, he said. Verizon is also in discussions with the Federal Risk and Authorization Management Program about IDaaS certification, he added.
But will the cloud finally usher in the era of the single, universal identity? Maybe, and not without some risk, Kaplan said.
“Recent adoption around standards such as SAML, OpenID, OAuth and SCIM is certainly moving us closer to a single, universal identity for authentication and user administration,” Kaplan said. “It’s clear, however, that the centralization of such functions also necessitates secure implementation; a breach in the [single sign-on] service itself could equate to putting a large number of sensitive resources at risk across multiple environments.”