By Matt Klassen
Staying out of the headlines should be a top priority for you and your organization. It may sound counter-intuitive, but all too many recent headlines have been about organizations that have failed to protect their corporate assets and interests. Ask Sony or Target about their experience on the front page. So what prevents your company from being next?
Pamela Dingle from Ping Identity's CTO Office recently presented a webinar on this topic. In her presentation, Pam outlined the current Identity and Access Management (IAM) landscape and examined the future of Next Generation Identity and its place in the age of security breaches.
IAM best practices and architecture are evolving quickly, and most organizations have not kept pace. At Ping Identity we believe that IAM best practices and technology may be one of your best defenses for keeping out of the security breach news.
Today, most organizations have several common IAM components in place that work to reduce the risk of breach. Common components in today's architecture include:
With these current-gen IAM components and standards you can accomplish a lot to reduce risk for your organization, including:
However, there are also several major gaps that many customers using current generation IAM cannot address in a comprehensive manner, creating risk for the organization. These include:
The Next Generation of Identity Security is fundamentally different from today's architecture. There are several transformational concepts that are critical to the architecture:
Next-Gen Identity ensures that all identities are tracked and managed, including users, software, and devices. Next-Gen addresses use cases seamlessly across human and machine identities to usher in the Post-Password Era.
By David Gorton
Last week in this blog series, we discussed what makes traditional identity security systems like CA Single Sign-On® (formerly called CA SiteMinder) inadequate for supporting and protecting today's business models and top IT initiatives. We also compared traditional identity and access management systems to Next Gen Identity solutions. Read last week's blog post. Today, we will describe the migration process from a traditional IAM system to a Next Gen Identity solution.
To start, migration is hard, expensive and filled with disruption. As you look at your identity and access management (IAM) infrastructure and evaluate whether the power and simplicity of a Next Gen Identity solution is worth the disruption to business-critical infrastructure, realize that you are already disrupting and adding complexity to your current identity solution to keep up with business demands.
If you are using a traditional IAM product like CA Single Sign-On, you have probably been wrestling with your infrastructure through upgrades, add-ons and difficult support issues. It might feel like everything is 'good enough', but the reality is that new IT business models are forcing another round of upgrades, add-ons and difficult support issues, impacting revenue and impeding worker productivity.
As we have architected and developed our Next Gen Identity solution, a common-sense approach to application migration has emerged. By following our four migration steps, much of the disruption can be reduced when moving your web access management (WAM) functionality away from CA Single Sign-On, while immediately taking advantage of the emerging IT business models.
Before we review our four migration steps, it is important to highlight a critical migration capability of the Ping Identity solution. Ping Identity architected the Next Gen Identity solution to co-exist, side-by-side, with existing CA Single Sign-On deployments. Through the advanced integration capabilities of PingFederate, CA Single Sign-On authentication events and web sessions can be shared across both identity security solutions. As a result, your end users will not be aware of the underlying system changes during a migration. Additionally (and importantly), your helpdesk staff won't be flooded with questions related to changed behavior, additional sign-ons or increased friction when users access their applications.
The four migration steps for successfully moving away from CA Single Sign-On to Next Gen Identity are:
The migration starts with planning. It is critical to survey your current infrastructure to understand how your users are authenticated, how access is managed, what policies are in place and what your web access management architecture should look like when the migration is completed. Note: our next blog post in this series will discuss some critical decisions that must be considered during the planning step.
After a solid plan has been developed, the installation and integration of the Next Gen Identity solution is performed. The integration with CA Single Sign-On is important to provide the end user with the same experience. This is also a good time to test the migration plan with a low-risk application.
Once the initial deployment is complete and the first several applications have been successfully migrated, it is time to ramp up migration. Full application migration starts in earnest, typically working from the simplest applications to the most complex.
The last step, after the applications have been migrated, is to finalize the migration. Once all the applications have been successfully migrated from CA Single Sign-On or other web access management systems, the integrations between CA Single Sign-On and the Next Gen Identity solution need to be removed. Ultimately, the CA Single Sign-On infrastructure can be turned off and retired.
When the migration is complete, your IT group should see significant cost savings. Additionally, your group will be positioned to handle the next decade of identity trends that are critical to maintaining a secure environment while also supporting your business.
See our migration guide executive brief for more information about our four migration steps.
Next week in this blog series, we will explain the technical strategies for authentication during a migration to a Next Gen Identity solution and the capabilities of such an identity security platform. In the meantime, here are some good related resources:
By David Gorton
As 2015 begins, the IT security industry is reviewing 2014's successes and failures, especially in terms of supporting new IT business models, such as SaaS, infrastructure as a service (IaaS) and expanded customer and partner access. Additionally, IT is reviewing its past methods of protecting (or failing to protect) information, particularly across web and API resources. Post-review, it is apparent that traditional identity and access management (IAM) systems, such as CA SiteMinder® (now called CA Single Sign-On), are inadequate.
Over the next several weeks, this blog series will:
Today, we'll cover the first two bullets.
First, while CA SiteMinder offers a comprehensive and highly customizable web access management (WAM) solution for internal users and applications deployed within a firewall, that customization and complexity work against it when IT wants to adopt new initiatives, such as connecting with SaaS applications, protecting applications deployed in IaaS, or adding APIs to applications to enable mobile apps and server-to-server communication.
For example, a new and important IT initiative is that of moving applications from expensive datacenter deployments into an IaaS, such as Amazon Web Services™ (AWS). However, the complexity of CA SiteMinder most often prevents this initiative. Specifically, connecting agents or proxies deployed in the IaaS back into on-premise policy servers results in costly network operations that increase request latency and significantly impact user experience. Trying to move policy servers into the IaaS shatters an already brittle system that is not prepared for an IaaS deployment. Ultimately, such attempts to extend to IaaS are costly and undermine the savings attributed to deploying to IaaS. (Watch our Cloud Readiness webinar.)
In contrast, Ping Identity has specifically architected our Next Gen Identity solutions to secure applications wherever they are deployed. Our Federated Access Management solution brings together single sign-on (SSO), federation, web and API access management and multi-factor authentication. Lightweight identity standards and protocols are used to support on-premise IAM deployments in conjunction with IaaS deployments. Wherever your organization is in the spectrum of IaaS adoption, Federated Access Management can secure your applications and enable their migration to wherever is most cost effective.
Another example of new business and IT initiatives overextending CA SiteMinder is that of adding native mobile app support and APIs. As applications are migrated, they are typically upgraded with new functionality, like adding APIs to support native mobile access or to enable server-to-server communication. However, this becomes a significant challenge for traditional IAM software like CA SiteMinder. In order to protect these new APIs, a new software component has to be added to the infrastructure. This results in two sets of security policies and two integrations with the identity infrastructure controlling access to the same information. Yet duplication is a security killer: these systems will inevitably get out of sync, leading to vulnerabilities that bad actors will exploit.
Again, in contrast, Ping Identity solutions directly address this shortcoming in CA SiteMinder and other traditional identity and access management software. Federated Access Management combines web and API access management into a single package. A single set of authentication and authorization policies is applied to both web applications and APIs. This completely removes the duplication and complexity of the 'two separate systems' problem that CA SiteMinder creates.
Of course, there are many more reasons to migrate from CA SiteMinder into Ping Identity's Next Gen Identity solutions. To illustrate this, we have created a simple table comparing the level of support for IT initiatives (trends) between Ping Identity IAM and CA SiteMinder. See for yourself how CA SiteMinder and other legacy systems are holding you back.
Finally, as the news of our Next Gen Identity solutions propagates through the IT security industry, we are getting many questions about migrating from CA SiteMinder to our Next Gen Identity solution. Next week, we will discuss this migration process.
In the meantime, good related resources include: