By David Gorton
Last week in this blog series, we discussed what makes traditional identity security systems like CA Single Sign-On® (formerly called CA SiteMinder) inadequate for supporting and protecting today's business models and top IT initiatives. We also compared traditional identity and access management systems to Next Gen Identity solutions. Read last week's blog post. Today, we will describe the migration process from a traditional IAM system to a Next Gen Identity solution.
To start, migration is hard, expensive and filled with disruption. As you look at your identity and access management (IAM) infrastructure and evaluate whether the power and simplicity of a Next Gen Identity solution is worth the disruption to business-critical infrastructure, realize that you are already disrupting and adding complexity to your current identity solution to keep up with business demands.
If you are using a traditional IAM product like CA Single Sign-On, you have probably been wrestling with your infrastructure through upgrades, add-ons and difficult support issues. It might feel like everything is 'good enough', but the reality is that new IT business models are forcing another round of upgrades, add-ons and difficult support issues, impacting revenue and impeding worker productivity.
As we have architected and developed our Next Gen Identity solution, a common sense approach to application migration has emerged. By following our four migration steps, much of the disruption can be reduced when moving your web access management (WAM) functionality away from CA Single Sign-On while immediately taking advantage of the emerging IT business models.
Before we review our four migration steps, it is important to highlight a critical migration capability of the Ping Identity solution. Ping Identity architected the Next Gen Identity solution to co-exist, side-by-side, with the existing CA Single Sign-On deployments. Through the advanced integration capabilities of PingFederate, CA Single Sign-On authentication events and web sessions can be shared across both identity security solutions. As a result, your end-users will not be aware of the underlying system changes during a migration. Additionally (and importantly), your helpdesk staff won't be flooded with questions related to changed behavior, additional sign-ons or increased friction when accessing their applications.
The four migration steps for successfully moving away from CA Single Sign-On to Next Gen Identity are planning, installation and integration, application migration, and finalization. Each is described in turn below.
The migration starts with planning. It is critical to survey your current infrastructure to understand how your users are authenticated, how access is managed, what policies are in place and what your web access management architecture should look like when the migration is completed. Note: our next blog post in this series will discuss some critical decisions that must be considered during the planning step.
After a solid plan has been developed, the installation and integration of the Next Gen Identity solution is performed. The integration with CA Single Sign-On is important to provide the end user with the same experience. This is also a good time to test the migration plan with an application that has low risk when migrated.
Once the initial deployment is complete and the first several applications have been successfully migrated, it is time to ramp up migration. Full application migration starts in earnest, typically working from the simplest applications to the most complex.
The last step, after the applications have been migrated, is to finalize the migration. Once all the applications have been successfully migrated from CA Single Sign-On or other web access management systems, the integrations between CA Single Sign-On and the Next Gen Identity solution need to be removed. Ultimately, the CA Single Sign-On infrastructure can be turned off and retired.
When the migration is complete, your IT group should see significant cost savings. Additionally, your group will be positioned to handle the next decade of identity trends that are critical to maintain a secure environment while also supporting your business.
See our migration guide executive brief for more information about our four migration steps.
Next week in this blog series, we will explain the technical strategies for authentication during a migration to a Next Gen Identity solution and the capabilities of such an identity security platform. In the meantime, here are some good related resources:
By David Gorton
As 2015 begins, the IT security industry is reviewing 2014's successes and failures, especially in terms of supporting new IT business models, such as SaaS, infrastructure as a service (IaaS) and expanded customer and partner access. Additionally, IT is reviewing its past methods of protecting (or failing to protect) information, particularly across web and API resources. Post-review, it is apparent that traditional identity and access management (IAM) systems, such as CA SiteMinder® (now called CA Single Sign-On), are inadequate.
Over the next several weeks, this blog series will:
Today, we'll cover the first two bullets.
First, while CA SiteMinder offers a comprehensive and highly customizable web access management (WAM) solution for internal users and applications deployed within a firewall, that customization and complexity work against it when IT wants to adopt new initiatives, such as connecting with SaaS applications, protecting applications deployed in IaaS, or adding APIs to applications to enable mobile apps and server-to-server communication.
For example, a new and important IT initiative is moving applications from expensive datacenter deployments into an IaaS, such as Amazon Web Services™ (AWS). However, the complexity of CA SiteMinder most often prevents this initiative. Specifically, connecting agents or proxies deployed at the IaaS back into on-premise policy servers results in costly network round trips that increase request latency and significantly impact user experience. Trying to move the policy servers into the IaaS instead shatters an already brittle system that was never prepared for an IaaS deployment. Ultimately, such attempts to extend to IaaS are costly and undermine the savings attributed to deploying to IaaS. (Watch our Cloud Readiness webinar.)
In contrast, Ping Identity has specifically architected our Next Gen Identity solutions to secure applications wherever they are deployed. Our Federated Access Management solution brings together single sign-on (SSO), federation, web and API access management and multi-factor authentication. Lightweight identity standards and protocols are used to support on-premise IAM deployments in conjunction with IaaS deployments. Wherever your organization is in the spectrum of IaaS adoption, Federated Access Management can secure your applications and enable their migration to wherever is most cost-effective.
Another example of new business and IT initiatives overextending CA SiteMinder is adding native mobile app support and APIs. As applications are migrated, they are typically upgraded with new functionality, like adding APIs to support native mobile access or to enable server-to-server communication. However, this becomes a significant challenge for traditional IAM software like CA SiteMinder. In order to protect these new APIs, a new software component has to be added to the infrastructure. This results in two sets of security policies, and two integrations with the identity infrastructure, controlling access to the same information. Yet duplication is a security killer: these systems will inevitably get out of sync, leading to vulnerabilities that bad actors will exploit.
Again, in contrast, Ping Identity solutions directly address this shortcoming in CA SiteMinder and other traditional identity and access management software. Federated Access Management combines web and API access management into a single package. A single set of authentication and authorization policies is applied to both web applications and APIs. This completely removes the duplication and complexity of the 'two separate systems' problem that CA SiteMinder creates.
Of course, there are many more reasons to migrate from CA SiteMinder into Ping Identity's Next Gen Identity solutions. To illustrate this, we have created a simple table comparing the level of support for IT initiatives (trends) between Ping Identity IAM and CA SiteMinder. See for yourself how CA SiteMinder and other legacy systems are holding you back.
Finally, as the news of our Next Gen Identity solutions propagates through the IT security industry, we are getting many questions about migrating from CA SiteMinder to our Next Gen Identity solution. Next week, we will discuss this migration process.
In the meantime, good related resources include:
By Andre Durand
What You Need to Know About Obama's Security Proposal
President Obama proposed new cybersecurity measures during the State of the Union Address, spurring fresh debate on whether the new proposals are meant to encourage commercial cybersecurity and blunt cyber attacks, or to advance an insatiable obsession with data collection and surveillance by leveraging the public humiliation and blackmail of Sony Pictures Entertainment and the horrible attack at Charlie Hebdo.
On the surface, the new Personal Data Notification and Protection Act appears pro-consumer in requiring that companies notify customers of data breaches within 30 days. But who does this really help? There are already notification laws in 46 states. Some industries, such as credit card and payments processing, impose much tougher standards than the president's 30-day proposal and hold the breached entities responsible for costs, counting every hour and day until issuer and consumer notification.
By contrast, European companies are required to notify breaches within 24 hours, not 30 days, and since IT is a global market, American firms serving the EU market must already comply. So, why go backwards?
While passing a single uber-notification law might make life simpler for companies struggling with a breach, it does nothing to address the real issue: improving cybersecurity to prevent these breaches in the first place. In fact, it could do the opposite. Meaningful reforms must address the root issues and not simply provide window dressing for their failures.
Since the advent of the Internet, the federal government has made a case for monitoring access to online data, often without warrant or subpoena, for the stated purposes of law enforcement, national security and anti-terrorism surveillance. These efforts were merely redoubled after 9/11; they were not new policy. Companies are regularly threatened with expensive fines and protracted litigation for failing to comply, and are, in turn, incentivized with promises of liability indemnification against customer lawsuits over privacy.
The Personal Data Notification and Protection Act is expected to further criminalize the sale of stolen identity data. This is an effort to expand on federal enforcement against spyware, empowering courts to order botnets to be shut down, and providing companies liability protection for information-sharing with federal agencies.
While these proposed measures sound reasonable, the last point is highly contentious from a privacy standpoint, and sadly, diverts the discussion away from improving cybersecurity to its precise opposite: enabling unfettered federal access to customer data managed by U.S. IT suppliers, and undermining encryption and Internet security to do so.
This proposed aspect of the new legislation will formalize these tactics, giving them the force of law. Intelligence agencies use these means to obtain direct access to a provider's networks and data stores; because they will not disclose who or what they are looking for at any point in time, they claim to need on-demand access to everything.
Subverting encryption technology and Internet security is costing U.S. citizens, the technology industry and the nation's economy an escalating and devastating price in cyberattacks. The resulting global mistrust of the entire U.S. IT industry, long suspected even before the Snowden revelations, could cost the industry here an estimated $20 billion to $180 billion over the next three years.
The U.S. policy of trying to mitigate cyber-attacks on one hand, while persistently subverting the basic security measures essential to protect against them on the other, is schizophrenic and must stop. Instead, the U.S. government must accept the fact that cybersecurity and privacy are not inherent enemies of national security; they are really one and the same. We should adopt pro-cybersecurity and pro-privacy policies as our best insurance against this new and potent form of warfare.
We should propose legislation that delivers secure e-government services directly to citizens. Nearly every major attack in recent history has exploited people's identities in some way, whether through accessing their email addresses or Social Security numbers, hacking into a computer or mobile device, or stealing a credit card number. Managing security at the individual identity level is essential to making a difference in fighting cybercrime in today's climate. To do this effectively, we need mechanisms for extending the identity-proofing services already provided by some agencies and for allowing the issuance of digital identity credentials. The express intent of such an e-governance initiative would be to improve security, protect privacy and reduce the potential for identity-theft-related cyberfraud, without further eroding privacy.
Additional policies to proactively improve cybersecurity should also be studied and proposed. For example, strong authentication measures such as two-factor mobile authentication must be widely adopted, and those organizations that comply with tough cybersecurity standards should be granted safe harbor provisions to encourage action. Cloud data must be encrypted at the end user level, facilitated by third-party key management and identity federation services. Anything else is just a Band-Aid on the Titanic.