Active Directory-based identity access management is no longer confined to the corporate firewall, thanks to new tools that extend directories to mobile devices and SaaS apps.
Centrify and Okta Inc., two identity access management (IAM)
Frontporch Inc., a provider of advertising tools for Internet service providers, based in Sonora, Calif., uses Centrify's DirectControl for Macs product to allow employee-owned Apple laptops to join the company's domain.
The company beta tested Centrify's mobile device management (MDM) and Software as a Service (SaaS) apps because about 75% of the company's applications are on-premises, and the rest are SaaS, said David Miller, IT manager for Frontporch.
"But that's starting to change rapidly," Miller said. "There are more and more applications that are hosted out there. We try to vet those apps, but there are a lot of people just signing up for whatever."
A modern approach to IAM for mobile and SaaS apps will help the IT department support business and lessen the problem of employees creating shadow IT, Miller said.
"It's not our place to tell marketing to use a specific CRM [customer relationship management], but it is our place to work with marketing to figure out what they need and how to securely get it to them, whatever, whenever and wherever that may be," Miller said.
Legacy approaches to IAM, such as Microsoft's Active Directory (AD) or Oracle's Identity Manager, fail organizations: The products can't manage access from consumer endpoints, don't support rapid adoption of cloud services, and can't provide secure data exchange across user populations, said Eve Maler, an analyst with Forrester Research Inc., a Cambridge, Mass.-based IT research firm.
More on identity access from Okta
Okta also released a bevy of smaller features:
- The inclusion of Office 365 within the thousands of SaaS apps Okta already supports.
- Native iOS app to make provisioned applications on those devices identity-aware once a user signs into the Okta app. Android and Windows Phone apps are due in early 2013.
- SMS two-factor authentication in case IT decides certain applications, such as finance or cloud storage and file sync, need stricter access control.
Workers use personal mobile phones and tablets approximately 65% of the time, according to a June 2012 Forrester Research report. In addition, nearly 30% of those surveyed said employees were also provisioning their own software on those devices to use at work, including Dropbox, Box, SugarSync and Evernote, without IT's approval.
To limit the company's security footprint across mobile devices, Avecto, a Windows privilege rights management software vendor based in Andover, Mass., currently has a zero bring your own device (BYOD) policy. At the same time, there isn’t much it can do about employees who sign up for unsanctioned Web apps and use them on personal mobile devices, said Mark Austin, Avecto's CTO.
"There are so many Web applications users can access and too many different identities that can be compromised if corporate email addresses are used to register for them," Austin said. "Passwords are still one of the biggest problems, so any kind of software that mitigates those risks like single sign-on should be embraced."
The question IT departments need to ask is whether Active Directory should be the way to manage entitlements when apps move to the cloud and mobile, said Gregg Kreizman, an analyst at Gartner Inc., a Stamford, Conn.-based research firm.
"Mobile, cloud and social are disrupting and impacting identity to such a degree that it's forcing this once boring market to become really interesting," Kreizman said. "However, it's still logical to build off of AD and leverage this tool that everyone has and is familiar with."
Cloud, mobile IAM
Centrify, based in Sunnyvale, Calif., released DirectControl for SaaS, an identity system that plugs into Active Directory for single sign-on access to cloud apps and services, and Mobile Manager, which provides the same functionality for mobile devices, including Android, iOS and BlackBerry.
Users can self-provision a range of enterprise SaaS apps, including Office 365, Box, Salesforce and Gmail, through the MyApps portal. There are also tools for resetting passwords and for remotely wiping provisioned apps from a mobile device in case it is lost or stolen.
Centrify has tried to shift some of the most cumbersome IT burdens onto users themselves, while still giving IT admins the control they need to grant employees secure access to SaaS apps and mobile productivity. Both products are currently in open beta and will be available in the first quarter of 2013. They are free for up to three provisioned apps; beyond that there is a $4 per-user, per-month charge.
Okta, based in San Francisco, Calif., introduced its Enterprise Identity Network, the first step in its plan to help IT departments replace legacy identity access management systems. Now, instead of simply integrating with existing Active Directory installations, Okta can provide the same access to legacy applications without AD.
The network is a "central system of identity in the cloud" for the various ways organizations will provide identity across SaaS apps, mobile applications and legacy applications, said Okta founder Todd McKinnon. "Companies shouldn't have to rely on two systems of identity, with one of them bolted on to an existing system."