User authentication from the cloud? Are you serious?
Why I don’t think cloud identity management is a good idea.
Has awareness of IT security increased in recent years? At least I had the impression that with WannaCry the topic of IT security first hit the mainstream media in 2017, and since then there have been repeated reports on large and small IT topics. But with the growing enthusiasm for “Cloud Identity Management” I really ask myself whether the people at the decision-making level of large companies understand anything about IT security at all.
In the last few years, companies such as Ping Identity, Auth0, OneLogin or Okta have refined their offerings and are now luring companies with a “win-win-win” promise. For that you really have to show respect to the marketing departments of these companies. They have managed to market the weakening of companies’ IT security as a security gain, and more and more companies are following this promise like lemmings.
Cloud Identity Management means that users only have to authenticate themselves once in the portal of this provider and can then access all systems of their own company for which they have the necessary authorizations. With this single sign-on, the login credentials remain solely with the cloud provider, and the permission to log into the individual services is conveyed e.g. via SAML or Shibboleth, i.e. via an encrypted and signed XML information exchange.
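To make the trust model concrete, here is an added example (not code from the original post or from any of the named providers) of the checks a service provider performs on an assertion received from the identity provider: issuer, audience, validity window and signature. All entity IDs, the subject name and the key are constructed; the XML namespaces of real SAML are omitted, and an HMAC over the assertion stands in for XML-DSig so the example runs on the standard library alone. The point it illustrates is that acceptance rests entirely on the key: the service provider cannot tell who actually produced a validly signed assertion.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, Optional

# Constructed values for the example; a real IdP uses an RSA/EC signing key.
IDP_KEY = b"constructed-idp-signing-key"
IDP_ENTITY_ID = "https://idp.example-cloud.test/saml"
SP_ENTITY_ID = "https://sp.example.internal/saml"

# Constructed, unsigned assertion as the IdP would issue it after a login.
ASSERTION = """<Assertion ID="_c1"><Issuer>{idp}</Issuer>
<Subject><NameID>alice@example.internal</NameID></Subject>
<Conditions NotBefore="2024-05-01T10:00:00+00:00" NotOnOrAfter="2024-05-01T10:05:00+00:00">
<AudienceRestriction><Audience>{sp}</Audience></AudienceRestriction></Conditions>
</Assertion>""".format(idp=IDP_ENTITY_ID, sp=SP_ENTITY_ID)


def _signing_input(assertion: ET.Element) -> bytes:
    # Serialize the assertion without its <Signature> child, mirroring the
    # enveloped-signature transform of XML-DSig (canonicalization omitted).
    clone = ET.fromstring(ET.tostring(assertion))
    for sig in clone.findall("Signature"):
        clone.remove(sig)
    return ET.tostring(clone)


def sign_assertion(xml_text: str, key: bytes) -> str:
    """What the IdP does: bind the assertion to its signing key."""
    root = ET.fromstring(xml_text)
    mac = hmac.new(key, _signing_input(root), hashlib.sha256).digest()
    ET.SubElement(root, "Signature").text = base64.b64encode(mac).decode()
    return ET.tostring(root, encoding="unicode")


def validate_assertion(xml_text: str, key: bytes, now: datetime) -> Optional[str]:
    """What the SP does: return the asserted subject if all checks pass, else None."""
    root = ET.fromstring(xml_text)
    sig = root.find("Signature")
    if sig is None or sig.text is None:
        return None
    expected = hmac.new(key, _signing_input(root), hashlib.sha256).digest()
    if not hmac.compare_digest(base64.b64decode(sig.text), expected):
        return None  # tampered, or signed by a key the SP does not trust
    if root.findtext("Issuer") != IDP_ENTITY_ID:
        return None
    cond = root.find("Conditions")
    if cond is None or cond.findtext("AudienceRestriction/Audience") != SP_ENTITY_ID:
        return None  # assertion was meant for a different service
    if not (datetime.fromisoformat(cond.get("NotBefore")) <= now
            < datetime.fromisoformat(cond.get("NotOnOrAfter"))):
        return None  # outside the validity window (replay protection)
    return root.findtext("Subject/NameID")


def check_cases() -> Dict[str, Optional[str]]:
    """Run the SP checks against a valid, a tampered, an expired and a foreign-key assertion."""
    now = datetime(2024, 5, 1, 10, 2, tzinfo=timezone.utc)
    signed = sign_assertion(ASSERTION, IDP_KEY)
    return {
        "valid": validate_assertion(signed, IDP_KEY, now),
        "tampered": validate_assertion(signed.replace("alice@", "mallory@"), IDP_KEY, now),
        "expired": validate_assertion(signed, IDP_KEY, datetime(2024, 5, 1, 11, 0, tzinfo=timezone.utc)),
        "wrong_key": validate_assertion(signed, b"some-other-key", now),
    }
```

Only the first case is accepted; the other three fail on exactly one check each, and nothing in the accepted case depends on anything but possession of the IdP key.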
The win-win-win promise
The benefit for users is very obvious. Instead of having to log in to each service separately, you can access all services through a central login. This saves time and nerves. Regular password changes or compliance with password rules can also be significantly simplified.
At the same time, the IT managers are also happy. They have one less topic to worry about and, if in doubt, can put the blame on an external service provider.
The management can also pat themselves on the shoulder because they have saved costs and increased the company’s efficiency.
So much for the marketing promise of Okta and Co. But I wonder how anyone can come up with the idea of handing central user authentication to a service provider. The alarm bells should ring for every data protection officer, every security officer and even every halfway capable IT employee. All applications that are connected to this identity management must be viewed as compromised — especially if the identity provider is based in the USA.
Typical German scare tactics or real danger?
This is not US bashing, and I don’t even want to demonize cloud offerings in general. But why do you have to put the master key for your own IT services in someone else’s hands? In the case of American providers, one must assume that the intelligence services will gain access in case of doubt, and the German government was already aware in 2013 that the USA was spying on key technologies developed in Germany.
For small teams or companies that do not have a dedicated employee for IT security or IT architecture, I may even be able to understand the decision in favor of a single sign-on service. If you don’t have the necessary employees and IT skills in your own company and don’t do your own research, it can make sense to use the services of an identity management provider such as Okta or Ping Identity.
The situation is different for large companies that protect their valuable research and development with entire IT security departments. There should be employees there who deal with these central questions and who also understand the scope of such a decision. The topic of IT security cannot be delegated, and besides Keycloak and CAS there are other offerings and solutions from the open source environment. Of course, setting up and running such a service is exhausting. But that can’t be the excuse.
Lack of competence or a cultural problem?
There are, of course, many reasons for this, but at its core I see the problem of a “culture of error prevention”. In Germany in particular, and perhaps also in Europe, there is a high probability that IT managers will be fired if IT costs repeatedly get out of hand. But when company data is encrypted, leaked or stolen, this is stylized as a form of force majeure.
Perhaps the reason is also a lack of awareness of the possible follow-up costs of lax IT security. The probability of IT security incidents is almost certainly systematically underestimated, and the resulting financial damage is never booked against the notoriously underfunded IT and IT security departments.
If you want to increase efficiency, do it right.
When it comes to IT security, I’ve taken an extreme stance in recent years. Of course, IT security must not slow down business processes, but sacrificing IT security for efficiency cannot be the right way to go either. You can and should employ external consultants if you do not have the necessary skills to set up your own identity management. Putting access to your own systems in someone else’s hands and hoping for the best can lead to a rude awakening.
Finally, I have a simple suggestion for further increasing efficiency. Dear entrepreneurs: Save yourself the fees for the cloud identity provider and simply use a single user account with an easy-to-remember password. It’s simple, convenient and easy to administer. And best of all: You could cut your IT expenses even further.