Uncharted Waters

Oct 3 2012   7:51AM GMT

Bring Your Own Identity Is Here! (Mostly).

Matt Heusser

Back in March, I wrote a post called “Bring Your Own Identity” where I suggested that the next step in device management was to take these generic identity management tools (Facebook, Twitter, Google, Amazon) and allow users to log on with them inside the organization.

Bring Your Own Identity (BYOI) just arrived for business.

It is called “Identity”; it is Windows Azure Active Directory, and yes, it is from Microsoft.

Here’s why you might want to use it, how, and what it is.

The Backstory: The SaaS-y Company

Imagine a company that is 100% based on Software as a Service, or at least as close as we can reasonably come.  You have corporate email in Gmail, collaboration in Google Docs and Google+, project management in LeanKit Kanban (or maybe Pivotal Tracker), HR and sales using Salesforce.com, accounting in QuickBooks Online, PR using Radian6.  The desktop is just the device you use to get there; employees bring their own devices and use a Chromebook with no traditional operating system, or a Mac.  The operating system doesn’t matter; everything is web-based.

It sounds wonderful, but the reality of that world is maintaining about fifteen different logins.  On some of them, my email address will be my login; others will have a username.  Some will require a short password with a special character, others a longer one without.  These tend to change over time, so I will end up with six or seven similar, but not identical, logins; I will likely write the logins and passwords on a piece of paper that I try to hide … and now we have a security problem.  Of course I can’t tie these to Twitter or Facebook because, if I leave the company, the company needs to own the data.  There’s also no way I can tie these to Active Directory, because they are outside the firewall.

This is the void that Windows Azure Active Directory is trying to fill.  It exists outside the firewall, so you can use it as a login engine.  If the session is cached in the browser, you can “login with Azure” and skip the typing step.  Configure the firewall with the right holes and certificates, and you can even have desktop login from Azure.  There are third-party solution providers that can integrate Azure with other systems for you, and good ol’ Centrify, which enables companies to achieve single sign-on with Active Directory to anything: Linux, Mac, mobile devices, Windows-based SAP, ERP, and CRM systems, you name it.
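To make the “login engine” idea concrete, here is an added example that is not part of the original post and not code from Microsoft, Centrify, or any other vendor named here. It models a company-owned identity provider issuing signed login assertions to two SaaS applications that trust it instead of keeping their own passwords. Everything in it is an assumption for illustration: the class and method names, the constructed signing key and user, and the signing scheme (a plain HMAC-SHA256 over a JSON payload). Real federated logins use SAML assertions or OpenID Connect tokens signed with asymmetric keys, which this toy does not implement.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared key; assumption: every relying party holds a copy.
# Real deployments use the IdP's public signing certificate instead.
IDP_SIGNING_KEY = b"constructed-idp-key-not-for-real-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """The company-owned login engine: one user directory, many applications."""

    def __init__(self, key: bytes):
        self.key = key
        self.users = {}  # login -> {"enabled": bool}

    def add_user(self, login: str) -> None:
        self.users[login] = {"enabled": True}

    def disable_user(self, login: str) -> None:
        # Offboarding happens once here, not separately at fifteen SaaS vendors.
        self.users[login]["enabled"] = False

    def issue_token(self, login: str, audience: str, ttl: int = 300,
                    now: Optional[int] = None) -> str:
        """Return a signed assertion for one relying party; refuse disabled accounts."""
        now = int(time.time()) if now is None else now
        user = self.users.get(login)
        if not user or not user["enabled"]:
            raise PermissionError(f"{login} is not an active account")
        payload = {"sub": login, "aud": audience, "exp": now + ttl}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(sig)}"


class RelyingParty:
    """A SaaS application that trusts the IdP's assertions instead of a local password."""

    def __init__(self, name: str, idp_key: bytes):
        self.name = name
        self.idp_key = idp_key

    def verify(self, token: str, now: Optional[int] = None) -> Optional[str]:
        """Return the asserted login, or None if the token must not be accepted."""
        now = int(time.time()) if now is None else now
        try:
            body, sig = token.split(".")
            expected = hmac.new(self.idp_key, body.encode(), hashlib.sha256).digest()
            # Constant-time comparison; a plain == would leak timing information.
            if not hmac.compare_digest(expected, _unb64(sig)):
                return None
            payload = json.loads(_unb64(body))
        except ValueError:  # malformed token, bad base64, or bad JSON
            return None
        # Audience check: a token minted for one app must not work at another.
        if payload.get("aud") != self.name:
            return None
        # Short lifetime bounds how long a captured token is useful.
        if payload.get("exp", 0) <= now:
            return None
        return payload.get("sub")


if __name__ == "__main__":
    idp = IdentityProvider(IDP_SIGNING_KEY)
    idp.add_user("alice@example.com")  # constructed sample user
    crm = RelyingParty("crm", IDP_SIGNING_KEY)
    token = idp.issue_token("alice@example.com", "crm")
    print("crm accepts:", crm.verify(token))
    idp.disable_user("alice@example.com")
    try:
        idp.issue_token("alice@example.com", "crm")
    except PermissionError as exc:
        print("after offboarding:", exc)
```

The point the toy makes is the one the paragraph is after: the applications never see a password, a token for one application is rejected by another, expired or altered tokens are rejected, and disabling the account at the identity provider cuts off every application at once. That central cut-off is exactly what tying logins to a personal Twitter or Facebook account cannot give the company.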

We’ve got a lot of potential here, but I can’t help noticing that there aren’t many success stories.  Device management inside the firewall, or at least single login inside the firewall, has been around for years thanks to vendors like Centrify.  Outside of it, we have things like the Federal Government’s Common Access Card, which can inject login credentials into the browser, but not much in the private sector.  We could use LDAP and, in some instances, Active Directory outside the firewall, if the vendor supports it, but those integration points are painful and slow.

With Identity (Azure AD), things will be less painful … if the vendor supports it.

I know. You’ve heard that one before.  We have a solid theory now; what we need are success stories.

I’m with you, and I’m looking for them.

More to come.

1 Comment on this Post

  • What WaaD does for the marketplace « Musings from a Security Guy
    [...] was reading the following article from Matthew Heusser -Bring Your Own Identity Is Here! (Mostly). – Unchartered Waters – and he was covering some of what AD Azure can do for these ‘greenfield’ companies.  [...]
