It's not a new notion, but one that is gaining adherents: Perimeter-based security options like firewalls and access controls just will not cut it for new technologies that expand beyond corporate networks.
"Identity is the new perimeter," said Andi Mann, a vice president at CA Technology, during a Google Hangout with other cloud experts sponsored by Datamation recently. "You can't lock down by firewalls any more – you can't even really lock down by application access anymore because you're getting portions of an application from different services and different providers."
Users are accessing these beyond-the-firewall services without IT knowing about it (shadow IT), employees are using their mobile phones to handle corporate information (BYOD). Those use cases and more are causing a rethinking of security approaches. "It's much more complex," said David Linthicum a vice president at consultancy Cloud Technology Partners, who also sat in on the Hangout.
Migrating to an identity-based security approach will be better for most organizations in the long run because it can be cheaper than investing in hardware and allows more flexibility, Mann and Linthicum agreed. Using an identity-based approach allows organizations to focus on who the person is and what they are allowed to access, rather than are they allowed through this barrier point. "It's a whole different mode and one that opens you up to be able to use multiple services from multiple providers, to take a best of breed public plus private approach," says Mann.
Take hybrid cloud computing: Many define it as any combination of on-premises and off-premises cloud resources. So, a database that's serving information to a cloud-based Salesforce.com customer relationship management tool, or a virtualized environment in a company's data center drawing on spare storage capacity in Amazon's cloud could be considered hybrid clouds. But when developers are spinning up virtual machines in the public cloud, the traditional firewall may not protect against corporate data flowing back and forth unprotected.
And hybrid cloud is where organizations are looking. Linthicum, who consults with customers on cloud adoption strategies, says most customers see hybrid cloud as an end goal. They want to retain their legacy installations, while moving hesitantly toward using outsourced options because of perceived lack of security and privacy.
"Pretty much everyone has it on their radar screens now," he says.
Mann says it's even more widespread. A recent CA study, he said, found that 94% of respondents from around the globe reported they're already using a combination of both on-premise and off-premise resources to create a hybrid environment. "This is even sooner than the near future, it's right now," he says.
Federated identity access management is not new, but the move to using cloud-based services makes the need for these systems greater, says IDC security analyst Sally Hudson.
"The traditional IT perimeter no longer exists, hence neither does the traditional perimeter defense posture," she wrote in an e-mail. But, that doesn't mean implementing these systems is just a plug-and-play and you're ready to go. "Next generation security monitoring, maintenance and management is expensive and requires highly skilled professionals," she says. "It will rely more on real time information profiling and back end analytics and less on passwords and simplistic access methods."
Vendors in this market include IBM, CA Technologies, RSA – the security division of EMC, Oracle, Covisint, NetIQ and Ping Identity, among other newer companies like Okta, OneLogin, ForgeRock and Symplified, she says.
Network World senior writer Brandon Butler covers cloud computing and social collaboration. He can be reached at BButler@nww.com and found on Twitter at @BButlerNWW.