The Evolution of Identity and Access

For over 20 years, there has been a trend to consolidate enterprise identities as a single store of record. Many cite the introduction of Sun’s LDAP in 1997 as the first popularly accepted non-resource-based identity system. This was quickly followed by Microsoft’s introduction of Active Directory in Windows Server 2000, based on LDAP.  Today, it is no longer under the contention that an enterprise should have a consolidated, centralized store of identity. The big question has become “where.”

Cloud Model

Most enterprises have either moved or are moving to a cloud model for identity. Okta led the world with its industry-changing Identity as a service product in 2009. They immediately integrated the solution with a single-sign-on platform that basically signaled to the world that cloud-based (SaaS) applications were the ideal way to deploy and integrate solutions.

Microsoft, of course, was quick to follow the Active Directory Federated Services (ADFS) in 2003.  From there, it was apparent to all that the cloud was not a fad. It became the way to not only host applications and servers but to host and administrate users securely.

Centralized Identity Store Integration

Over the last decade, the question of how to integrate all of one’s resources into these centralized identity stores was raised. When these identity cloud solutions were first introduced, the predominant deployment mechanism was web-based. SSO integration to these resources was secured through methodologies such as SAML, a cryptographically secure system to secure a connection from the relying party to the identity provider. Most early applications utilized SAML as their integration methodology which is still the predominant method of SSO for secure applications today.

Mobile Market

The industry has grown rapidly and new devices and users were added to the equation. A significant change was the explosion of the mobile market where the users came to the resources without going to a W3C-approved browser. Instead, they were obtaining the resources via applications.

SSO/ Identity Transfer

SSO and the identity transfer system had to support this shift.  Thus, protocols like OIDC came into play to help enterprises quickly integrate without a crypto key exchange overhead.  Today, most mobile applications are using OAuth 2.0 for integrations.    

The identity providers, especially the cloud identity providers, had to integrate with these lightweight integration protocols to ensure viability and to take advantage of the exploding mobile space.  Identity providers and the public have responded with faster adoption of cloud identities.

IDAAS and Beyond!

The cloud has gone far beyond just web and mobile applications. Cloud identity vendors such as Jumpcloud have integrated on-premise, and expensive mechanisms like domain integration and mobile device management features into their cloud directory platorm.

The one space is still emerging is identity governance for the cloud resources.  Most of the industry is doing their identity attestations, as NIST SP 800-53 PR recommended recommended.AC-4 and mandated by regulator guidances like SOX, SOC2, HIPAA/HITRUST, PCI-DSS, GLB, ISO 27001, and now, CMMC though cumbersome on-premise solutions.

Assign Reviewers
Image #1: With the explosion of cloud-based identity providers, it just follows that tools like YouAttest are needed to perform identity access certifications (NIST 800-53, PR.AC-4) on these platforms

The trend is cloud-based identity attestation systems like YouAttest that integrate directly into the cloud IDAM providers – saving months of integration and associated deployment costs.

YouAttest is an automated identity audit tool for your identity and access controls. Cloud-based and simple to use – YouAttest provides a unified risk platform for your identity audits with the quickest time-to-value and no implementation cost. Contact us and we will start your identity auditing journey.

Facebook
Twitter
LinkedIn

More
articles