In recent months, examples abound of the hazards posed by lackluster authentication systems. Breaches at large companies and government agencies, from Blue Cross to Home Depot to the U.S. Office of Personnel Management, have served as a wake-up call for those affected and a warning sign for those at risk. Identity management systems are a core piece of the security puzzle.
A significant challenge with identity management is to balance the need for security and ease-of-use. IT managers are often forced to make tradeoffs. The most robust system is apt to require a multi-step authentication process. The fastest sign-on process may be more vulnerable to breaches.
The act of balancing security and simplicity involves some added subtleties for users of virtual desktop infrastructure (VDI). At the network level, it means scaling and managing communications with a security layer independent from any single device or application. For individual users, access policies must encompass user roles and device types as well as ever-shifting physical locations.
Secure identity management in general has become more challenging as enterprises move from fixed workstations to a mobile, multi-device environment, says Sal D’Agostino, CEO of IDmachines, an identity management consultancy. Virtualization and the rise of bring-your-own-device workplaces are accelerating that shift.
Simple sign-on processes are still a sought-after goal. But in the wake of high profile security breaches, D’Agostino says IT managers in virtualized environments have been putting greater emphasis on keeping intruders at bay and are willing to sacrifice some convenience in order to do so.
To that end, D’Agostino advises a four-step approach to secure identity management:
- Determine the most crucial information to protect
- Deploy encryption where feasible
- Add extra security layers for users with access to the most sensitive data
- Implement multi-factor authentication.
“You want to identify the so-called crown jewels and make sure they’re well protected,” he says. That’s especially crucial in heavily regulated industries, such as health care and sectors such as retail, where a well-publicized hack can have a devastating affect on the bottom line.
Emerging open source and cross-platform protocols for identify management and authentication promise to help simplify matters. The SCIM open standard (short for System for Cross-domain Identity Management), which launched its version 2.0 last year, provides a method for automating the exchange of user identity information between IT systems. It’s designed for enterprises deploying identity infrastructure in cloud and software-as-a-service environments and is also feasible for VDI.
Other initiatives include:
- Kantara Initiative, an industry group focused on identity management, approved the UMA (User-Managed Access) standard, one year ago, capping five years of development efforts. The protocol gives users a single control point for authorizing who can access their online personal data and services across the Web.
- Single sign-on is growing in popularity: At the University of Southern California’s Viterbi School of Engineering, for example, the notion of requiring a new account and user name for students logging on to VDI resources seemed too cumbersome, says the school’s IT director Michael Goay. Instead, engineering students accessing the system can use the same login they use for other campus resources. Imprivata, which provides identity management services for nearly 2,000 hospital systems, many of which have VDI in place, offers a way for users to access all their data with a single sign-on. To enable the next level of security, for accessing patient records, users have an RFID-enabled identity card.
Despite the progress, there’s still plenty of room for improvement in identity management, particularly in healthcare. As it stands, many hospitals have effective authentication for staff, but not always for those they serve, D’Agostino says, noting: “One of the really difficult things about healthcare is the lack of any really good identity scheme for patients.”
Underwritten by HPE, NVIDIA and VMware.