
Security vendors, cloud providers rally around cloud identity standards

Open standards around identity and authentication are gaining popularity. So what -- and who -- is driving the movement?

In the wake of several high-profile data breaches tied to compromised credentials, support for cloud identity standards appears to be accelerating at a fast clip.

At the Cloud Identity Summit in La Jolla, Calif., earlier this month, a number of leading cloud security vendors and top cloud providers showed strong support for an assortment of open standards, such as SAML, OpenID and FIDO, in the cloud identity and authentication market. Technology giants, including Microsoft, Google, VMware and Salesforce, took the stage to promote better interoperability and increased adoption of identity standards.

Alex Simmons, director of program management for Active Directory at Microsoft, said in his keynote that while cloud services have increased enterprise and consumer productivity, they've become a major target for attackers, who go after user account credentials in particular. In fact, he said, Microsoft defends its accounts from about 95 million attacks every single day.

"Right now, that is the biggest form of attack: credential phishing," Simmons told the audience. "And we've got to get rid of it."

As a result, Simmons advocated the elimination of passwords altogether and embraced federated identity standards.

"The next time you see a startup with a smartphone app that doesn't support the right federation standard, you should just walk away," Simmons said. "And you should make sure when your RFPs go out that they require SAML or OpenID Connect or something that gets us out of this world of everybody having to have a really good username and password."

One standard that received notable support during the event was FIDO. Simmons said Microsoft, which is a board-level member of the FIDO Alliance, was excited to bring FIDO support to Windows 10. Eric Sachs, product management director of identity at Google -- another FIDO Alliance board member -- said during his keynote that FIDO is a crucial part of developing a "phishing-proof authentication scheme" for the industry. Google has already rolled out FIDO-based authentication for its Chrome browser using USB keys from security vendors like Yubico, and Sachs said Google plans on expanding its use of FIDO-based authentication.

While dismissing traditional password schemes, Sachs noted that "if we stopped doing this just for Chrome browser, that wouldn't be particularly helpful. That's why we're involved in the standards communities -- so hopefully this same thing can be adopted by other operating systems and other browsers."

Some of the event's speakers had forceful messages for the IT industry: start supporting cloud identity standards or risk being left behind. For example, Ian Glazer, currently senior director of identity at Salesforce and formerly a vice president of identity and privacy at Gartner, said during his keynote that not supporting identity standards is "antithetical to the modern enterprise." He also compared the current state of identity standards to the emergence of TCP/IP in the networking space.

"Not supporting standards puts you on the wrong side of history," Glazer said. "If your service provider does not support standards-based identity, they are not acting in your best interest or your customers' best interests."

Identity standards gaining support

Security vendors at the event believe support for open standards around identity and authentication is reaching a critical mass. Andre Durand, CEO of Denver-based Ping Identity, which hosted the Cloud Identity Summit, said the space is attracting a growing number of industry experts to help solve the cloud identity security issues and improve.

"Things are moving quicker than you'd think," Durand said. "There's still a lot of work to be done, but conversations are moving forward and there are a lot of smart people in this space right now. The collective IQ has really gone up."

Jerrod Chong, vice president of solutions engineering at Yubico, said the conversation has changed because businesses that rely on the Internet and cloud to conduct their business are demanding better methods.

"The whole reason we're all here [at the summit] is because the industry needs to work together on this," Chong said. "It wasn't so easy to talk about this stuff a few years ago, but now companies are talking about identity and hardening credentials."

Brendon Wilson, director of product management at Nok Nok Labs, an authentication vendor based in Palo Alto, Calif., said cloud identity is an ecosystem-driven space where the incentives to adopt standards are higher for security vendors, cloud providers and vertical industries.

"I think there is a lot of interest in open standards because companies can't do it themselves," Wilson said. "The support was born out of necessity."

That's not to say the battle is over. Chong said there are still a number of companies moving ahead with their own proprietary identity and authentication systems. Some vendors, he said, just don't want to change their business models to participate in open standards efforts.

"If Microsoft can do it," Chong said, "anyone can do it. Microsoft has made huge strides recently."

During his keynote address, Simmons discussed Microsoft's willingness to share IP to improve cloud identity security -- a notion that he recognized might seem "shocking" for the audience.

"I encourage everybody to think broadly about the success of the entire industry," he said, "rather than the success of our individual kingdoms."

Wilson said it's just not practical to operate in a walled garden when it comes to identity and authentication systems.

"We've seen vendors try to do their own proprietary authentication systems. But who's going to use it?" Wilson asked. "You have to have support. You're not going to dictate what apps your customers can and can't use based on your authentication system. That'd be suicide."

But with businesses like MasterCard, Visa and PayPal supporting open standards like FIDO, Chong said the number of security vendors and cloud providers joining in will only increase.

"Everyone should be supporting open standards for identity and authentication," he said. "We've got Google and Microsoft on board with FIDO, and hopefully we'll get AWS. Those three together would be huge for cloud security."

(Amazon Web Services did attend the Cloud Identity Summit, and Praerit Garg, general manager of AWS identity & directory services, spoke during a session on identity security and IaaS.)

Durand believes that a significant shift has taken place in the security and cloud industries regarding identity and authentication, and that there's no going back to proprietary systems.

"Enterprises don't want vendor lock-in," he said, "and I think the vendors are realizing that you can't scale to the kind of security that enterprises desire when the identity systems aren't standardized."
