Over the last year I’ve been following the identity and access management space more closely—along with EMM, it’s a key component of end user computing in the world of cloud apps and mobile devices. One of the significant players that I wasn’t familiar with yet was Ping Identity; so last week I met with Pam Dingle, their principal technical architect. Today’s article is some of my notes from our conversation.
First, a few of the basics: Ping has been around since 2002, with their main on-premises identity and federation server called PingFederate. In 2011 they launched PingOne, a cloud-based identity as a service offering. They also have PingID, a multi-factor authentication product that can use their mobile app as a factor.
One of the things that always comes up in identity conversations is who will use it and when they’ll use it. Of course federation and SSO have been around a long time, and the security and convenience benefits are obvious. But identity management for cloud-based apps is kind of like EMM: there are a lot of companies that aren’t doing anything about it yet, and instead just dealing with user accounts in cloud apps in a more manual way. The tipping point, Pam said, often comes around specific app projects like Office 365; or there’s just a corporate size and complexity threshold where identity as a service makes sense—as she put it, once you have a CISO, you’re there.
Some of the most distinctive things that Ping is working on now involve making complex access decisions. This involves layers of policy, adaptive authentication, and consulting various sources of information. Layered policies can be by app, by user group, by IP address, by what type of authentication is used, by time of day, and so on. Adaptive authentication is the idea that authentication requirements can change based on policy: for example, a user who logs in from out of the country could be asked for a second factor. External information can come from partner security products like ThreatMetrix or AirWatch, or from any other data source (Ping has an SDK for integrating additional sources).
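To make the layered-policy and adaptive-authentication idea concrete, here is an added example of a small policy evaluator (my own illustration, not Ping Identity's code). Each rule matches on app, group, client network, time of day or an external signal, and demands an authentication level; the evaluator takes the strongest level any matching rule asks for and decides whether the factor already presented is enough, whether to step up, or whether to deny. The rule names, the RFC 5737 address ranges standing in for the corporate and home-country networks, and the `device_managed` and `risk_score` signal names (the kind of data an EMM or a partner product such as ThreatMetrix could supply) are all constructed for the example.

```python
"""Added example: a toy layered-policy / adaptive-authentication evaluator.
Not Ping Identity's code; rules, networks and signal names are constructed."""
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

# Strength ladder. A request must already satisfy the strongest level any matching
# rule demands; "deny" outranks everything and cannot be satisfied by stepping up.
LEVELS = {"password": 1, "mfa": 2, "deny": 3}

# Constructed ranges (RFC 5737 documentation space) standing in for the corporate
# network and the home country's address space.
CORP_NETWORKS = ["192.0.2.0/24"]
HOME_COUNTRY_NETWORKS = ["192.0.2.0/24", "198.51.100.0/24"]


@dataclass
class Context:
    user: str
    groups: set
    app: str
    ip: str
    local_time: time
    auth_method: str                                 # strongest factor presented so far
    signals: dict = field(default_factory=dict)      # external data: EMM posture, risk score


@dataclass
class Rule:
    name: str
    required: str                                    # "password", "mfa" or "deny"
    app: Optional[str] = None                        # match only this app
    group: Optional[str] = None                      # match only members of this group
    outside_networks: Optional[list] = None          # match only if the client IP is in none of these
    outside_hours: Optional[tuple] = None            # (start, end): match only outside this window
    signal: Optional[Callable[[dict], bool]] = None  # predicate over external signals

    def matches(self, ctx: Context) -> bool:
        if self.app is not None and ctx.app != self.app:
            return False
        if self.group is not None and self.group not in ctx.groups:
            return False
        if self.outside_networks is not None:
            addr = ip_address(ctx.ip)
            if any(addr in ip_network(n) for n in self.outside_networks):
                return False
        if self.outside_hours is not None:
            start, end = self.outside_hours
            if start <= ctx.local_time <= end:
                return False
        if self.signal is not None and not self.signal(ctx.signals):
            return False
        return True


def evaluate(rules, ctx):
    """Return (decision, required_level, matched_rule_names); decision is
    "allow", "step_up" (a stronger factor must be requested) or "deny"."""
    matched = [r for r in rules if r.matches(ctx)]
    required = max((r.required for r in matched), key=LEVELS.get, default="password")
    names = [r.name for r in matched]
    if required == "deny":
        return "deny", required, names
    if LEVELS[ctx.auth_method] >= LEVELS[required]:
        return "allow", required, names
    return "step_up", required, names


# Constructed policy: per-app, per-group, location, time-of-day and external-signal layers.
POLICY = [
    Rule("finance requires MFA", "mfa", app="finance"),
    Rule("contractors only from the corporate network", "deny",
         group="contractors", outside_networks=CORP_NETWORKS),
    Rule("step up outside the home country", "mfa", outside_networks=HOME_COUNTRY_NETWORKS),
    Rule("step up outside business hours", "mfa", outside_hours=(time(8, 0), time(18, 0))),
    Rule("email only from EMM-managed devices", "deny", app="email",
         signal=lambda s: not s.get("device_managed", False)),
    Rule("step up on high partner risk score", "mfa",
         signal=lambda s: s.get("risk_score", 0) >= 70),
]


def decide(user, groups, app, ip, hour, auth_method, signals=None):
    """Convenience wrapper: evaluate POLICY for a request at the top of the given hour."""
    ctx = Context(user, set(groups), app, ip, time(hour, 0), auth_method, signals or {})
    return evaluate(POLICY, ctx)


if __name__ == "__main__":
    # A staff member on the wiki from outside the country with only a password: step up.
    print(decide("alice", ["staff"], "wiki", "203.0.113.7", 10, "password",
                 {"device_managed": True, "risk_score": 12}))
```

The point worth noticing is that "deny" is not just a stronger level that MFA can satisfy: a contractor coming from outside the corporate network is refused even if they already presented a second factor, while a staff member in the same situation is merely stepped up. Keeping the matched rule names in the result is what makes such decisions auditable later.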
Of course identity management and EMM go hand in hand—information about the state of a device can be used to make access decisions, or certificates on devices can be used as authentication factors. Ping Identity doesn’t have their own EMM line, but can integrate with AirWatch for these things.
Another major topic with any identity vendor is the state of identity standards. Like other vendors, they have a catalogue of cloud app integrations. In an ideal world, Pam said, widespread standards would make that go away. (Her advice to ISVs? Write to the standards!)
2015 was a huge year for the spread of SAML in enterprise cloud apps, but Ping is also active with the spread of OpenID Connect, a much more lightweight authentication protocol that rides on top of OAuth 2.0.
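What "rides on top of OAuth 2.0" means in practice is that the token endpoint hands back an ID token next to the usual access token, and the relying party has to verify that ID token before trusting the login. The following is an added example of that exchange and the checks on the relying-party side; it is my illustration, not Ping Identity's or any library's code. It signs with HS256 using the client secret, which the OpenID Connect spec permits and which keeps the example standard-library only; most providers sign with RS256 and publish keys at a JWKS endpoint instead, but the claim checks (issuer, audience, expiry, nonce) are the same. The issuer URL, client id, secret and subject are constructed values.

```python
"""Added example: relying-party validation of an OpenID Connect ID token.
Not Ping Identity's code; issuer, client id, secret and subject are constructed."""
import base64
import hashlib
import hmac
import json

ISSUER = "https://op.example"             # constructed OpenID Provider issuer
CLIENT_ID = "rp-client-123"               # constructed relying-party client id
CLIENT_SECRET = "constructed-client-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, secret: str) -> str:
    """Provider side: JWS compact serialization, HS256 over header.payload."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def token_response(sub: str, nonce: str, now: int) -> dict:
    """Constructed token-endpoint response: the OAuth 2.0 access token plus the
    ID token that OpenID Connect adds alongside it."""
    claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID,
              "iat": now, "exp": now + 300, "nonce": nonce}
    return {"access_token": "opaque-access-token", "token_type": "Bearer",
            "expires_in": 300, "id_token": sign_id_token(claims, CLIENT_SECRET)}


def validate_id_token(token: str, secret: str, issuer: str, client_id: str,
                      expected_nonce: str, now: int) -> dict:
    """Return the verified claims or raise ValueError naming the first failed check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the relying party expects; the token must not get to choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def login_result(response: dict, expected_nonce: str, now: int) -> str:
    """Relying-party side: accept the login only if the ID token validates."""
    try:
        claims = validate_id_token(response["id_token"], CLIENT_SECRET, ISSUER,
                                   CLIENT_ID, expected_nonce, now)
        return f"ok:{claims['sub']}"
    except ValueError as err:
        return f"rejected:{err}"


if __name__ == "__main__":
    now = 1_700_000_000
    response = token_response("alice", "nonce-from-auth-request", now)
    print(login_result(response, "nonce-from-auth-request", now + 10))   # ok:alice
```

The nonce is the value the relying party put into its original authorization request; checking it on the way back ties the ID token to that browser session, which is the lightweight replay protection OpenID Connect adds on top of plain OAuth.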
Another important development that the whole identity space has been buzzing about is Chrome Custom Tabs in Android and Safari View Controller in iOS. I won’t go into the details here (instead, check out these blog posts by Paul Madsen and by John Bradley), but the end result is that single sign-on for enterprise mobile apps is getting easier.
If all these standards and OS updates seem baffling, or at the very least not something you’ll be dealing with directly, take solace: figuring them out is essentially the job of identity as a service vendors, in conjunction with ISVs, OS makers, and standards organizations. For IT, the biggest job is getting our existing directories federated to an IDaaS provider. (Like other vendors, Ping has their own connector that can take the place of ADFS and keep everything synchronized.) From there, we can take advantage of the progress that the ISVs, OS makers, and standards organizations are making.