the identity perimeter
7/29/2019 The identity perimeter
1/13
Copyright Quocirca 2012
Bob Tarzey
Quocirca Ltd
Tel : +44 7900 275517
Email: [email protected]
Rob Bamforth
Quocirca Ltd
Tel: +44 7802 175796
Email: [email protected]
The identity perimeter
Using advanced single-sign-on to enable open business communications
September 2012
Successful businesses recognise the value of open communications within
and beyond their organisations. However, achieving this means that the
physical and virtual perimeters that had previously defined the reach of
most organisations' IT systems have disappeared. This report makes the
case for the use of identity and advanced single-sign-on (SSO) to overcome
many of the issues of providing open integration between businesses and
their customers and partners.
It should be of interest to all those in roles charged with the responsibility
of providing secure access to online resources and to those who want to
make the case for rolling out new online services, but have to overcome
the security concerns of others in their organisation before they get the
approval to do so.
In most cases, only when the identities of the individuals requesting to use IT resources are firmly established should access be
granted. This applies to resources provided internally by organisations and to those sourced from third parties such as
software-as-a-service (SaaS) providers. For most organisations this includes external users from partners and customers as well as
employees. Since many of these access requests are coming from users in remote locations, often via mobile devices, centralised
provisioning and de-provisioning is essential. Advanced single-sign-on systems are one of the most effective ways to achieve
these goals.
Business thrives on open interaction
Business managers recognise the value of open communications with partners and customers
as well as across their own organisations. A recent study shows that those businesses that are
good at doing this thrive compared to their competitors. Whilst such communication
empowers businesses it also means that both the physical and virtual perimeters of their
organisations' IT systems are increasingly harder to define.
Understanding identity is essential for safe interaction
To safely enable such interaction and open up applications to support cross organisational
business processes requires a clear understanding of who the individuals involved are. In other
words, identity is at the core of successful open interaction and, when well managed, it can
create a bridge between widely distributed individuals. Single-sign-on (SSO) systems are a
powerful way to achieve this goal. In effect they enable the establishment of a new perimeter
based on identity.
Knowledge of identity comes from many sources
For the majority of businesses, Microsoft Active Directory has become a de facto standard for
the storage of identities for internal users and some external users. However, there are many
other sources of identity that can be of value. These include consumer and business orientated
social networks, as well as business and trade membership organisations and government
databases. New ones will continue to emerge in the future.
A central identity switch links users with resources
The main aim of successful open interaction is to link people with IT resources, mainly
applications. Once their identity is known, advanced SSO systems can act as an identity switch
(or hub) linking them to the resources they are authorised to use and therefore ultimately to
each other. Increasingly, this includes externally sourced software-as-a-service (SaaS)
applications as well as internally provisioned ones.
Advanced SSO provides many other benefits
The one time strong and/or multi-factor authentication of users, saving them from
remembering numerous passwords and carrying multiple identification devices is a well
understood benefit of SSO systems. However, advanced SSO systems are also a place to
implement policy about access rights; for example limiting access based on the physical
location of a user.
SSO enables fast provisioning and safe de-provisioning
Users need access to many resources and that access is required from multiple devices, some
of which may be employee-owned (smartphones, tablets etc.) or owned by individuals working
for third party organisations. SSO can be used to rapidly provide the access required but
perhaps more importantly, can also remove all access in an instant, with no need to change
anything on the devices used for access. This is necessary to safely support the growing desire
for bring-your-own-device (BYOD).
There are a number of approaches to SSO
The capabilities of SSO systems vary widely. Some consumer focussed ones are really just
central stores of usernames and passwords, which, whilst providing convenience, make users
less, rather than more, secure. The most advanced SSO systems use techniques such as
standards-based tokenisation for exchanging credentials and encryption for storing and
transmitting information as well as enabling co-ordination of policy. SSO systems themselves
can be implemented in-house or procured as on-demand services.
Conclusions
The business case for investing in SSO is not just about security and risk reduction. Whilst these are major primary benefits,
advanced SSO is as much about business enablement and empowering employees, customers and partners to interact online.
Businesses that achieve this will have a competitive edge; those that do not will lose out.
Introduction - the value of open interaction
The authors of the 2012 Global CIO Study [1] conclude that the top three priorities for businesses are empowering
employees through values, engaging customers as individuals and amplifying innovation with partnerships.
Clearly, these are all people issues that involve open communications. The report also shows that, increasingly, the
communications that drive this will be online, particularly through the use of social media (Figure 1).
The report goes on to say that there will be ever more
demand for transparency and the competitive need to
open up organisations to collaborate more [both]
internally and externally and that this emphasis on
openness is 30% higher among organisations that
perform well. In other words, organisations that
recognise the value of external collaboration are more
successful than those that do not.
With face-to-face communications, which most
recognise will continue to play the most important
role, the ultimate identifier comes into play; people
recognise and remember each other's faces. Even
when meeting new people, the circumstances that
lead to the meeting and the location it occurs in are
usually enough to provide the veracity needed to be
sure that someone is who they say they are.
When communication is online everything changes: there is no physical recognition and the location of the
individuals involved in a communication is often not known to the participants. However, for businesses to
successfully engage customers as individuals and innovate with partners online they must be certain that the
individuals involved are who they say they are. Identities are the keystones of the arches in the electronic bridges
that connect organisations.
Overcoming some of the problems with provisioning, managing and authenticating identities is the subject of this
white paper. In particular it looks at the benefits of using single-sign-on (SSO) systems as an identity switch or hub,
which can open up the resources that are shared between users, be they an organisation's own employees or those
of partners and business customers or, indeed, consumers. These resources may be provisioned internally or
procured on-demand from cloud service providers.
The paper should be of interest to all those charged with the role of providing secure access to online resources and
to those who want to make the case for rolling out new online services, but have to overcome the security concerns
of others in their organisation before they get the approval to do so.
Who are you? The identity bridge
Most of us are fortunate enough to know who we are most of the time; proving it is another matter. In the physical
world proof involves an array of documents and devices. Land at an airport and you use a passport to get through
immigration, a debit card to get local currency and a driving licence to pick up a hire car. The online world is even
worse; many have tens or hundreds of different accounts to access with different identifiers for each one.
For businesses and public sector organisations the holy grail of identity management is to find a way of
authenticating users with a high level of confidence just once and providing them with secure access to a range of
resources; so called single-sign-on (SSO). This applies to their employees, but also individuals from external
organisations and/or, in some cases, consumers. An SSO system can act as a hub or switch; a single point of access
with a near-failsafe means of establishing identity, which will be tolerated by users as it becomes a familiar process
that does not need to be repeated every time a new resource is accessed.
One obvious benefit of effective SSO is to reduce the risk of IT systems being compromised through the
unauthorised use of lost or stolen passwords. However, there is much value beyond this. For businesses, SSO allows
processes to be put in place across their organisation and extended to customers and partners, which would have
been hard to achieve without it. Users get transparent and hassle-free access to the applications they need to do
their jobs. IT staff can quickly provision new users and safely de-provision ones that no longer need access.
Increasingly, SSO has become available to businesses of any size as SSO systems themselves are made available as
on-demand services.
Effective SSO systems act as an identity bridge sitting at the centre of the major challenges of managing online
identities (Figure 2). These include accessing various sources of identity, authenticating a user against a given
identity, providing access to resources, applying access policies and managing identities.
Sources of identity
Information about identities resides in various electronic databases. Most businesses run their own internal
database for employees, by far the most common being Microsoft Active Directory, which is almost a de facto
standard in larger organisations. Some organisations add external users to their internal directories; however, there
are plenty of other sources of identity for helping to authenticate outsiders. Some are run by government bodies,
others by commercial organisations.
In the consumer world many have accounts with Facebook, Google, PayPal and/or a number of other online
services. It is already possible in many cases, having authenticated to one service, for credentials to be passed to
another; for example, once you have logged into Facebook, Facebook Connect enables your Facebook login credentials to
be used to gain access to certain other online services. The open source service OpenID exists specifically to help
overcome the problem of managing multiple identities, a sort of SSO for consumers.
There are also sources of identity that bridge the business and consumer worlds. For example, LinkedIn accounts are
owned by individuals but are commonly used for business purposes. Before anyone had ever heard of LinkedIn the
same was true for many individuals that were members of professional or trade organisations. In many cases, just as
with LinkedIn, the membership of such bodies is a personal one that travels with the member from one job to
another.
For businesses, external sources of identity can be used
when providing access to broad groups of users, for
example doctors in private practices accessing
government-run healthcare systems or insurance
brokers logging on to the systems of the financial
services companies whose products they sell.
However, having multiple sources of identity also causes
headaches. Governments have historically built up huge
databases covering different physical and online
requirements; silos of identity across which there is little
correlation. This has also happened in businesses. Here
one of the main reasons for multiple databases of
identity has been because there are multiple IT systems
and applications: for example, separate identity
databases for Windows and Linux users, when there
may be a complete overlap between the users of both.
Another issue is with the growing use of software-as-a-service
applications (SaaS) sourced on-demand over the
internet, which around 40% of larger businesses say
they use (Figure 3), as do many small businesses. These
applications will often have their own directories of
users and mechanisms for authentication. The providers
of SaaS applications have their own security concerns,
making sure different customers sharing the same
platform remain discrete. Some businesses still harbour
security concerns about the use of cloud-based services,
which SSO can help overcome (Figure 4).
Having many silos of identity is a problem that needs to be overcome. There are a number of ways around the issue
of multiple identity databases; these include:
1. Consolidate to a single directory - there are tools that assist with this, for example allowing Microsoft's Active
Directory to be used as a source of identity for other systems. The benefit here is a single internal directory. The
downside is that there will be external sources of identity that it may be hard to incorporate, especially if these
are for providing third party access.
2. Regularly synchronising directories - for example, apply updates to Microsoft Active Directory in the first
instance and then roll out changes to other directories. This is unsatisfactory as many of the synchronisation
mechanisms will not be available off the shelf so they will have to be built. This leaves too much scope for error
and it will probably not be possible to update externally owned databases.
3. Single-sign-on - an advanced SSO system can access multiple sources of identity, acting as an interface for
authentication and as a broker for access to a wide range of resources for both employees and external users.
Interfacing to different directories can be a challenge, but standards help. The main one for accessing identity
data is LDAP (lightweight directory access protocol).
Understanding a user's identity is one thing; authenticating that the person who wants to use it is the owner of that
identity is another matter.
Proving identity
Authenticating that a user has a right to use an identity has long been a challenge. Many have lost confidence in the
simple username/password combination, especially if it is going to be used to open up a range of resources;
stronger and/or multiple means of authentication are desirable.
One of the most common ways of implementing strong authentication has been to use some sort of hardware
token. Others include biometrics, smartcards, mobile phones and checking the physical identity of the access
devices being used. All have advantages and drawbacks. In some cases strong authentication has been extended to
the consumer world, especially for online banking.
A big potential drawback with strong authentication is that it can mean having multiple physical devices to
authenticate to multiple different applications. Another is that users will be put off using many applications because
the process of accessing them is too cumbersome. One of the best ways to overcome these problems is SSO, where
a single point of authentication is provided.
To be clear, this need not mean that once users have authenticated themselves they have unlimited access to
all approved resources wherever they are. Advanced SSO systems allow that to be controlled depending on the
context of the access request and the type of user; for example the access rights of an internal employee will be
different to those for business partners and customers.
Applying access policies
Giving a user access to a wide range of resources via a single authentication has its dangers; even strong
authentication may be compromised. Once a user is in, how long do you leave it before automatically logging them
out? Seconds, minutes, tens of minutes? If they are working in a shared workspace or a public place using mobile
technology this can be a problem. If they are a user from a partner or customer organisation it is harder to ensure
good practice is known and applied.
To this end policy needs to be put in place to control access to resources depending on the type of user and the
context of the user access request. For example, an employee known to be within the physical confines of the
workplace may be given access to email, CRM and the accounting applications. However, if they are requesting
access from an external location the use of the accounting application may be blocked. Employees working from a
desktop system in an office may be automatically logged out after 30 minutes of inactivity, whilst it may be after just
5 minutes for mobile users and those from third parties.
It may also be desirable to vary the granularity of access between external organisations. For example an insurance
company may deal with many external brokers; however, those that have sold lots of insurance policies may be
given access to better deals than those that have sold fewer. The management of such access policies needs to be
dynamic and be updatable at short notice to suit changing business conditions. With a single point of access and
enforcement this can be achieved, providing capable management tools are used.
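
The access rules described in this section, written out as an added example (it is not part of the Quocirca report and not any SSO product's API). All names are hypothetical; the third-party application set and the short timeout for every case other than an employee on an office desktop are assumptions. The policy is evaluated against the context of each request, not only the context at login.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class UserType(Enum):
    EMPLOYEE = "employee"
    PARTNER = "partner"
    CUSTOMER = "customer"


class Location(Enum):
    WORKPLACE = "workplace"
    EXTERNAL = "external"


class Device(Enum):
    DESKTOP = "desktop"
    MOBILE = "mobile"


@dataclass(frozen=True)
class RequestContext:
    """Where a request comes from; checked on every request, not just at login."""
    location: Location
    device: Device


@dataclass
class Session:
    user: str
    user_type: UserType
    last_activity: datetime
    active: bool = True


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Employee rules follow the report's example. The third-party application set
# ("partner_portal") is an assumption made for this illustration.
EMPLOYEE_WORKPLACE = frozenset({"email", "crm", "accounting"})
EMPLOYEE_EXTERNAL = EMPLOYEE_WORKPLACE - {"accounting"}
THIRD_PARTY = frozenset({"partner_portal"})

OFFICE_DESKTOP_IDLE = timedelta(minutes=30)
SHORT_IDLE = timedelta(minutes=5)  # mobile users and third parties


def allowed_apps(user_type: UserType, ctx: RequestContext) -> frozenset:
    """Applications available to this type of user in this context (default deny)."""
    if user_type is not UserType.EMPLOYEE:
        return THIRD_PARTY
    if ctx.location is Location.WORKPLACE:
        return EMPLOYEE_WORKPLACE
    return EMPLOYEE_EXTERNAL


def idle_timeout(user_type: UserType, ctx: RequestContext) -> timedelta:
    """Inactivity limit. Assumption: only an employee on an office desktop gets 30 minutes."""
    office_desktop_employee = (
        user_type is UserType.EMPLOYEE
        and ctx.location is Location.WORKPLACE
        and ctx.device is Device.DESKTOP
    )
    return OFFICE_DESKTOP_IDLE if office_desktop_employee else SHORT_IDLE


def authorize(session: Session, app: str, ctx: RequestContext, now: datetime) -> Decision:
    """Single enforcement point: idle check first, then the per-context application check."""
    if not session.active:
        return Decision(False, "session ended, re-authenticate")
    if now - session.last_activity > idle_timeout(session.user_type, ctx):
        # Close the session so a later, more lenient context cannot revive it.
        session.active = False
        return Decision(False, "idle timeout, re-authenticate")
    if app not in allowed_apps(session.user_type, ctx):
        return Decision(False, f"{app} is not available in this context")
    session.last_activity = now
    return Decision(True, "ok")


if __name__ == "__main__":
    start = datetime(2012, 9, 3, 9, 0)  # constructed sample data
    alice = Session("alice", UserType.EMPLOYEE, start)
    office = RequestContext(Location.WORKPLACE, Device.DESKTOP)
    remote = RequestContext(Location.EXTERNAL, Device.MOBILE)
    for app, ctx, minute in [("accounting", office, 20), ("accounting", remote, 22),
                             ("email", remote, 22), ("email", remote, 28),
                             ("email", office, 29)]:
        print(minute, app, ctx.location.value, authorize(alice, app, ctx, start + timedelta(minutes=minute)))
```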
Identity management
The provisioning of identities and their on-going administration requires a management system that addresses both
identities and the rights associated with them. This needs to operate at a number of levels, in some cases addressing
individual user requirements, but more often assigning rights and applying policies to groups of users. Some identity
management systems can, where necessary, link different identity databases through synchronisation. An
alternative to this is to use an SSO system as a broker between different identity databases and various applications.
Active Directory has a number of features that ease identity management: for example, the grouping of users by
job role, department, seniority etc. for which policies can be managed en-masse and the creation of default
identities for fast provisioning of new users. However, even when Active Directory is the main source of identity in a
given organisation, there may well be others that need to be used to provide access for partners and customers.
Once identity is under control, businesses can be more confident in making use of the innovations that are at the
core of contemporary open communications, namely mobile computing and the use of on-demand services. They
also have more confidence to put in place business processes that span multiple organisations. This has led to the
concept of identity as the new perimeter.
Identity as the new perimeter
When most computing was done on mainframes there was no need for SSO, it was implicit in the way computers
were accessed. The access perimeter was that of a single physical computer; identify yourself to it from a dumb
terminal and you could use the resources you were authorised to access. There was little need to provide access to
external users.
The coming of client-server in the late 1980s complicated things. PCs became common access devices and
applications could be running on a range of backend servers; for example email being run centrally as an enterprise
wide resource, whilst other applications were maintained locally by line of business. However, generally speaking,
the devices involved were mostly within the physical confines of a given organisation, linked by a private and
proprietary network; the network had become the new perimeter for computing. Most access was still confined to
the employees of a given organisation.
The commercial adoption of open networks, and the internet in the 1990s, complicated things further; networks
were no longer isolated, they were all becoming linked and could exchange information using common standards.
To maintain security, firewalls were introduced to police access, keep corporate networks private and maintain an
identifiable perimeter. This needed to be porous as more and more applications were enabled for use by external
users.
However, the growing use of the internet has introduced two new challenges. First, it is not just external users
coming in; internal users are making more and more use of externally sourced on-demand applications running on
shared platforms run by third parties. Second, users, internal or external, could be anywhere, using various devices,
in some cases personal ones rather than those owned and controlled by their employer.
In this world, there is no physical or network perimeter. The only thing that can be used for sure to decide who has
access to what is a user's identity. Identity can in effect act as the new perimeter, with an SSO system as the
enabler, connecting users with applications.
Once an organisation has the capability to do this it can use SSO to drive a whole range of business processes that
would have been more complicated to implement otherwise. Here are a few examples:
• Linking both internal and external users with multiple cloud sourced applications, for example Google Apps
for email, salesforce.com for CRM and SuccessFactors for human resources
• Insurers opening up certain applications directly to the hundreds of brokers they work with, using broker
association membership databases as a source of identity. An insurance company that adopts SSO will also
gain a competitive advantage if brokers find their systems easier to access and use.
• Linking dealers into a car manufacturer's supply chain applications, making available the various
applications that drive the relationship
• Travel companies linking business people or consumers (perhaps using social media as a source of identity)
to a range of third party resources that they act as agents for such as airlines, hotels, car-hire companies
etc.
• Seamless linking of mash-up applications over the internet; for example linking banks with CheckFree
printing service or hotels with car rental companies
• Governments opening up a wide range of resources to citizens, by settling on one of their many databases
as the primary source of identity
However, the value of the most capable SSO platforms goes well beyond just linking users with applications. There
are a wide range of other benefits too.
The extended value of SSO
So far, this report has made the case for using SSO to help enable three of the major changes going on in the way IT
applications are provisioned and used:
1. Opening up of internal applications to outsiders to create extended value chains
2. Easing access to the growing use of applications provisioned from cloud services providers
(software-as-a-service/SaaS)
3. Increasing mobility of users and the range of devices in use for remote access
For many businesses the need to provision diverse users with access to a multitude of resources will be enough
justification for the investment needed in SSO. However, the case is strengthened when a range of other use cases
and enhancements to business processes that become possible are considered.
The rapid provisioning and de-provisioning of users
When a user joins an organisation, getting them quickly up to speed will involve providing them with access to
various resources, an email account (perhaps using a hosted email service), access to an employee portal, a hosted
CRM system and so on. The same applies to a new partner joining a trading network or a consumer booking a
holiday. To provide a good service requires opening up the resources quickly and securely.
However, perhaps it is even more important to disable all access when the individual ends their relationship, be it an
employee resigning, a customer moving their account or a partner changing allegiance. Without an SSO system it
would be all too easy to leave in place access to the on-demand CRM system or email account. By disabling an
identity, all resources are immediately denied to a user. This is regardless of access device, on which no changes are
required.
The rapid provisioning of cloud services for multiple users
If an organisation has decided to move over to an on-demand application, for example an email service such as
Google Mail, how does it go about provisioning hundreds of accounts? One way is to use an SSO system, which has
the capability to automate the process and link them with existing known identities.
Multi-device support and BYOD (bring your own device)
The trend for users to make use of personally owned devices is well reported (Figure 5). SSO helps with this too; the
user can authenticate from any device, be it a company owned one, the employee's own or even one that has been
borrowed. As has been said, policies can be created that limit access depending on the device itself or the location of
the user; the important thing is that the user has flexibility of access. Also, of course, when the user's relationship
ceases there are no legacy access rights left on any of the
devices they have previously used to access resources.
Compliance reporting
Much of the interaction required between businesses
and their customers and partners involves the exchange
of highly regulated personal data, especially in the
financial services and healthcare sectors. However, as
data protection laws tighten all need to be on their
guard. At times it will be necessary to prove who has
been accessing what resources and what levels of access
given users have historically had. The logs kept by SSO
systems are an important input for this, providing a
central record of the access widely distributed users have
had to various applications and databases.
Service level agreement (SLA) monitoring
Many are predicting that the use of SaaS applications will soar. As businesses make more use of such services, they
may not have direct access to information regarding the uptime of the applications they subscribe to; an SSO system
provides a good proxy for this. It can be used to record when problems are encountered by users trying to access
online services. This is essential to make sure that SaaS providers are meeting the SLAs they have committed to, and
also key to ensuring that the organisation itself is able to meet its own SLA commitments.
Activity reporting
Users modify their behaviour over time as their needs change. Understanding this helps to adapt resources made
available to them; for example, pre-empting scalability issues.
Approaches to SSO
So far, SSO has largely been discussed generically. However, there are different approaches to achieving the goals
and these come with varying degrees of complexity and risk. At the low end are consumer focussed systems that
amount to little more than storing usernames and passwords in an online database with details of the applications
to which access is to be given. If anything, such systems increase risk as there is always a danger that the SSO system
itself is compromised.
Business focussed systems are more robust, but still vary widely. Some are really only suited for implementing SSO
in-house as they are based on proprietary protocols and are primarily capable of supporting the widely understood
goal of SSO of providing single point of authentication for users before opening up applications and other resources
to them. Such systems are usually based around a single internally held directory of users, most commonly
Microsoft Active Directory.
The most advanced SSO systems are standards-based and well suited to achieving the goal of better interoperability
between organisations; allowing users to share resources, including both those from SaaS providers and internally
provisioned ones. This is the concept behind the identity bridge discussed earlier; linking multiple organisations will
usually mean supporting a heterogeneous environment in terms of application platforms, user end-points and
sources of identity. Where these also adhere to standards there will be no need for proprietary integrations if the
SSO system itself also supports the required standards.
There are a number of other basic questions that need to be asked of any SSO vendor as part of an evaluation
process. These include:
• How are identities transmitted? Any system that does not use some form of encryption or tokenisation,
especially when it is communicating over a public network, must be considered insecure. Rather than
transmitting the actual identity, using a secure soft token that represents the identity is far safer. Standards
such as SAML and OAuth (see below) support the secure exchange of identity data.
• Where and how are passwords stored? The SSO system authenticates users and gives them access to various
applications. In the most secure SSO systems, login credentials for the target applications are stored in a highly
secure single central location over which the organisation providing SSO has control.
• How is login to the target application achieved? Some systems simply replay login forms and insert user names
and passwords as this is done. This means these details have to be transmitted as clear text and pasted into the
login screen when access is required. Advanced SSO systems use sophisticated login methods such as
standards-based tokenisation.
It should also be established which standards are supported by the SSO system as this is key to using multiple
sources of identity and linking users with a range of resources. Some of the most important to look for are:
• LDAP (lightweight directory access protocol) - a standard for storing, reading and sharing identity data; Active
Directory is LDAP compliant
• SAML (security assertion mark-up language) - an open standard for securely exchanging authentication and
authorisation data, for example between an SSO system and an application. SAML has been well vetted and
provides a secure approach for the exchanging of identities.
• REST (representational state transfer) - a standard for accessing web-enabled applications. Many of the
resources that SSO systems need to provide access to will have APIs (application programming interfaces) that
are REST compliant. REST has superseded older standards such as WSDL and SOAP, as it is simpler to use.
• SCIM (originally simple cloud identity management, now revised by an IETF working group to system for
cross-domain identity management) - a standard designed to make managing user identity in cloud-based
applications and services easier when interfacing with SAML and REST compliant applications
• OAuth (open authentication) - a standard that enables users to access resources without having to directly
disclose their login credentials; instead they use tokens
• OpenID Connect - an emerging standard that extends the consumer-oriented OpenID specification to support
more complex use cases, including REST-based calls.
Furthermore, there are choices about how SSO is deployed. In the past it has mainly been on-premise, but some
vendors now offer SSO as an on-demand service. The benefits of on-premise and on-demand systems need to be
weighed up; some may conclude a hybrid approach is best.
On-premise SSO
Until recently, enterprise-grade SSO systems have been deployed on-premise, often as a pre-configured appliance
primarily aimed at supporting internal users. Even with the increasing need to support external users, internally
provisioned SSO systems remain desirable for some where there is a need to provide massive scalability that is
entirely in the control of the organisation providing the SSO facility; for example telecoms service providers.
SSO on-demand (identity as a service, IDaaS)
Recent years have seen the emergence of cloud provisioned on-demand SSO systems. These not only make SSO
available to businesses of all sizes, but they are also ideal for integrating access by broad communities of users across
multiple organisations where the majority are outsiders. Providing online SSO services meet the requirements
outlined earlier, they should be no less secure than on-premise ones. Indeed, as with any on-demand service, in
many cases they will be more secure and have higher availability than those managed in-house.
Hybrid SSO
For some organisations a mix of on-premise deployment for employees with a cloud-based service for outsiders may
prove to be the most effective model. SSO suppliers that support both approaches should be able to provide
seamless integration between the two. Such hybrid deployments help address the diversity and complexity present
in many organisations, for example allowing access to some sensitive internal applications to remain isolated to
internal users only via an internally deployed SSO platform, whilst the growing need to incorporate external, mobile
and remote users is well supported by IDaaS.
Conclusions
This report opened by highlighting the desire of CEOs for transparency and the competitive need to open up
organisations to collaborate more [both] internally and externally. Regardless of the technology used, it is clear that
IT is central to achieving this. Two industry trends, the use of on-demand resources and the mobility of users, will
continue to become more widespread. The technology implemented must support this.
That said, individuals still lie at the heart of most business processes and in most cases there is a need to know who
they are, that they are who they say they are, and what resources they have the right to access. It should also be
clear when those access rights no longer apply and that they can be removed safely, quickly and effectively.
Advanced SSO addresses many of these issues and the business case for investing is as much about business
enablement as it is about security and risk reduction. With the advent of on-demand SSO services these benefits are
now available to businesses of all sizes. Those that empower employees, customers and partners to interact online
will have a competitive edge; those that do not will lose out.
References
1 Leading Through Connections, Highlights of the Global Chief Executive Officer Study, IBM Corporation 2012
http://www-935.ibm.com/services/uk/en/ceostudy.html
2 Outsourcing the problem of software security, Quocirca, March 2012
http://www.quocirca.com/reports/711/outsourcing-the-problem-of-software-security
3 Next Generation Datacentre Cycle II Cloud findings, Quocirca, April 2012
http://www.quocirca.com/reports/689/next-generation-datacentre-cycle-ii-cloud-findings
4 The data sharing paradox, Quocirca, September 2011
http://www.quocirca.com/reports/620/the-data-sharing-paradox
About Ping Identity
Ping Identity | The Cloud Identity Security Leader
Ping Identity provides cloud identity security solutions to over 800 of the world's largest companies, government
organizations and cloud businesses. With a 99% customer satisfaction rating, Ping Identity empowers 45 of the
Fortune 100 to secure hundreds of millions of employees, customers, consumers and partners, using secure, open
standards like SAML, OpenID and OAuth. Businesses that depend on the Cloud rely on Ping Identity to deliver simple,
proven, and secure cloud identity management through single sign-on, federated identity management, mobile identity
security, API security, social media integration, and centralized access control. Visit pingidentity.com for more
information.
About Quocirca
Quocirca is a primary research and analysis company specialising in the
business impact of information technology and communications (ITC).
With world-wide, native language reach, Quocirca provides in-depth
insights into the views of buyers and influencers in large, mid-sized and
small organisations. Its analyst team is made up of real-world
practitioners with first-hand experience of ITC delivery who continuously
research and track the industry and its real usage in the markets.
Through researching perceptions, Quocirca uncovers the real hurdles to
technology adoption - the personal and political aspects of an
organisation's environment - and the pressures of the need for
demonstrable business value in any implementation. This capability to
uncover and report back on the end-user perceptions in the market
enables Quocirca to provide advice on the realities of technology
adoption, not the promises.
Quocirca research is always pragmatic, business orientated and
conducted in the context of the bigger picture. ITC has the ability to
transform businesses and the processes that drive them, but often fails
to do so. Quocirca's mission is to help organisations improve their
success rate in process enablement through better levels of
understanding and the adoption of the correct technologies at the
correct time.
Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC
products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of
long term investment trends, providing invaluable information for the whole of the ITC community.
Quocirca works with global and local providers of ITC products and services to help them deliver on the promise that
ITC holds for business. Quocirca's clients include Oracle, Microsoft, IBM, O2, T-Mobile, HP, Xerox, EMC, Symantec
and Cisco, along with other large and medium-sized vendors, service providers and more specialist firms.
Details of Quocirca's work and the services it offers can be found at http://www.quocirca.com
Disclaimer:
This report has been written independently by Quocirca Ltd. During the preparation of this report, Quocirca has
used a number of sources for the information and views provided. Although Quocirca has attempted wherever
possible to validate the information received from each vendor, Quocirca cannot be held responsible for any errors
in information received in this manner.
Although Quocirca has taken what steps it can to ensure that the information provided in this report is true and
reflects real market conditions, Quocirca cannot take any responsibility for the ultimate reliability of the details
presented. Therefore, Quocirca expressly disclaims all warranties and claims as to the validity of the data presented
here, including any and all consequential losses incurred by any organisation or individual taking any action based
on such data and advice.
All brand and product names are recognised and acknowledged as trademarks or service marks of their respective
holders.
REPORT NOTE:
This report has been written independently by Quocirca Ltd to provide an overview of the issues facing
organisations seeking to maximise the effectiveness of today's dynamic workforce.
The report draws on Quocirca's extensive knowledge of the technology and business arenas, and provides advice on
the approach that organisations should take to create a more effective and efficient environment for future growth.