Should Online Security Procedures Run Independent of Users?

Recently disclosed details about the widely publicized compromise of Target's customer data repositories support an argument for less manual effort in operating the methods that secure confidential, user-specific data across online communications. Is this argument plausible? And if so, to what extent?

I think the best answer to this question is a qualified "yes", and that online security best practices may need revising. It may make sense to take the user out of the direct operation of single sign-on (SSO) technology as cloud and SaaS applications are consumed. If the authentication step can be handled with greater precision and reliability by delegating the actual management of logging into, and out of, a host of applications to another piece of software (another SaaS dedicated to securing the exchange of credentials between applications and specific users), then, this argument goes, we can have more confidence in at least this step of the online experience for typical SaaS users. The trade-off is that the identity provider then becomes the one system whose compromise unlocks every application behind it, so it needs correspondingly stronger protection than any single application it fronts.

Identacor is an example of a SaaS aimed at the identity and access management market, whose customers need a better method of managing credential exchange between users and SaaS applications. I recently spoke with Sandy Dalal, CEO of Identacor. Anyone visiting the Identacor site will note the importance of an XML-based standard, Security Assertion Markup Language (SAML), to the Identacor solution. In SAML single sign-on the application never handles a password at all: the identity provider authenticates the user once and hands the application a signed assertion, which the application must verify (signature, issuer, audience, recipient and validity window) before trusting it. As Dalal sees it, building Identacor on a SAML core directly satisfies a growing SaaS user requirement for removing passwords altogether from the application login. Once passwords are relegated to a less important role in the process, the administrative burden is reduced as well.
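To make concrete what "the application must verify" means on the receiving side, here is an added example of the relying-party checks a SaaS application should run on a SAML 2.0 assertion before accepting the user it names. This is illustrative code written for this post, not Identacor's software, and the assertion, URLs, request ID and clock values in it are constructed. It assumes that XML signature verification has already been done by a dedicated library (such as python3-saml or signxml) before these checks run; the block itself only refuses assertions with no ds:Signature element and then enforces the conditions that the SAML signature alone does not cover: issuer, audience, recipient, InResponseTo, validity window and one-time use.

```python
"""Service-provider-side checks on a SAML 2.0 assertion (added example).

Assumption: the XML signature has been verified upstream by a SAML library;
this block only checks that a ds:Signature element is present, then enforces
the relying-party conditions that a signature alone does not guarantee.
"""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample assertion; every identifier and URL in it is hypothetical.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1b2c3" Version="2.0"
    IssueInstant="2014-03-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42"
          Recipient="https://app.example.com/saml/acs"
          NotOnOrAfter="2014-03-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2014-03-01T11:59:00Z" NotOnOrAfter="2014-03-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# What this (hypothetical) service provider expects; values match the sample.
EXPECTED = {
    "issuer": "https://idp.example.com/saml",
    "audience": "https://app.example.com/saml/metadata",
    "recipient": "https://app.example.com/saml/acs",
    "in_response_to": "_req42",  # ID of the AuthnRequest this SP issued
}

SAMPLE_NOW = dt.datetime(2014, 3, 1, 12, 1, 0, tzinfo=dt.timezone.utc)


def at(minutes_after=0):
    """Clock value some minutes after SAMPLE_NOW (helper for usage and tests)."""
    return SAMPLE_NOW + dt.timedelta(minutes=minutes_after)


def _parse_time(value):
    # SAML timestamps are UTC xs:dateTime with a trailing 'Z'.
    return dt.datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=dt.timezone.utc)


def validate_assertion(xml_text, expected, seen_ids, now, skew=dt.timedelta(seconds=60)):
    """Return (True, NameID) if every relying-party check passes, else (False, reason).

    `seen_ids` is the set of assertion IDs already accepted; it is updated on
    success so the same bearer assertion cannot be replayed.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return False, "not a saml:Assertion"
    if root.find("ds:Signature", NS) is None:
        return False, "assertion is unsigned"  # signature verified upstream (assumed)
    if root.findtext("saml:Issuer", namespaces=NS) != expected["issuer"]:
        return False, "unexpected issuer"

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions"
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < _parse_time(not_before):
        return False, "assertion not yet valid"
    if not_on_or_after is None or now - skew >= _parse_time(not_on_or_after):
        return False, "assertion expired or has no expiry"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected["audience"] not in audiences:
        return False, "audience mismatch (assertion was meant for another SP)"

    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        return False, "missing SubjectConfirmationData"
    if scd.get("Recipient") != expected["recipient"]:
        return False, "recipient mismatch"
    if scd.get("InResponseTo") != expected["in_response_to"]:
        return False, "InResponseTo does not match an outstanding request"
    scd_expiry = scd.get("NotOnOrAfter")
    if scd_expiry is None or now - skew >= _parse_time(scd_expiry):
        return False, "subject confirmation expired or has no expiry"

    assertion_id = root.get("ID")
    if assertion_id in seen_ids:
        return False, "replayed assertion"
    seen_ids.add(assertion_id)
    return True, root.findtext("saml:Subject/saml:NameID", namespaces=NS)


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, EXPECTED, set(), SAMPLE_NOW))
```

The audience, recipient and InResponseTo checks are the ones most often skipped in hand-rolled SAML code, and skipping them lets an assertion issued for one application be presented to another, or an unsolicited assertion be injected into a session; the `seen_ids` set is what turns a bearer assertion into a one-time token.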

But Dalal explained that Single Sign On (SSO) is simply one part of the solution Identacor offers to its customers. He let me know Identacor is "... really in the business of managing [our customers' online] identities. From the time an employee, or even an external partner, joins your company, to the time they leave your company, in all the, sort of, life-cycle access security events transpiring from this association, we can help secure that ..."

Identacor has been built with hooks to popular human resources management SaaS offerings (he mentioned Workday). He claims these hooks can be used to remove access rights to important, organization-specific applications as personnel transition out of a client's company, so that deprovisioning is triggered by the HR record rather than by a manual request. These hooks operate entirely transparently to the user.
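The leaver half of that lifecycle is easy to describe and easy to get wrong, so here is an added example of the reconciliation an HR-driven deprovisioning hook has to perform. It is illustrative code written for this post, not Identacor's integration or Workday's API; the HR export format, the application account snapshot and every name in them are constructed. It goes slightly beyond the text in two ways a practitioner would want: a future-dated termination is honoured on the day it arrives, and accounts with no HR record at all are surfaced for review rather than silently left in place.

```python
"""Leaver reconciliation driven by an HR feed (added example).

Assumption: a real integration reads the feed from the HR system's API and
pushes the resulting revocations to each application (via SCIM or the
application's admin API). Everything below is constructed for illustration.
"""
import datetime as dt

# Constructed HR export, one record per worker (hypothetical names and IDs).
HR_FEED = [
    {"employee_id": "E100", "email": "alice@example.com", "status": "Active",     "termination_date": None},
    {"employee_id": "E101", "email": "bob@example.com",   "status": "Terminated", "termination_date": "2014-02-28"},
    {"employee_id": "E102", "email": "carol@example.com", "status": "Active",     "termination_date": "2014-03-15"},  # future-dated leaver
]

# Constructed snapshot of who each application currently grants access to.
APP_ACCOUNTS = {
    "crm":  ["alice@example.com", "bob@example.com", "dave@example.com"],
    "wiki": ["alice@example.com", "carol@example.com"],
}

SAMPLE_TODAY = dt.date(2014, 3, 1)
SAMPLE_LATER = dt.date(2014, 3, 16)


def leavers(feed, today):
    """Emails whose HR record says access must be gone as of `today`.

    Both an explicit Terminated status and a termination date that has arrived
    count, so a future-dated leaver is cut off on the day without a manual step.
    """
    gone = set()
    for rec in feed:
        term = rec.get("termination_date")
        if rec["status"] == "Terminated" or (term and dt.date.fromisoformat(term) <= today):
            gone.add(rec["email"])
    return gone


def orphans(feed, accounts):
    """Application accounts with no HR record at all, per application.

    These are not revoked automatically (they may be service or partner
    accounts) but are reported, because an account nobody owns is exactly
    what a leaver process driven only by HR events will never touch.
    """
    known = {rec["email"] for rec in feed}
    report = {}
    for app, users in accounts.items():
        unknown = sorted(set(users) - known)
        if unknown:
            report[app] = unknown
    return report


def reconcile(feed, accounts, today):
    """Return {'revoke': {app: [emails]}, 'review': {app: [emails]}}."""
    gone = leavers(feed, today)
    revoke = {}
    for app, users in accounts.items():
        hits = sorted(u for u in users if u in gone)
        if hits:
            revoke[app] = hits
    return {"revoke": revoke, "review": orphans(feed, accounts)}


if __name__ == "__main__":
    print(reconcile(HR_FEED, APP_ACCOUNTS, SAMPLE_TODAY))
    print(reconcile(HR_FEED, APP_ACCOUNTS, SAMPLE_LATER))
```

Run daily, the `revoke` map is what gets pushed to each application; the `review` map is the list a security team should actually read, because those are the accounts the HR-driven process cannot see.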

If, as it presently appears, poorly architected, managed and implemented operational risk management controls were at the center of the Target hack, then systems like Identacor are worth a close review by any business looking to remove some of the human factor from these online interactions.

Ira Michael Blonder

© IMB Enterprises, Inc. & Ira Michael Blonder, 2014 All Rights Reserved
