Marc Benioff, Salesforce Identity, Good thing or Bad thing for IAM Security?
Ok, so how many accounts do you have? You know, for things like Facebook, LinkedIn, corporate IDs, loyalty programs (e.g., airlines, credit cards), banks, etc. How many different combinations of usernames and passwords is that? Do they all have the same rules for password combinations? Probably not.
Well, some good news for those suffering in the corporate/enterprise landscape. OK, well, only for Salesforce customers.
At Dreamforce 2012, the annual Salesforce conference, it was announced that Salesforce will launch a “New Salesforce Identity – a single, social, trusted identity in the cloud across all enterprise apps.”
A “Facebook-like identity for the enterprise,” Salesforce clearly recognizes that enterprise identities, especially in the cloud, are a pain to manage. Some of the key issues of managing multiple identities in a corporate environment include:
- The need to login to multiple apps/systems
- Managing multiple accounts, with different usernames and passwords, all with different rules/reset dates, etc.
- Orphaned accounts that aren’t used that often, or not at all. These can be a huge security risk!
So, what exactly is Salesforce offering? The new Salesforce ID includes:
- SSO (Single Sign On) — The ability to use one ID to seamlessly log in to multiple apps/services Social Identity — More connections into Chatter to help spread information
- Centralized Platform — Identity and Access Management “light,” or Centralized Identity and Access management, to control IDs from a single platform
While that may potentially help Salesforce customers — and help Salesforce embed themselves more into their accounts — there are still some open questions. How will Salesforce identities work with other clouds? How extensive will the centralized administration be? And how many partners will be a part of the Salesforce ecosystem? Time will tell.
One ID to manage – But Does that make you more Secure?
So, the dream is to have one trusted ID to rule them all. OK, but do we still want to have usernames and passwords being the main authenticator? Really? Because, that’s what I fear it will be for many.
This shines a huge spotlight on strong authentication. If your Salesforce ID becomes compromised, then all of your services utilizing that ID are at risk. Really! If true SSO is achieved, then an attacker, if they compromise your ID, will also inherit the ability to seamlessly log in to multiple apps/systems. Oh, joy! Thus, turning that huge benefit of SSO into a major security vulnerability. Pretty much, an Achilles heel.
Am I sounding the alarm bells? Well, no, but we do need to realize that there has been an increase in attacks on simple username and password login methods. Breaches today are commonplace. And with cloud services like LinkedIn, Dropbox and others having leaked usernames and passwords, how can we confidently TRUST them?
There has to be more weight behind them. We’ve got to step it up. It would be nice to know that all cloud app providers encrypt the usernames and passwords, but security should come in layers. Amongst the array of security measures they likely have, they should also layer in identity-based security by leveraging strong authentication (e.g., 2FA or second-factor authentication)
That being said, after the breach that Dropbox suffered, they are rolling out 2FA. It’s clearly apparent that one of the weakest links today are usernames and passwords.
But back to Salesforce Identity. Many organizations today have invested a lot of time, effort and resources into their current strong authentication solutions and will likely want to leverage them. Will they be able to leverage their investment to integrate with Salesforce? That will certainly increase the security beyond the Salesforce default authenticator today: the broken username and password.
Overall, I do think this is a move in the right direction for Salesforce customers. But, we need to keep in mind the security risks. SSO and single IDs are simple and great, but they must be properly protected in a user friendly, flexible and secure manner that can extend past today’s threats and help meet security and business needs down the road.