新行動化混合世界的存取控制
This post is adapted from Jay Kelley's posthere. 企業正跨入一個嶄新的世界。許多新的典範和「淘金熱潮」般的新機會出現在眼前,但同時也伴隨著新的挑戰,它們如同閃電般的貫穿企業組織。 今天乃至於未來的工作人口仍將繼續朝行動化發展。根據IDC調查,全球37%工作人口將在2015年底邁入行動化。這相當於全球有13億行動工作者,當然行動裝置數量將是這個數字的二或更多倍。再者,Orange Business Services報告指出,到了2018年,全球55%的商業IP流量將屬於行動商業網際網路流量。行動化時代已來臨,並且將繼續存在。 IDC預期亞太地區的攜帶自有裝置(bring your own device; BYOD)市場將繼續呈現強大成長。根據2014年調查,亞太區估計有1.55億支智慧型電話和超過400萬台平板電腦在使用中,而年成長率分別為40.4%和62.7%,形成支撐BYOD趨勢的基礎。而且,這項預測還沒包括新興的穿戴式裝置。 行動人口如火箭衝天般的加速成長,智慧型電話、平板電腦和穿戴式裝置大量湧現,這些現象使得雲端和軟體即服務(SaaS)應用數量呈現令人驚訝的成長速度。根據SkyHigh Networks最近的調查,今天的企業平均使用759種雲端服務。然而,最讓人困惑的並不是這些雲端應用與服務的數量。根據Cloud Security Alliance的一項調查,大多數企業IT團隊相信他們使用中的雲端應用少於50種。也就是說,平均超過700種雲端應用與服務在企業內使用 - 但除了使用者本身之外,沒有任何人可控制那些應用、服務、以及在其上分享的企業資訊。問題是,你無法捍衛那些你並不知道的東西! 最後,企業新典範的最後一片拼圖就是混合網路(hybrid network),亦即藉由一些代管私有、公共與雲端基礎設施,將資料中心與雲端應用和資料混合在一起。Gartner報告指出「儘管實際的混合雲端運算部署相當稀少,但將近四分之三的大型企業預期將在2015年擁有混合部署」。行動工作人口將帶動基礎設施改變,需要處理更分散化的裝置生態系統。而支援行動化的基礎設施則需要在雲端應用與服務方面投入更大的投資,以支援擴充中的裝置生態系統。因此,可以預見的是,混合網路將在可見的未來成為主流。 面對新典範的行動化、雲端與混合網路,企業如何解決網路、應用與資料存取問題?如此眾多行動化但僅受到公司有限度管控的新裝置,加上散佈在網路、各種雲端與SaaS環境的應用與資料,企業該如何確保快速、適當、驗證與授權的存取? 在這麼多變數當中,有一項常數仍維持不變:身分識別。使用者(和他們的身分識別)將成為今天與未來的企業「新疆界」。 傳統網路邊界已被破除、斷片化、甚至瓦解成許多小片段,身分識別因此變成新的邊界。應用、資料、甚至網路都快速朝雲端轉移,使用者控制的BYOD行動生態系統呈指數成長,這些無不使得企業管控變得更為困難、分散、並且必須仰賴他人維護 - 而很多情形下,這裡所指的「他人」正是那些對於安全性欠缺警覺或者不關心的使用者。然而,使用者身分識別永遠不會改變。透過認證、授權與計費(authentication, authorization, and accounting; AAA)機制,身分識別已成為現在確保企業存取安全的第一道防線。 不過,身分識別只是管控存取的先頭部隊。使用者請求存取的當下情境,以及他們提出存取請求時所處的環境,同樣都是確保安全存取的要素。若能夠適當的管控「何人」、「何事」、「何時」、「何地」、「為何」與「如何」,就可以確保、強化和區分使用者對網路、雲端、應用與資料的安全存取,而不論那些資源駐留在何處或如何組成。 確保有效率且安全的在網路、雲端、應用程式和資料之間分享使用者身分識別(不論他們身在何處),是現在的一項必要工作。然而,這有許多挑戰,例如身分識別孤島、雲端與SaaS應用和資料的企業內部(on-premise)身分識別、以及使用者密碼疲勞(導致較弱的使用者名稱與密碼)等都很容易被破解。解決之道就是要構築一個身分識別橋梁。聯合識別(federation)透過業界標準例如SAML,在網路、雲端、應用程式之間建立一個信任的鏈結,不再需要繁雜的身分識別目錄複製與插入。身分識別與存取由企業管控,並且在企業、雲端與SaaS服務供應商之間進行認證。企業能夠集中化的管控使用者認證與終止。聯合識別提供了存取能見度與管控能力。 利用身分識別進行存取控制以及識別橋梁的建立,是企業現在必須做的工作,因為應用程式轉移到企業領域之外,工作人口和他們的裝置日趨行動化並且群體離開企業,而企業領域本身也已移動。這就是新典範。
Access Control in the New Mobile, Hybrid World
There is a brave new world dawning for the corporate world. There are many “new norms” – and a gold rush of new opportunities, but also new challenges with which they come – streaking like lightning throughout organizations. The workforce of today and into the future is, and will continue to be mobile. Consider that according to analyst IDC, 37 percent of the worldwide workforce will be mobile by the end of 2015. That’s about 1.3 billion mobile workers, worldwide – not to mention there will be two or more times as many mobile devices as mobile workers! – by the end of this calendar year! Then, consider this: According to Orange Business Services, 55 percent of worldwide business IP traffic will be mobile business Internet traffic by 2018. Mobility is here, and it’s here to stay. (In the Asia Pacific region, IDC anticipates the bring your own device (BYOD) market will continue its robust growth. There were an estimated 155 million smartphones and over 4 million tablets in use supporting BYOD initiatives across the region last year (2014), with year-on-year growth of 40.4 percent and 62.7 percent, respectively. And, that’s not even considering the burgeoning area of wearable devices, either.) As the mobile workforce accelerates like a rocket into the stratosphere, cascading torrents of smartphones, tablets, and wearables across organizations in its wake, the number of cloud- and SaaS-based applications used within organizations is also skyrocketing at a breakneck pace. According to a recent study sponsored by SkyHigh Networks, there are on average 759 cloud services in use by today’s organizations. The most puzzling piece isn’t the magnitude of in use cloud apps and services. Instead, its that, according to a Cloud Security Alliance study, most organization IT teams believe they have fewer than 50 cloud-based apps in use. That means that over 700 cloud apps and services on average are in use within enterprises – but no one (but the user) has control over those apps and services, and any corporate information shared with them! The problem is, you cannot defend what you don’t know about! Finally, the last piece of the “new norm” puzzle for organizations is the hybrid network, an eclectic mix of data center and cloud-based apps and data, with a stew of hosted private, public and cloud infrastructures. According to analyst Gartner, “while actual hybrid cloud computing deployments are rare, nearly three-fourths of large enterprises expect to have hybrid deployments by 2015.” Consider that a mobile workforce will drive infrastructure changes, needed to address a more diverse device ecosystem. Then consider that infrastructure addressing mobility requires greater investment in cloud-based apps and services to support that expanding device ecosystem. So, as you can see, the future of the network fabric for the foreseeable future will be hybrid. So, with a “new norm” of mobility, cloud, and hybrid networks, how can organizations address network, application, and data accessibility? With so many new devices that are mobile and are under limited corporate control, and applications and data scattered about the network and in various clouds and SaaS deployments, how can an enterprise be assured of fast, appropriate, authenticated and authorized access? With so many variables, there is one constant that remains: Identity. The user – and their identity – is, arguably, the “new perimeter” for the enterprise, today and onward. As the traditional network perimeter has been broken, fragmented, and in many instances shattered into many pieces, identity has become the new perimeter. As applications, data, and even networks move faster toward the cloud, and the user-controlled, BYOD-driven mobile ecosystem expands exponentially, corporate control has become more difficult, dispersed, and dependent on others – and many times, that’s the security uninformed and apathetic user. User identity, though, never changes. And, backed by authentication, authorization, and accounting (AAA), identity is now the first line of defense for secure corporate access. But, identity is just the tip of the spear for controlling the new parameters of access. The context of a user’s access request, and their environment at the time of access request, follow identity; inarguably, they have as much to do with securing appropriate access as identity. The ability to address the 5 w’s and 1 h (who, what, when, where, why, and how) assures, enhances, and differentiates secure access to networks, clouds, applications and data – wherever they may reside and however they are comprised. Insuring user identity is efficiently, securely shared between networks, clouds, applications, and data – wherever they live – is now a necessity. Yet, there are challenges: Identity silos, on-premise identity with cloud- and SaaS-based apps and data, and user password fatigue leading to weak user names and passwords – which are easily compromised. That’s where building an identity bridge comes in. Federation builds a trusted chain of user identity between two entities – networks, clouds, applications, etc. – through industry standards, such as SAML. The cumbersome duplication and insertion of identity directories becomes unnecessary. Identity and access is controlled by an enterprise, with authentication occurring between the enterprise, and cloud and SaaS providers. Instant user authentication and its termination is centralized and under enterprise control. Identity federation delivers access visibility and control together. Leveraging identity for access control, and building identity bridges are now imperative for organizations, as applications move outside the enterprise domain, the workforce and their devices are more mobile and leave the enterprises in droves, and the enterprise domain, too, has moved. It’s the “new norm”.