The biggest challenge to IT security is marketing
by David Meyer - VP of Engineering at OneLogin - Monday, 13 January 2013.
Common marketing apps like Salesforce, SugarCRM, Dropbox, Marketo, WordPress, HootSuite, KnowledgeTree, UserVoice and Lithium already support SAML as standard. Putting formal rules in place around user log-in to accounts on those sites is fairly easy. Others like Twitter, Facebook and LinkedIn use forms of OAuth for controlling sign-on to applications. Access to these services can be automatically linked to the user’s identity within Active Directory; all access can then be put through a secure channel based on single sign-on (SSO).

For applications that don’t support the SAML standard, there are several options:
  • Start shouting at your vendors for SAML support as part of their development road-map – there are open source SAML toolkits out there, so implementing this should not be difficult for the tool provider. Getting this in place should also help them in the long run, as it aids the provider in other sales situations.
  • Explore other options – these include checking for WS-Federation, Kerberos or OAuth support. Building authentication support based on these standards instead could be suitable.
  • Help find another tool that is SAML-compliant – There are so many available to marketing professionals that it is often easy to find a replacement. As they are SaaS or cloud apps, there should not be much lock-in to those applications either from a technology perspective.
  • For apps that don’t support a standard like SAML you can use a password vaulting solution that encrypts the passwords and allows IT to manage them from a central location. There’s no reason why a social media manager should ever know the credentials for the company’s Twitter account. A side benefit is you can give many more employees access to things like Twitter in a very safe way.
While these options might seem like more work, it does give IT a chance to get involved in the decision-making process. Rather than running the continued risk of “shadow IT” implementations building up, getting involved in the process ensures that rules are at least being followed in future.

Once this situation has been looked at, there is then the question of ongoing management. After all, there is no value in solving the problem once only for things to then drift back to being unmanaged again in the future. The point here is whether marketing retains the management of the tools that its users require, or if this shifts back into IT’s domain again.

At this point, IT should be able to automate much of the management side too. By providing guidance on processes and collaboration as well as taking on the management responsibility around security, IT can help marketing be more productive. Use of SSO and identity management tools can help here, particularly as more applications move over to being hosted in the cloud.

Looking further into the future, the shift of applications and services over to the cloud will not stop. Marketing is a strong outlier as the teams here tend to take up new technologies and applications quickly; other functions within the business will also start their journey over to cloud apps too, if they have not done so already. Being able to keep pace with this move and help users across the business to keep secure should be a long-term goal for security professionals.

As a department, marketing wants to use the best tools open to them in order to carry out innovative campaigns and drive business. For IT, looking at standards and cloud identity management tools together can help marketing achieve its goals.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Tue, Feb 9th