Ping enlists Google to spin the steel thread of identity

Profile picture for user pwainewright By Phil Wainewright November 30, 2015
Summary:
Ping Identity is helping Google establish a rival to Microsoft Active Directory, anchoring security to what Ping's CEO calls the 'steel thread of identity'

andre durand
Andre Durand, Ping

Just as it's mainstream today to run email in the cloud, it will become the norm in the future for enterprises to run identity and access management in the cloud, using providers such as Microsoft or Google to authenticate their users. That's the firm belief of Ping Identity's CEO Andre Durand — and he has on-demand movie streaming service Netflix as a showcase customer to prove his point, with Google as an ally.

I met Durand earlier this month in London, on the final stop of a customer event that had toured New York and San Francisco last month. It's been a couple years since I last caught up with Durand. In that time, Ping has expanded its product range beyond federated access management into user management, provisioning and service orchestration. In the course of its tour, the company has launched an alliance of best-of-breed vendors to provide an integrated, 'identity-defined' security platform, and has become one of the first eight vendors to be named by Google as 'Recommended' for use with its Google Apps for Work cloud productivity suite.

This is all of a piece with Ping's longstanding mission to get enterprises to put identity at the center of their security gameplan, instead of relying on increasingly porous perimeter-based security models. Durand told his audience:

The concept of inside and outside is disappearing. Security management was very much focused on the secure 'green zone'. That has now shifted ...

Identity will be the steel thread that connects people to resources. We believe if we can control identity then we can control access.

The concept of the steel thread is borrowed from software design thinking, Durand told me, and it denotes a single element that runs through all of the components of an end-to-end system, and which should be designed in right from the start.

Google cloud directory

Google is already a convert to identity-defined security, with its own internal BeyondCorp initiative centering access on user credentials and devices rather than trusting the network. Now it is stepping into the directory services field to enable others to do likewise. Netflix is an early adopter, and was presenting at the Ping event to explain how it is using Google, mediated through Ping, as the central sign-on service for access to all its cloud applications, including corporate applications hosted on Amazon Web Services. As Durand told me:

What Netflix is doing is extremely new. Netflix was the first. They've pressed the needle on what does it mean to use Google's cloud directory and the Google login for corporate use. Those services haven't existed prior to this.

In this role, the Google infrastructure is fulfilling the exact same need that is more usually fulfilled by Microsoft's Active Directory, he added:

That's 3,500 employees that have no Active Directory. They've outsourced the infrastructure of the directory, essentially, and the authentication service, to Google. All the user management is done on the Google platform.

[Netflix] are still responsible for proofing the identities and the creation of the accounts. What they're not responsible for is the active authentication — Google's infrastructure manages the authentication event.

While Google and Netflix are far out in front of mainstream enterprise adoption patterns, Durand believes others will follow in their footsteps. The new Identity Defined Security Alliance brokered by the company is designed to offer a ready-made set of best-of-breed solutions that extend the 'steel thread' of identity into other aspects of security such as threat intelligence (represented by Threatmetrix), mobile device management (VMware's AirWatch unit) and cloud access security brokerage (Netskope). He told me:

What does the larger solution look like? How can we create a blueprint, instantiate a solution with multiple vendors, and just make it really easy to purchase? That's the goal.

It's the new stack, but it's all best-of-breed components. All the interfaces are standards-based. You don't need proprietary integration to make it all work.

Economies of scale

Increasingly complex security demands will likely accelerate adoption of cloud services, Durand told me. In an earlier presentation, Ping's CTO Patrick Harding had discussed the direction of identity and access management — a future in which machine intelligence will play an ever-larger role.

Authentication will become contextual, said Harding, which means the access management service will vary the level of authentication it asks for, depending on its risk assessment of factors such as the user's location, time of access and behavior. In due course, static policies will give way to adaptive authentication, in which the system will continue to evaluate context, behavior and threat levels and dynamically modify access or request additional authentication.

This increasing complexity will demand greater economies of scale, which will inevitably drive adoption of cloud-based services, Durand told me, just as happened in the past decade with email servers.

The infrastructure is getting more complicated, but the necessity for a seamless user experience at the same time is rising. That will be the driver for certain pieces of the infrastructure to be outsourced — because it's hard, it's expensive, and at some point, it becomes an economies-of-scale game.

For the really complicated stuff that has to be done really well, and that has to be done at scale, we're going to be able to consume bits and pieces of that infrastructure as a service.

Identity as a service

That provides an opportunity for Google to build on its presence in corporate email to become a directory services provider, in the same way that Microsoft was able to establish Active Directory on the back of its installed based of Exchange email servers.

It's very natural for the cloud email providers to offer very basic identity-as-a-service offerings on top of their email and collaboration offerings.

People licensed Exchange and were required to use Active Directory. The same thing holds true with Office 365 — Azure Active Directory is required. That coupling is really tight. Google will do the same thing.

It's our prediction that, for the simple use cases for most companies, we call it the SMB to mid-market, they will use Google or Microsoft for their basic identity services.

As a partner of both Google and Microsoft, Ping remains neutral in this battle. It will also work with larger enterprises that want to resist the trend in order to retain more control and independence, said Durand, citing Ping customer GE as an example.

GE very specifically is not going to center their identity on anyone else's cloud identity service. They're going to run all of their own identity and security infrastructure in a few highly secure data centers.

They don't want to get locked into any one cloud provider. They want a fully abstracted control layer, and then they can use anyone else's clouds or applications.

My take

I have a sense of déjà vu, in that the trajectory for identity-based security sounds remarkably similar to the adoption pattern of cloud computing. It starts out with just a few enterprises doing it, while the majority remain skeptical and stick with their old habits. Smaller companies are the first to follow the early adopters, while large enterprises start planning to build out their own private infrastructures.

Give it a few years, and the skepticism melts away as the convenience and economies of scale of the cloud-based iinfrastructure prove irresistible. Suddenly the new model becomes mainstream — with Google an unexpected challenger in an arena where Microsoft had previously been dominant.

[Updated:] An earlier version of this article omitted explicit mention of Ping's partnership with Microsoft.

Image credits: Steel cable © LaCozza - Fotolia.com; Andre Durand portrait by @pingidentity.