Retrofitting the Internet for identity

Phil Wainewright Profile picture for user pwainewright August 9, 2013
Andre Durand, founder of identity and access management vendor Ping Identity, describes a future when standards will eliminate the need to use passwords in the cloud

andre durand
Andre Durand, Ping

Andre Durand, founder and CEO of Ping Identity, is in the second decade of a multi-year mission to simplify identity management in the cloud era.

Back in 2002, not many of us were thinking about digital identity as the key to online online services. Durand was one of the few. He founded Ping with the aim of giving individuals and enterprises the tools to access resources online through a federated identity infrastructure — one that doesn't require a different ID and password for each separate application and site.

Rising adoption of cloud applications and now mobile devices has since raised the profile of access and identity management, allowing Ping to grow its customer base to more than 800 companies today. A $44 million funding round announced last month brings its total funding to $90 million and puts it on a firm path to an ultimate IPO.

"Our message hasn't changed at all. It's just the world is more receptive to it," Durand told me when we caught up by phone late last month. "The need to solve identity is just becoming apparent to more and more people ... the environment that makes identity critical becomes more obvious."

Bigger picture

Durand is still looking to the future, though. Despite more awareness of single sign-on and the SAML standard for exchanging access credentials, many people are still missing the bigger picture, he says:

"It's not just about employees going to the cloud and having too many passwords or having mobile phones and needing security outside the firewall.

"You also have scenarios where large businesses that are offering applications to their customers or partners do not want to manage the identities of those customers or partners. They want to enable single sign-on and offload the identity management they have to do today ...

"We have companies such as banks offering applications over the Internet to their customers. Their websites are becoming increasingly federated websites — sometimes what's on the website is coming from partners. It appears as though it's coming from Bank X or Company Y, but it's actually a big mashup of websites.

"They need infrastructure to support the aggregation of all of those websites to make sure it looks like one website."

Eliminating passwords

Eliminating multiple access and identity protocols will end the proliferation of user IDs and passwords that are causing user frustration, management headaches and security risks today.

"It's not password management: it's eliminate," he says, in what sounds like an allusion to business re-engineering guru Michael Hammer's clarion call, Don't Automate, Obliterate.

"We're playing a little bit of whack-a-mole with passwords. One of the tenets of good security that Ping stands by is that we need to eliminate passwords.

"Let's not forget what the real priority is in identity. That is to wire the world to talk standards so that we can eliminate the password altogether."

Standards that allow applications and services to securely exchange user credentials are the key to that future, but those standards still need to win adoption, says Durand:

"It'll take time but we are getting there. I think we'll define the [equivalent of the Internet's] TCP/IP stack for identity in the next 18 months.

"It's like renovating a house, it's a lot more work to renovate it than to start from scratch. We have to retrofit the Internet to speak the language of identity and that just takes a while.

"When we succeed at that, we're going to live in a different world, where identity is not siloed, where it's free to move and follow a transaction, no matter how many boundaries it passes — you don't have to enter a new password every time you hit a boundary."

Security '2.0'

It's up to enterprises and software developers to build those standards into their applications and services to make this vision a reality, he explains:

"The only way to scale any of our security use cases is by getting behind standards. There's no other way to do it, period.

"... Companies that want to engage the security '2.0' future — where boundaries still exist but are transparent, meaning we can move across boundaries without friction — have to implement these identity standards. There is no other path to that future.

"They have to write their applications to not embed identity into their application but leverage the existing identities that exist either in the enterprise or out in the cloud. They have to make calls out to an externalized identity infrastructure. Today they just embed it in their application."

Emerging standards

Durand described the standards that are emerging and the roles that they play.

  • Security Assertion Markup Language (SAML) is an established XML-based standard designed to underpin federated single sign-on. "SAML is really what's deployed today in the enterprise," says Durand.
  • OAuth came into use as a standard that allowed social media users to use their credentials for one site, such as Twitter, to log in to a third-party site without divulging their ID and password to the third party. "OAuth is foundational," says Durand. "It's increasingly important for APIs in mobile."
  • System for Cross-domain Identity Management (SCIM) is a new proposed standard that removes the need for each separate application joining an identity and access management infrastructure to have its own proprietary connector. "We have to solve that problem, SCIM is our best hope to do that," says Durand. "It solves a major pain — standardizing provisioning and deprovisioning to cloud applications."
  • OpenID Connect is a new web-based single sign-on protocol based on OAuth that adds some functions often found in SAML. Although it borrows the name of the consumer app world's OpenID standard for identity federation, it shares none of OpenID's original protocols. "OpenID Connect will play an important role," says Durand. "It holds the promise of connecting the consumer and business single sign-on use cases."

Universal infrastructure

Durand has always believed that converging the consumer and business identity worlds would be essential to completing the vision of a universal, federated identity infrastructure. "That vision hasn't changed nor my belief in its inevitability," he says.

Making it work is a matter of building confidence and trust in a shared, standards-based infrastructure for identity:

"The ecosystem of trust around these higher constructs of identity — they don't yet exist. But we're beginning to see small glimpses of what I described occur ...

"There are learning and educational issues to overcome with how the consumer behaves in these scenarios. And there are practical realities with bringing these things together."

Extend to the cloud

Meanwhile, Ping continues to work with enterprises to simplify identity and access management in their existing applications and web infrastructure. Durand explains:

"It's not like we live in an all-cloud world. Lots of business applications run in datacenters run by enterprises and they need to be as accessible as SaaS applications.

"What we've done for a decade is take the existing identity and access management systems and extend them to the cloud. Our customers want to leverage things that are working.

"Some companies don't have anything and they need a way to manage identities. The bigger, more established organizations have invested a lot of time and effort to build the procedures and mechanisms they have around identity and control. They now need a seamless way to do that without a lot of headaches ...

"Our whole value proposition is that we make that easy. We largely exist because we built a bridge between everything that has been deployed and everything that is now being deployed with the cloud or mobile. Ping offers a simple, elegant way to connect those."

Ping is not alone in offering such solutions but the company probably has the longest track record of all the startups vying for visibility and market share in the identity and access management field. It has made a valuable contribution in helping to shape and promote standards, which Durand evidently feels about passionately.

Growing enterprise interest in this type of solution certainly vindicates his long-held conviction that identity is the linchpin of productive, convenient access to cloud resources.

Photo credits: Door and clouds © sakura -; Andre Durand courtesy of Ping Identity.

A grey colored placeholder image