Could IDaaS be the olive branch between security professionals and developers?
Developers and IT security have not always seen eye to eye. Actually, they rarely see each other at all. There seems to be all too little interaction between the two disciplines, and when they do interact there can be conflict.
While developers are often concerned with building skyscrapers on tight deadlines, security professionals can seem like the Health & Safety department, holding them back.
It’s not hard to imagine the reasons they might seem distant. Developers have a reputation for writing insecure code and behaving in an insecure way. When apps are released without security oversight, it can cause a lot of headaches for IT security. Moreover, developers can often wield powerful permissions in a network, making them good targets for cyber-criminals.
Security for them is often not high on their list of priorities, especially with the ever diminishing product life cycles and deadlines that they have to deliver to.
IT security on the other hand, has a reputation of being the ‘Department of No’. They point out big problems in otherwise great inventions and the architectural flaws they spot get developers in trouble. Moreover, their interventions often have the unfortunate side effect of slowing down the development process.
Suddenly, a complete piece of work becomes something that’s full of gaping holes, all of which need to be fixed before release. In a time when the pressure is always mounting on businesses to develop new products and meet ever tighter deadlines, security is too often seen as a barrier.
It is also, in part, the product of a different mindset. Development as a discipline is simply not directly concerned with well, security and vice versa. Some might even say that for a developer to take too much interest in security would undercut their critical function, in the same way a security professional too focused on an app launching on time might seem distracted from their job.
It’s an imperfect situation that can leave one party looking like irresponsible children, and the other looking like overbearing parents.
The numbers bear out the alienation between the two disciplines. A ThreatStack survey from last year revealed that 44% of developers cannot code securely. Respondents said that in their organisations, IT security could only be found on 18% of development teams.
In the majority of cases (38%), security staff are on an entirely different team and are called on when needed; which requires development teams to know that security is needed in the first place.
In fact, that separation runs so deep that, in 60% of organisations security is not being brought into the development process.
Perhaps most illustrative of the current pressures on the modern day enterprise and their developers and security staff, is that 68% say their CEOs demand that DevOps and security teams not slow the business down.
Recent developments have eased that relationship considerably. Certain schemes have aimed to plant developers in their counterparts’ shoes by teaching them how to hack. Projects like the Open Web Application Security Project (OWASP), have served as an indispensable resource to developers looking to write secure code.
Some have proposed installing ‘security champions’ on teams of developers to directly help write safer code, others have proposed building automation tools to help secure the development process.
The pressure on both disciplines is rising. Not only has security risen to new levels of importance in recent years, but the speed of technological development has placed new demands on development teams.
The mass migration to the cloud, for example, is driving a whole range of cloud-first digital business initiatives which not only require the skills of developers to build, but the watchful eyes of security professionals to keep them secure.
At the intersection of app developers’ goals of great user experiences and security teams’ goals of security, lies identity and access management (IAM). This encompasses the way that users register and gain access to developers’ applications.
As the front door to meaningful interactions within developers’ apps, it has a huge effect on the first impression those apps make with their users. For the same reason, if done wrong, it can be a weak point that exposes customer data to bad actors.
Just as developers are not security experts, they also aren’t identity experts. IAM has decades of best practices built into it, the nuances of which aren’t usually explored by developers.
When developers have goals of getting login, registration, multi-factor authentication (MFA), and self-service profile management into their app quickly, legacy IAM solutions managed by their IT department can slow their progress.
Identity as a Service (IDaaS)
Identity as a Service (IDaaS) might offer a way of easing that pressure. IDaaS refers to cloud-based authentication and identity management that is delivered through a third party. IDaaS makes it easy for developers to build identity services into their apps quickly and ensure the safe handling of that customer data.
Functions like login, profile management, multi-factor authentication and more can all be outsourced to a more trusted partner and embedded into applications with APIs. Not only can developers be confident in the security of their apps, but app users can be confident in the secure handling of their data.
But IDaaS does more than ease the job of developers. It promises to bridge the gap between development teams, and their security counterparts. IDaaS solutions built for large enterprises can not only be easy for developers to use, but also ensure that integrations, security, scalability, and other aspects that IT cares about are covered.
IT and security teams can take an active role by suggesting IDaaS solutions to their development teams that meet these requirements, so those dev teams don’t go out and find their own, less secure solutions.
The mere fact of not needing an on-premise solution provides further benefits. No longer do businesses need identity dedicated infrastructure on site, but can host identity services in the cloud. In fact, enterprises need very little dedicated equipment to enable IDaaS in their environments.
Security personnel, too, are freed up to deal with the more pressing issues of your business, as opposed to carefully watching over and checking the work of developers or operations personnel. The same goes for maintenance and upgrades, which again are all dealt with through the provider, outsourcing these functions to experts as opposed to weighing down an already heavily burdened organisation.
Security teams can be confident in the fact that dev teams have an easy-to-use solution that can meet the high security, scalability and future integration demands of IT.
A New Forrester report recently laid out the benefits noting that it largely takes that burden out of enterprises’ hands. Because it relieves an enterprise of the need to install on site, not only does it offer a much faster deployment model but a 60 to 80 percent reduction in costs.
IDaaS can prove a fast, approachable solution for those developers that want to focus on their job and not worry about concerns like security or integration. Many are now choosing IDaaS to give them a centralised control over that whole patchwork quilt of cloud applications as well as to bridge their on premise infrastructure and the cloud.
Finally, because an IDaaS provider builds for its customers, it can draw upon a greater breadth of experience. That stems from having a stable of specialised security talent to deal with the identity based woes of an organisation.
But it also means that an IDaaS provider handles this issue for numerous different organisations, endowing them with continuous experience on the real world issues that a whole variety of organisations face in this area.
Ultimately, IDaaS should do what any good identity governance structure should do: manage access securely and provide it in a frictionless manner to those that need it, when they need it. IDaaS can provide that for enterprises which need secure cloud-based Identity Access Management (IAM) as well as developers looking to embed security services within their applications.
The pressure is mounting on developers to create secure revenue-generating apps to ever-tighter deadlines. Those deadlines don’t often leave a lot of time to think about security and integration.
IDaaS offers a way of bridging that wide gap between developers and IT security, using the critical capabilities of an IT security team and embedding them to directly into the development process.
People are realising the promise of IDaaS too – Gartner predicts that by 2022, IDaaS will make up more than 80 percent of new access management purchases around the world. The best security stance offers a frictionless user experience and enables people to do their job, all the while protecting them from the real risks of this age of innovation.
Dustin Maxey, director of product, Ping Identity