Review: Ping Identity brings identity management to cybersecurity defenses

Enterprise networks have grown too complex to manage every user credential through something like Active Directory alone, and letting each app handle its own logins creates silos that can become a security nightmare. Ping Identity offers an alternative to both approaches.


For many organizations, even those with advanced cybersecurity maturity, identity management has always been a bit of an afterthought. Logging into the network is normally handled by Active Directory, while each individual application, whether a commercial one like Salesforce or an internal company app, carries its own login information.

The problem with letting every program or application handle its own login information is that it creates a series of siloed systems. On a large enterprise network, that can mean hundreds or thousands of separate, unmanaged silos for granting access to various resources, and each one is a place where password policy, account lifecycle and logging may differ. This gives clever or persistent attackers a huge attack surface to probe quietly.

One approach offered in identity management is to create a data vault that stores credentials, and then have every program check with the vault to verify users. That kind of solution works, but it is very difficult to scale because of the volume of data pushes and updates that must occur. The vault is also a large vulnerability in itself: it holds the literal keys to every lock in the kingdom, should it ever be compromised.

Ping Identity is different. The heart of the solution, although it is not required in order to run any of the other components, is PingFederate. Unlike data vaults that store credentials, PingFederate acts as a manager and a bridge: it lets administrators tightly control which credentials are required to access each resource, and it links the organization's existing identity stores with the programs and apps that users require.

[Image: PingFederate layer policy screenshot. Credit: John Breeden II/IDG]

PingFederate can easily bridge the gap between applications and the authentication methods used to identify users without storing any credential information itself.

The idea is that all applications, both common commercial ones and unique programs developed in-house, use PingFederate to verify users. Blocking any other form of access, such as a user trying to bypass Ping and log in to an application directly, can be accomplished in one of two ways. First, firewall and other traffic rules can be created to reject access requests that did not pass through Ping. Alternatively, Ping can deploy agents that sit in front of applications and force every access request to go through PingFederate. The Ping software works with either configuration, so companies can choose whichever is easier to configure and manage.
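To make the bridge-and-gate arrangement concrete, here is an added Python sketch; it is not Ping's code and does not come from the article. A "federation server" checks users against an identity store that the applications never see, applies a per-resource policy (the payroll app requires MFA, the wiki only a password), and issues a short-lived assertion signed for one specific application. The application accepts only such assertions and refuses direct username/password logins, which is the agent-style enforcement described above. The user store, resource policies, key names and the HMAC signing are assumptions made for the example; a real federation server signs assertions with asymmetric keys so that relying applications can verify but not forge them.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed identity store consulted only by the federation server (hypothetical
# data). Unsalted SHA-256 is a simplification; a real store uses a salted, slow hash.
USER_STORE = {
    "alice": {"password_sha256": hashlib.sha256(b"correct horse").hexdigest(), "mfa_enrolled": True},
    "bob":   {"password_sha256": hashlib.sha256(b"hunter2").hexdigest(),       "mfa_enrolled": False},
}

# Policy layer: the authentication strength each resource requires (assumed values).
RESOURCE_POLICY = {"wiki": "password", "payroll": "password+mfa"}

# One signing key per relying application, shared only with that application.
# HMAC stands in for the asymmetric signatures a real federation server would use.
APP_KEYS = {"wiki": b"wiki-key-0123456789", "payroll": b"payroll-key-9876543210"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_assertion(username, password, mfa_ok, audience, now=None, ttl=300):
    """Federation server: verify the user against the store, apply the resource
    policy, and return an assertion signed for `audience`, or None on refusal."""
    now = int(time.time()) if now is None else now
    user = USER_STORE.get(username)
    if user is None:
        return None
    given = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(given, user["password_sha256"]):
        return None
    required = RESOURCE_POLICY.get(audience)
    if required is None:
        return None
    if required == "password+mfa" and not (user["mfa_enrolled"] and mfa_ok):
        return None
    claims = {"sub": username, "aud": audience, "iat": now, "exp": now + ttl, "amr": required}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(APP_KEYS[audience], body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def verify_assertion(assertion, audience, now=None):
    """Relying application: accept only an assertion signed for *this* audience
    that has not expired. Returns the subject, or None. No credentials are stored here."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = assertion.split(".")
        sig_bytes = _unb64(sig)
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(APP_KEYS[audience], body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return None
    claims = json.loads(_unb64(body))
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims["sub"]


def access(resource, assertion=None, username=None, password=None, now=None):
    """Application entry point. A direct username/password login is refused; the
    only accepted proof of identity is a valid assertion from the federation server."""
    if username is not None or password is not None:
        return "refused: direct login disabled, authenticate via the federation server"
    sub = verify_assertion(assertion, resource, now=now)
    return f"granted: {sub} -> {resource}" if sub else "refused: invalid assertion"
```

The two checks worth noticing are the audience binding and the expiry: an assertion minted for the payroll app is rejected by the wiki even though the same user and federation server produced it, and a stale assertion is rejected regardless of who signed it.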
