The cloud is a big part of Symantec’s business model, as the company provides many of its core capabilities (message filtering, data loss prevention, backup, recovery and encryption) as cloud-based services. Now the company is counting on the cloud to drive innovation in authentication and identity management.
Since it acquired VeriSign’s security business, Symantec has offered a hosted authentication service that verifies users’ identities before giving them access to computer systems. Customers also use this technology in soft tokens based on user smartphones as part of a two-factor authentication mechanism.
However, there’s an “opportunity for further innovation,” Enrique Salem, the CEO of Symantec, told eWEEK. “How do we have the big breakthrough in authentication?” he asked. Ideally, he said, the Symantec employee logging on to Salesforce.com should be able to use the same password as the one used to log on to the corporate network.
That is the vision behind Symantec O3, the cloud security service Salem unveiled earlier this year at the RSA Conference. It’s expected to launch officially in 2012. Symantec rolled out the early access program for select customers at its Vision conference in Barcelona, Spain, on Oct. 4.
Intended for public, private and hybrid cloud infrastructures, Symantec O3 creates a single “control point” for all the enterprise’s cloud applications and systems, employing the same identity and information security profile for each employee across each system. Essentially, O3 collects credentials for all cloud applications in one place and provides employees with a Web-based universal log-in service.
Identity needs to be federated out to the cloud, according to Salem. Symantec is basing its new platform, which will be available both on-premises and on-demand, on the VeriSign authentication technology.
The O3 service, which combines access control, information protection and compliance control, sits on top of multiple cloud offerings and allows administrators to apply internal security policies to external clouds. Symantec said it expects to support the top 200 cloud applications in O3 at launch, including Microsoft Active Directory, Google Docs, Concur and Salesforce.com.
Salem said he’s a “big believer in single or reduced sign-on,” in which there is “as close to one password as possible” for corporate assets. However, he doesn’t think one blanket password policy should be applied to all Websites, and noted that it is not as critical for employees to change passwords on a site like United.com every 90 days.
Looking to the Future
The impetus for O3 came a few years ago, as Symantec looked at the future of technology. Management saw emerging trends such as mobility, cloud, virtualization and the consumerization of IT having an impact on customers, Ken Schneider, Symantec’s vice president of technology strategy, told eWEEK.
Employees are increasingly more mobile, accessing corporate data while outside the office, he said, adding that many are using their own personal devices to access that information.
Though the volume of data stored in clouds continues to increase, recent studies have shown that while embracing the lower costs and increased efficiency gained by moving to the cloud, organizations are still hesitant to shift critical applications there for fear of losing tight control over their data. The O3 service is designed to alleviate enterprise concerns about the amount of data being stored on cloud infrastructures beyond IT’s control, according to Schneider.
“We will give users access to all different clouds based on that credential,” he added.
Instead of forcing organizations to create new identity information for employees, O3’s policy engine integrates with the existing system, whether that’s passwords alone or stronger mechanisms such as two-factor authentication tokens. The cloud access control layer enables companies to link that identity information against all the cloud services and authorized devices.
IT administrators are no longer just infrastructure managers, according to Schneider, but information managers who need to ask, “Does this person have the right to access this kind of information at this time?” He added that they also must track information as it moves around.
O3 lets an employee use whatever device he or she wants to use to get the job done. Therefore, Schneider noted, if the work phone fails, the employee can use the personal phone.
In addition, administrators will have better control over employee access rights, Schneider said. By turning off the Active Directory record for an employee who has left the company, an administrator automatically terminates that person’s access to all applications and infrastructure. Disgruntled former employees can’t log back in to sabotage corporate assets or steal proprietary data.
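The access control layer described above, as an added illustration (constructed example with hypothetical names, not Symantec’s O3 code): every cloud application defers to one identity record plus a device allowlist and a per-app policy, so disabling that single record revokes access to every application at once.

```python
"""Minimal model of a single cloud access control point.

Constructed illustration, not Symantec's code: apps defer to one identity
record, so disabling it (like disabling an AD account) cuts off every app.
"""
from dataclasses import dataclass, field


@dataclass
class IdentityRecord:
    """One directory entry for an employee (e.g. an Active Directory account)."""
    user: str
    enabled: bool = True
    strong_auth: bool = False             # True if a two-factor token was presented
    authorized_devices: set = field(default_factory=set)

class AccessBroker:
    """The control point: apps never hold their own copies of the credentials."""

    def __init__(self, directory: dict, app_policies: dict):
        self.directory = directory          # user name -> IdentityRecord
        self.app_policies = app_policies    # app name -> {"require_2fa": bool}

    def decide(self, user: str, device: str, app: str) -> tuple:
        """Return (allowed, reason) for one access request; checks are ordered by cost."""
        rec = self.directory.get(user)
        if rec is None or not rec.enabled:
            return False, "identity disabled or unknown"
        if device not in rec.authorized_devices:
            return False, "device not authorized"
        policy = self.app_policies.get(app)
        if policy is None:
            return False, "application not onboarded"
        if policy["require_2fa"] and not rec.strong_auth:
            return False, "strong authentication required"
        return True, "granted"

    def disable_user(self, user: str) -> list:
        """Offboarding: flip one flag, then list the apps the user can no longer reach."""
        self.directory[user].enabled = False
        device = next(iter(self.directory[user].authorized_devices), "")
        return sorted(app for app in self.app_policies
                      if not self.decide(user, device, app)[0])

# Constructed sample data: one employee with two authorized phones, two onboarded apps.
DIRECTORY = {"alice": IdentityRecord("alice", strong_auth=True,
             authorized_devices={"alice-work-phone", "alice-personal-phone"})}
APP_POLICIES = {"salesforce": {"require_2fa": True},
                "google-docs": {"require_2fa": False}}
```

With the sample data, `AccessBroker(DIRECTORY, APP_POLICIES).decide("alice", "alice-personal-phone", "salesforce")` is granted (the personal phone is on the allowlist), and a single `disable_user("alice")` call leaves both applications denied.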
Information Security Layer
The information security layer in O3 will draw on Symantec’s comprehensive data-loss prevention (DLP) and Pretty Good Privacy (PGP) encryption portfolio to protect the data, but it will not be available at the product launch, Schneider said.
The DLP component handles user and device authentication before granting access to the cloud. It also checks on what information is being sent out. If a piece of data is subject to Payment Card Industry Data Security Standard (PCI DSS) requirements, that information is protected accordingly before being sent out.
All confidential information leaving the organization is encrypted before being stored in the cloud, offering businesses an extra layer of security while using cloud applications. Because O3 manages the user’s identity, employees cannot sidestep the security controls by logging in from an unauthorized device (such as a home computer or a mobile device): the data remains encrypted.
O3 also offers monitoring capabilities: it alerts administrators and the appropriate business stakeholders to any significant security events and provides a full picture of what is going on across all cloud services. Organizations also can see how internal policies, such as password length and how information is stored, are being enforced. The system then generates documentation proving regulatory compliance.
“In time, there will be more and more features and functions exposed to the cloud so that you can have exactly the same visibility and control that you have today,” Schneider said.