KuppingerCole Webinar recording
Good morning. Again, this is Al. Welcome to our KuppingerCole webinar, Thriving in Change. Today I'll be joined by Travis Spencer of Ping Identity, but before we start, just a few organizational facts. If you have a question, please use the GoToWebinar tool set. There is, in the lower part of your bar, a section called Questions. You can post questions there during our presentation, and Travis and I are going to answer those at the end of our joint presentation. So just a few words of introduction. My name is Sebastian.
I'm a senior analyst at KuppingerCole, and today I'll be joined by Travis Spencer of Ping Identity. He is a senior technical architect there. We will be diving into the changes that the new cloud models will bring to IT. And I will be giving some introductions on the facts and figures. And after that, Travis Spencer will show you how to actually use that change and thrive in that change. So we will just start off with some public service announcements. I just wanted to give that German slide here. Few of ion here, SGO in NOK I'm and workshop somet in cloud computing patent tot via.
We will also have an event on security and data protection in the cloud on the event, cloud computing here, and that Schutze zip in a in Frankwood. And finally our European Identity and Cloud Conference 2012, April 17th to 20th in Munich. Be aware, this is two weeks earlier than we usually have that conference. We have a large trade fair in Munich coming up during the normal time of EIC. So please take note that we will be earlier in April next year. So on to the webinar itself. You are now all muted centrally. So if you have questions, you are not able to unmute yourself.
So only we control that feature. We will record this webinar and we'll probably podcast it anytime tomorrow. There will be a Q&A session at the end. So use the question section in your GoToWebinar tool set and write down any questions you may have. So the first part of our presentation will be by me. I'll give you an introduction to the delivery models in IT that have been there, that are established, and that are now challenged by new cloud technologies. I'll be explaining how to reach out to the cloud and finally how the embracing of a cloud could actually happen.
And that will be the point where I hand over to Travis, who will shortly explain his part right now. Welcome, Travis Spencer.
Thank you, Sebastian. So Travis will be presenting on the minimization of costs and staying secure during use of cloud technologies. He will give a reference architecture, which will allow you a short time to value, and also how to manage and decrease the complexity of cloud environments. And as I said, at the end, we will have a question and answer session where we will answer all your questions that arise during our presentation. So let's jump right into the action.
What we have seen during our consulting mandates is that the service delivery and information security are the two things that the business really wants. They just want the service they need to do their job, AKA their SAP or their Salesforce. And hopefully they want to keep their corporate information protected adequately. And the "adequately" is something that is really, really important here, because we don't want to overdo security, because when it gets in the way of doing business, people tend to find ways around those security obstacles.
What I find to be a very, very interesting thing is how IT technology and delivery have changed over the years. So from the 1960s on, we had mainly in-house centralized mainframe as the delivery technology. It was accompanied by mid house, the mid-size technology in D it, which was also mainly in-house. We then had the client-server architectures. They have been in-house for a long time, and now tend to be outsourced to service providers that are maintaining your infrastructure.
We moved to client-server web applications, and there we have a split that goes toward being outsourced or hosted somewhere else. And for some years already, we had those application service providers in the map web that provided managed service all the way. So you had nothing to do with the infrastructure itself. And that somehow evolved into as-a-service delivery models.
Like we see them today, that could be software, that could be platform, infrastructure, and the like. So if you compare how delivering IT to the business has been and how it has changed, we definitely see that this has been a core function of the internal IT for decades. As we just saw on the previous slides, it has seen many changes in the way it was deployed and the way it was delivered. We had waves of outsourcing, out-tasking and managed services for different applications, but what all those models had in common is that they have been mostly reactive to fulfill the business needs.
And this reaction was usually very slow in response. It required lots of planning. It had to fit into the architecture of your internal IT, and IT was reluctant to deploy just another application because it wasn't running on their beloved Sun or Oracle systems, because they used Microsoft and MS SQL databases.
So it was always a bit of a fight between the business guys and the IT guys, if it was really necessary to deploy that new app for the business. Today, things change a bit and the business quenches their thirst for new delivery models, for new applications, for new services directly. So what they do is actually abusing the infrastructure that is provided by IT internally to access cloud services.
And the IT department does not even see that their company is actually an early, quick cloud adopter, because the provisioning of these cloud services, the procurement of these cloud services, is not funneled through IT. It is a direct connection between the business units and the cloud service provider. So there is definitely a little bit of a problem here, and with kind permission by my friend, professor F faba, I stole that slide here, which will help us to analyze how the cloud delivery models and the traditional delivery models of IT have changed.
You see here on the right-hand side, in the dark gray shiny sections, there is a distinction between the lower layers, which say one to one, and the upper layers, which say one to many. This multi-tenancy of cloud services is the main distinction in that slide here in the pink areas. On the left-hand side here, you see that the delivery models also change between the data center of the customer or the data center of the service provider. And it is also, in two models, split here between one data center of the provider and multi data center distributed around the globe.
So the infrastructure becomes more shared if you move up all those levels, and you see that the layers that are being consumed definitely are getting thinner and thinner. So if you compare that, the upper models here that we moved into the cloud, software as a service, platform as a service, infrastructure as a service, they all have a decent cut between the traditional models of hosting, managed services, monitoring and support services that have traditionally been consumed.
So you see here that the applications are shared between multiple customers and they are also being provided through multiple data centers that are distributed around the globe. That is actually what we see as the deployment of cloud computing structures. The problem here is that if you compare these layers here, you have a decrease in control and knowledge of what is happening.
If you move up the layers, you have an increase of possible attack vectors and threats. If you move up those layers, it is very, very important that you prepare your organization to lose that control and be aware that they are going to lose a little bit of knowledge of what is actually being used inside the corporation, and that they will be made aware that there are more attack vectors and threats to the applications and data they use if they move to the cloud. And this is what we're going to discuss in the next few slides. So the cloud, is it just another delivery model?
Well, taking into account what we just saw on the previous two slides, you may say yes at first sight, but the main difference is that there is system-level multi-tenancy. So you actually share all that's been provided by your cloud service provider with other people using the same service. There's also the fuzziness of the location of your data.
And that will definitely bring you some legal issues, because data that you are totally allowed and required to gather regarding your customers here in the European Union, you may not be allowed to gather if you go to Latin America or to, let's say, Southeast Asia. Also, if you may be able and allowed to gather data in Southeast Asia, you may not be allowed to share that data globally and move it outside the country. So there are definitely some legal issues that we need to take care of. On-demand scalability is what most of the cloud providers are promising us.
And this is very, very important because this is the main objective in most cases where you deploy cloud services. You do not need to procure lots of IT power, computing power, to keep inside your data center, which will only be used twice a month if you have a payroll run. So this can be outsourced and somebody else will provide this IT CPU power to you when you need it. And it's not idling away 90% of the time.
One thing I already mentioned is the direct service to the business units and the IT department not being aware that new IT services are being procured, that there are no requirements put out to the IT department and the negotiations are going on between the business units and the cloud service providers. So it's hard for IT to come up with an IT strategy for the organization if IT services are procured around them and not through them. Another nice fact is that the internal resources are used to consume those cloud services, but being produced outside. So this is a little strange.
If you think about it, if you decrease the infrastructure and IT hardware budgets that you are allowed to spend in your IT department, your hardware gets older and older. And if you want to use all those flashy, nice web services and cloud services that require you to have all those AJAX components installed, you probably end up having a, you are sorry. You can use our service because you're using Internet Explorer six, which is mainly the case in large organizations, because they have internal applications that are too old to run on newer versions of Internet Explorer.
So that might be another problem here, too. The absence of IT demand definition, making it known that you want a new service and that you want a new application, and the absence of IT integration, making IT integrate what you are going to use, definitely gives us a little bit of a headache here, because we are talking about identities inside your organization all the time, and getting those identities that will be inside your cloud services that you are going to procure managed from internally, that is definitely a big problem.
And we need to take care that those accounts and those access rights are going to be managed internally. And this is something we will dig into later on. So why bother with the cloud anyway? Well, there is still the promise of the very, very low total cost of ownership for almost all types of cloud services. There is little to no setup cost at all. So you'll just go to the internet, to the site of the new provider that you fancy. You'll just enroll, and probably you'll just use your corporate credit card to do so. So there's no contract, there's no billing.
You just enroll and click yes to some EULA that's going to be presented to you. And there you are, you're enrolled with your email address, put up a password and you are good to go. This is definitely a plus if you want to have a service. Regarding contract management, it might be a little nightmare. So the usage of that service is something that is definitely a plus, because you only pay for what you actually consume or use.
Well, at least most, if not all, of the services provide you that model of payment for the services. The big fun fact of using cloud services is that there are usually no updates and downtimes. If you use a service and it needs some updating, well, the next time you connect to the service, you will just be connected to one of those instances that has already been patched. You usually don't see anything changed. And the servers that are currently being updated are just not inside the cloud that is actually serving or providing the services to you. So there's no updates.
And downtimes is definitely a very big plus for all the cloud services. And last but not least, it reduces the processing power overhead that you usually have in your data centers. I explained that a little bit earlier already. So what are the benefits?
Well, it's often a plug-and-play approach. You don't need to prepare, you don't need to plan. You don't need to go to your IT service department and try to explain to those IT guys what you and the business actually want, and how you want to have that look like, and how the UI is going to look like and stuff. You just hook up to the internet, do a test drive of one of those services. And if you like it, you just enroll and use it. This ease of use is something that lures employees into using those services.
Especially if those services can not only be used on your laptop, on your desktop machine, but provide a special mobile user interface also. And you all know that those sales guys and those business guys out there are the first to adopt the new iPhones and new Android phones and their brand new shiny RIM BlackBerrys that are being put out there. As I already explained, there is no IT budget request to enroll in most of those services. Sometimes it's absolutely okay to have that as a personal credit card expenditure and have that reimbursed by your boss directly.
So this is really convenient and saves you a lot of headache. Well, at first sight. So there must be a benefit. If you are unsure, well, you could always brag about using the cloud in the pub. You say, it's so cool to use a cloud. And that is, if it makes you giggle, definitely something that people say, well, yes, I'm up to date. I have that new iPad. I use cloud services.
It's definitely something that makes people go use cloud services. But seriously, what do we have to consider if we are going to the cloud? If you are going out there and trying to prepare your internal IT, your whole organization, to use cloud services, planning and preparation are absolute key. That has been the case for internal IT deployments, and it must be the case for cloud deployments. What are your internal goals? What do you expect as benefits if you move to the cloud? Is there a defined benefit?
If not, well, you should probably think about doing it internally. What are the business requirements? What are compliance laws, regulations that you have to take into account when you move to the cloud? If you had a one-to-one outsourcing agreement with one of those large providers, then it was pretty much sure you had a contract running and it said, well, we are here in the European Union. We want you to use a data center in the European Union. You usually can make your cloud service provider use only European or German or Swiss data centers.
If you move to the cloud, it usually says, oh yeah, well, I can actually tell you where your data is. It's somewhere in one of my data centers, but where it is, I don't really know.
Again, there are many, many providers of cloud services already, and some of them compete directly. Do you have a selection process defined? The risks identified? Make risk management and security management part of your selection process for those cloud services. And if you do so, the best way to confirm that everything is in order is to ask tricky questions. How do you do identity management? Am I the one who creates accounts for my employees, or are you doing that? How do I manage who accesses what data if they use your cloud services? How can I manage sales access rights?
And how can I make sure that somebody who takes care of customer a is not able to take a look at customer B? How can I make sure that a supervisor has only the supervisory rights to monitor what their employees do and not what the neighboring department does?
And the "where" question is something that should come up here again. Identify the legal issues and make sure that you are aware of the differences in jurisdiction of the geographic locations where the data centers of your cloud service providers are. There's one big thing going on around the discussions of certain US-based companies that act as cloud service providers. They had established European data centers. So they split up the cloud into a European and an American-based cloud data center.
But the problem was that certain agencies in Northern America could make them take a look at the data that is located in European data centers, due to the fact of homeland security and stuff like that. So make sure that you choose wisely what you do and ask those questions internally. It's absolutely necessary that you ready your own organization to use cloud services, to procure cloud services.
So you should run by your procurement guys and explain to them what the difference is between procuring a cloud service and a normal outsourcing agreement that they are used to, or that they have been setting up for years and years. Create specific service contracts and security requirements for the cloud. Those need to be adapted, and those need to be tweaked to meet those issues that the cloud services might provide.
If you forgot to ask those tricky questions and also you have to prepare your policies and audit guidelines, and it's absolutely important that you talk to your auditors before going into the cloud and make sure that you are on the same page with those guys regarding how to audit what you are doing in the cloud, and how to make sure that your auditors are allowed to go to the cloud service provider and audit their technology, audit their processes and conduct an audit regularly. It's absolutely important.
And only that way you can make sure that your cloud service provider is feeling that you are really, really concerned about security and that you want to make sure everything is in order. The last point here is: ready your infrastructure. It's absolutely necessary that you talk to your identity management guys, your security guys, and make sure that you find ways how to provision users to those new services, how to manage those services.
And especially if you are able to manage access and usage of those services centrally from resources that you have available in your internal IT departments. Lots of identity management companies that dealt with internal identity management now provide updates or enhancements or extensions to their internal products that enable them to deal with cloud services already. If that is not the case, you need to make sure that your internal IT guys are equipped with the right tools and that they are educated how to use those tools or choose the right tools for the stuff that they need.
So we made sure that we can reach out to the cloud. What do we need to embrace the cloud?
Actually, the cloud has become part of your IT. Face it. You may not be aware that your organization is using cloud services, but in some tiny business unit, somebody may already have procured a service and uses that service, maybe even for a longer period in time. And you have not seen it because it's running on the credit card of one of your employees.
The cloud definitely provides lots of new potential and options for your internal IT department, but you have to make sure that your internal IT department is prepared, part of the selection process and part of the management process for those cloud services. The cloud definitely accelerates the adoption of new technology, be it use of mobile devices, be it device independency, or those bring-your-own-device technologies. If you move from a traditional delivery method of IT technology, then you could definitely use cloud services easier.
And the only thing that you need to take care of here is that your security policies and guidelines are up to date and that they actually fit those new requirements. And that's definitely something that holds true for contracts and legal. As I just said, move by your IT department, move by your procurement department, consult with your legal advisors, take a look at your contracts, make sure that those standard agreements that you usually have with your outsourcing providers are brushed up, that they are reflecting the special needs that you have if you want to go into the cloud.
And if you want to procure those services, if you want to use the cloud, the only thing that you really need to care about is who accesses the data in the cloud. And how do I make sure that only those guys who are allowed to access the data actually can use that data. So it must be integrated with your identity and access management tools and your governance.
And that's something we will dive deeper into in the next half hour, and something that is absolutely true if you run business-critical services in the cloud, but also if it's a minor service. All those services need management and monitoring. You usually have SLAs with your outsourcing providers. You need to have SLAs with your cloud service providers also. So the change has come, and that is the point where I will hand over to Travis Spencer. I hope that I gave you a broad overview of the IT development methods and the deployment methods that we had and how that changed with the cloud.
Now welcome Travis Spencer, who will take you to the next half hour of the presentation. And let me remind you of the question section here. If you have any questions regarding my slides or what Travis showed, it's gonna be at the end of the show that we answer those. Thank you very much. Great.
Thank you, Sebastian. Sebastian, did you want to change control over to me?
Yes, that should be done by 11. Hold on a second.
So as Sebastian has been saying, cloud computing introduces a lot of change, and in order to successfully adopt it and thrive in this changing environment, as Sebastian mentioned, you need to ready your infrastructure and make certain preparations. And with regard to identity and access management, the changes that need to be made is to look at the existing infrastructure that you have for managing those identities already. You have things like authorization in place to control who can access those resources.
You have provisioning and creation of accounts when new employees come on, or if they change roles within your organization or leave your company. You have authentication for actually verifying who they are, properly identifying them before they access those resources. You have auditing in place to ensure that you have a record of who's been doing what in case problems occur. You can go back and look at that. And then federation for doing cross-application, cross-organization use of those identities.
And the key here really in adopting cloud computing is to take those existing identity access management systems they have. Hold on a second, Travis.
I think we don't see your slides. You need to show your screen up on that tool.
Ah, now, okay, so you may switch back one slide and repeat quickly, because we weren't able to see those. Sure. Sorry. Apologize for that. All I was saying is that you have these existing systems of authorization, provisioning, authentication, audit, and federation already in place. And in order to successfully adopt the cloud computing and thrive in these changes, you need to take those systems and push them out into the cloud so that they encompass these new cloud services.
So your provisioning workflows, for example, need to not only create accounts in the internal services, but in the cloud services. When you authenticate users, it needs to not just be to internal resources, but to those cloud resources. When an employee or a user within your system goes and uses an internal application, that's audited. Those same controls need to be put in place when they access cloud services. And federation is really key in this because it allows you to bring it back to your local organization where those employee identities are.
So now, if you're here with your identity and access management program, there's all these different cloud services out there that you want to begin taking advantage of. How do you even do that? How do you extend that into the cloud?
Well, one of the key aspects of this is using a security token service. The security token service, or STS, is a piece of software that will allow you to take those identities that you have and push them out into the cloud. And as you do that, access will go through the security token service. And there you can audit who's doing what, which cloud services are being accessed. You can make an authorization decision about whether or not that particular person or entity should be accessing those cloud services.
And you can have that control that you need to ensure that cloud computing is adopted in the way that is in line with your business requirements. So now, all this change that Sebastian's been talking about, there's a lot of things that I repeatedly see people trying to do with that. And these are some of them, and I'm gonna drill into a few of them that we have time for. Some of the things that people commonly want to do as they adopt cloud computing is to use the accounts that they already have to single sign-on to these cloud services.
So take those identities that you have in your local directory and use them, be the same user, essentially, in the cloud, so that you don't have to sign back in again when you access them. And people are also trying to use the identities within social networks for various needs. And I'll talk about what those are and how that can be done. And another frequent thing that people are trying to do as they adopt cloud computing is to allow seamless access to data, both from within the corporate network.
And when they're outside of it. Organizations are also trying to expose data that they already have as APIs and cloud services themselves, and provisioning accounts into the cloud is something that companies who are adopting cloud computing are struggling with and wondering about and trying to do. Also, a lot of investment has been made into existing software and hardware. And while the cloud offers a number of benefits, as Sebastian talked about, there is the need to reuse that existing investment. And so that creates a need for something called a hybrid cloud.
And I'll talk about how you can successfully adopt that model of cloud computing and many, many people as they look at cloud computing are wondering about how to use mobile together with cloud. And so I'll touch on some of the challenges there and some the recommendations I have. So now looking at that first one where you're trying to project those identities into the cloud, a lot of the challenges that people run into here is they want to reuse their existing password policies.
So if you sign up for some sales or some cloud service, it might have a password policy that allows people to use what you would consider an insecure password, or allows them to change it to a password that they previously had. And that might not be up to your policy. So how do you control that? How do you enforce multifactor authentication? How do you ensure that only certain people should be accessing that?
Well, if you use the security token service, like I mentioned in the previous slide, you're able to actually bring the employees back to your own organization as they authenticate, and then push those identities up in a standards-based way. And there also, that helps you avoid vendor lock-in because you're using standards and you're reusing your existing infrastructure and authentication system that you already have in place for your internal applications.
And by going through the security token service, you can ensure that only the proper people who should be accessing that cloud service get a token that they'll need to single sign-on into those cloud services. Another thing that people are trying to do as they adopt cloud computing is take advantage of the benefits of social networking by allowing employees or prospects or customers to log in with any identity that they have from one of those social networks. And in many scenarios, what people are trying to do is move the customer down the customer corridor.
So making a prospect, or converting a prospect into a customer, by reducing the friction and need for another login within your own website. And once they do decide to begin doing business with you, by filling out an order form or requesting more information, it could take advantage of the information that was provided through the social network to prefill forms that will allow for quicker access and streamline the process, which is very beneficial in increasing conversion rates.
And also some organizations are trying to actually authenticate their employees and their customers using social networks. There are a number of challenges with all of this. And some of those are that the various social networks all support slightly different versions or completely different protocols entirely. And so that creates a lot of variation. And in order to use the broadest number of them will require quite a bit of coding and investment to receive identities from all those social networks.
And so there, the recommendation that we would give is to integrate and harmonize those various protocols in the federation server, in the security token service. And then the applications only have to understand one protocol. And also, one of the challenges associated with social login is that the identities in those social networks are self-asserted. And by that, I mean, you can go to someone like Facebook or Google or whoever, sign up for an account and say that your name is whatever you'd like it to be. So how much can you really trust that information?
Well, it, it might not be as trustworthy as you need, but it is no less, or it it's the same way in which someone types into an order form, right? They're asserting that their name is Travis Spencer and that their postal address is what it is. And you are mailing it out to them under the assumption that they wouldn't provide you the false information and have a package sent to the wrong address. So depending on, on your use case and what you're trying to solve, self exerted might be the same thing that you're already doing.
So taking that identity and that information from a social network and just pre-filling it could be very beneficial and helpful to your customers and prospects, but it does introduce other challenges around account hijacking, for example, where users will oftentimes use the same username and password that they have all over the web. So if you have a Gmail address or a Hotmail address, and some website asked you to create an account, you use your email address and use the same password that you have at Google or at Hotmail.
So then if that site is compromised, they can use those credentials to log into the Google account or the Hotmail account. And then if you're doing SSO from them, they'll be able to SSO into your cloud service. In effect, that account hijacking has now breached your data as well.
So, one thing that you can do here that many organizations are doing is adding in an extra factor. So when you bring an employee on, you say, okay, when you completed the application for employment, you logged into the website using your Facebook account. Now come on in and we'll do an interview.
And yes, we'd like you to work with us. So here, show us your government-issued ID.
Yes, you are who you said you were, and here's a PIN. When you access services, continue to use your Facebook account, but then you're going to also have to enter this PIN. So now, if the social networking account is hijacked, the hijacker will not have this PIN that the employer issued to the employee. So in that way, it allows the organization to use the identities that those people have, but add an extra layer of protection onto them. Another challenge associated with social login is around migration. It's a new thing, social login, and using those identities hasn't been done before.
People might already have accounts in your services. So when they come in, it's important to link those to the accounts they already have and have them authenticate with the local credential and then associate those two accounts. Another thing that people are trying to do as they adopt cloud computing is take the data that they already have and expose it as cloud services and as APIs. And these are organizations who are not just trying to glue two web applications together on the screen and make it seem as if they're one, but these are people who have seen that they have data sitting around that has monetary value, and they want to expose that to the broadest number of people.
And they want to do it in a cloud-based manner so that they don't have a lot of CapEx or any CapEx as they set this up. And as people begin using this new API, they want to take advantage of the cloud's elasticity and scalability to meet that increased demand. And it also allows for increased penetration into the market by exposing the data in a mobile-friendly way. So these are some of the problems that people are trying to do.
And some of the challenges associated with that is achieving large-scale adoption. And so there we recommend people use REST so that those APIs can be easily used from an iPhone or an Android, or even a feature phone that might not have the technical capabilities to create SOAP messages or more complicated XML-based messages, and achieve that large-scale adoption and market penetration. Some of the challenges around that, though, is that REST APIs have traditionally lacked the ability to make them as secure as alternatives.
And there, if you use OAuth, then you will be able to make those APIs more secure. And also some of the challenges there is transitioning from existing backend systems into these new APIs. So a lot of times what people are trying to do is take internal services that are already created, and then expose those in new forms and new ways through this external API. And there, we recommend that people use a security token service to translate the identities and a gateway to transition the data from the new API that's being exposed more broadly to the internal services that already exist.
And another challenge is around authentication of the end user and the clients. And there, we suggest that you create a single source of trust by using the federation server and the security token service that I showed in the previous slides. Another thing that is challenging people as they try to adopt cloud computing is, as I mentioned before, the use of existing investments and the need for specialized hardware. In some cases, people will need things like video servers that a general cloud provider wouldn't have in their data center.
So how do you couple a niche private cloud that can cater to those things with cheap public clouds that expose data and resources at a very low cost? How do you take advantage of both a private cloud and a public cloud and your existing infrastructure? This is what's called hybrid cloud computing, and there are some challenges associated with that. Some of those include the complexity because of the number of organizations that are involved, the actual architecture and deployment of that, and the security associated with that, that is needed to make it trustworthy.
And there we recommend that federation be used so that these identities can be propagated around those different organizations. And that the messages actually be secured as well as protecting information at the transport level, so that proxies in the middle can't view that, but only the end recipient. Another challenge is around elasticity and networking. So needing to discover and communicate information across those different organizational boundaries and networking boundaries. And there we suggest good enterprise architecture and the use of REST.
Many, many people that I talk to are trying to use cloud computing with mobile devices. People are trying to use mobile to keep customers and acquire new customers, to make them sticky, trying to take advantage of social networking on mobile devices. The immediacy that is available through these mobile devices, taking payments, location information. Employees are bringing their own devices.
As Sebastian was talking about with bring your own device or BYOD, increasingly workforces are on the go and they're working from out of the office, and the staff and the processes around that need to be optimized for the mobile and for these changing behaviors and read those mobile workforces, they need real-time data so that they can have the actionable intelligence that they need to make the right decisions. And that data has to be high quality. So how do you deal with mobile?
These are some of the challenges, or these are some of the things that people are struggling with as they look at adopting cloud computing, and by using a security token service and extending that identity and access management infrastructure that you already have into the cloud, you can overcome some of the challenges associated with these and the other things that I mentioned, but in all of this, it does require change.
And in order to thrive in that, it's important to recognize that, as in anything, not just cloud computing, change is a particular point in time, and in order to cope with that change, there needs to be transition both before the change and after it, and getting educated like this in a webinar is part of that transition up to the change, and having that recognition so that you can prepare your organization and plan for that point where you begin taking advantage of cloud computing to overcome some of these things is important.
Yeah. Thank you so much, Travis, for that deep dive into the possibilities that the new technologies like STS bring us and how that helps us to adopt cloud services and thrive in that change that the business units are actually giving us through using those services. And we are open now for some questions. And I have one question here, I'll read that aloud. Are there any references or success stories for social network identities combined with corporate identities for employees using an STS?

Yeah. So when I was at the Cloud Identity Summit in July, I heard of betel doing this and they described it in their presentation. And so I don't know that they've written a white paper describing it, but I know that they have given that presentation. So if you look at cloudidentitysummit.com, there you'll see the slides from tels presentation and you can look at those.

Okay, wonderful. Thank you. Any more questions from the audience? Please feel free to use the questions section and just type in what you are about to learn, stuff that you want to have clarified, stuff that you need to dig deeper into. That would be interesting for us. While we give our audience a chance to type in questions, one question from me, Travis. You talked about the architecture, the possibilities that you could have using those technologies. I'd be interested in the actual positioning of such a server. It communicates with systems internally.
It communicates with systems externally. Where would you put such an STS?

So the STS does need to be protected because it is the thing that's asserting identities to those cloud services. So it would be in a protected network and then proxy out using a reverse proxy, typically, into the internet so that those cloud services can actually connect with it. And then that STS is going to have connections into your directory server and your databases and things like that, so that it can get the information that it needs about who the person is. And so that's a bit of it.
I mean, there's certainly more details that I could go into, but...

Okay. We have another question. Oh, that's a tricky one. I've been asking myself that one. How important is SPML in the wild today?

I would say not important at all.

I think the author of that question thought in the same direction, because you just put in another question. So what is the de facto standard for provisioning and deprovisioning in the cloud? Is there any?

Right. So most of the cloud services that are out there already have an API for creating accounts in them.
I'm thinking of things like Salesforce and Google and WebEx and other major market leaders. And because they all have these APIs that do similar things, many of them have gotten together and said, well, let's just create a unified API that does the same things that we're all doing already in a uniform way. And the outcome of this is something called Simple Cloud Identity Management, or SCIM.
And the difference between SCIM and SPML is that SCIM is being created with a lot of the actual service providers taking part in it, creating the standard together with the vendors. So the adoption of it is already happening. And we'll see more of that interoperability testing, which we saw a bit of at Cloud Identity Summit, next month at IIW, where Salesforce and Google and Ping Identity and others will be testing their implementations of that.

Okay. We have another great question from my point of view. Assuming that multifactor authentication is used to confirm social network identity,
is there any factor that is particularly promising to look at? And I'd like to take a shot at that first. When PayPal and eBay introduced their token to log into their solutions,
I jumped at the opportunity and got myself one for five euros. They stopped that service, and now they are providing SMS-based OTPs. So I definitely say that with our world being mobile, mobile, mobile, like Travis just said, if you register, giving out your mobile phone number would be a nice way to do it because everybody now has one. And what is more personal than your smartphone? I guess nothing. Everybody has one and they're using it all the time, and while they are losing it all the time also, but that's a different question here. So I personally fancy mobile fans.
What would be your choice, Travis?

I think that's definitely a good idea because then the PIN is one-time use, but some of the people who have done this are just giving one PIN that remains used for the entire time, which makes it quite easy for the employee, because they just have to remember the PIN, like they remember a PIN for their credit card. So I think it depends a lot on the risk posture that you're comfortable with, the resources that you're securing, in order to make that decision of which way is best.

Okay, good. So I think we are right on time. We would have another question here, but currently I don't see any. So last chance for the audience to type in a question here. Anybody?
No, I don't see any more questions. So we are right at the end of our session today. Thank you very much for attending today's session, Thriving in Change, with Ping Identity and Travis Spencer. It was a pleasure having you here and being such a great audience and coming up with really good questions here. Thanks to Travis for presenting on how to thrive on that change. And thanks for answering the questions. See you all next time and have a great day and a great rest of the week. Thanks.

Thanks, Sebastian. Thanks, all.