Cloud-Enabled Identity Management at Equinix: Data Security


By Brian Lillie (Part 3 of a 3-part series)

In the age of increased mobility and bring-your-own-device (BYOD), many enterprises are struggling with how to maintain the high levels of data security they are accustomed to. In the last part of this three-part blog series, Equinix CIO Brian Lillie discusses how Equinix’s approach to solving these challenges with cloud-enabled identity management will enable the company to better serve its employees and customers.


Today Equinix is fortunate to have this wonderful data center platform that we can build on, and on top of that we have this tremendous network capability. We set our network services on top of that and then, like many firms, we add global server load balancing, so that if you’re traveling and you want to access a service, it’s going to do a reverse lookup on your IP address and say, oh, John Doe is in London, so I’m going to redirect him to London because that’s the most efficient way to do it.

But once you have that, you still need global authentication, so how do you authenticate that John Doe is John Doe? How do I make sure that he’s a valid user? Global Active Directory was a step to getting us there. We had Active Directory before, but we had three regions, so we’ve globalized that now, which is a best practice. So now it will do a lookup against a username and password to get on the network, and users typically come in through an SSL VPN tunnel and a soft token for second-factor authentication.

So now the user is on the network, but he’s still not approved for individual apps. We still have to go app by app and enable them. We use a technology called SAML, Security Assertion Markup Language, which is a bit of an older standard, but it’s pretty tried and true, and most of the vendors support it. So what we do is pass a token to an app. It confirms it and says, hey, not only is John Doe authenticated because his credentials were passed from the global Active Directory, but he’s authorized to use this app at whatever level that was set, whether it’s on premise or off. So now from one pane of glass, the cloud desktop, you can access on-premise applications or cloud applications at the click of a button.

And we’ve tracked what the performance is, and we actually solved the three things we wanted to solve. We still have lots of applications, but now we have one username and password, single sign-on, so we’ve achieved that.
The second thing is that whether you’re on premise at Equinix or not, mobile or wired, you have access to on-premise apps and off-premise apps from one pane of glass. And the third thing is that because it’s one pane of glass, findability is no longer an issue. We’ve put all our apps in this one place and people can access all those apps from anywhere, anytime.

To get a sense of the impact that our cloud identity initiative had on productivity, we compared how long it took to log into each application the old way to how long it takes now to just do one click and you’re in. Just taking Oracle, which we log into about 70,000 times a month, and a number of other apps that we log into anywhere from 2,000 to 9,000 times a month, we saved about 300 employee hours over a period of four months. For very large enterprises, this could be a tremendous number.

Next up after global authentication, we’re working on full support for BYOD. We are testing running our virtual desktop on an iPad, so we know that if somebody wants to buy an iPad as their primary device, we will be able to support that. We’ll get there. And beyond BYOD, we’re rethinking and re-engineering all of our global business processes around trying to make the global customer experience consistent and seamless by driving everybody to a common process first and then to a common set of systems to support that common process. We want to make it easier to do business with Equinix; that’s really the primary goal.

We’ve built externally facing portals to support our customers, so you can imagine we have an identity challenge there because our customers are not in our Global ID. So we’ve created, and we’re actually going to file a patent for, a concept of simplified identity management. It’s a framework that allows us to support externally facing apps and really support the multitude of security standards.
We’re supporting SAML, but we are also going to move to OAuth 2.0 (Open Authorization), and move from SOAP/XML-style APIs, which are very structured and complex, to what are called RESTful APIs and JSON, which are Web 2.0-style APIs. This is what we will use to support our customers as well as consumer devices for our employees. So that’s where we’re headed.

I love Ben Franklin, who said, “Those who desire to give up freedom in order to gain security will not have, nor do they deserve, either one.” So it is this trade-off between freedom and security, freedom really meaning productivity here, that holds true today, and it’s an exciting time with cloud and with the security changes and with the consumerization of IT. It makes the CIO’s job pretty interesting.
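The SAML flow described earlier in this post (the app receives a token, confirms it, and then separately decides what level the user is enabled for) is easy to get wrong if the two steps are collapsed into one. The following is an added illustration, not Equinix code and not a real SAML library: a minimal service-provider-side check of a SAML-style assertion. Everything in it is constructed for the example, including the issuer and audience URLs, the `role` attribute, the `ROLE_LEVELS` mapping, and the HMAC-SHA256 signature standing in for the XML-DSig/X.509 signature a real identity provider would use. The validation order (signature, trusted issuer, audience, validity window, then app-level authorization) is the part that carries over.

```python
"""Added example (not Equinix code): a service-provider-side check of a
SAML-style assertion that keeps authentication (is the assertion genuine,
from our IdP, for this app, and current?) separate from authorization
(what level has this user been enabled for in this particular app?).

All identifiers below are constructed for the example. The HMAC signature
is a stand-in for XML-DSig with the IdP's certificate.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

IDP_SIGNING_KEY = b"example-idp-signing-key"          # constructed shared secret
EXPECTED_ISSUER = "https://idp.example.test"         # constructed IdP entity id
EXPECTED_AUDIENCE = "https://app.example.test"       # this app's entity id
ROLE_LEVELS = {"oracle-admin": "write", "oracle-user": "read"}  # app-level authz
ISSUED_AT = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
FIELD_ORDER = ("issuer", "subject", "audience", "role", "nb", "na")


class SsoError(Exception):
    """Raised when an assertion must not result in a login."""


def _sign(fields: dict) -> str:
    # Sign the canonical field list, not raw XML, so whitespace changes do not matter.
    payload = "|".join(fields[k] for k in FIELD_ORDER).encode()
    return hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def build_assertion(subject, issuer, audience, role, issued_at, lifetime_s=300):
    """What the IdP side would emit; used here only to construct test input."""
    fields = {
        "issuer": issuer, "subject": subject, "audience": audience, "role": role,
        "nb": issued_at.isoformat(),
        "na": (issued_at + timedelta(seconds=lifetime_s)).isoformat(),
    }
    body = (f'<Assertion Issuer="{issuer}" NotBefore="{fields["nb"]}" '
            f'NotOnOrAfter="{fields["na"]}"><Subject>{subject}</Subject>'
            f'<Audience>{audience}</Audience>'
            f'<Attribute Name="role">{role}</Attribute></Assertion>')
    return f"<Response><Signature>{_sign(fields)}</Signature>{body}</Response>"


def verify_assertion(xml_text: str, now: datetime):
    """Authentication step: return (subject, role) or raise SsoError."""
    root = ET.fromstring(xml_text)
    a = root.find("Assertion")
    fields = {
        "issuer": a.get("Issuer"), "subject": a.findtext("Subject"),
        "audience": a.findtext("Audience"),
        "role": a.findtext("Attribute[@Name='role']"),
        "nb": a.get("NotBefore"), "na": a.get("NotOnOrAfter"),
    }
    if any(v is None for v in fields.values()):
        raise SsoError("assertion missing a required field")
    # 1. Signature first: nothing below can be trusted until this passes.
    if not hmac.compare_digest(root.findtext("Signature") or "", _sign(fields)):
        raise SsoError("bad signature")
    # 2. Only assertions from our own IdP count.
    if fields["issuer"] != EXPECTED_ISSUER:
        raise SsoError("untrusted issuer")
    # 3. An assertion minted for another app must not log the user in here.
    if fields["audience"] != EXPECTED_AUDIENCE:
        raise SsoError("audience mismatch")
    # 4. Replay window: honour NotBefore / NotOnOrAfter.
    nb = datetime.fromisoformat(fields["nb"])
    na = datetime.fromisoformat(fields["na"])
    if not (nb <= now < na):
        raise SsoError("assertion expired or not yet valid")
    return fields["subject"], fields["role"]


def authorize(role: str):
    """Authorization step: a valid login alone does not enable the app."""
    return ROLE_LEVELS.get(role)  # None -> authenticated, but not enabled here


def sso_login(xml_text: str, now: datetime):
    subject, role = verify_assertion(xml_text, now)
    level = authorize(role)
    if level is None:
        raise SsoError(f"{subject} authenticated but not enabled for this app")
    return subject, level


def demo():
    """Exercise the happy path and four rejection cases; returns the outcomes."""
    now = ISSUED_AT + timedelta(seconds=60)
    good = build_assertion("john.doe", EXPECTED_ISSUER, EXPECTED_AUDIENCE,
                           "oracle-user", ISSUED_AT)
    results = {"valid": sso_login(good, now)}
    cases = {
        "tampered_role": good.replace("oracle-user", "oracle-admin"),
        "wrong_audience": build_assertion("john.doe", EXPECTED_ISSUER,
                                          "https://other.example.test",
                                          "oracle-user", ISSUED_AT),
        "expired": good,  # same assertion, checked an hour later
        "no_app_role": build_assertion("jane.roe", EXPECTED_ISSUER,
                                       EXPECTED_AUDIENCE, "hr-user", ISSUED_AT),
    }
    for name, xml_text in cases.items():
        clock = now + timedelta(hours=1) if name == "expired" else now
        try:
            sso_login(xml_text, clock)
            results[name] = "accepted"
        except SsoError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15s} {outcome}")
```

The `no_app_role` case is the one the post is really about: Jane authenticates perfectly well against the global directory, but the app still has to be enabled for her, so the service provider rejects her at the authorization step rather than letting a valid assertion imply access. The `wrong_audience` case is the check that stops an assertion issued for one application from being replayed against another.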