Facebook vs. Salesforce: An Identity Smackdown?

Published: 22/11/2024   Category: security




Some say Facebook's growing role as an online identity provider could make it a potential enterprise IAM tool; others say Salesforce would have a better shot as a non-traditional IAM provider



Over the past several years, social media giant Facebook has extended its tentacles beyond Likes and status updates straight into the heart of consumers' online identities. These days it's hard to go very long during a Web browsing session without stumbling upon another major website that uses Facebook credentials as an easy way to log into its system.
"It's pretty much a fact that it's becoming a de facto identity source," says Lawrence Pingree, an analyst for Gartner who is among a growing contingent of IT professionals who believe the writing is on the wall for Facebook to eventually creep its way into the enterprise identity space.
The thought is that the ubiquity of Facebook login and the existing enrollment would make it a natural fit within the enterprise, as would Facebook's investment in the OAuth authentication protocol. But Pingree's predictions are fighting words for some, who believe Facebook's consumer roots, its questionable reputation for privacy, and its historical infrastructure insecurities will keep it from ever taking hold in the enterprise.
"The biggest concern that people have is Facebook already has this reputation for promiscuity and changing its privacy policies. The way that it implements these changes so routinely, it's difficult for ordinary users to determine if what they're doing is not, in fact, clicking on a link to read a news story, but actually granting permissions to some third-party application to access their data," says Scott Crawford, an analyst for Enterprise Management Associates. "That would be a serious problem in the enterprise."
On top of that, says Phil Lieberman, CEO of privileged identity management company Lieberman Software, Facebook is missing a big ingredient to be a credible play within the enterprise.
"There's no question that Facebook can authenticate you, but where I think the breakdown will occur is not the authentication, but the authorization model," he says. "And if you can't provide authorization, what's the point?"
Lieberman says he and Pingree have been going back and forth on these issues to the point where the two placed a $1 bet with one another at RSA about Facebook's long-term potential as an enterprise IAM play. For his part, Lieberman says Facebook simply can't handle the hierarchical, group-based nature of enterprise identity environments.
"It has a richness to it," says Lieberman, of enterprise identity infrastructure. "With Facebook authentication, you don't have group memberships, you don't have all of the other things you need."
Some security experts believe that even without Facebook, there's still room for a non-traditional identity provider to take the wind out of the sails of the burgeoning niche of cloud identity services. According to Jackson Shaw, senior director of identity management for Quest Software, a Dell company, these services don't have enough groundswell behind them to sustain widespread success. If an alternative did take root, his money would be on Salesforce to prevail. "There's credibility for Salesforce being an enterprise identity provider," Shaw says. "They have a legitimate claim for being an identity provider because so many people use salesforce.com. It's hard not to run into an enterprise that's not using Salesforce to some degree. Even small companies."
What's more, with Salesforce, some of the authorization questions would be better answered.
"If you think of something like Salesforce, as an extension of the enterprise, I could probably be pretty assured that if Jackson leaves Dell, they're going to get rid of his Salesforce account in Salesforce," Shaw says. "Which would mean that I could trust it. If I know that it's there, I know he's with Dell, and if it's not there, he's no longer with Dell."
But Pingree says that as prevalent as Salesforce may be in the enterprise, it can't match Facebook's base of stored identities.
"What I would say to that is that Salesforce isn't already widely used as an authentication mechanism across the Internet," he says.
As for authorization, he doesn't think it's a stretch that with a little effort, motivated enterprises could make it work through Facebook.
"Most enterprise apps reside inside of an enterprise and they could potentially use an OAuth gateway or SOA gateway to be able to transmit the messages for assertion out to Facebook and get a response back that says, 'Yeah, that's the user,'" he says. As he puts it, the authorization process is a workflow, so it wouldn't be unfeasible for Facebook to build the means for workflowing authorization out of their service. He believes that enterprises will have to hold Facebook's feet to the fire to grow up and better support the enterprise with this kind of integration and also a more mature attitude toward internal security. At the same time, enterprises themselves need to recognize the world is changing.
"I just think that consumerization and software as a service is driving us to extend our trust boundaries outside of the enterprise," he says.