Identity and access management in the cloud

Last week I was asked to give a presentation at the IBM Tivoli User Group on Identity & Access Management In The Cloud for IBM employees, IBM Business Partners and customers of IBM Tivoli Security products. I soon realized that my first problem was going to be to define The Cloud. Not everyone I spoke to before the performance knew what The Cloud was!

So what is the cloud?

The cloud seems to be a very thrown around term these days and for many people it just represents everything that happens on the internet. Others, however, are a bit stricter with their definition:


“For me, cloud computing is a business extension of utility computing that enables the deployment of highly available, elastic, and scalable software applications, while minimizing the level of detailed interaction with the underlying technology stack itself.”

“Computing on tap: You literally get what you want out of a plug in the wall.”

“Cloud computing is just a virtual data center.”

Wikipedia, of course, has its own definition.


Cloud computing is the Internet-based development and use of computer technology. In concept, it’s a paradigm shift whereby the details are abstracted away from users who no longer need knowledge, expertise, or control over the “cloud” technology infrastructure that supports them.

Of course, there are different levels of computing that a cloud provider can offer. The use of a particular software application (for example, Google Docs) is just one of those offers. Another is a software development platform (think Google App Engine, Microsoft Azure, and Salesforce force.com). Then, of course, there are raw infrastructure services: servers provisioned “on-tap” for end-user use (for example, Amazon EC2).

We are probably all users of Cloud services if we think about it. A quick look inside my Password Safe vault reveals almost 300 different user ID and password combinations for services on the web, including:

  • blogger
  • Twitter
  • Facebook
  • LinkedIn
  • Google Docs
  • gmail
  • screenshot
  • ChartGo

The business model

While it’s easy to see how personal use of cloud applications has grown in recent years, it may be more surprising to learn how business is embracing cloud use.

According to EDL Consulting, 38% of companies will use a SaaS-based email service by December 2010. Incisive Media reports that 12% of financial services companies have already adopted SaaS, mainly in the fields of CRM, ERP and HR. And our friends at Gartner estimate that a third of ALL new software will be delivered via the SaaS model by 2010.

My guess? SaaS is already happening in the enterprise. It is here and it is here to stay.

With any change to the company’s operating model there will be implications, some real and, just as critical, some perceived.

In the Perceived Risks category, you would place risks such as loss of control; storing business-critical data in the cloud; cloud provider reliability; and cloud provider longevity. Of course, these are just perceived risks. Who’s to say that storing business-critical data in the cloud is less risky than storing it in the company’s own data center? There may be different attack vectors that need to be mitigated, but that doesn’t mean the data is less secure, does it? And who says the company has to lose control!

However, the real risks would include things like the proliferation of employee identities across multiple vendors; compliance with company policies; the new attack vectors (already described); privacy management; the legislative impact of data storage locations; and of course user management!

Cloud standards

As with any new IT delivery methodology, a number of “standards” seem to appear. This is great as long as there is widespread adoption of the standards and large vendors can set a specific standard. Thank God for:

  • The Open Cloud Manifesto (http://www.opencloudmanifesto.org/)
  • The Cloud Security Alliance (http://www.cloudsecurityalliance.org/)

These guys, at least, are trying to address the issue of standards and I’m particularly pleased to see CSA Domain 13 on Identity and Access Management insisting on the use of SAML, WS-Federation and Liberty ID-FF.

Access control

At this point, the various cloud providers should be congratulated on their adoption of security federation. Security Assertion Markup Language (SAML) has been around for over 6 years and is a great way to provide a single sign-on solution beyond your enterprise firewall. OpenID, according to Kim Cameron, is now supported by 50,000 sites and 500 million people have an OpenID (even if most don’t realize it!)

The problem, historically, has been the problem of ownership of identity. All the major providers want to be the Identity Provider in the “federation” and Relying Parties were few and far between. Fortunately, there has been a marked shift in this stance in the past 12 months (as supported by Kim Cameron’s numbers).
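To make the Relying Party side of that federation concrete, here is an added example (not code from the original post) of the checks a service provider must apply before trusting a SAML 2.0 assertion from an Identity Provider: a trusted Issuer, a validity window, and an AudienceRestriction naming our own entity ID. The IdP and SP entity IDs, the sample assertion and the clock-skew allowance are all constructed for the example; real XML-DSig signature verification is assumed to be done by a proper library and is passed in as a boolean.

```python
"""Relying-party validation of a SAML 2.0 assertion (added example).

Assumes: TRUSTED_IDP and OUR_ENTITY_ID are hypothetical entity IDs, the sample
assertion below is constructed, and XML-DSig verification has already been
performed by a real library (its result is passed as `signature_ok`).
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample: a hypothetical IdP asserting one user to our SP.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}"
    ID="_example-assertion-id" Version="2.0" IssueInstant="2009-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2009-06-01T11:58:00Z" NotOnOrAfter="2009-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.net/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

TRUSTED_IDP = "https://idp.example.com/metadata"        # hypothetical IdP entity ID
OUR_ENTITY_ID = "https://sp.example.net/saml/metadata"  # hypothetical SP entity ID
CLOCK_SKEW = timedelta(minutes=3)                        # tolerated IdP/SP clock drift


def _parse_time(value):
    """Parse the UTC timestamp format used in SAML conditions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, signature_ok):
    """Return (accepted, reason, name_id) for an assertion received by the SP."""
    # 1. Never look inside an assertion whose signature did not verify.
    if not signature_ok:
        return False, "signature invalid or missing", None
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "not a SAML Assertion", None
    # 2. Only the IdP we federated with may issue assertions to us.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != TRUSTED_IDP:
        return False, f"untrusted issuer {issuer!r}", None
    # 3. Enforce the validity window, allowing a little clock skew.
    cond = root.find("saml:Conditions", namespaces=NS)
    if cond is None:
        return False, "no Conditions element", None
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + CLOCK_SKEW < _parse_time(not_before):
        return False, "assertion not yet valid", None
    if not_on_or_after and now - CLOCK_SKEW >= _parse_time(not_on_or_after):
        return False, "assertion expired", None
    # 4. The assertion must be addressed to us, not to some other SP.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", namespaces=NS)]
    if OUR_ENTITY_ID not in audiences:
        return False, "audience mismatch", None
    # 5. Finally extract the subject we will map to a local account.
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return False, "no subject NameID", None
    return True, "ok", name_id


def check(xml_text, now_iso, signature_ok=True):
    """Convenience wrapper taking the current time as an ISO 8601 UTC string."""
    return validate_assertion(xml_text, _parse_time(now_iso), signature_ok)


if __name__ == "__main__":
    print(check(SAMPLE_ASSERTION, "2009-06-01T12:00:30Z"))
    print(check(SAMPLE_ASSERTION, "2009-06-01T12:10:00Z"))
```

Each of the five checks closes a different way of misusing an otherwise well-formed assertion; in a real deployment the assertion normally arrives wrapped in a `samlp:Response`, and the SubjectConfirmationData `Recipient` and `InResponseTo` values should be checked in the same spirit.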

Then there are the “middlemen”: companies whose business is to make the “federation” process a lot less painful. The idea is that a single sign-on to the broker will allow broader access to the SaaS community.

Simplified and Ping Identity seem to be the thought leaders in this space and their marketing blurb looks comprehensive and impressive. They certainly check the boxes marked “Speed to Market” and “Usability,” but again, those perceived risks can be problematic for the cautious company. The “Keys to the Kingdom” problem rears its ugly head once again!

Identity management

SPML is to identity management what SAML is to access management. Good? Well almost. Service Provisioning Markup Language (SPML) was first ratified in October 2003 with v2.0 ratified in April 2006. I guess? We need another round of ratification! Let’s examine the evidence. Who is currently using it? A Google search returns very little. Google Apps uses proprietary APIs. Salesforce uses proprietary APIs. Zoho uses proprietary APIs. What good is a standard if no one uses it?

Compliance audit

Apparently, forty times more information will be generated in 2009 than in 2008 AND the “digital universe” will be ten times bigger in 2011 than it was in 2006! Those are staggering numbers, aren’t they? And most of that data will be pretty unstructured, like this blog or my tweets!

The need to audit the information we publish in the digital universe is greater than ever, but there is no standards-based approach to compliance and auditing in the cloud!

Service providers are the current custodians of the Compliance and Audit process and will likely remain so for the time being. Actually, service providers are quite good at this, as they have to comply with many different regulations in many different legislative jurisdictions. Typically, however, they feature Compliance and Audit dashboards uniquely tailored to vertical markets.

It’s understandable, I suppose, that for a multi-tenancy service there will be complications in separating the data relevant to the company’s compliance check.

Moving to the cloud

There are vendors claiming to be able to provide Identity Management as a Service (IDaaS), which sounds great, doesn’t it? Take all the pain out of delivering a robust enterprise IdM solution? In practice, however, it works well for companies that operate solely in the cloud. These solutions already understand the provisioning requirements of large SaaS operators. What they can’t do as well, however, is provision our business systems. It is not safe to assume that a company runs everything from its Active Directory instance, after all. Also, we must remember that using an IDaaS is like giving away the “Keys to the Kingdom”. Remember our perceived risks?

An alternative is to move the enterprise IdM solution to the cloud. Existing installations of IBM Tivoli Identity Manager or Sun Identity Manager or {insert your favorite provider here} Identity Manager could be moved to the cloud using the IaaS model: Amazon EC2. Investment in existing solutions would be maintained with the added benefit of scalability, flexibility and cost reduction. Is this a model that can be easily adopted? Certainly, as long as the company in question can understand the notion of moving the “Keys to the Kingdom” beyond its firewall.

Conclusion

The next generation of users already knows the web: SaaS is here to stay, and SSO is finally within our reach with only a handful of big players holding off when it comes to implementing standards like SAML v2.0. It was also intriguing to play around with Chrome OS last week (although it was an early prototype version). The integration of desktop login with the web only makes things a bit tighter (Google-style, of course).

Provisioning (whether just-in-time or preloaded) remains the critical point. Nobody seems to be using SPML and proprietary APIs abound. Nailing this down will be critical to mass adoption of SaaS solutions.

While provisioning is the current pain point, however, governance, risk and compliance will be the next big topic on the agenda. The lack of standards and the proliferation of point solutions will surely start to hurt. Here, however, I’m running out of ideas…for now. It seems to me that there is an opportunity for a thought leader in this space!
