Cloud identity and access management

Last week I was asked to give a presentation to the IBM Tivoli User Group on Identity & Access Management In The Cloud for IBM employees, IBM Business Partners and customers of IBM Tivoli Security products. I soon realized that my first problem was going to be defining The Cloud. Not everyone I spoke to before the presentation knew what The Cloud was!

So what is the cloud?
The cloud seems to be a much used term these days, and for many people it simply represents everything that happens on the Internet. Others, however, are a bit stricter with their definition:

“For me, cloud computing is a business extension of utility computing that enables the deployment of highly available, elastic, and scalable software applications while minimizing the level of detailed interaction with the underlying technology stack itself.”

“Barrel computing: You literally get what you want from a plug in the wall.”

“Cloud computing is just a virtual data center.”

Wikipedia, of course, has its own definition:

Cloud computing is the Internet-based development and use of computer technology. In concept, it is a paradigm shift whereby details are abstracted away from users who no longer need knowledge, experience, or control over the “cloud” technology infrastructure that supports them.

Of course, there are different levels of computing that a cloud provider can offer. The use of a particular software application (for example, Google Docs) is just one of those offerings. Another would be akin to a software development platform (think Google App Engine, Microsoft Azure, and Salesforce’s force.com). Then, of course, there are the raw infrastructure services: servers provisioned “on tap” for end-user use (for example, Amazon EC2).

We are probably all users of Cloud services if we think about it. A quick look inside my Password Safe vault reveals nearly 300 different user ID and password combinations for online services, including:

  • Blogger
  • Twitter
  • Facebook
  • LinkedIn
  • Google Docs
  • Gmail
  • screenshot
  • GraphGo

The business model
While it’s easy to see how personal use of cloud applications has grown in recent years, it may be more surprising to learn how enterprise use is embracing the cloud.

According to EDL Consulting, 38% of companies will use a SaaS-based email service by December 2010. Incisive Media reports that 12% of financial services companies have already adopted SaaS, primarily in the fields of CRM, ERP and HR. And our friends at Gartner estimate that a third of ALL new software will be delivered via the SaaS model by 2010.

My guess? SaaS is already happening in the enterprise. It is here and it is here to stay.

With any change in the company’s operating model there will be implications, some real and, just as critical, some perceived.

In the category of Perceived Risks, I would place risks such as loss of control; storing business-critical data in the cloud; cloud provider reliability; cloud provider longevity. Of course, these are just perceived risks. Who’s to say that storing business-critical data in the cloud is less risky than storing it in the company’s own data center? There may be different attack vectors that need to be mitigated, but that doesn’t mean the data is less secure, does it? And who says that the company has to lose control!

However, real risks would include things like the proliferation of employee identities across multiple vendors; compliance with company policies; the new attack vectors (already described); privacy management; the legislative impact of data storage locations; and of course user management!

Cloud standards
As with any new IT delivery methodology, a number of “standards” seem to emerge. This is great as long as the standards are widely adopted and the large vendors cannot simply impose a standard of their own. Thank God for:

  • The Open Cloud Manifesto (http://www.opencloudmanifesto.org/)
  • The Cloud Security Alliance (http://www.cloudsecurityalliance.org/)

These guys are at least trying to address the standards issue and I’m particularly pleased to see that CSA Domain 13 on Identity and Access Management insists on the use of SAML, WS-Federation and Liberty ID-FF.

Access control
At this point, the various cloud providers should be congratulated on their adoption of security federation. Security Assertion Markup Language (SAML) has been around for over 6 years and is a great way to provide a single sign-on solution across the enterprise firewall. OpenID, according to Kim Cameron, is now supported by 50,000 sites, and 500 million people have an OpenID (even if most don’t realize it!).

The problem, historically, has been ownership of identity. All the major providers wanted to be the identity provider in the “federation”, and the parties they trusted were few and far between. Fortunately, there has been a marked change in this stance in the last 12 months (as Kim Cameron’s figures back up).

Then there are the “intermediaries”: companies set up to make the “federation” process much less painful. The idea is that a single sign-on to the broker will allow wider access to the SaaS community.

Symplified and Ping Identity seem to be the thought leaders in this space, and their marketing blurb looks comprehensive and impressive. They certainly tick the boxes marked “Speed to Market” and “Usability,” but again, those perceived risks can be problematic for the cautious company. The “Keys to the Kingdom” problem rears its ugly head once again!

Identity management
SPML is to identity management what SAML is to access management. Right? Well, almost. Service Provisioning Markup Language (SPML) was first ratified in October 2003, with v2.0 ratified in April 2006. My guess? We need another round of ratification! Let’s examine the evidence. Who is currently using it? A Google search returns very little. Google Apps uses proprietary APIs. Salesforce uses proprietary APIs. Zoho uses proprietary APIs. What good is a standard if no one uses it?

Compliance audit
Apparently, forty times more information will be generated in 2009 than in 2008 AND the “digital universe” will be ten times larger in 2011 than it was in 2006! Those are staggering numbers, aren’t they? And most of that data will be pretty unstructured, like this blog or my tweets!

The need to audit the information we publish in the digital universe is greater than ever, but there is no standards-based approach to compliance and auditing in the cloud!

Service providers are the current custodians of the compliance and audit process and are likely to remain so for the time being. Service providers are actually quite good at this, as they have to comply with many different regulations in many different legislative jurisdictions. Typically, however, they offer compliance and audit dashboards tailored solely to vertical markets.

It’s understandable, I suppose, that for a multi-tenancy service there will be complications in separating the relevant data for company compliance verification.

Moving to the cloud
There are vendors out there claiming to be able to provide identity management as a service (IDaaS), which sounds great, right? Take all the pain out of delivering a robust enterprise IdM solution? In practice, however, it works well for companies that operate solely in the cloud. These solutions already understand the provisioning requirements of the large SaaS operators. What they can’t do as well, however, is provision our internal business systems. It is not enough to assume that a company runs everything from its Active Directory instance, after all. Also, we must remember that using an IDaaS is like giving away the “Keys to the Kingdom”. Remember our perceived risks?

An alternative is to move the enterprise IdM solution to the cloud. Existing installations of IBM Tivoli Identity Manager or Sun Identity Manager or {insert your favorite provider here} Identity Manager could be moved to the cloud using the IaaS model: Amazon EC2. Investment in existing solutions would be maintained, with the added benefit of scalability, flexibility and cost reduction. Is this a model that can be easily adopted? Certainly, as long as the company in question can accept the notion of moving the “Keys to the Kingdom” beyond its firewall.

Conclusion
The next generation of users already knows the web: SaaS is here to stay, and SSO is finally within our grasp with only a handful of big players holding back when it comes to implementing standards like SAML v2.0. It was also intriguing to play around with Chrome OS last week (even though it was an early prototype version). Integrating desktop login with the web just makes things a bit tighter (Google-style, of course).

Provisioning (either just-in-time or preloaded) remains the critical point. Nobody seems to be using SPML and proprietary APIs abound. Nailing this down will be critical to mass adoption of SaaS solutions.

While provisioning is the current flashpoint, however, governance, risk and compliance will be the next big thing on the agenda. The lack of standards and the proliferation of point solutions will surely start to hurt. Here, though, I’m out of ideas…for now. It seems to me that there is an opportunity for a thought leader in this space!
