As the cloud becomes more vital for CIOs, there exists another problem -- or, shall we say, a challenge -- that needs to be addressed: cloud identity management. How can we verify that
Dealing with identity on-premises is difficult enough. You have generally disparate systems. Years ago, the big push was to enable your host integration service to talk to Novell Directory Services, while your accounting or payroll system utilized NDS as well. Such integration makes user provisioning simple when employees come and go. It also makes security policy application more consistent and enables complete control over monitoring and auditing controls. The integration was made possible with protocols like Lightweight Directory Access Protocol and the use of central directory services like Active Directory. Those protocols and serious investments each made more efficient use of centralized user information in the private data center.
Get ready to reinvent the wheel when it comes to the movement to cloud-based computing. Cloud identity management presents an entirely new set of challenges. Why? There are a couple of reasons. First, different providers have different internal systems. Imagine that you're considering purchasing a cloud-based CRM solution. If you've already migrated your email and calendaring groupware solution to a cloud provider, how do you integrate identities among these providers? User conveniences like password integration and single sign-on might not be possible with disparate providers. You may also have trouble with logging and service support and provisioning. Maintaining a single identity among different providers using different systems can be challenging, to say the least.
The other reason involves compliance and auditing. Just think about how you're handling on-premises data center now. How do you fulfill compliance requirements for your regulators, financial institutions and business partners? What is the impact of identity across all of your business systems? How will you know who can do what? Cloud-based computing magnifies these obstacles, but with the added complexity of different user interfaces, reporting platforms, data security and geographical residency attributes.
Some vendors have an eye toward integrating identities across various providers. You may have already seen this with popular social networking sites as the bedrock: Many upstart cloud providers and consumer service providers allow users to create accounts and be authenticated using Twitter, Facebook, LinkedIn and other sites. Obviously, enterprise and business corporate customers are not going to be interested in forming the basis of their online identity systems using Facebook accounts, but this is an area that CIOs should watch in coming years.
The future of Cloud Identity as a Service
As 2012 and 2013 unfold, you'll see an increase in the utility of Federation as a Service. Organizations -- in particular, larger corporate customers -- will decide that given the current state of affairs, they should become the service providers for identity: authentication, authorization and accounting. Businesses will invest in systems that allow users to federate their identities among on-premise systems, mainframes that are still in use as line-of-business applications, and cloud services -- in effect, reversing the roles of customer and provider. Businesses of all sizes will demand of their cloud providers the ability to consume identity information from their on-premises directory services. "Being their own customers" allows midmarket companies to solve challenges in several ways.
More cloud computing resources for CIOs
First, they will maintain the ultimate control of identity centrally, and permit services to consume the information necessary to provide services on an ad hoc basis. Companies will also keep data safeguarded within the confines of the corporate network, and allow services to get only "yes or no" information from the on-premises federation service. They will also enable smoother rollout of other cloud-based services by exposing standardized application programming interfaces that those services can consume, and then authorizations that those services can exchange with others. Finally, by adapting this method, they will permit assurance that regulatory and compliance requirements are still being met. The customer is still in control of authorization and accounting, as well as ensuring that the appropriate logging is taking place and ensuring full transparency.
All in all, don't jump into cloud identity management anytime soon. Identity Management as a Service is not ready for primetime. Instead, look for ways to expose your current identity services through federation, and then push cloud-based service vendors to consume that information from your on-premises resources.
Jonathan Hassell is president of 82 Ventures LLC. He's an author, consultant and speaker in Charlotte, N.C. Hassell's books include RADIUS, Learning Windows Server 2003, Hardening Windows and, most recently, Windows Vista: Beyond the Manual. Contact him at firstname.lastname@example.org.
This was first published in January 2012