Cloud computing identity management standards groups are clamoring to ensure the open and secure exchange of identities among cloud providers and their customers.
One of the largest efforts to create cloud computing identity management standards is InCommon, whose participants include more than 116 institutions of higher education, 41 service providers, and six federal agencies and nonprofit groups. The group coordinates common definitions and guidelines for security, privacy and data interchange among identity providers (such as higher-education institutions) and cloud service providers, so that each party can validate that the other is who it claims to be and is acting in good faith.
This information is then encapsulated in metadata included within certificates, allowing the identity provider and the service provider to share information. InCommon presently uses two community-developed products for exchanging information: Security Assertion Markup Language (SAML), an XML-based standard for communicating identity information between organizations; and Shibboleth, a Web-based single sign-on service that supports authentication for remote service requests.
Standards that ensure the security and interoperability of identity management will be welcome, predicted Ed Bell, interim CIO for the Massachusetts House and Senate and a former divisional CIO for the U.S. Financial Services division of ING Americas. "Standardization has become so strong internally, it is part of the core of any CIO," he said. "They're going to adopt standards [for identity management] externally."
In cloud computing they trust
Another standards group, the Trusted Cloud Initiative (TCI), aims to help cloud providers develop industry-recommended, secure and interoperable solutions. The TCI claims to be a vendor-neutral initiative formed by Novell Inc. and the Cloud Security Alliance (CSA). The TCI hopes to publish the industry's first cloud security certification by year's end.
"How identities are managed, either in the cloud or federated with the cloud, creates significant barriers for enterprise adoption of cloud services," said Alan Boehme, senior vice president of IT Strategy and Enterprise Architecture for ING Americas and a CSA board member. "By building a consensus security reference guide and certification roadmap . . . we expect to accelerate cloud adoption."
The TCI will build on the cloud computing best practices guidelines recently published by the CSA with regard to identity provisioning, authentication, federation and authorization in a cloud environment. Those recommendations are heavily geared to open standards. For example, the CSA recommends:
- Using standard connectors provided by cloud providers that preferably are built on the Service Provisioning Markup Language (SPML) schema. If a cloud provider does not currently offer SPML, the CSA recommends that enterprises request it.
- Evaluating proprietary authentication schemas used by Software as a Service and Platform as a Service providers, such as a shared encrypted cookie. The general preference should be for using open standards.
- Making sure that applications are designed to accept such formats as SAML or WS-Federation, a specification that allows disparate security realms to broker information about identities, attributes and authentication.
- Checking that any local authentication service implemented by a cloud provider is compliant with the Initiative for Open Authentication (OATH), a collaboration of device, platform and application vendors that aims to foster the use of strong authentication across networks, devices and applications. Cloud providers should also be able to delegate authentication to the enterprise, for example, through SAML.
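As an added illustration, not code from the article or from the CSA guidance, the following shows the core of an OATH-compliant one-time-password check: an HOTP generator (RFC 4226, the algorithm OATH standardized) and the server-side verifier a provider's "local authentication service" would run. The secret and expected codes are the RFC 4226 test vectors; the look-ahead window size is an assumed policy value.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, stored_counter: int, candidate: str,
                look_ahead: int = 5, digits: int = 6):
    """Server-side check (RFC 4226 section 7.4): accept the code if it matches
    any counter from the stored value up to `look_ahead` steps ahead, which
    tolerates tokens pressed without a login.  Returns the new counter the
    server must persist on success, or None on failure.  Earlier counters are
    never consulted, so a captured code cannot be replayed, and the comparison
    is constant-time so digit-by-digit timing leaks are avoided."""
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1
    return None


if __name__ == "__main__":
    # RFC 4226 Appendix D test secret (constructed for the example, not a real key).
    secret = b"12345678901234567890"
    print("counter 0 ->", hotp(secret, 0))          # 755224 per the RFC
    print("accept 287082 at counter 0 ->", verify_hotp(secret, 0, "287082"))
    print("replay 755224 at counter 3 ->", verify_hotp(secret, 3, "755224"))
```

The verifier must store the returned counter before replying to the client; a service that forgets to advance it reintroduces the replay the window is meant to exclude.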
Protection beyond the perimeter
Yet another group, the Jericho Forum, has proposed a cloud architecture that uses security and identity management across all levels of the cloud (infrastructure, platform, software, process) in a design it calls collaboration-oriented architecture (COA). This concept involves a computer system designed to use third-party services beyond the "perimeter," or area of control. COA would organize the identification, authentication and authorization credentials of organizations, individuals and systems in a standardized form that could be validated across cloud platforms.
COA is based on the service-oriented architecture (SOA), which is used to integrate widely disparate applications in a Web-based environment that touches multiple platforms. Rather than using a specific application programming interface, SOA defines the interface in terms of protocols and functions, including XML. The goal of SOA is to allow users to "orchestrate" fairly large chunks of functions to form ad hoc applications that are built almost entirely from existing software services.
Not all of these standards are expected to survive or come to fruition, given the infancy of the cloud space and disparate standards efforts, according to Burton Group Inc. analysts. SPML, in particular, has struggled because of its complexity and the performance burden it puts on connections. The OASIS Provisioning Services Technical Committee has tried to improve SPML in version 2, but members failed to agree on a standard user schema.
Another option for provisioning may be a "pull" model using Lightweight Directory Access Protocol (LDAP)-based directory services supported by virtual directories. Notably, both Salesforce.com Inc. and Google Inc. provide a pull capability via LDAP, in which applications query existing enterprise directories for authentication and identity information.
Let us know what you think about the story; email Laura Smith, Features Writer.
This was first published in April 2010