Evaluating Cloud-Based ID Management Solutions
The process of managing identity for enterprise applications and services is hard to begin with, but a lack of identity standards across cloud-based applications means that organizations looking to manage employee access to those applications will find it doubly hard.
March 16, 2012
In the world of on-premise applications, identity management challenges were easily pushed aside, argues Philip Cox, director of security and compliance at RightScale Inc., and author of a new InformationWeek report entitled How to Manage Identity in the Public Cloud. But once an organization sets its sights on cloud-based applications, those challenges take center stage.
Moving to the cloud adds new layers of complexity to the already challenging identity management issue. The more cloud applications a company uses, the greater the challenge, Cox says, because a lack of widely-used single sign-on systems means every application has to be managed independently. And just to throw an additional monkey wrench into the mix, many public cloud apps opt for individual, and not organizational, identity management, making it harder for IT to stay in control of accounts.
And while cloud applications gain popularity in the enterprise, Cox doesn't see the landscape of challenges around identity management in the public cloud changing much over the next few years.
“Right now, it’s a lot of heavy lifting because of the lack of maturity out there,” he says. “You can do it, but it’s not a trivial thing to do.”
Because of that lack of maturity, many organizations will have to use a combination of identity management architectures for the time being, with four main approaches shaping enterprises’ strategies.
The first and simplest approach is to use the identity management systems baked in to public cloud applications. Under this approach, all accounts are specific to each individual cloud-based app, with no common provisioning, deprovisioning or password management tools across multiple applications. On the plus side, a compromised user account won't compromise more than the one cloud service, and this approach is generally the fastest to deploy and the most commonly used approach today. But most companies will end up with multiple credentials for multiple accounts across multiple cloud services, and users are likely to reuse the same credentials across applications and services, which erodes the isolation benefit: one leaked password then opens every service it was reused on. Because nothing ties the app accounts back to the HR or directory record, accounts also tend to outlive the employees who held them unless someone remembers to remove them from each service by hand.
The second option is to synchronize cloud identities with the enterprise identity management system, such as Active Directory. Under this approach, cloud services still have separate and distinct accounts, but they are centrally managed and propagated to the various services. This allows organizations to keep using familiar identity management workflows and processes, and creates a single point of administration for accounts. But a single point of administration is also a single point of failure, and writing connectors between the enterprise directory and cloud services, and keeping those connectors current as the services' APIs change, poses a significant challenge.

The third option is to move to federated credentials, using an external directory extender that makes enterprise credentials available to services outside the firewall. This is most commonly done through the Security Assertion Markup Language (SAML) and OpenID protocols: the enterprise identity provider authenticates the user and hands the cloud application a signed assertion, so the application never holds the user's password at all. This provides a robust and scalable approach that can match an organization's governance and compliance needs, and provides a platform for single sign-on, but it is a complex model to manage and organizations may find supporting SAML and OpenID difficult.
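The federated model stands or falls on what the cloud application (the SAML service provider) does with the assertion it receives. The following is an added example, not code from the report or from any product it discusses: the assertion-level checks a service provider must perform before trusting a SAML 2.0 bearer assertion, run against a constructed response. It assumes the XML-Signature has already been cryptographically verified by an XML-DSig library (the example only confirms a Signature element is present); the entity IDs, URLs and request ID are invented for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample: an IdP response to AuthnRequest "_req42". The Signature body is a
# stand-in; real XML-DSig verification must happen (via a library) before these checks.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
  IssueInstant="2012-03-16T10:00:00Z" InResponseTo="_req42">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2012-03-16T10:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">(verified elsewhere)</ds:Signature>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2012-03-16T10:05:00Z"
          Recipient="https://sp.example.com/saml/acs" InResponseTo="_req42"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2012-03-16T09:59:00Z" NotOnOrAfter="2012-03-16T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

SP_SETTINGS = dict(expected_issuer="https://idp.example.com/saml",
                   expected_audience="https://sp.example.com",
                   acs_url="https://sp.example.com/saml/acs")
SAMPLE_NOW = datetime(2012, 3, 16, 10, 1, tzinfo=timezone.utc)


def _ts(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def validate_assertion(response_xml, *, expected_issuer, expected_audience, acs_url,
                       pending_request_ids, now, skew=timedelta(seconds=60)):
    """Return (name_id, errors). The assertion is trustworthy only if errors is empty."""
    errors = []
    assertion = ET.fromstring(response_xml).find(f"{{{SAML}}}Assertion")
    if assertion is None:
        return None, ["no Assertion in Response"]
    # 1. The assertion itself (not just the Response) must be signed.
    if assertion.find(f"{{{DS}}}Signature") is None:
        errors.append("assertion carries no Signature")
    # 2. It must come from the IdP we federated with.
    issuer = assertion.findtext(f"{{{SAML}}}Issuer", default="").strip()
    if issuer != expected_issuer:
        errors.append(f"unexpected issuer {issuer!r}")
    # 3. Validity window (with clock skew) and audience restriction.
    cond = assertion.find(f"{{{SAML}}}Conditions")
    if cond is None:
        errors.append("no Conditions element")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _ts(nb) - skew:
            errors.append("assertion not yet valid")
        if noa and now >= _ts(noa) + skew:
            errors.append("assertion expired")
        audiences = [a.text.strip() for a in cond.iter(f"{{{SAML}}}Audience") if a.text]
        if expected_audience not in audiences:
            errors.append(f"audience {audiences} does not include this SP")
    # 4. Bearer confirmation: right recipient, in window, and a one-time InResponseTo.
    scd = None
    for sc in assertion.iter(f"{{{SAML}}}SubjectConfirmation"):
        if sc.get("Method") == BEARER:
            scd = sc.find(f"{{{SAML}}}SubjectConfirmationData")
    if scd is None:
        errors.append("no bearer SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            errors.append("Recipient is not our ACS URL")
        noa = scd.get("NotOnOrAfter")
        if noa and now >= _ts(noa) + skew:
            errors.append("bearer confirmation expired")
        irt = scd.get("InResponseTo")
        if irt not in pending_request_ids:
            errors.append("InResponseTo unknown: unsolicited or replayed response")
        else:
            pending_request_ids.discard(irt)  # consume it: a second presentation is a replay
    name_id = assertion.findtext(f".//{{{SAML}}}NameID", default="").strip() or None
    return name_id, errors


def demo():
    """Run the validator over the sample in four situations; returns {label: (name_id, errors)}."""
    pending = {"_req42"}
    out = {"fresh": validate_assertion(SAMPLE_RESPONSE, pending_request_ids=pending,
                                       now=SAMPLE_NOW, **SP_SETTINGS)}
    out["replay"] = validate_assertion(SAMPLE_RESPONSE, pending_request_ids=pending,
                                       now=SAMPLE_NOW, **SP_SETTINGS)
    out["expired"] = validate_assertion(SAMPLE_RESPONSE, pending_request_ids={"_req42"},
                                        now=SAMPLE_NOW + timedelta(minutes=10), **SP_SETTINGS)
    out["wrong_sp"] = validate_assertion(SAMPLE_RESPONSE, pending_request_ids={"_req42"},
                                         now=SAMPLE_NOW,
                                         **dict(SP_SETTINGS, expected_audience="https://other.example.com"))
    return out


if __name__ == "__main__":
    for label, (who, errs) in demo().items():
        print(f"{label:9} {who!s:20} {'OK' if not errs else errs}")
```

The audience check is the one most often skipped in home-grown SAML code, and it is what stops an assertion minted for one cloud application from being replayed against another that trusts the same identity provider; the consumed InResponseTo set is what stops the same assertion being presented twice.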
Finally, organizations can opt to hand responsibility for identity to a third party altogether and use an Identity as a Service (IDaaS) system. Administrators manage accounts through the IDaaS supplier, which serves as a single interface for adds, removals and changes, and the IDaaS supplier deals with the integration with cloud applications. IDaaS is the most flexible of the four options, and makes it easiest to ramp up multiple applications. But it brings with it the same challenges as many cloud-based services: if the identity provider goes down or is compromised, the organization and its users are down or compromised right along with it, and a compromise of the IDaaS administrator interface reaches every application it provisions.
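Whether the directory sync of the second option or the IDaaS supplier of the fourth does the work, the core of "adds, removals and changes" is a reconciliation pass: compare who the enterprise directory says should hold an account in each application against who actually does, and emit the corrective actions. The following is an added example written for this article, not code from the report or from any product it names; the directory entries, application names and group-to-application mapping are constructed for the example, and it models a directory record with only an enabled flag and group memberships.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    kind: str      # "create" | "disable" | "reactivate" | "flag"
    app: str
    account: str
    reason: str


def reconcile(directory, entitlements, app_accounts, exempt=frozenset()):
    """Compute provisioning actions for every application.

    directory:     {username: {"enabled": bool, "groups": set()}}  (source of truth)
    entitlements:  {app: group}  -- membership in the group entitles the user to the app
    app_accounts:  {app: {username: {"active": bool}}}             (what the app has now)
    exempt:        accounts the directory does not own (vendor logins etc.); never changed
    """
    actions = []
    for app, group in sorted(entitlements.items()):
        accounts = app_accounts.get(app, {})
        should_have = {u for u, rec in directory.items()
                       if rec["enabled"] and group in rec["groups"]}
        # Joiners and returners.
        for user in sorted(should_have):
            acct = accounts.get(user)
            if acct is None:
                actions.append(Action("create", app, user, f"enabled member of {group}"))
            elif not acct["active"]:
                actions.append(Action("reactivate", app, user, f"member of {group} again"))
        # Leavers, movers and orphans. Accounts are disabled, never deleted: that keeps the
        # audit trail and the user's data, and is reversible if the directory was wrong.
        for name, acct in sorted(accounts.items()):
            if name in exempt:
                actions.append(Action("flag", app, name, "not directory-managed; review by hand"))
            elif name in should_have or not acct["active"]:
                continue
            elif name not in directory:
                actions.append(Action("disable", app, name, "orphan: no matching directory user"))
            elif not directory[name]["enabled"]:
                actions.append(Action("disable", app, name, "directory user is disabled"))
            else:
                actions.append(Action("disable", app, name, f"no longer in {group}"))
    return actions


def demo():
    """Constructed sample data: returns the actions the reconciler produces for it."""
    directory = {
        "alice": {"enabled": True,  "groups": {"CRM-Users", "Wiki-Users"}},
        "bob":   {"enabled": True,  "groups": {"Wiki-Users"}},        # moved off the CRM team
        "carol": {"enabled": False, "groups": {"CRM-Users"}},         # left the company
        "dave":  {"enabled": True,  "groups": {"CRM-Users"}},         # new hire
    }
    entitlements = {"crm": "CRM-Users", "wiki": "Wiki-Users"}
    app_accounts = {
        "crm":  {"alice": {"active": True}, "bob": {"active": True}, "carol": {"active": True},
                 "erin": {"active": True},                           # nobody in the directory
                 "vendor-support": {"active": True}},
        "wiki": {"alice": {"active": True}, "bob": {"active": False}},
    }
    return reconcile(directory, entitlements, app_accounts, exempt={"vendor-support"})


if __name__ == "__main__":
    for a in demo():
        print(f"{a.kind:10} {a.app:5} {a.account:15} {a.reason}")
```

Run against the sample, the pass creates dave's CRM account, disables bob (moved teams), carol (disabled in the directory) and erin (no directory user at all), flags the vendor account for a human, and reactivates bob's dormant wiki account. The orphan and leaver cases are the ones the first option never catches, because nothing there compares the application against a source of truth.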
In building an identity management solution that combines some or all of those four models, Cox recommends asking a variety of questions: what government and other regulatory requirements apply, how many public cloud apps are in use, how many development resources are available and how capable they are, whether single sign-on is needed or merely desired, and more.
There is also the possibility of private cloud-based apps. He points out that integrating applications on your own cloud is inherently simpler, both because integration is easier and quicker on the infrastructure and application sides, and because there is a greater level of trust, since IT is in charge of the infrastructure, the application, and the network over which the application is accessed.
“Identity management with the private cloud is usually just a matter of extending your current identity management capabilities,” Cox says.