When it comes to identity management and authorization, “All the vulnerabilities we have seen ‘on the ground’ we now see also in the cloud,” says Gartner analyst Perry Carpenter. But the cloud introduces its own flavors and issues.
He says Gartner views cloud identity management as having three different aspects. One is identity management to the cloud: being able to send something from the enterprise to the cloud. The second is identity management from the cloud: being able to send something that exists somewhere else to your organization. And the third is identity management within the cloud, cloud to cloud.
Each of those aspects affords different risks. The adoption of identity management services themselves is relatively low among enterprise organizations. Where it is happening is in support of specific business activities but not, he notes, simply for the sake of having ID management in the cloud.
“We have a hard time putting security stuff out in the cloud. It means more exposure and the technology needs more maturity first,” he says. On the other hand, he says, some SMBs are starting to get on board.
Legal expectations and SLAs
It is a multi-faceted challenge. “There are things in the cloud like Google Apps and Salesforce.com and Workday where the identification component is an afterthought, and the fact that it is an afterthought brings with it inherent vulnerability,” says Carpenter.
Carpenter notes that a lot of cloud security issues come down to legal expectations and service level agreements. It is less about the technology. “We call it cloud because that makes it sexy but these fundamental issues have been around for a while.” But cloud does add its own set of issues. For one thing, he notes, almost every cloud provider has its own proprietary identification management system. “So there is no surefire way that if I get identity management right in one context it will be right in another,” he says.
Furthermore, he says, the history of IT has shown that dealing with multiple incompatible systems can lead to a breakdown. “The good thing is that I think customers will start to force the idea of a standard interface and more of a plug-and-play approach.”
SAML, OAuth, more
In the meantime, however, Gartner analyst Gregg Kreizman has been looking at navigating the world as it is. He uses the term identity and access management (IAM) to describe the challenge. Echoing Carpenter, he notes that the same kind of identity islands or silos that have existed previously are being replicated in the cloud.
As a consequence, he says, SaaS providers have begun to reinvent IAM functions, for instance applying APIs for federation and authentication to achieve something resembling single sign on.
“Enterprises that have deployed IAM now have to extend what they have done into the cloud and their SaaS apps,” he says. According to Kreizman, there has been some maturity around the authentication aspects of that challenge. However, he notes, to be successful in the public cloud there need to be APIs or a web service that the enterprise infrastructure can call.
Kreizman says traditional IAM vendors have been extending their products for federation, adding connectors that can engage with cloud resources such as Google Apps and Salesforce. The other trend is the emerging market of IAMaaS (IAM as a service), whereby an assortment of smaller vendors delivers core IAM functions to the cloud or from the cloud. The IAMaaS companies implement a connector piece or provide a gateway at a customer’s site and join that with their service in the cloud to connect to SaaS vendors.
Traditional IAM vendors have also created services in the cloud that can function much like a gateway vendor’s service. For instance, he notes, Lighthouse Computer Services has taken IBM’s Tivoli Software stack and “put some wrappers around it to make it easier to use.” They can provide a similar capability to internal apps, he notes.
But for the time being, Kreizman says there is no one winning formula. “There is some trepidation regarding adopting these services. There are organizations that won’t put identification data or other sensitive information in the cloud, period. However, some are ‘kicking the tires.’”
Kreizman says those wrestling with IAM should become familiar with some of the relevant technologies, such as:
- On the authentication side Security Assertion Markup Language (SAML), which has been the major winner in terms of federation because it provides for single sign on capability. OpenID Connect (a successor to OpenID, based on the OAuth 2.0 protocol) is also emerging and could be useful. OpenID Connect is a suite of lightweight specifications that provide a framework for identity interactions via RESTful APIs.
- OAuth is established as a means to access resources in the cloud and it has buy-in from major players such as Facebook and Twitter.
- Simple Cloud Identity Management (SCIM) is a specification espoused by several vendors that, according to its boosters, will build upon experience with existing schemas with the goal of reducing the cost and complexity of user management operations.
- There is also UMA (User-Managed Access). According to the Kantara Initiative, UMA's home base, with UMA “a web user (authorizing user) can authorize a web app (requester) to gain one-time or ongoing access to a resource containing his home address stored at a ‘personal data store’ service (host), by telling the host to act on access decisions made by his authorization decision-making service (authorization manager).”