In a typical organization where applications are deployed within the organization’s
perimeter the “trust boundary” is mostly static and is monitored and
controlled by the IT department. In that traditional model, the trust
boundary encompasses the network, systems, and applications hosted in a
private data center managed by the IT department (or by third-party providers under IT
supervision), and access to the network, systems, and applications is
secured via network security controls such as virtual private networks (VPNs), intrusion detection systems (IDSs), intrusion prevention systems (IPSs), and multifactor
authentication. With the adoption of cloud services, the organization’s trust
boundary becomes dynamic and moves beyond the control of IT. With
cloud computing, the network, system, and application boundary of an
organization will extend into the service provider domain. (This may
already be the case for most large enterprises engaged in e-commerce,
supply chain management, outsourcing, and collaboration with partners and
communities.) This loss of control continues to challenge the established
trusted governance and control model (including the trusted source of
information for employees and contractors), and, if not managed properly,
will impede cloud service adoption within an organization.
To compensate for the loss of network control and to strengthen risk
assurance, organizations will be forced to rely on other higher-level
software controls, such as application security and user access controls.
These controls manifest as strong authentication, authorization based on
role or claims, trusted sources with accurate attributes, identity
federation, single sign-on (SSO), user activity monitoring, and auditing. In particular, organizations need to pay attention
to the identity federation architecture and processes, as they can
strengthen the controls and trust between organizations and cloud service
providers (CSPs).
Identity federation is an emerging industry best practice for dealing with the
heterogeneous, dynamic, loosely coupled trust relationships that
characterize an organization’s external and internal supply chains and
collaboration model. Federation enables the interaction of systems and
applications separated by an organization’s trust boundary, e.g., a
salesperson interacting with Salesforce.com from the corporate
network. Since federation coupled with good IAM practice can enable strong
authentication by way of delegation, web single sign-on, and entitlement management via centralized access control
services, it will play a central role in accelerating cloud computing
adoption within organizations.
In some cases, the practice of IAM within an organization may suffer
due to a lack of central governance and identity information architecture.
More often than not, identity storage is managed via manual entry by
multiple administrators, and user provisioning processes are not well
orchestrated. Such a process is not only inefficient; extending it unchanged
to cloud services propagates the existing bad practice, so that a weak
internal access model grants the same excess privileges, including to users
who should not have access at all, in the cloud.
IAM is a two-way street. CSPs need to support IAM standards (e.g., SAML) and
practices such as federation so that customers can extend their existing
IAM practice to the cloud and maintain compliance with internal policies and
standards. For customers, well-implemented IAM practices and processes help
protect the confidentiality and integrity of the information stored in the
cloud and make its compliance manageable. Cloud services that support such
standards and features can therefore accelerate both the adoption of new
cloud services and the migration of traditional IT applications from trusted
corporate networks into a trusted cloud service model.
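What the cloud service provider's side of the federation described above (the salesperson reaching a CSP from the corporate network, and the SAML support asked of CSPs here) actually has to check before trusting an identity asserted by the organization's IdP is easier to see in code. The following Python is an added example, not code from the page or from any product it names. The issuer, SP entity ID and assertion consumer URL are hypothetical, the assertion is constructed inline rather than captured from a real IdP, and XML signature verification, which a real SP must perform first with a signature-aware library, is assumed to have already succeeded before these checks run:

```python
"""Service-provider-side validation of a SAML 2.0 assertion (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Hypothetical identifiers for this example; the page names none of them.
TRUSTED_ISSUERS = {"https://idp.corp.example/saml"}     # the organization's IdP
SP_ENTITY_ID = "https://crm.csp.example/saml/metadata"   # the CSP acting as SP
ACS_URL = "https://crm.csp.example/saml/acs"             # the SP's assertion consumer
CLOCK_SKEW = timedelta(minutes=3)
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXAMPLE_NOW = datetime(2024, 5, 1, 12, 2, tzinfo=timezone.utc)  # fixed "now" for the demo


def parse_saml_time(value):
    """xsd:dateTime in UTC ('...Z'), with or without fractional seconds."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_request_id, seen_ids, now):
    """Return (ok, reason, claims).

    Assumes the XML signature over the assertion was already verified against the
    IdP's metadata certificate by a signature-aware library; ElementTree cannot do
    that, and none of the checks below mean anything without it.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return False, "not a saml:Assertion", {}
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in TRUSTED_ISSUERS:                   # only federated partners we configured
        return False, "untrusted issuer", {}
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_ids:    # bearer assertions are one-shot
        return False, "missing or replayed assertion ID", {}
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        return False, "missing Conditions/NotOnOrAfter", {}
    if cond.get("NotBefore") and now < parse_saml_time(cond.get("NotBefore")) - CLOCK_SKEW:
        return False, "assertion not yet valid", {}
    if now >= parse_saml_time(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
        return False, "assertion expired", {}
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:                   # issued for another SP: reject
        return False, "assertion not addressed to this SP", {}
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        return False, "missing SubjectConfirmationData", {}
    if scd.get("InResponseTo") != expected_request_id:  # must answer the request we sent
        return False, "InResponseTo does not match our AuthnRequest", {}
    if scd.get("Recipient") != ACS_URL:
        return False, "Recipient is not our ACS URL", {}
    if scd.get("NotOnOrAfter") and now >= parse_saml_time(scd.get("NotOnOrAfter")) + CLOCK_SKEW:
        return False, "subject confirmation expired", {}
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    seen_ids.add(assertion_id)                          # record only after every check passed
    return True, "ok", {"subject": name_id, "attributes": attrs}


def sample_assertion(issuer="https://idp.corp.example/saml", audience=SP_ENTITY_ID,
                     assertion_id="_a1b2c3", in_response_to="_req42"):
    """Constructed sample assertion for the demo (not captured from any real IdP)."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="{assertion_id}" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@corp.example</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="{in_response_to}" Recipient="{ACS_URL}"
          NotOnOrAfter="2024-05-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>sales</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def run_checks():
    """Run the validator on the good assertion and on tampered or misdirected variants."""
    seen = set()
    good = validate_assertion(sample_assertion(), "_req42", seen, EXAMPLE_NOW)
    return {
        "good": good,
        "replay": validate_assertion(sample_assertion(), "_req42", seen, EXAMPLE_NOW),
        "wrong_audience": validate_assertion(sample_assertion(audience="https://other.example/sp"),
                                             "_req42", set(), EXAMPLE_NOW),
        "unknown_issuer": validate_assertion(sample_assertion(issuer="https://idp.attacker.example"),
                                             "_req42", set(), EXAMPLE_NOW),
        "expired": validate_assertion(sample_assertion(), "_req42", set(),
                                      EXAMPLE_NOW + timedelta(hours=1)),
        "unsolicited": validate_assertion(sample_assertion(), "_req99", set(), EXAMPLE_NOW),
    }


if __name__ == "__main__":
    for name, (ok, reason, claims) in run_checks().items():
        print(f"{name:15s} ok={ok} reason={reason} claims={claims}")
```

The order of the checks is deliberate: the assertion ID is added to `seen_ids` only after every other check passes, so a rejected assertion cannot poison the replay cache, and the audience and InResponseTo checks are what stop an assertion the IdP issued for one CSP from being replayed at another. A real deployment backs `seen_ids` with a store that outlives one process and expires entries at the assertion's NotOnOrAfter.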