3. Identity and Access Management
Managing access control and governance within identity and access
management (IAM) to meet today’s business needs in the cloud remains one
of the major hurdles for enterprise adoption of cloud services. IAM
support for business needs ranges from secure collaboration with global
partners to secure access for global employees consuming sensitive
information from any location and any device at any time. Thanks to the
proliferation of consumer technologies (e.g., Apple iPhone) into the
enterprise (consumerization of IT) and the steady dissolution of the
network perimeter, enterprises are faced with greater risks in
protecting their intellectual property and sensitive information as well
as sustaining compliance. Easily accessible, user-friendly Web 2.0
technologies delivered via browsers are another catalyst accelerating the
trend toward “consumerization of identity and access management” services
(e.g., consumer-based identity services such as OpenID). In short, IT is
constantly challenged to support today’s
business needs with yesterday’s technologies and static processes. And
the information protection challenges are exacerbated by increasingly
mobile, dynamic, replicated, and scattered data on a variety of media
ranging from USB memory sticks to storage-as-a-service.
On the other hand, IT is grappling with user access management
dissatisfaction issues among business users who are increasingly
frustrated with today’s “user-unfriendly” IAM techniques (e.g., carrying
a token card that performs two-factor authentication, remembering a
variety of user IDs and passwords for various services, and forcing
users to choose a strong password that they write down and carry in a
wallet). And it is no secret that users will do anything to side-step
identity or any other security controls that slow their productivity and
business agility. Hence, IAM solutions need to strike a balance and act
as enablers of security controls to increase user adoption and
compliance.
Although the basic technology building blocks (trusted identity
stores, provisioning processes, authorization and authentication
methods, federation) for IAM exist today, the migration and extension of
those technologies into cloud services in their current form will not
yield the purported IAM benefits of efficiency, efficacy, and business
agility. The sheer volume of dynamic cloud compute resources (compute
nodes, storage, network policies), combined with the magnitude of users
and services accessing those resources, is challenging the scalability,
automation, and availability requirements of today’s directory and
identity infrastructure services. The primary reason is that today’s IAM
solutions deployed in the enterprise are complex, require extensive
customization, are expensive, and are not easily extendable to cloud
services. Furthermore, the trusted source of identity in the cloud is
still an issue and needs to be addressed. Moreover, support for
IAM practices and standards by CSPs is sparse and inadequate for
most enterprises. Although large SaaS cloud services are showing signs
of support for federation standards such as the Security Assertion
Markup Language (SAML), they are largely absent from PaaS and IaaS
services. A word of caution: viral adoption of cloud services driven by
business units that don’t leverage your own federated identity
management infrastructure and IAM processes risks repeating the mistakes
(e.g., provisioning of multiple credentials per user) that caused you to
implement enterprise identity management solutions in the first
place.
Today’s early adopters—small and medium-size businesses (SMBs)—who
are driven by the economic advantages of cloud computing have silently
embraced the basic low-assurance authentication methods, leaving the
enterprises waiting on the sidelines. Enterprises are hoping that the
CSPs will offer IAM capabilities that are standard within their
enterprise, and have come to expect this in any new service.
Enterprise cloud adoption
barriers include lack of support for federation (single sign-on or SSO),
integration with corporate directories, risk-based authentication,
scalable identity services, and the extension of the IAM practice to the
CSP. Hence, IAM solution design for cloud services will require careful
consideration of cloud use cases, investment in processes and
architecture that address cloud user access provisioning (including
privileged users), service-to-service authentication and user-to-service
authentication, and management of the user and access life cycle.
A small set of CSPs (mostly large SaaS service providers, such as
Salesforce.com) are beginning to pay attention to enterprise IAM
requirements, including support for standards such as SAML that
facilitate SSO using federation. However, given the early adoption cycle
by large enterprises, from an enterprise perspective IAM capabilities
are primitive at best. Customers should continue to demand IAM features,
including support for SAML, user provisioning using the Service
Provisioning Markup Language (SPML) standard, and an open application
programming interface (API) to support various user and access
automation requirements. This IAM capability chasm has given birth to a
new breed of cloud-based identity services; for example, identity
services and frameworks such as secure token services (STSs) from
Microsoft’s Azure support basic federation from Active Directory to
Microsoft’s cloud services and facilitate user SSO from on-premises
Active Directory to Microsoft’s cloud services. Although these
cloud-based identity services are lowering the barriers to entry for
SMBs, they are deemed inadequate to meet most enterprise requirements
such as custom reporting and compliance management. Trust and user data
management are other barriers, and most enterprises are not willing to
store their trusted source for identity outside controlled enterprise
boundaries. This issue is further exacerbated by use cases in which
attribute data associated with identities is either copied or stored in
the cloud service. Synchronizing multiple identity repositories remains
a key challenge for enterprises. Working with cloud-based services and
addressing synchronization issues by way of federation, virtual
directories, and an open API will reduce these barriers.
To avoid costly retrofits and integration with aftermarket
products, organizations looking to adopt cloud-based services should
embed an IAM strategy into the cloud service strategy road map.
Organizations that have been investing in directories, IAM capabilities,
and practices should therefore stand to gain by leveraging an optimized
internal IAM strategy and practice in the cloud. The most important
success factor for an enterprise to effectively manage identities and
access control in the cloud is the presence of a robust directory and
federated identity management capability within the organization (an
internal or cloud-based identity service)—for instance, architecture and
systems, user and access life cycle management processes, and audit and
compliance capabilities. When it comes to authenticating users and
services to the cloud, organizations need to pay attention to simplicity
and ease of use in addition to risk-based authentication methods (e.g.,
step-up authentication when sensitive data is accessed). Another premise to keep in
mind is that “all clouds are not created equal,” so enterprises need to
have a strategy for employing risk-based IAM methods, including strong
authentication, automated provisioning, deprovisioning, auditing, and
monitoring to address risks that are specific to a CSP.
Although identification and authentication challenges can be
overcome (when those capabilities are made available by the service
provider) with a well-architected IAM infrastructure and IT processes,
authorization services in the cloud are very basic and evolving. Cloud
users should be aware that granular application authorization is
immature at this point. Where it does exist, it is usually implemented
using CSP-proprietary profiles and primitive roles; often CSPs offer only
roles such as “user” and “administrator.” As a long-term strategy, customers
should be advocating for greater support of eXtensible Access Control
Markup Language (XACML)-compliant entitlement management on the part of
cloud providers, even if XACML has not been implemented internally.
XACML provides a standardized language and method of access control and
policy enforcement across all applications that enforce a common
authorization standard. At the very least, CISOs should be thinking
about authorization standards and avoid any temptation to customize a
solution based on the provider’s capability.
Business and IT stakeholders should also be advocating
standardization of enterprise roles within the enterprise—in other
words, roles mapped to user business functions (e.g., accounts payable
manager, people manager, and purchase order approver). In the future,
well-defined enterprise roles should be mapped to the cloud service
roles or profiles supported by the CSPs. We believe SPML and XACML will
play a role in that regard. (Currently, we are not aware of any effort
to standardize the naming conventions of enterprise roles.)
IT architects should be advocating externalization of
authentication and authorization components from applications (loosely
coupled) as this can aid in the rapid adoption of cloud-based services
including cloud identity services, policy-based authentication,
centralized logging, and auditing (e.g., OpenSSO from Sun Microsystems
and Microsoft’s Geneva claims-based authentication framework can help
externalize authentication).
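The ideas in the preceding paragraphs (risk-based authentication that steps up when sensitive data is touched, XACML-style entitlement expressed as attribute rules with obligations, enterprise roles mapped onto a CSP's primitive roles, and an authorization decision that lives outside the application) can be seen together in a small policy decision point. The code below is an added example written for this edition of the text; it is not code from the book, from OpenSSO, Geneva, XACML or any product named above. The role names, the `authn_strength` session attribute, the resource attributes and the rules are constructed assumptions, and `decide()` is a simplified imitation of XACML's deny-overrides combining and obligations, not an XACML implementation.

```python
"""Externalized, XACML-style attribute-based authorization.

Added example, not code from the book or any vendor it names: a tiny policy
decision point (PDP) that applications call through a policy enforcement
point (PEP), so no authorization logic is hard-coded in the application.
All role names, attributes and rules below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

# Constructed mapping of enterprise business roles onto the primitive roles a
# hypothetical CSP exposes ("user" and "administrator").
ENTERPRISE_TO_CSP_ROLE: Dict[str, str] = {
    "accounts-payable-manager": "user",
    "purchase-order-approver": "user",
    "iam-administrator": "administrator",
}

def csp_role_for(enterprise_roles: List[str]) -> str:
    """Pick the single CSP role to provision for a user's enterprise roles:
    "administrator" outranks "user"; unrecognized roles map to nothing."""
    csp_roles = {ENTERPRISE_TO_CSP_ROLE[r] for r in enterprise_roles
                 if r in ENTERPRISE_TO_CSP_ROLE}
    if "administrator" in csp_roles:
        return "administrator"
    return "user" if "user" in csp_roles else "none"

@dataclass
class Request:
    """XACML-style request context: subject, resource and action attributes."""
    subject: Dict[str, Any]
    resource: Dict[str, Any]
    action: str

@dataclass
class Rule:
    rule_id: str
    effect: str                          # "Permit" or "Deny"
    condition: Callable[[Request], bool]
    obligations: List[str] = field(default_factory=list)  # returned with the decision

@dataclass
class Decision:
    decision: str                        # "Permit", "Deny" or "NotApplicable"
    obligations: List[str]
    matched_rules: List[str]

# Constructed policy. authn_strength is an assumed session attribute:
# 1 = password only, 2 = password plus a second factor.
POLICY: List[Rule] = [
    # Risk-based rule: high-sensitivity resources need a strong session; the
    # obligation tells the PEP to trigger step-up authentication.
    Rule("deny-weak-authn-on-sensitive", "Deny",
         lambda r: r.resource.get("sensitivity") == "high"
         and int(r.subject.get("authn_strength", 0)) < 2,
         obligations=["step-up-authentication"]),
    Rule("ap-manager-approves-invoices", "Permit",
         lambda r: r.action == "approve" and r.resource.get("type") == "invoice"
         and "accounts-payable-manager" in r.subject.get("roles", [])),
    Rule("owner-reads-own-records", "Permit",
         lambda r: r.action == "read" and r.resource.get("owner") is not None
         and r.resource.get("owner") == r.subject.get("id")),
]

def decide(request: Request, policy: List[Rule] = POLICY) -> Decision:
    """PDP: evaluate every rule and combine with deny-overrides (the XACML
    combining algorithm of that name): any matching Deny wins, then any
    matching Permit; if no rule matches, the result is NotApplicable."""
    matched = [rule for rule in policy if rule.condition(request)]
    for effect in ("Deny", "Permit"):
        hits = [rule for rule in matched if rule.effect == effect]
        if hits:
            return Decision(effect,
                            [o for rule in hits for o in rule.obligations],
                            [rule.rule_id for rule in hits])
    return Decision("NotApplicable", [], [])

def is_permitted(subject: Dict[str, Any], resource: Dict[str, Any], action: str) -> bool:
    """PEP: the one call an application makes. Only an explicit Permit allows
    the action; Deny and NotApplicable are both refused (fail closed)."""
    return decide(Request(subject, resource, action)).decision == "Permit"

if __name__ == "__main__":
    # Constructed sample: an AP manager on a password-only session touches a
    # sensitive invoice, then retries after presenting a second factor.
    invoice = {"type": "invoice", "sensitivity": "high", "owner": "u2"}
    manager = {"id": "u1", "roles": ["accounts-payable-manager"], "authn_strength": 1}
    first = decide(Request(manager, invoice, "approve"))
    print(first.decision, first.obligations)       # Deny ['step-up-authentication']
    manager["authn_strength"] = 2
    print(is_permitted(manager, invoice, "approve"))  # True
    print(csp_role_for(manager["roles"]))          # user
```

The application never inspects roles or sensitivity itself; it calls `is_permitted()` and, on a Deny carrying the `step-up-authentication` obligation, redirects the user to the stronger authentication method before retrying. Because the PEP treats NotApplicable the same as Deny, adding a new resource type to the system does nothing until a rule explicitly permits access to it, and because the policy list is data rather than code, the same rules can be handed to a cloud-hosted PDP when the CSP offers one.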