When compared to the traditional applications deployment model within the
enterprise, IAM practices in the cloud are still evolving.In the current state of IAM technology, standards support by CSPs
(SaaS, PaaS, and IaaS) is not consistent across providers. Although large
providers such as Google, Microsoft, and Salesforce.com seem to demonstrate basic IAM capabilities,
our assessment is that they still fall short of enterprise IAM
requirements for managing regulatory, privacy, and data protection
requirements. Table 1
illustrates the current maturity model, based on the authors’ assessment,
generalized across SPI service delivery models.
Table 1. Comparison of SPI maturity models in the context of IAM
| Level | SaaS | PaaS | IaaS |
|---|
| User Management, New
Users | Capable | Immature | Aware |
| User Management, User
Modifications | Capable | Immature | Immature |
| Authentication
Management | Capable | Aware | Capable |
| Authorization
Management | Aware | Immature | Immature |
The maturity model takes into account the dynamic nature of IAM
users, systems, and applications in the cloud and addresses the four key
components of the IAM automation process:
User Management, New Users
User Management, User Modifications
Authentication Management
Authorization Management
Table 2 defines
the maturity levels as they relate to the four key components.
Table 2. Comparison of maturity levels for IAM components
| Level | Immature | Aware | Capable | Mature | Industry-leading |
|---|
| User Management, New
Users | Manual, ad hoc, with no
formal process | Manual, ad hoc, following
established processes | Automated where
appropriate
Disparate processes | Automated using more than
one process | Automated using a single
provisioning process |
| User Management, User
Modifications | Manual, ad hoc, per
application | Manual, ad hoc, per
application group | Manual or automated per
application group | Automated per class of
application and resource | Automated across the
application space |
| Authentication
Management | Manual, ad hoc
No common security policy | Addressed per
application
No common authorization
mechanism | Common authentication
mechanism
No common authentication
module | Common authentication
module
Minimal credentials
Common
security policy | Common authentication
mechanism as a component service to applications
Common security policy |
| Authorization
Management | Manual, ad hoc
No rule- or role-based authorization | Addressed per
application
No common authorization
mechanism | Common service
No common module | Common module
Application-specific attributes disparately
maintained | Common mechanism
Centrally managed attributes
Support
role
Rule-based |
By matching the model’s descriptions of various maturity levels with
the cloud services delivery model’s (SaaS, PaaS, IaaS) current state of
IAM, a clear picture emerges of IAM maturity across the four IAM
components. If, for example, the service delivery model (SPI) is
“immature” in one area but “capable” or “aware” in all others, the IAM
maturity model can help focus attention on the area most in need of
attention.
Although the principles and purported benefits of established
enterprise IAM practices and processes are applicable to cloud services,
they need to be adjusted to the cloud environment. Broadly speaking, user
management functions in the cloud can be categorized as follows:
We will now discuss each of the aforementioned practices in
detail.
1. Cloud Identity Administration
Cloud identity administrative functions should focus on life cycle management of user identities
in the cloud—provisioning, deprovisioning, identity federation, SSO, password or credentials management, profile management, and administrative management.
Organizations that are not capable of supporting federation should
explore cloud-based identity management services. This new breed of
services usually synchronizes an organization’s internal directories
with its directory (usually multitenant) and acts as a proxy IdP for the
organization.
By federating identities using either an internal Internet-facing
IdP or a cloud identity management service provider,
organizations can avoid duplicating identities and attributes and
storing them with the CSP. Given the inconsistent and sparse support for
identity standards among CSPs, customers may have to devise custom
methods to address user management functions in the cloud. Provisioning
users when federation is not supported can be complex and laborious. It
is not unusual for organizations to employ manual processes, web-based
administration, outsourced (delegated) administration that involves
uploading of spreadsheets, and execution of custom scripts at both the
customer and CSP locations. The latter model is not desirable as it is
not scalable across multiple CSPs and will be costly to manage in the
long run.
