In-Depth

Going Cloud: Identity Management as a Service

Keeping data secure in the cloud requires a new approach to authentication and authorization.

• By Jeffrey Schwartz
• 08/07/2012

Traditional identity management systems have evolved to provide SSO to authenticate and authorize access to multiple premises-based networks and enterprise apps. As more organizations turn to SaaS apps and other public cloud resources, managing access can become an even greater challenge.

Consider when an employee or contract worker leaves your organization. How do you ensure that person is cut off from access to all systems in-house, as well as the array of SaaS apps? Or as a person's role changes, how do you make sure that user's privileges are aligned with that new function?

These are key issues facing any enterprise using cloud services. Consequently, there's no shortage of industry efforts to standardize how employees use their enterprise credentials to access data and software in the cloud. There are a growing number of identity and access management vendors that offer both premises-based and online services, which provide secure authentication and authorization to in-house and cloud-based resources. Many envision a day when all SSO is hosted and managed in the cloud, a scenario known as Identity Management as a Service, or IDaaS.

Single Source of the Truth
For most enterprises, a Lightweight Directory Access Protocol (LDAP) repository and Microsoft Active Directory are the common first points of authentication. The directories host user credentials that authorize access to network resources, file shares and applications. At the same time, each application has its own directory and many organizations use their human resources systems to manage user roles.

It's common for enterprises to populate user information into the HR system and extend it into Active Directory or vice versa, says Lina Liberti, vice president for security management at CA Technologies. "In most environments, Active Directory is very much a norm -- the single source of truth," Liberti says.

To extend authentication across organizational domains, Microsoft also offers Active Directory Federation Services (ADFS). ADFS provides SSO to applications and services using claims-based identity standard WS-Federation and, more recently, the broadly supported Security Assertion Markup Language (SAML). The XML-based SAML standard, which is widely supported (though Microsoft held off for years in favor of WS-Federation), provides a common method of passing authorization and authentication data between partners.

"ADFS is being widely used for single sign-on within Microsoft environments such as multidomain and multiforest environments, as well as with SharePoint deployments," says Nick Nikols, chief technology officer at Quest Software Inc., which offers a family of cross-platform identity and access management tools. "But beyond that, it's usually acting as an integration point, basically via SAML, with third-party single sign-on providers that support more than just the Microsoft ecosystem and integrate with other platforms and application environments."

ADFS Destination: The Cloud
ADFS only runs on-premises today, though it can be used to provision and manage users in Microsoft Office 365. Microsoft has recently begun articulating its vision for pure, cloud-based identity management. Announced and currently under development is Windows Azure Active Directory, or WAAD, aimed at providing IDaaS. "Organizations will find they need new identity management capabilities to take full advantage of the cloud," said Kim Cameron, chief architect of identity at Microsoft, in a May blog post.

That's a vision that Cameron says will take years to play out. For those with more immediate requirements, scores of third parties have recently started to offer software- and cloud-based services aimed at providing SSO. Many are designed to grant access based on privileges assigned by an administrator or based on a user's role within an organization.

Among those that offer identity and access management middleware and tools are CA, Courion Corp., IBM Corp., Intel Corp., Okta Inc., Oracle Corp, Ping Identity Corp., Quest, Radiant Logic Inc., SailPoint Technologies Inc., Symantec, Symplified Inc., UnboundID Corp. and VMware.

CA, a longtime provider of identity management software, offers both a premises-based solution called IdentityMinder and a cloud-based offering called CloudMinder. Customers pressed CA to allow users to authenticate to SaaS services -- provided by companies like Salesforce.com Inc. and Workday Inc. -- the same way that users accessed apps running in their datacenters.

Later in the year, Liberti says CA will add a broader set of applications from a federated SSO perspective, as well as tight integration with existing directories -- all while providing tools for a self-service identity management. "As an end user, I'll be able to go into CloudMinder and request access to an application. Then, by a workflow process, I'll automatically get a list of apps I have access to and I can initiate access to them very easily," she says.

For its part, Salesforce.com has placed a strong emphasis on identity management. In addition to its partnership with Intel, Salesforce.com has played a key roll in gathering momentum for cloud standards. Most notable is its effort to create support for the Simple Cloud Identity Management (SCIM) standard, a specification for providing common user- provisioning attributes. In June the IETF accepted SCIM as a draft spec. Also supporting SCIM are Google Inc., the Cisco Systems Inc. WebEx division, Ping, Okta, VMware, SailPoint and UnboundID, among others.

Chuck Mortimore, Salesforce.com senior director of Product Management for Identity and Security, believes building consensus will ultimately expand use of SaaS-based apps. "If we can get people into our cloud and others people's clouds quickly and seamlessly in a standardized way, that benefits everyone, and we'll get lift from it," he says.