Identity Management for the cloud: Taking the next step

Identity and Access Management (IAM) in its present do a pretty good job dealing with internal users and systems. Unfortunately, that isn’t what most companies really need the age of cloud computing. They want their customers and external partners to have access to core business processes. Mobile users want to connect through their Smartphone or other devices. And increasingly, important business applications no longer run on servers within the corporate network, but live in remote datacenters operated by external services providers. Managing identities, roles and privileges for “virtual” environments like these is a major challenge in terms of governance and overall security.

It wasn’t long ago that protecting a company’s IT systems for external threats was relatively easy. After all, there was only one doorway for outsiders to enter the internal network, so a simple firewall could do the job. But the days of perimeter defense are coming to an end. Managing access by internal users to internal systems is child’s play compared to the task of overseeing secure and compliant access rights by dozens or hundreds of suppliers within a complex digital value chain or flexibly adapting to the demands of potentially millions of customers availing themselves of services from within your corporate network. This will call for a completely new approach to Identity and Access Management.

Take for instance the tightly regulated finance sector. Today, established players may find themselves joining up with new and unfamiliar partners to provide potentially lucrative value-added services to customers or to simply boost their transaction volumes. This calls for some very strict monitoring indeed as new groups of users over which the company has no jurisdiction suddenly avail themselves of applications subject to tightest possible oversight both by law and by internal auditing guidelines.

Many companies choose to establish online portals which allow only limited access by registered users to certain internal applications and mask the rest from outside eyes. Experience shows that isolated, case-by-case solution like these seldom live up to expectations, besides the fact that setting up new projects with other partners means setting the whole business of project planning and implementation in train again from the beginning. Duplication of effort is always the most costly form of project management.

Things like mobility, home offices and of course cloud computing all represent the final straw. Eternalizing internal services places pressure on existing IAM infrastructures they were never designed to withstand. Besides, they slow down the whole system, making it next to impossible for IT to respond in a timely fashion to urgent requirements from the business side.

“Cloud IAM” is not enough
Change often drives innovation, and this holds true for cloud computing, too. Not that every new idea being peddled as “cloud innovation” will fly, especially in the area of Identity and Access Management in and from the cloud. It makes no sense to deploy a purely cloud-based single sign-on solution if you still have to worry about internal legacy systems. Another case is identity provisioning where systems developed only for internal use fail to scale in the cloud, so you wind up needing two.

The challenge is not so much in externalizing things. That may or may not make sense, depending on the case. Neither does it lie in creating new infrastructures for external services. Those problems can be dealt with individually. No, the true challenge lies in tearing down the barriers that separate inside and out by in fact eliminating the definitions of “internal” and “external” user altogether.

There are good reasons for doing this. One is the demand for accountability and the capability to track access rights and compliance with SoD (segregation of duties) policies. There is a mandate here for companies to hit upon solutions that give them complete control of identities and access privileges for every user in every system, no matter where it’s located.

The -žfour A’s” of user management
Already, examples of this comprehensive approach to Identity and Access Management are cropping up in the market today. Some Web Access Management products support the integration of external user groups, albeit in a generally more or less isolated form. Identity federation which allows for management and authentication of external users by trusted third parties has passed the hype phase and is rapidly entering the mainstream. A growing number of external cloud services now support the SAML (Security Assertion Markup Language) standard that lies at the very heart of modern identity federation systems. They can be used to administer users within each company and to give the information cloud providers need to authenticate before providing access to externally hosted applications and data.

But that isn’t enough. Administration and authentication only cover two of the “Four A’s” of Identity Management. The others are authorization and auditing (the “what?” as opposed to the “who?”). IT departments must be able to perform all four tasks simultaneously: Manage users, identify them, let them use the system and keep a record of everything they did.

Sadly, that means that relying on SAML alone is not enough if you want to provide cloud-based services. You also must be able to adapt user privileges to different situations while maintaining absolute control. Systems that delegate these functions to the proprietary web interfaces of the cloud services themselves are doomed to fail in this respect. Instead, IT departments should consider adopting standards such as SPML (Service Provisioning Markup Language) as to create open interfaces to provisioning systems, XACML (eXtensible Access Control Markup Language) for granular control of privileges through policies, or connectors for important cloud services as part of existing identity provisioning solutions. These are capable of controlling the proprietary web service interfaces of most vendors. Individual provisioning vendors already have implemented such solutions for cloud services like salesforce.com and Google Apps.

In the field of auditing, such solutions are still nonexistent. Here, work needs to be done on simple audit logs that provide anything from straightforward access information to highly differentiated analysis of access activity with the help of so-called “access governance” products.

This will not happen overnight, and it may actually take quite a while before the necessary interfaces are readily available. In the meantime, users and vendors of cloud services on the one hand and identity management tools on the other would do well to think in this direction.

How to deal with legacies
As the technology advances, companies are well advised to scrutinize their existing IAM infrastructures and to question their ability to perform across the boundaries of today’s corporate networks in a truly open IT environment. Two aspects are important here. One is the necessity to administer and maintain external users with a minimum of effort and cost. The other is the need for control and auditing of external services. In the first case, focus lies on storage of user date as well as on processes for requesting user and access privileges and for authentication. This involves such details as the ability to handle multiple user IDs, scalability issues as well as separating different user groups for reasons of security and regulatory compliance (“Chinese walls”). There are technical solutions available in the market to solve these problems. Provisioning products can handle most of these processes, and most modern architectures provide options for combining provisioning solutions from different vendors below the process layer. For instance, virtual directories are capable of integrating different directories in different systems efficiently and accurately.

The second question must be answered by the vendors since only they can tell us if and when they plan to support individual external services. First they need to deal with the cloud providers and their interfaces. Integrating SAMLv2 into Enterprise-Single-Sign-On (E-SSO) solution in order to provide easy simplified sign-on to cloud services isn’t exactly rocket science, nor is the development of additional connectors for provisioning products or cloud-based web services.

The good news, too, is that all this does not require a fundamentally new approach to IAM infrastructure, but instead about incremental improvement. However, it is necessary to plan ahead in order to avoid creating a brand-new generation of future IAM legacy systems that will be obsolete almost as soon as they are installed.