Two major identity management companies are forging ahead with products designed to satisfy what a cloud-computing consortium calls one of the trickiest problems preventing secure and automated connections between internal IT infrastructures and external service providers: identity and authentication.
Last week at The Burton Group's Catalyst Conference, Novell demonstrated a pre-release version of its Cloud Security Service, designed to synchronize login and authentication data between external clouds and internal systems without exposing internal security data.
At the same conference, CA demonstrated a product called Federation Manager, designed to provide single sign-on across several internal and external cloud or SaaS applications.
The problem the two are offering to solve is federated identity management-the need to connect and synchronize user data between external service providers and internal IT security measures.
Without external services managed by identity management specialists such as Novell, CA and others, use of cloud-computing services could get snarled in a web of manual updates and processes that are too much trouble to implement and present far too much potential for error, according to Rich Mogull, a former Gartner analyst who now runs the Securosis, L.L.C security consultancy.
“Managing user authentication internally is not that big a deal, and it's not a big problem services you log into over the Web or FTP or whatever, because you're using a single user credential to sign in to something,” Mogull says. “With SaaS and cloud environments you're extending your infrastructure, which essentially means you'd have to manually recreate all your users in that cloud and synchronize all the changes manually as well.”
Whose Identity Answer Looks Promising?
Both Microsoft and VMware have promised their own takes on identity management for cloud computing, but a host of third parties is also beginning to crowd the market.
Relative small fry such as Radiant Logic, for example, touts its RadiantOne Identity and Context Virtualization Platform as a two-part solution to identity management. Its Identity Correlation and Synchronization Server aggregates and synchronizes identity data from end-user and cloud organizations, while its Virtual Directory Server provides authentication and access control.
Others, such as PingIdentity take a tighter focus, providing secure single sign-on to one or two SaaS applications at a time.
“People don't think of it that way, but SaaS is as much a cloud environment as other cloud services,” Mogull says.
In addition to specific products, OASIS and other standards organizations have been working on security specifications such as the Security Assertion Markup Language (SAML), the Web Services Federation Language (WS-Federation), or earlier Liberty Identity Federation Framework (ID-FF).
Others, such as the Cloud Security Alliance (CSA) have also been working on the technology putting out white papers mapping out security best practices.
CSA calls the need for a robust and standardized federated-identity management structure, and services to take advantage of it “the key critical success factor to managing identities at cloud providers.”
“The current state of granular application authorization on the part of cloud providers is non-existent or proprietary,” the CSA goes on to say. CSA also recommends that:
• End users require cloud providers provide stronger authentication between them and their customers than the cloud providers use internally; • End users consider using third-party single-sign-on services to authenticate to the cloud; • End users realize that the third parties to which they outsource some part of their identity management will become criticalinfrastructure providers, not just ways to link more conveniently with cloud services by federating identity and authentication mechanisms.
Today's Problem: Lots of List Maintenance Needed
Most cloud or SaaS services have either proprietary identity mechanisms, or require customers to make the change both on an internal access list and on the cloud configuration list every time a new employee is hired, one is fired, or permissions are changed.
“There's a lot of effort involved in that if you're talking a couple of thousand users,” Mogull says. “It's really easy to screw it up, and if it's not a standard way of doing it, there's no guarantee whatever you're doing will be compatible with what you'll do to manage identities in the future.”
Forgetting to delete an e-mail account or access to a particular application inevitably creates security and configuration headaches. Because cloud providers usually charge per user, an uncancelled account also keeps costs higher than they should be, for no benefit.