Monday, November 30, 2009

Identity & Access Management In The Cloud

Last week I was asked to give a presentation at the IBM Tivoli User Group on Identity & Access Management In The Cloud to IBM employees, IBM Business Partners and customers of IBM Tivoli Security products. I soon realised that my first problem was going to be defining The Cloud. Not everyone I spoke to in advance of the presentation knew what The Cloud was!

So What Is The Cloud?
The Cloud seems to be a term bandied about all too readily these days and for many people it merely represents everything that happens on the Internet. Others, however, are a little more strict with their definition:

"For me, cloud computing is a commercial extension of utility computing that enables scalable, elastic, highly available deployment of software applications while minimizing the level of detailed interaction with the underlying technology stack itself."

"Computing on tap - you get what you want literally from a socket in the wall."

"Cloud computing is just a virtual datacenter."

Wikipedia, naturally, has its own definition.
Cloud computing is Internet based development and use of computer technology. In concept, it is a paradigm shift whereby details are abstracted from the users who no longer need knowledge of, expertise in, or control over the technology infrastructure "in the cloud" that supports them.

Of course, there are different levels of computing that a provider in the Cloud can offer. The usage of a particular software application (e.g. Google Docs) is just one such offering. Another would be akin to a software development platform (think Google App Engine, Microsoft Azure and Salesforce's force.com). Then, of course, there are the raw infrastructure services - servers provisioned "on-tap" for end-user usage (e.g. Amazon EC2).

We are probably all users of Cloud services if we think about it. A quick look inside my Password Safe vault reveals almost 300 different User ID & Password combinations for services on the net including:
  • Blogger [blogging platforms]
  • Twitter [divulging incoherent thoughts]
  • Facebook [staying in touch]
  • LinkedIn [professional networking]
  • Google Docs [MS Office Alternative]
  • Gmail [eMail]
  • Screenr [screencasting]
  • ChartGo [charting application]

The Enterprise Model
While it is easy to see how personal usage of Cloud applications has grown over recent years, it may come as more of a surprise to learn how the Enterprise is adopting Cloud usage.

According to EDL Consulting, 38% of enterprises will be using a SaaS based eMail service by December 2010. Incisive Media report that 12% of Financial Services firms have already adopted SaaS, mainly in the CRM, ERP & HR fields. And our friends at Gartner reckon that one-third of ALL new software will be delivered via the SaaS model by 2010.

My guess? SaaS is already happening in the enterprise. It's here and it's here to stay.

With any change to the enterprise operating model there will be implications - some real and, just as critical, some perceived.

In the Perceived Risks category, I'd place risks such as loss of control; storing business critical data in the Cloud; reliability of the Cloud provider; longevity of the Cloud provider. Of course, these are only perceived risks. Who is to say that storing business critical data in the Cloud is any less risky than storing it in the enterprise's own data centre? There may be different attack vectors that need to be mitigated against, but that doesn't mean the data is any less secure, does it? And who says the enterprise has to lose control!

Real risks, however, would include things like the proliferation of employee identities across multiple providers; compliance with company policies; the new attack vectors (already described); privacy management; the legislative impact of data storage locations; and, of course, user management!

Cloud Standards
As with any new IT delivery methodology, a raft of "standards" seem to appear. This is great as long as there is widespread adoption of the standards and the big suppliers can settle on a specific standard. Thank goodness for:
These guys, at least, are attempting to address the standards issue and I am particularly pleased to see CSA's Domain 13 on Identity & Access Management insisting on the use of SAML, WS-Federation and Liberty ID-FF.

Access Control
And on that point, the various Cloud providers should be congratulated on their adoption of security federation. Security Assertion Markup Language (SAML) has been around for over 6 years now and is an excellent way of providing a Single Sign On solution across the enterprise firewall. OpenID, according to Kim Cameron, is now supported by 50,000 sites and 500 million people have an OpenID (even if the majority don't realise it!)

The problem, historically, has been one of identity ownership. All major providers want to be the Identity Provider in the "federation" and Relying Parties were few and far between. Thankfully, there has been a marked shift in this stance over the last 12 months (as Kim Cameron's figures support).

Then there are the "brokers": those companies designed to make the "federation" process a lot less painful. The idea is that a single authentication to the broker will allow wider access to the SaaS community, as such:


Symplified (http://www.symplified.com/) and Ping Identity (http://www.pingidentity.com/) seem to be the thought leaders in this space and their marketing blurb comes across as comprehensive and impressive. They certainly tick the boxes marked "Speed To Market" and "Usability" but again those perceived risks may be troublesome for the wary enterprise. The "Keys To The Kingdom" issue rears its ugly head once more!

Identity Management
SPML is to identity management as SAML is to access management. Right? Well, almost. Service Provisioning Markup Language (SPML) was first ratified in October 2003 with v2.0 ratified in April 2006. My guess? We need another round of ratification! Let's examine the evidence. Who is currently using it? A Google search returns precious little. Google Apps uses proprietary APIs. Salesforce uses proprietary APIs. Zoho uses proprietary APIs. What is the point of a standard if nobody uses it?

Compliance & Audit
Apparently, forty times more information will be generated during 2009 than during 2008 AND the "digital universe" will be ten times bigger in 2011 than it was in 2006! Those are staggering figures, aren't they? And the bulk of that data will be quite unstructured - like this blog or my tweets!

The need for auditing the information we put out into the digital universe is greater than ever but there is no standards based approach to Compliance & Audit in the Cloud!

Service Providers are the current custodians of the Compliance & Audit process and will likely continue to be so for the time being. Actually, the Service Providers are quite good at this as they already have to comply with many different regulations across many different legislative jurisdictions. Typically, however, they present Compliance & Audit dashboards tailored to vertical markets only.

It's understandable, I guess, that for a multi-tenancy service there will be complications separating out relevant data for the enterprise compliance check.

Moving To The Cloud
There are providers out there who claim to be capable of providing Identity Management as a Service (IDaaS), which sounds great, doesn't it? Take away all that pain of delivering an enterprise-robust IdM solution? In practice, however, it works well for enterprises who operate purely in the Cloud. These solutions already understand the provisioning requirements of the big SaaS operators. What they can't do quite as well, though, is the provisioning back into our enterprise systems! It's not enough to assume that an enterprise runs everything from their Active Directory instance, after all. Also, we have to remember that using an IDaaS is akin to giving away the "Keys To The Kingdom". Remember our perceived risks?

An alternative is to move the enterprise IdM solution into the Cloud. Existing installations of IBM Tivoli Identity Manager or Sun Identity Manager or {insert your favourite vendor here} Identity Manager could be moved to the cloud using the IaaS model - Amazon EC2. The investment in existing solutions would be retained with the added benefit of scalability, flexibility and cost-reduction. Is this a model that can be adopted easily? Most certainly, as long as the enterprise in question can get its head around the notion of moving the "Keys To The Kingdom" beyond its firewall.

Conclusion
The next generation of user is already web-aware - SaaS is here to stay - and SSO is finally within our grasp with only a handful of big players dragging their heels when it comes to implementing standards such as SAML v2.0. It was also intriguing to play with Chrome OS last week (albeit an early prototype version). Integrating desktop sign on with the web just tightens things that bit further (in a Google way, of course).

Provisioning (whether it is Just-In-Time or Pre-Populated) is still the pain-point. Nobody seems to be using SPML and proprietary APIs abound. Nailing this is going to be critical for mass adoption of SaaS solutions.
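
To make the de-provisioning side of this pain-point concrete, here is an added example (not part of the original presentation and not any vendor's code) that reconciles account exports from two SaaS providers against the enterprise HR record. The provider names, field names and records are all constructed; each export deliberately uses its own schema, as proprietary APIs do.

```python
"""Reconcile SaaS account exports against the enterprise HR record.

All provider names, field names and records below are constructed for
illustration; real providers each expose their own proprietary schema.
"""

# Authoritative HR source (constructed): employee e-mail -> employment status
HR = {
    "alice@example.com": "active",
    "bob@example.com": "terminated",
    "carol@example.com": "active",
}

# Constructed exports from two hypothetical providers, each with its own schema
PROVIDER_A = [
    {"login": "Alice@Example.com", "enabled": True, "auth": "saml"},
    {"login": "bob@example.com", "enabled": True, "auth": "saml"},
]
PROVIDER_B = [
    {"userName": "carol@example.com", "state": "ACTIVE", "sso": False},
    {"userName": "dave@example.com", "state": "ACTIVE", "sso": True},
    {"userName": "bob@example.com", "state": "SUSPENDED", "sso": True},
]

def normalise_a(rec):
    """Map provider A's schema to (account, enabled, federated)."""
    return rec["login"].lower(), rec["enabled"], rec["auth"] == "saml"

def normalise_b(rec):
    """Map provider B's schema to (account, enabled, federated)."""
    return rec["userName"].lower(), rec["state"] == "ACTIVE", rec["sso"]

def reconcile(hr, exports):
    """Return sorted (provider, account, finding) tuples for enabled accounts."""
    findings = []
    for provider, (records, normalise) in exports.items():
        for rec in records:
            account, enabled, federated = normalise(rec)
            if not enabled:
                continue  # disabled accounts cannot log in
            status = hr.get(account)
            if status is None:
                findings.append((provider, account, "orphan: no HR record"))
            elif status != "active":
                findings.append((provider, account, "leaver still enabled"))
            elif not federated:
                findings.append((provider, account, "local password bypasses SSO"))
    return sorted(findings)

EXPORTS = {"provider_a": (PROVIDER_A, normalise_a),
           "provider_b": (PROVIDER_B, normalise_b)}
```

Every new provider needs its own normalise function, which is exactly the cost a widely adopted provisioning standard would remove.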

While Provisioning is the current pain-point, however, Governance, Risk & Compliance will be the next big-ticket agenda item. The lack of standards and proliferation of point solutions will surely start to hurt. Here, though, I run out of ideas.... for now. Seems to me that there is an opportunity for a thought leader in this space!