Identity – Of, By, In and For the Cloud

13.03.2012 by Dave Kearns

There’s Identity, and there’s the Cloud. While we still can’t quite agree on what Identity is and what Cloud Services are, we also can’t wait until those questions are settled to properly connect the two.

Apps can reside either in the datacenter or in the cloud. They could also reside on our local device (PC, tablet, smartphone, etc.) but we’ll simplify today’s discussion (and leave mobile identity and apps to another day) by concentrating on these two platforms.

Identity services can reside in either place also. Often, in fact, they’ll reside in both places. More on that in a moment.

There’s a lot of confusion when two or more people discuss Identity and Cloud Services, though, because they’ll have different ideas as to what’s being identified, why, and in which direction(s) the identity data flows. Let me break it out for you.

We can have:

A. Identity Services in the datacenter, apps in the datacenter;
B. Identity Services in the datacenter, apps in the cloud;
C. Identity Services in the datacenter, apps in the cloud AND the datacenter;
D. Identity Services in the cloud, apps in the cloud;
E. Identity Services in the cloud, apps in the datacenter;
F. Identity Services in the cloud, apps in the cloud AND the datacenter;
G. Identity Services in the datacenter AND the cloud, apps in the cloud;
H. Identity Services in the datacenter AND the cloud, apps in the datacenter;
I. Identity Services in the datacenter AND the cloud, apps in the datacenter AND the cloud!

Today, most corporate users fall into case I, Identity Services in the datacenter AND the cloud, apps in the datacenter AND the cloud, simply because most large corporations that are moving applications and data to the cloud are still in the middle of that move. These organizations started in case A (so-called “traditional computing”), moved to case C, then on to I, with a target (perhaps unreachable) of case G. That is, large organizations start with both identity services and apps in the datacenter, then move some apps to the cloud. This is followed by moving some identity services to the cloud (perhaps through federation) and finally moving all, or almost all, services and apps into the cloud.

Join me at the European Identity and Cloud Conference next month to learn more about Federation for cloud services as we explore Federation vs. Synchronization.

Small organizations, though, follow a different timeline, especially those which don’t have anything that could even loosely be termed a “datacenter”. They start with both identity and apps on a local device. Over time, those devices are brought together into a workgroup which may or may not have centralized identity services and apps. Now they’re being drawn to the cloud, both for identity and for apps and services.

Besides location and platform, we need to talk about the purpose of our choices. That is, do we want Identity for the cloud, by the cloud, in the cloud or of the cloud? And what do they all mean?

Identity FOR the cloud is what many organizations have today: authentication in the datacenter, then a link (either via a portal or through federation) to cloud services and apps.

Identity BY the cloud is what the consumer (B2C) market has: customers authenticate to the cloud service itself (Google Docs, Apple’s iTunes, Netflix or other streaming sites), typically with a username/password combination.

Identity OF the cloud is something which is more honored in the breach today but will become important in the near future. Organizations and individuals interacting with a cloud service need assurance that they are actually talking to the service they intended to reach. HTTPS (HTTP over SSL/TLS) helps, because a properly validated server certificate authenticates the service to the client, but it does not completely mitigate man-in-the-middle (MITM) attacks (a mis-issued or compromised certificate still validates, and a client that skips certificate or host name checks validates nothing at all), and it does nothing against man-in-the-browser (MITB) attacks, where the malware sits inside the endpoint and sees the traffic after the TLS session has been decrypted. Better service authentication will become necessary as data thefts become more apparent.
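As an added illustration of what “better service authentication” can look like on the client side (this is example code written for this page, not code from the original post or from any vendor mentioned in it), the block below uses only Python’s standard library to show the weak TLS client configuration beside the hardened one, and adds certificate pinning on top of normal chain and host name validation so that a mis-issued or interception certificate is rejected even though it would pass the CA check. The host names, ports and pin values are hypothetical, and SAMPLE_CERT_DER is constructed placeholder bytes rather than a real certificate.

```python
# Added example, not from the original post: TLS service authentication for a
# cloud endpoint with the Python standard library only. Host names, ports and
# pins are hypothetical; SAMPLE_CERT_DER is constructed bytes, not a real cert.
import base64
import hashlib
import socket
import ssl


def lax_context() -> ssl.SSLContext:
    """The weak setting, shown only for contrast: the channel is encrypted
    but nobody is authenticated, so any MITM with any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def strict_context() -> ssl.SSLContext:
    """Hardened: chain must validate against the system CA store, the host
    name must match the certificate, and TLS 1.2 is the floor."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """Self-check a context before using it for anything sensitive."""
    return (ctx.check_hostname
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def pin_of(cert_der: bytes) -> str:
    """base64(SHA-256(DER certificate)): the form pins are usually stored in."""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode("ascii")


def pin_matches(cert_der: bytes, expected_pins) -> bool:
    """True if the presented certificate is one of the pinned ones. Ship at
    least one backup pin so certificate renewal does not lock clients out."""
    return pin_of(cert_der) in set(expected_pins)


def connect_pinned(host: str, port: int, expected_pins, timeout: float = 5.0):
    """Open a TLS connection that (1) passes the CA and host name checks of the
    strict context and (2) presents a pinned leaf certificate. Returns the
    negotiated TLS version and the pin of the presented certificate."""
    ctx = strict_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, expected_pins):
                # The chain validated, yet the leaf is not the one we expect:
                # a mis-issued or interception certificate. Abort, do not send data.
                raise ssl.SSLCertVerificationError(
                    f"pin mismatch for {host}: presented {pin_of(der)}")
            return tls.version(), pin_of(der)


# Constructed placeholder standing in for a DER-encoded leaf certificate.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-sample-not-a-real-certificate"

if __name__ == "__main__":
    print("strict context ok:", context_is_strict(strict_context()))
    print("lax context ok:   ", context_is_strict(lax_context()))
    print("pin of sample:    ", pin_of(SAMPLE_CERT_DER))
    # Live use (hypothetical host and pin):
    # connect_pinned("idp.example.com", 443, ["<pin recorded at enrollment>"])
```

Two caveats a practitioner would add. First, this pins the whole leaf certificate, which breaks on every renewal; pinning the SubjectPublicKeyInfo instead survives renewals that keep the key, but extracting it needs an X.509 parser outside the standard library. Second, none of this touches the MITB case the paragraph mentions: once TLS terminates inside a compromised endpoint, the attacker already has the plaintext, so service authentication has to be paired with endpoint integrity.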

Finally, there’s Identity IN the cloud. This means that the identity service is, itself, a cloud service. This has been referred to as Identity as a Service, abbreviated IDaaS (sometimes written IaaS, which invites confusion with Infrastructure as a Service). In the near term, IAMaaS (Identity and Access Management as a Service) will become the norm, or at least A norm. IAM is well on its way to becoming just one more outsourced service.

For a number of years it’s been very apparent to me that enterprises have lagged well behind current technology in their IAM services. It’s not for want of desire nor is it from lack of need. It all comes down to a case of missing resources: enterprises don’t have either the fiscal capital or the human capital to keep up with the fast changing IAM landscape.

Google Docs and Microsoft’s Office365 both make the case that using an office suite “in the cloud” means never having to worry about maintenance schedules, upgrade downtime or software patching, three of the major reasons that datacenter software is often one, two or even three releases behind the current version of a package. The claim is that outsourcing your office productivity software to the cloud gives a tremendous uptick in your organization’s bottom line. Could outsourcing your IAM to the cloud provide similar savings? And, if so, at what cost?

The quick answer is yes, moving your IAM services to a cloud provider can save time and money. As just one example, take provisioning. There’s little question that automated provisioning has saved money over manual methods, but there’s still the cost of installing, maintaining and upgrading the software, as well as the cost of integrating it with your corporate apps and services, which might reside in either the datacenter or the cloud. Similar savings can be realized by using cloud services for SSO, Role-/Rule-/Attribute-based access control, regulatory compliance (think, for a moment, about your costs for staying current on regulations), even governance. It does seem like a no-brainer, doesn’t it?

There are a few things to consider, though.

How safe is your data? How safe is your connection to the cloud? What about privacy concerns? How reliable is your IAM as a Service vendor? How reliable is the cloud platform your vendor (or you) has chosen?

Moving IAM into the cloud can present a big reward, but does that imply you have to take a big risk?

I don’t think so. Let’s review:

Identity FOR the cloud is a service to control authentication and authorization of enterprise users to cloud-based apps and services.

Identity OF the cloud encompasses methods to assure users that the cloud service they desire to connect to is the one they actually connect to.

Identity IN the cloud, also known as Identity as a Service (IDaaS), is a method of providing Identity services which reside in the cloud but are used for on-premises authentication and authorization.

We’ve made gains over the years even while keeping these different technologies separate – but wouldn’t it be easier for all of us if we could combine the functionality into one Identity Service which is For, Of and In the cloud? Join me and Vikas Jain, Director of Product Management with the Application Security and Identity Products Group at Intel, on March 29 at 11 AM EST for a thorough discussion of how identity services for, of and in the cloud can work to deliver better security with lower cost and easier manageability for your organization. It promises to be a very informative discussion.

© 2014 Dave Kearns, KuppingerCole