IAM is Essential for Hybrid Clouds

As mobile devices and similar means of access proliferate, the traditional hard edge of the network, with its known points of entry and exit, has softened into something far less defined. User identity has grown in importance as a result, to the point where identity is now considered the new network perimeter. It will be even more important with hybrid cloud.

It already speaks to user fears about cloud security. A recent survey of the 250,000-plus members of LinkedIn’s Information Security Community revealed unauthorized access through misuse of employee credentials and improper access controls as the major cloud security concern of nearly two-thirds of them. The ability to set and enforce consistent security policies across clouds was the number one method seen by 50 percent of those surveyed for “closing the security gap” in the cloud.

But it’s easier said than done. Managing identities, group security policies and access with, for example, the Lightweight Directory Access Protocol (LDAP) and Microsoft’s Active Directory (AD) has been a well-known technique in traditional enterprises, where applications are hosted on on-premises systems. In the cloud, however, it’s much more difficult for IT departments to know which users are accessing which applications and services.

Nevertheless, says the Cloud Security Alliance (CSA), “extending an organization’s identity services into the cloud is a necessary pre-requisite for strategic use of on-demand computing resources.” It identifies four identity and access management (IAM) functions—identity provisioning/deprovisioning, authentication and federation, authorization and user profile management, and support for compliance—as the essentials for successfully managing identities in the cloud.

Federated identity management, using hierarchical, identity-based cryptography, is seen as the best approach for hybrid cloud. Single sign-on solutions can use the AD and LDAP systems an organization already relies on for its internal access management, which should mean minimal disruption in extending that to the cloud. No one will be able to access cloud apps and services without having an account in AD, and use of those apps and services can be tracked just as it can be for traditional access.

However, integrating traditional, on-premises IAM solutions with those needed for the cloud is not simple, and the Windows-centric AD and LDAP don’t translate easily to the kind of Web-based apps more often found in the cloud. That has prompted the recent rise of possible solutions such as Identity-as-a-Service (IDaaS).

IDaaS is a generic term that covers one or many of the services that comprise an identity ecosystem, according to the CSA, such as policy enforcement points, policy decision points, policy access points, services that provide entities with identity and that provide reputation.

IDaaS offerings also “need to include people, processes and systems that are used to manage enterprise resources by assuring the identity of an entity is verified, then granting the correct level of access based on this assured identity.”
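The two ideas above, federated single sign-on rooted in the existing directory (so that a user with no active AD account gets no access at all) and the policy enforcement / policy decision point split that the CSA lists among IDaaS components, fit together in one flow. The following is an added illustration written for this page, not code from the CSA, Microsoft or any IDaaS vendor. Everything in it is a labelled stand-in: `DIRECTORY` is a dictionary playing the role of AD/LDAP, the identity provider signs assertions with an HMAC shared key rather than the XML-DSig or RS256 signatures a real SAML or OIDC deployment uses, and the issuer, audience and policy values are constructed for the demo.

```python
"""
Constructed sketch of federated SSO plus policy-based authorization for a
cloud app. Assumptions (none are real products or endpoints):
  DIRECTORY   - stand-in for on-premises AD/LDAP
  IdP         - issues HMAC-signed assertions so the example runs offline;
                production federation uses SAML XML-DSig or OIDC RS256/ES256
  PAP/PDP/PEP - policy administration, decision and enforcement points
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed directory: bob has been deprovisioned (account disabled).
DIRECTORY = {
    "alice": {"enabled": True,  "groups": ["finance", "employees"]},
    "bob":   {"enabled": False, "groups": ["employees"]},
}

IDP_ISSUER = "https://idp.example.internal"          # hypothetical issuer id
CLOUD_APP_AUDIENCE = "https://payroll.example-saas"  # hypothetical relying party
SHARED_KEY = b"constructed-demo-key"                 # IdP<->SP trust stand-in


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def idp_issue_assertion(username, audience, now=None, ttl=300):
    """IdP: authenticate against the directory, then issue a signed assertion.
    A missing or disabled account yields no assertion, which is how
    deprovisioning in AD propagates to every federated cloud app."""
    now = time.time() if now is None else now
    entry = DIRECTORY.get(username)
    if entry is None or not entry["enabled"]:
        return None
    claims = {"iss": IDP_ISSUER, "sub": username, "aud": audience,
              "iat": now, "exp": now + ttl, "groups": entry["groups"]}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def sp_verify_assertion(assertion, expected_audience, now=None):
    """Service provider: trust no claim until signature, issuer, audience
    and validity window have all been checked. Returns claims or None."""
    now = time.time() if now is None else now
    try:
        body, sig_b64 = assertion.split(".")
    except ValueError:
        return None
    expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        return None                          # forged or altered assertion
    claims = json.loads(_unb64(body))
    if claims.get("iss") != IDP_ISSUER:
        return None                          # untrusted issuer
    if claims.get("aud") != expected_audience:
        return None                          # assertion meant for another app
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return None                          # expired or not yet valid
    return claims


# Policy administration point: where policy is authored (constructed rules).
POLICY = [
    {"resource": "payroll",  "action": "read",  "allowed_groups": ["finance"]},
    {"resource": "payroll",  "action": "write", "allowed_groups": ["finance-admins"]},
    {"resource": "handbook", "action": "read",  "allowed_groups": ["employees"]},
]


def pdp_decide(groups, resource, action) -> bool:
    """Policy decision point: first matching rule decides; otherwise deny."""
    for rule in POLICY:
        if rule["resource"] == resource and rule["action"] == action:
            return any(g in rule["allowed_groups"] for g in groups)
    return False


def pep_handle_request(assertion, resource, action, now=None):
    """Policy enforcement point: the cloud app's gate in front of a resource."""
    claims = sp_verify_assertion(assertion, CLOUD_APP_AUDIENCE, now=now)
    if claims is None:
        return "deny: unauthenticated"
    if pdp_decide(claims["groups"], resource, action):
        return f"allow: {claims['sub']}"
    return f"deny: {claims['sub']} not authorized"


if __name__ == "__main__":
    token = idp_issue_assertion("alice", CLOUD_APP_AUDIENCE)
    print(pep_handle_request(token, "payroll", "read"))    # allow: alice
    print(pep_handle_request(token, "payroll", "write"))   # deny: alice not authorized
    print(idp_issue_assertion("bob", CLOUD_APP_AUDIENCE))  # None (deprovisioned)
```

The audience check is the one most often skipped in practice: without it an assertion issued for one cloud app can be replayed against another that trusts the same IdP. Keeping the decision logic in `pdp_decide` separate from the gate in `pep_handle_request` is what lets the same policy be enforced consistently across several clouds, which is the "consistent security policies" goal the survey respondents ranked first.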

Major cloud vendors have already jumped into this market, with Microsoft itself offering Azure Active Directory as a cloud-based directory that synchronizes with on-premises AD and also extends to non-Microsoft cloud apps. Market researcher Gartner has predicted major adoption of IDaaS over the next five years, but so far its take-up has been slow, with many organizations cautious about moving IAM functions to the cloud.