Fundamentals cloud-id-management



  1. Reports.InformationWeek.com, October 2012, $99

     Cloud ID Management

     Worried about controlling access to all the cloud applications your employees use? IT has a variety of options to help manage cloud-based identities, including Active Directory synchronization, federation and purpose-built cloud services that provide single sign-on for online applications.

     By Randy George. Report ID: S5981012
  2. CONTENTS

     3 Author Bio
     4 Executive Summary
     5 Cloud Apps and Identity
     5 Figure 1: Number of Cloud Providers Used
     6 Four Approaches, One Directory
     6 Figure 2: Cloud Service Concerns
     8 Identity-as-a-Service
     8 Figure 3: Future Degree of Cloud Use
     9 Figure 4: Cloud Connection
     10 User Provisioning
     10 Compliance Concerns
     12 Related Reports

     ABOUT US: InformationWeek Reports’ analysts arm business technology decision-makers with real-world perspective based on qualitative and quantitative research, business and technology assessment and planning tools, and adoption best practices gleaned from experience. To contact us, write to managing director Art Wittmann at, content director Lorna Garey at, editor-at-large Andrew Conry-Murray at, and research managing editor Heather Vallis at. Find all of our reports at
  3. Randy George, InformationWeek Reports

     Randy George has covered a wide range of network infrastructure and information security topics in his six years as a contributor to InformationWeek and Network Computing. He has 15 years of experience in enterprise IT and has spent the past 10 years working as a senior-level systems analyst and network engineer in the professional sports industry. Randy holds various professional certifications from Microsoft, Cisco and Check Point; a BS in computer engineering from Wentworth Institute of Technology; and an MBA from the University of Massachusetts Isenberg School of Management.

     © 2012 InformationWeek, Reproduction Prohibited
  4. SUMMARY

     Identity management is tricky business, and that’s especially the case for cloud and SaaS applications. Users often create their own logon credentials to business-related cloud applications. This can lead to a variety of problems, including the use of easy-to-crack passwords and the difficulty of cutting off access when users leave the company.

     So how do you build an identity management framework for all your cloud applications? There are four choices, all of which involve Active Directory (or another LDAP-compliant directory). AD should be at the heart of your cloud ID management strategy. Leveraging AD to manage access to cloud apps addresses a number of security, risk and compliance issues. It also reduces the administrative burden of adding and removing users, facilitates the deployment of single sign-on and lets you do interesting things with role-based authentication.

     The four approaches you can use for managing access to the cloud are full or partial Active Directory synchronization, federation or identity-as-a-service. Here’s how they work, and the upsides and downsides of each option.
  5. Cloud Apps and Identity

     When it comes to integrating cloud applications into a corporate environment, one of the biggest challenges many IT shops face is identity management. It’s easy to authenticate, secure and deploy internal applications using your own Active Directory infrastructure. It’s a whole other animal to secure and provide seamless access to an application that resides outside the boundaries of your control.

     The challenges are threefold: How do you build a management framework to provide seamless authentication to all of your cloud applications? How do you avoid the use of weak passwords? And how do you grant access to the appropriate cloud apps to a new user and revoke access when someone leaves? The answer all comes down to building a strategy for identity management.

     For smaller organizations, identity management probably isn’t a priority, especially when employee count is low and the number of applications to manage is small. But for larger organizations, building a single sign-on mechanism that can be applied globally to a broad portfolio of applications is increasingly necessary, not only from a convenience perspective, but from a security and compliance perspective.

     Leveraging AD for SSO to a particular cloud app is a simple two-step process on the surface. Step one: Provision a valid account on your domain for the cloud provider to use to perform LDAP queries against your directory.

     Figure 1: Number of Cloud Providers Used
     Regardless of the number of different platforms and options, how many actual cloud providers do you use (e.g., Salesforce, Google, Oracle, GoGrid)?
       1: 27%
       2 to 5: 64%
       6 to 10: 5%
       More than 10: 4%
     Base: 166 respondents using cloud computing services. Data: InformationWeek 2012 State of Cloud Computing Survey of 511 business technology professionals at organizations with 50 or more employees, December 2011
  6. Step two: Open a hole in your firewall to allow incoming LDAP queries from the cloud provider. But as you scale, you’ll quickly find that punching tons of holes in your firewall to allow LDAP queries against AD for a particular cloud app isn’t secure, isn’t scalable and isn’t necessarily a best practice.

     Building a scalable management framework around an entire portfolio of both internal and externally hosted applications is a major headache for many enterprises today, and that’s the business challenge that identity-as-a-service providers have set out to tackle. We address the options for managing access to both internal and cloud-based applications. We discuss the pros and cons of outsourcing identity management, along with some of the underlying technology and standards that are making IDaaS a more attractive option for some enterprises. And we’ll touch on how various operational tasks and business requirements, such as efficient user provisioning and deprovisioning and attending to compliance issues, are done in an identity

     FAST FACT: 27% of respondents to our 2012 State of Cloud Computing Survey have only one cloud application provider.

     Four Approaches, One Directory

     There are several ways to manage access to cloud applications, but these approaches all share one thing in common: Active Directory. AD, or another LDAP-based directory, should be at the heart of your cloud ID management

     Figure 2: Cloud Services Concerns
     When thinking about risks related to using cloud services, what are your top concerns? (2012 vs. 2011; three responses allowed.) Concerns charted: Unauthorized access to or leak of our proprietary information; Unauthorized access to or leak of our customers’ information; Business viability of provider, risk company will fail; Integration of cloud data with our internal systems; Business continuity and DR readiness of provider; Features and general maturity of technology; Security defects in the technology itself; Application and system performance; Vendor lock-in; Other; N/A.
     Base: 511 respondents in December 2011 and 399 in October 2010. Data: InformationWeek State of Cloud Computing Survey of business technology professionals at organizations with 50 or more employees
  7. strategy. Leveraging AD to manage access to cloud apps addresses a number of security, risk and compliance issues. It also reduces the provisioning and administrative burden of adding and removing users, facilitates the deployment of single sign-on and allows you to do some cool things with role-based authentication based on various group memberships or user attributes.

     Broadly speaking, there are four approaches you can use for managing access to cloud applications: full synchronization of Active Directory, partial synchronization of Active Directory, federation and identity-as-a-service. We’ll look at each one in turn.

     Full AD synchronization: In this scenario, you leverage AD to authenticate users to a particular cloud application. For organizations that use a small number of cloud apps, or perhaps just one, enterprise single sign-on isn’t really all that important. According to InformationWeek’s State of Cloud Computing Survey, 27% of respondents have only one cloud application provider. In this case, you could simply allow your cloud provider to synchronize all user objects in Active Directory at a predetermined interval. The benefit is that you’re able to leverage your directory for authentication. The drawback is that you’ll need to punch a hole in your firewall to allow incoming LDAP queries from the cloud provider. You can install an agent on your domain controller that synchronizes AD outbound over SSL. This is a better option because it doesn’t require a separate port to be opened in the firewall. Note that the level of detail that a cloud provider will synchronize can differ. For instance, one provider might only synchronize the attributes needed to confirm a user’s identity, such as the user ID, first and last name, and group membership. Another provider might synchronize your entire directory. That leads to our second option.

     Partial AD synchronization: For security and compliance reasons, an organization may have a difficult time accepting that a full copy of its entire directory services infrastructure is being put into the hands of a third party. In that case, you can perform a partial synchronization that only copies the attributes necessary to identify a user. Here’s how it works: When a user logs on to a cloud application, the cloud application forwards the logon request to the customer’s own Active Directory domain controller to validate the user. The benefit is that you can still perform real-time AD authentication for a cloud app, and you negate the security and compliance issues of having a full copy of your directory hosted off-site. The negative is that if a domain controller is unavailable to validate the request in real time, then the user will not be able to authenticate to the cloud app.

     Federation: Federation is a mechanism designed to let employees use their own authentication credentials to sign on to applications or access resources hosted by a third party. Federation grew out of the need for companies to provide access to applications for business partners and suppliers. Federation allows for very granular authentication and access control, and it allows companies to enforce logon requirements for third parties. For instance, Organization A may allow

     Identity and Access Management: An Introduction
     Identity access management, or IAM, is not exactly an area that organizations have addressed with focus and consistency. For this reason, and because of the sheer scope of related issues and technologies, an IAM project can be a daunting proposition. But it doesn’t have to be. With careful planning and a firm understanding of the goals for and challenges of IAM, it is possible to lay an IAM foundation that will meet your organization’s unique identity and access management needs now and in the future.
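The partial synchronization described above, as an added example that is not part of the report: a Python routine that projects directory objects onto the four identity attributes the text names (user ID, first and last name, group membership) and, going a step beyond this section, scopes the copy to chosen organizational units, the OU-limited sync the report returns to when it discusses IDaaS. The attribute names are real AD schema names; the domain, OUs, groups and users are constructed for the example.

```python
"""Partial AD synchronization: copy only identity attributes, only from in-scope OUs.

Added example, not code from the report or any vendor. Attribute names are
real AD schema names (distinguishedName, sAMAccountName, givenName, sn,
memberOf, unicodePwd); the domain, OUs, groups and users are constructed.
"""

# The report's minimal set: user ID, first and last name, group membership.
SYNC_ATTRIBUTES = ("sAMAccountName", "givenName", "sn", "memberOf")

# Constructed sample directory: what a full synchronization would copy off-site.
DIRECTORY = [
    {
        "distinguishedName": "CN=Ana Diaz,OU=Sales,OU=Users,DC=example,DC=com",
        "sAMAccountName": "adiaz",
        "givenName": "Ana",
        "sn": "Diaz",
        "memberOf": ["CN=Salesforce-Users,OU=Groups,DC=example,DC=com"],
        "telephoneNumber": "+1-555-0100",
        "unicodePwd": "<password hash: must never leave the domain>",
    },
    {
        "distinguishedName": "CN=Bo Chen,OU=Engineering,OU=Users,DC=example,DC=com",
        "sAMAccountName": "bchen",
        "givenName": "Bo",
        "sn": "Chen",
        "memberOf": ["CN=VPN-Users,OU=Groups,DC=example,DC=com"],
        "unicodePwd": "<password hash: must never leave the domain>",
    },
    {   # Service account in Sales with no group memberships at all.
        "distinguishedName": "CN=Svc Reports,OU=Sales,OU=Users,DC=example,DC=com",
        "sAMAccountName": "svc-reports",
        "givenName": "Svc",
        "sn": "Reports",
    },
]


def in_scope(dn, allowed_ous):
    """True when the DN sits under one of the allowed OU DNs (case-insensitive).

    The leading comma stops 'OU=Sales' from also matching 'OU=PreSales'.
    """
    dn_l = dn.lower()
    return any(dn_l.endswith("," + ou.lower()) for ou in allowed_ous)


def partial_sync(entries, allowed_ous, attributes=SYNC_ATTRIBUTES):
    """Project in-scope entries onto the allowed attribute set.

    Attributes an object lacks are omitted, not invented, so the provider
    gets the same shape a real LDAP search with an attribute list returns.
    """
    records = []
    for entry in entries:
        if in_scope(entry["distinguishedName"], allowed_ous):
            records.append({k: entry[k] for k in attributes if k in entry})
    return records


def attributes_exposed(records):
    """Audit check: every attribute name actually handed to the provider."""
    return {k for r in records for k in r}
```

Running `attributes_exposed` over the sync output before it leaves the domain is the check that a password hash or phone number never rides along.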
  8. Organizations B, C and D to use a simple user name and password to access a wiki but require two-factor authentication to access parts of its ERP system.

     The concept of federation is simple, but the implementation … not so much. It’s an administrative pain to configure and deploy. You’ll need to purchase, configure, deploy and manage the infrastructure required in order to make it work, including dedicated servers to run the federation infrastructure. Microsoft offers Active Directory Federation Services, which is free with the base Windows operating system. ADFS supports many of the standard identity protocols in use today, including SAML 1.1 and SAML 2.0, WS-Trust and WS-Federation. IBM and Oracle also offer comprehensive federation products: IBM’s Tivoli Federated Identity Manager and Oracle’s Identity Federation.

     Despite the drawbacks, there are some instances where federation makes the most sense. For example, let’s say you’re planning to outsource your Exchange messaging environment to Microsoft’s Office 365 cloud service. To provide seamless authentication to a hosted mailbox in Microsoft’s cloud, ADFS will make access completely transparent to the user.

     Figure 3: Future Degree of Cloud Use
     Looking ahead 24 months, what percentage of your IT services do you predict will be delivered from the cloud? (2012 / 2011)
       75% or more; “IT” is a four-letter word to us: 2% / 4%
       50% to 74%; if it can be outsourced, we’re looking to do it: 11% / 14%
       25% to 49%; our core business isn’t IT and we’re happy to use outside services: 18% / 17%
       10% to 24%; some tasks are better done by others: 29% / 30%
       1% to 9%; very limited usage: 32% / 29%
       None, we hate the cloud: 6% / 8%
     Base: 511 respondents in December 2011 and 399 in October 2010. Data: InformationWeek State of Cloud Computing Survey of business technology professionals at organizations with 50 or more employees

     Identity-as-a-Service

     Another option for simplifying ID management for cloud applications is to turn to the cloud. A new category of providers now offers
  9. IDaaS. In this service, a company known as an identity provider acts as a broker between your employees and the cloud services they use. An IDP can make it easier to manage multiple cloud services and provision and deprovision users. Consider the following scenario: Company A uses, Google Apps, Office 365, Dropbox and WebEx as part of its complement of corporate-issued Web applications. In the absence of an ID management product or service, each user (or IT) would normally need to create a user profile within each individual cloud application, and employees would log on separately to each application. While the user’s credentials could certainly be tied to AD, the user would still need to log on manually to each application.

     With IDaaS, instead of logging on to each application separately, you instead establish a session with an IDP. With a valid session established, the IDP responds to requests for credentials by a cloud Web application, typically via standards such as SAML or OAuth. The result is that you’re automatically logged on to your cloud application. Many IDaaS providers offer a portal, or will connect to a corporate intranet, that lists all the user’s cloud applications. The user simply clicks the appropriate icon and is logged on to the application.

     In an IDaaS scenario, a company still needs to link Active Directory to the IDP, and for some that’s a drawback. However, cloud identity providers do not typically store passwords, only user attributes. That’s a plus if you’re

     Figure 4: Cloud Connection
     Diagram elements: employees and contractors; Web portal; corporate firewall; LDAP directory; identity service; plug-in; other SaaS app; connections via SAML, OpenID, WS-Federation or proprietary protocols.
     An identity service brokers connections between the enterprise and its software-as-a-service providers. In a typical deployment, an employee logs in to a SaaS application, usually via a Web portal. The identity service checks user credentials against a corporate LDAP-compliant directory, often Active Directory. The service then passes authentication credentials to the SaaS site to log in the user. An identity service may support multiple identity standards, including SAML and OpenID, or use proprietary mechanisms.
  10. worried about a breach of the provider compromising the passwords of your users. You can minimize the number of user objects that you sync with an IDP if you have specific access needs. For example, if only the sales and marketing team needs access to Salesforce, then you can limit the synchronization of AD to the specific organizational units that contain the user objects needing access to Salesforce. An organizational unit within Active Directory is used to group users or departments that share common security policy requirements.

      Here’s another plus: With IDaaS you get some cool security features that would be more difficult to implement in the absence of an identity management tool. For example, you could configure an access control policy that says if a user is not connecting from one of your internal subnets (that is, the employee is off the corporate network), then force two-factor authentication.

      But here’s where identity providers may really be worth their weight in gold. A good IDP has already federated with the most popular cloud application providers. So instead of spending time building and managing a federation server farm, and the SSL and token-signing certificates that are required to make it work, you can just dump that responsibility on an IDP. And instead of syncing AD with 10 cloud providers, you can outsource that administrative burden to a single vendor, or in this case, your IDP of choice.

      There are many provider choices if you’re considering IDaaS: PingFederate, OneLogin, Symplified, ActivIdentity, EmpowerID, Janrain, and Intel Cloud SSO are just a few of the vendors that offer help with cloud identity management challenges.

      User Provisioning

      The ability to provision and deprovision user accounts quickly is perhaps one of the biggest advantages of using an IDP. If you were just using Salesforce and needed to bulk import 100 new employees, you could certainly do that with the Data Loader tool that Salesforce supplies for its customers. However, that process is manual and can be cumbersome. Alternatively, you could leverage some of the APIs that Salesforce exposes for customers for a range of automation tasks, including user account management. But most IDaaS vendors have already integrated those APIs into their identity clouds. That means when you create new users in AD, they will automatically be synced to your IDP, and from there an API call can be made by the IDP to create the new user account within the cloud application. The upshot is, you’re ultimately using AD to control group-based access policy, and you’re using AD to add and remove users from accessing your cloud apps.

      The user provisioning benefits of IDaaS are compelling, but only if you’re scaling out the number of cloud apps you need to support to the point where provisioning is becoming a major headache. In the absence of that, your internal AD infrastructure is more than adequate to provide efficient account management.

      Compliance Concerns

      While IDaaS has many benefits, it can open a can of worms on the compliance front. Compliance mandates that deal with
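The two policies this section describes, AD group-based access to each cloud app and forced two-factor authentication when the logon does not come from an internal subnet, as an added example of what an identity provider's decision logic can look like. This is not the report's or any vendor's code; the subnets, group names and app names are constructed.

```python
"""Context-aware access policy for a cloud identity provider.

Added example, not code from the report or any IDaaS vendor. Implements
the two policies the report describes: group-based entitlement to each
cloud app, and step-up to two-factor authentication when the logon does
not originate from an internal subnet. Subnets, groups and apps are
constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: the address space the report calls "your internal subnets".
INTERNAL_SUBNETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.10.0/24"),
]

# Constructed: the AD group that entitles a user to each cloud app.
APP_GROUPS = {
    "salesforce": "Salesforce-Users",
    "webex": "All-Employees",
}


@dataclass(frozen=True)
class LogonRequest:
    user: str
    groups: frozenset        # AD group names the IDP synced for this user
    source_ip: str           # client address as seen by the IDP
    app: str
    mfa_completed: bool = False


def is_internal(source_ip):
    """True only for a well-formed address inside an internal subnet.

    Anything unparsable is treated as external, so a malformed or missing
    client address can never downgrade the MFA requirement.
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_SUBNETS)


def decide(req):
    """Return 'allow', 'mfa_required' or 'deny' for one logon request.

    Entitlement is checked first: a user whose AD groups do not grant the
    app is denied outright and is never prompted for a second factor.
    Unknown apps have no entitling group and are denied as well.
    """
    required_group = APP_GROUPS.get(req.app)
    if required_group is None or required_group not in req.groups:
        return "deny"
    if not is_internal(req.source_ip) and not req.mfa_completed:
        return "mfa_required"
    return "allow"
```

Removing a user from the Salesforce-Users group in AD is then the whole deprovisioning step for that app, which is the point the report makes about driving access from the directory.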
  11. authentication and access control, such as PCI and Sarbanes-Oxley, will look closely at an IDaaS implementation, because for all intents and purposes, you’re exposing critical applications (that is, Active Directory) to the Internet. An auditor will scrutinize password complexity policy, along with your ability to centrally manage and review logs. Log management and review is important because it may provide early warning of attempts by an intruder to gain access to business systems. Your cloud identity vendor may not have passwords, but it likely has other user attributes tied to your account, including an email address and user name. In many organizations, a company’s email domain and AD domain namespace are the same. With those two pieces of information alone, an attacker can attempt to use brute-force password cracking techniques.

      If you have an internal log management infrastructure (or even a cloud log management infrastructure), the vendor you select should be able to provide logs of user account activity. At the very least, there should be adequate logging features within the cloud platform itself that you can access.

      Cloud applications are now a normal part of the mix of business applications and tools that employees require to get their work done. And given the variety of options that IT has for managing user access to cloud services, there’s no reason any company should leave identity and access management of business applications in their users’ hands. And as more IT shops make the transition to cloud apps with highly mobile workforces, IDaaS will become more widely accepted and deployed.
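The log review this section asks for, as an added example that is not part of the report: a Python pass over an identity-provider log export that flags repeated failures against one account from one source, and one source cycling through many account names, which is the pattern to expect when the email and AD namespaces match as the text notes. The log format, users, addresses and timestamps are constructed; real IDaaS vendors each have their own export format.

```python
"""Review identity-provider logon logs for brute-force and spray patterns.

Added example, not code from the report or any vendor. The log format,
users, addresses and timestamps are constructed for this example; real
IDaaS vendors each have their own export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export from an identity provider.
SAMPLE_LOG = """\
2012-10-01T08:00:01Z user=adiaz@example.com src=203.0.113.7 app=salesforce result=FAILURE
2012-10-01T08:00:04Z user=adiaz@example.com src=203.0.113.7 app=salesforce result=FAILURE
2012-10-01T08:00:09Z user=adiaz@example.com src=203.0.113.7 app=salesforce result=FAILURE
2012-10-01T08:00:15Z user=adiaz@example.com src=203.0.113.7 app=salesforce result=FAILURE
2012-10-01T08:01:30Z user=bchen@example.com src=10.0.0.5 app=webex result=FAILURE
2012-10-01T08:01:41Z user=bchen@example.com src=10.0.0.5 app=webex result=SUCCESS
2012-10-01T08:02:00Z user=cfox@example.com src=198.51.100.9 app=office365 result=FAILURE
2012-10-01T08:02:03Z user=dlee@example.com src=198.51.100.9 app=office365 result=FAILURE
2012-10-01T08:02:07Z user=epark@example.com src=198.51.100.9 app=office365 result=FAILURE
2012-10-01T09:30:00Z user=adiaz@example.com src=10.0.0.5 app=salesforce result=FAILURE
"""


def parse(line):
    """Split one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def failures_by_user_and_source(lines):
    """Group FAILURE events as {(user, src): [timestamps]}."""
    groups = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse(line)
            if rec["result"] == "FAILURE":
                groups[(rec["user"], rec["src"])].append(rec["ts"])
    return groups


def find_brute_force(lines, threshold=4, window=timedelta(minutes=5)):
    """(user, src) pairs with >= threshold failures inside a sliding window."""
    alerts = []
    for key, times in failures_by_user_and_source(lines).items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(key)
                break
    return alerts


def find_password_spray(lines, min_users=3):
    """Sources that failed against at least min_users distinct accounts.

    The report notes email and AD namespaces often match, so account names
    are guessable; one source trying many names is the signature to watch.
    """
    users_per_src = defaultdict(set)
    for user, src in failures_by_user_and_source(lines):
        users_per_src[src].add(user)
    return sorted(s for s, u in users_per_src.items() if len(u) >= min_users)
```

The single internal failure by adiaz at 09:30 is not counted toward the earlier burst because the grouping key includes the source address, which is what keeps a user's own typo from inflating an alert.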
  12. Want More Like This?

      InformationWeek creates more than 150 reports like this each year, and they’re all free to registered users. We’ll help you sort through vendor claims, justify IT projects and implement new systems by providing analysis and advice from IT professionals. Right now on our site you’ll find:

      9 Vital Questions on Moving Apps to the Public Cloud: The decision to move an application from in-house to the public cloud is a significant one. Organizations have to consider a range of issues, from business drivers to application availability to compliance and security to user adoption. We have nine questions you should ask and answer to help you pick the right course of action.

      Compliance in the Cloud Era: Just as we’re finally getting to a good place with controls, a new pressure is emerging, say the 422 respondents to our 2012 Regulatory Compliance Survey. There is good news, too: Most have the resources they need to meet mandates, and just 22% are still ignoring data classification. However, enterprises are placing increased reliance on external parties, and 72% of respondents see at least some vendors and partners as a compliance threat. Here’s how to minimize your risk.

      Buyer’s Guide: Cloud Storage, Backup and Synchronization: The cloud is displacing local physical storage for applications as diverse as file sharing, backup and cross-device data synchronization. Both business users and IT are adopting cloud services because of their convenience and low costs. We examine the market landscape and present detailed features and pricing from 14 providers, including Carbonite, Dropbox and Nirvanix.

      PLUS: Find signature reports, such as the InformationWeek Salary Survey, InformationWeek 500 and the annual State of Security report; full issues; and much more.