Identity Crisis in the Cloud

by Deb Shinder [Published on 8 Jan. 2015 / Last Updated on 8 Jan. 2015]

Identity management is a concept that has plagued organizations since the beginning of the computer age and especially as computers became connected through networks and those networks were connected to other networks through the grand mesh of the Internet. As the computing paradigm morphs again, to a cloud-based model, identity takes on even greater importance.

A corporate network may have thousands of users. A cloud service may have millions. Microsoft’s Office 365 Home Premium service passed the one million user milestone only 100 days after its release. Google claims 5 million businesses use Google Apps. Gartner predicted that by 2022, there would be 695 million users of cloud-based office productivity services such as these. And office productivity is just the tip of the iceberg.

Software as a Service (SaaS) of all kinds is steadily gaining traction, although recent reports show cloud adoption isn’t quite living up to all of the predictions. Interestingly, those same reports indicate that the number one reason companies of all sizes are holding back has to do with concerns over security. Despite the proclamations of some industry experts that the fears related to cloud security have been overblown, many organizations are still uncomfortable with the idea of putting sensitive data in the cloud. With stories about cloud-related security breaches and NSA spying constantly making headlines, it’s no wonder they’re wary.

Companies in regulated industries have additional worries; for them, security is not just smart business – it’s legally mandated by the government or their industry oversight bodies. Going “to the cloud” requires the assurance that they can still meet compliance requirements.

The basis of all computer security is controlling access – limiting the ability to view or change data or settings to only those persons and/or devices that are authorized to do so. That control begins with properly identifying everyone who attempts access. Centralized identity management systems based on directory services have been in place for a long time within organizations, and have grown to span multiple organizations in the form of identity federation. Now identity management has expanded its scope again, to encompass cloud services with a global user base.

The problems that are basic to managing user identities – assigning the proper rights and access permissions to users (following the principle of least privilege for best security), updating those rights and permissions when needed, and revoking them when users leave the organization or change jobs – become even more complex when enterprises combine cloud services with their own on-premises network services. Yet many sources indicate that the majority of enterprises see the hybrid cloud model, mixing private and public clouds, as the future toward which they are moving.

Users don’t like complexity (IT pros aren’t crazy about it, either, but they’re paid to deal with it). And ultimately, simplifying the process for users to access the resources they need will reduce headaches for admins and support personnel, too.

It’s difficult enough for many users to keep up with one password; handling multiple passwords for cloud and in-house applications can be a nightmare. Single Sign-On (SSO) is the holy grail, and there are a number of ways to achieve it. The key is standardization: cloud providers need to support standard protocols such as SAML, OAuth and OpenID so that users can access multiple cloud accounts through a single set of credentials.

One way to accomplish this is to leverage group membership in Active Directory/LDAP. Users in specific AD groups are allowed to access specific cloud-based applications, as well as internal applications. This makes it easier for admins to provision and deprovision users and is more transparent to the users themselves.
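The group-driven provisioning described above, and the revocation problem raised earlier (users who leave or change jobs), as an added example that is not part of the original article: a reconciliation routine that derives each user's entitled cloud applications solely from directory group membership and reports what must be provisioned and deprovisioned. The group names, application names and user records are constructed for the example.

```python
from dataclasses import dataclass

# Constructed mapping (an assumption for this example): which directory groups
# entitle a user to which cloud application. Access is granted by group only.
APP_ENTITLEMENTS = {
    "CloudMail": {"All-Staff"},
    "CloudCRM": {"Sales", "Sales-Managers"},
    "CloudHR": {"HR"},
}


@dataclass
class User:
    name: str
    enabled: bool      # False once the account is disabled (user has left)
    groups: frozenset  # current directory group membership


def desired_access(user):
    """Apps the user should have, derived only from group membership.
    A disabled account is entitled to nothing, which handles leavers."""
    if not user.enabled:
        return set()
    return {app for app, groups in APP_ENTITLEMENTS.items() if user.groups & groups}


def reconcile(users, current_access):
    """Compare directory-derived entitlements with what the cloud apps grant now.
    Returns (to_provision, to_deprovision) as sets of (user, app) pairs."""
    provision, deprovision = set(), set()
    known = {u.name for u in users}
    for u in users:
        want, have = desired_access(u), current_access.get(u.name, set())
        provision |= {(u.name, a) for a in want - have}      # missing access
        deprovision |= {(u.name, a) for a in have - want}    # job change or leaver
    # Cloud accounts with no matching directory object are orphans: revoke them.
    for name, apps in current_access.items():
        if name not in known:
            deprovision |= {(name, a) for a in apps}
    return provision, deprovision


# Constructed sample: alice moved from Sales to HR, bob left, carol is a new
# Sales hire, and "ghost" exists only in the CRM application.
SAMPLE_USERS = [
    User("alice", True, frozenset({"All-Staff", "HR"})),
    User("bob", False, frozenset({"All-Staff"})),
    User("carol", True, frozenset({"All-Staff", "Sales"})),
]
SAMPLE_ACCESS = {"alice": {"CloudMail", "CloudCRM"}, "bob": {"CloudMail"}, "ghost": {"CloudCRM"}}

if __name__ == "__main__":
    add, remove = reconcile(SAMPLE_USERS, SAMPLE_ACCESS)
    print("provision:", sorted(add))
    print("deprovision:", sorted(remove))
```

Running the reconciliation on a schedule (or on directory change events) turns a group removal or account disable into a revocation in every connected cloud application, which is what keeps the least-privilege rule from drifting over time.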

There are numerous companies offering cloud single sign-on (SSO) and federated identity solutions that can use organizations’ existing identity stores for authentication and authorization. Selecting the right one is an important part of your cloud strategy. 

The Author — Deb Shinder

DEBRA LITTLEJOHN SHINDER, MCSE, MVP (Security) is a technology consultant, trainer and writer who has authored a number of books on computer operating systems, networking, and security.