Federated Identities: Is Secure Ease-of-Access Keeping Up with Cloud Usage Patterns?
July 13, 2012
- Business users are pushing companies into a multi-cloud environment.
- The automated mechanisms for handling multi-cloud access securely are not yet in place.
It’s not just the European summer weather that’s cloudy; so too is the future IT paradigm. In this emerging multi-cloud near-future, business users will want easy access to corporate cloud resources from their private cloud, as well as the ability to launch apps in a platform-as-a-service (PaaS) environment and the ability to access a variety of ever-changing external SaaS clouds. Users would prefer not to have to log in to these clouds individually with different passwords and log-in procedures, which just results in people keeping lists of passwords on yellow stickers or Word files on their desktop computers, clearly breaching any corporate security policy. Public cloud destinations such as Amazon mostly rely on user-centric passwords (i.e., not aligned with the password used for corporate data site access), and even if a cloud site such as Salesforce.com (SFDC) is linked to a specific corporate account, it will still not sync with the user’s corporate password. If the company wants to make such cloud access easy and safe (and keep password lists off user desks), the solution lies in storing individual passwords in the company’s Active Directory (AD) and subscribing to a federated identity service that automates access to multiple clouds based on the user information in AD. With a federated identity service, users get a single sign-on service that may be either single-factor or require two-factor authentication for access to sensitive data.
There are two issues with federated identities: first, whether the approach scales, and second, whether the SaaS cloud supports SAML2. Scalability becomes an issue if the number of clouds increases significantly and they need frequent updating in the directory system, or if users shift their cloud priorities often. We do not currently have credible metrics documenting how well the existing federated identity solutions on the market scale. The other issue pertains to SAML2, a standard for exchanging authentication and authorization data between security domains. Some sites, such as SFDC, are SAML2-compliant and thus interface well with federated identity servers, whereas others, such as Microsoft 365, are not. This illustrates the maturity issues that more widespread cloud adoption still faces. Where are you as a corporate cloud planner in this process? Are you adopting the federated identity approach, or managing the access issue in some other way?
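As an added illustration (not from the original post) of what the federated identity service and a SAML2-capable SaaS site actually exchange: the corporate identity provider, having checked the user against AD, issues a short-lived signed assertion about the user, and the SaaS service accepts it only after checking the signature, issuer, audience and validity window, so the corporate password never leaves the corporate domain. The entity IDs, user and key are constructed, and an HMAC stands in for the XML signature a real SAML2 assertion carries.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values standing in for real SAML2 metadata (assumptions, not from the post).
IDP_KEY = b"constructed-demo-signing-key"        # stands in for the IdP's signing key
IDP_ID = "https://idp.example.corp/saml"          # hypothetical corporate IdP entity ID
SP_ID = "https://saas.example.com/saml"           # hypothetical SaaS service entity ID


def issue_assertion(user, groups, audience=SP_ID, now=None, lifetime=300):
    """IdP side: after the user has authenticated against AD, emit a signed,
    short-lived assertion of who they are. Only claims cross the domain boundary;
    the AD password itself is never sent to the cloud service."""
    now = time.time() if now is None else now
    claims = {"iss": IDP_ID, "aud": audience, "sub": user, "groups": groups,
              "nbf": now, "exp": now + lifetime}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def validate_assertion(token, now=None):
    """SP side: the checks a SAML2 service provider makes before trusting an
    assertion. Returns (ok, reason, claims); any failed check rejects the login."""
    now = time.time() if now is None else now
    try:
        body, sig = token.rsplit(".", 1)
    except ValueError:
        return False, "malformed", None
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):      # integrity: was it really our IdP?
        return False, "bad signature", None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("iss") != IDP_ID:                 # only the configured IdP is trusted
        return False, "unknown issuer", None
    if claims.get("aud") != SP_ID:                  # an assertion for another cloud is useless here
        return False, "wrong audience", None
    if not (claims["nbf"] <= now < claims["exp"]):  # replay of an old assertion is refused
        return False, "outside validity window", None
    return True, "ok", claims
```

The audience check is what keeps a federated setup from collapsing the security domains: an assertion minted for one SaaS cloud is rejected by every other one, even though the same AD-backed identity provider signed it.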