Cloud Security and Identity as a Service (IDaaS)

Friendly colleagues that know I am passionate about new ways to manage identities in the cloud, sometimes send me useful blog posts from like minded people. This is why I spent some time perusing Coby Royer’s blog at http://blog.symplified.com/

Especially the following paragraph echoed the same sentiments about Identity as a Service as the ones I posted in June last year.

But despite the virtues of Cloud Computing, and the fact that the Cloud visionaries are leading the wave with standards, they are often ad hoc standards (e.g., proprietary Authentication and Provisioning APIs). It will take time for the industry standards to shake out, and there remains much scepticism in the industry. So hitching your enterprise IAM strategy to a vendor that only offers one type of solution (e.g., SAML) appears risky at best. The dominant integration standards have yet to reach critical mass among SaaS vendors (e.g., SAML, WS-Fed, SPML)—and IAM Vendors are having difficulty integrating with SaaS vendors that don’t support standards. In effect, the Cloud Computing Permutations present challenges to many IAM vendors.

Now many clever people can put a finger on a sore spot and say “Hey this hurts”. Comedians like Tommy Cooper would say; “Don’t touch it!” which is funny but not very helpful. I cannot stay straight faced about it. I find something cynical about marketing manager’s rewrapping IAM solutions for the perimeterized organisation in a new box with a cloud motive and hope it will sell for a few years longer.

It really is time for a good old paradigm shift, however you may hate the term and find it pretentious, as indeed I do! With a fast disappearing network perimeter also the network people have the wrong end of the stick. They would have us VPN tunnelling the cloud till it again looks like a plate of spaghetti. In other words unmanageable and unscaleable! The old jokes are still the best, so I simply repeat what I said in June last year, and the year before, and the year before.

Personally I see a better future for a different kind of IaaS, namely a scenario where the IdP just issues Information Cards with some role claims, digitally signed. The remote target applications are becoming information card ‘aware’ and they can process the identity claims to create a user ‘on the fly’. In this scenario we have put the responsibility for creating and maintaining the user information back in the application and the Information Card becomes the standard vehicle to assert claims.

So the moat and castle model of the enterprise becomes more like a hotel. Maybe a bit of security on the door, but basically you can walk in of the street. Some conference rooms are open to the public for events and contain public information. The restricted applications are like locked hotel rooms and Information Cards are the metaphor for the plastic key cards that give the user access to whatever business they have there.

Advertisements

About lasancmt

Passionate about Identity Management Disgusted at #ukip and #brexit
This entry was posted in Identity Providers and tagged , . Bookmark the permalink.

One Response to Cloud Security and Identity as a Service (IDaaS)

  1. IDaaS offers a new type of functionality, but are there new kinds of security challenges associated with managing identities in the cloud?

    At the ccskguide.org, we take a look at the security issues surrounding cloud computing and help prepare candidates for the CCSK Cloud Security Certification. Check out our blog post discussing the emergence of identity as a service:
    http://ccskguide.org/2011/03/cloud-identity-as-a-service-idaas/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s