
Identity and access management in the cloud

Last week I was asked to give a presentation at the IBM Tivoli User Group on Identity and Access Management in the Cloud to IBM employees, IBM business partners, and customers of IBM Tivoli security products. I soon realized that my first problem was going to be defining The Cloud. Not everyone I spoke to before the presentation knew what The Cloud was!

So what is the cloud?

The cloud seems to be a term that is too easily used these days and for many people it simply represents everything that happens on the internet. Others, however, are a bit stricter with their definition:


“For me, cloud computing is a business extension of utility computing that enables highly available, elastic, and scalable deployment of software applications while minimizing the level of detailed interaction with the underlying technology stack itself. “.

“Computing on tap: you get what you want literally from a socket in the wall.”

“Cloud computing is just a virtual data center.”

Wikipedia naturally has its own definition.


Cloud computing is the development and use of Internet-based computing technology. In concept, it is a paradigm shift whereby details are drawn from users who no longer need knowledge, experience or control over the technology infrastructure “in the cloud” that supports them.

Of course, there are different levels of computing that a cloud provider can offer. The use of a particular software application (e.g. Google Docs) is just one of those offerings. Another is a software development platform (think Google App Engine, Microsoft Azure, and Salesforce force.com). Then, of course, there are the raw infrastructure services: servers provisioned “instantly” for end-user use (for example, Amazon EC2).

We are probably all users of cloud services if we think about it. A quick look inside my Password Safe vault reveals nearly 300 different user ID and password combinations for online services, including:

  • Blogger
  • Twitter
  • Facebook
  • LinkedIn
  • Google Docs
  • Gmail
  • Screenr
  • ChartGo

The business model

While it’s easy to see how personal use of cloud applications has grown in recent years, it may be more surprising to learn how far business is embracing use of the cloud.

According to EDL Consulting, 38% of companies will use a SaaS-based email service in December 2010. Incisive Media reports that 12% of financial services companies have already adopted SaaS, mainly in the fields of CRM, ERP and HR. And our friends at Gartner estimate that one-third of ALL new software will be delivered via the SaaS model in 2010.

My guess? SaaS is already happening in the enterprise. It is here and it is here to stay.

With any change in the business operating model there will be implications: some real and others, equally critical, merely perceived.

In the category of Perceived Risks, I would place risks such as loss of control; storing critical business data in the cloud; cloud provider reliability; longevity of the cloud provider. Of course, these are just perceived risks. Who can say that storing business-critical data in the cloud is less risky than storing it in the company’s own data center? There may be different attack vectors you need to mitigate against, but that doesn’t mean your data is less secure, does it? And who says that the company has to lose control!

The real risks, however, would include things like the proliferation of employee identities across multiple vendors; compliance with company policies; the new attack vectors (mentioned above); privacy management; the legislative impact of data storage locations; and, of course, user management!

Cloud standards

As with any new IT delivery methodology, a number of “standards” seem to appear. This is great as long as there is widespread adoption of the standards and the large vendors can settle on a specific standard. Thank God for:

  • The Open Cloud Manifesto (http://www.opencloudmanifesto.org/)
  • Cloud Security Alliance (http://www.cloudsecurityalliance.org/)

These guys, at least, are trying to tackle the standards issue and I’m particularly pleased to see that CSA’s Domain 13 on Identity and Access Management insists on the use of SAML, WS-Federation, and Liberty ID-FF.

Access control

On this point, the various cloud providers are to be congratulated for their adoption of identity federation. Security Assertion Markup Language (SAML) has been around for over 6 years and is an excellent way to provide a single sign-on solution across the enterprise firewall. OpenID, according to Kim Cameron, now supports 50,000 sites, and 500 million people have an OpenID (even if most don’t realize it!).

The problem, historically, has been one of identity ownership. All the major providers wanted to be the Identity Provider in the “federation,” and Relying Parties were few and far between. Fortunately, there has been a marked shift in this stance over the past 12 months (as supported by Kim Cameron’s figures).

Then there are the “brokers”: companies designed to make the “federation” process much less painful. The idea is that a single authentication to the broker will allow broader access to the SaaS community.

Symplified and Ping Identity seem to be the thought leaders in this space and their marketing blurb seems comprehensive and impressive. They certainly check the boxes marked “Speed to market” and “Usability,” but again those perceived risks can be problematic for the cautious company. The “Keys to the Kingdom” theme rears its ugly head once again!
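What a Relying Party actually has to enforce when it accepts an assertion from an Identity Provider or broker is easy to lose sight of in the marketing blurb. The following is an added example, not code from the original post or from any vendor named here: a minimal Python check of a SAML 2.0 assertion's trusted issuer, validity window, audience restriction and one-time use. The assertion, issuer, audience and subject are constructed placeholders, and the example assumes the XML signature has already been verified upstream with a proper XML-DSig library, since a valid signature alone says nothing about who the assertion was minted for or whether it has been presented before.

```python
"""Relying-party checks on an incoming SAML 2.0 assertion (added example).

Assumes the XML signature has already been verified with an XML-DSig library;
these checks cover the assertion's Conditions, which a signature alone does
not enforce.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion: issuer, subject and audience are placeholders.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_cafe0001" Version="2.0"
    IssueInstant="2009-11-20T10:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2009-11-20T09:59:00Z" NotOnOrAfter="2009-11-20T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://crm.saas-vendor.test/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

TRUSTED_ISSUERS = {"https://idp.example.test/saml"}  # IdPs we have a federation agreement with
OUR_ENTITY_ID = "https://crm.saas-vendor.test/sp"    # this relying party's own entity id
CLOCK_SKEW = timedelta(seconds=60)                   # tolerated IdP/SP clock difference


def parse_utc(stamp):
    """SAML timestamps are UTC with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, seen_ids,
                       trusted_issuers=TRUSTED_ISSUERS, audience=OUR_ENTITY_ID):
    """Return (accepted, detail): the subject NameID on success, else the reason.

    seen_ids is a mutable set acting as a replay cache of assertion IDs; in
    production it must be shared across SP nodes and expire with NotOnOrAfter.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion" or root.get("Version") != "2.0":
        return False, "not a SAML 2.0 assertion"

    # 1. Only assertions from IdPs we federate with.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        return False, f"untrusted issuer {issuer!r}"

    # 2. Validity window, with bounded clock skew in both directions.
    cond = root.find("saml:Conditions", namespaces=NS)
    if cond is None:
        return False, "missing Conditions"
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + CLOCK_SKEW < parse_utc(not_before):
        return False, "assertion not yet valid"
    if not_on_or_after and now - CLOCK_SKEW >= parse_utc(not_on_or_after):
        return False, "assertion expired"

    # 3. Audience restriction: an assertion minted for another SP must not log in here.
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if audience not in audiences:
        return False, "audience mismatch"

    # 4. Replay: each assertion ID is accepted exactly once.
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        return False, "missing or replayed assertion ID"
    seen_ids.add(assertion_id)

    return True, root.findtext("saml:Subject/saml:NameID", namespaces=NS)


if __name__ == "__main__":
    cache = set()
    now = parse_utc("2009-11-20T10:01:00Z")
    print(validate_assertion(SAMPLE_ASSERTION, now, cache))  # accepted, alice
    print(validate_assertion(SAMPLE_ASSERTION, now, cache))  # rejected as a replay
```

The audience check is the one most often skipped, and it is exactly the “Keys to the Kingdom” concern with brokers: without it, an assertion issued for one SaaS application is accepted by every other application that trusts the same issuer.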

Identity management

SPML is to identity management what SAML is to access management. Right? Well, almost. Service Provisioning Markup Language (SPML) was first ratified in October 2003 and version 2.0 was ratified in April 2006. My guess? We need another round of ratification! Let’s examine the evidence. Who is currently using it? A Google search returns very few results. Google Apps uses proprietary APIs. Salesforce uses proprietary APIs. Zoho uses proprietary APIs. What good is a standard if no one uses it?
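With every vendor exposing its own proprietary provisioning API, the practical consequence is the “proliferation of employee identities across multiple vendors” listed under the real risks above: nobody can say from one place who still holds an account where. The following is an added example, not code from the original post or from any vendor named here, showing the reconciliation a compliance review ends up doing by hand when there is no standard provisioning channel: the corporate directory is treated as the source of truth and compared against each vendor’s user export. The directory entries, entitlements and vendor exports are constructed sample data.

```python
"""Reconcile the corporate directory against each SaaS vendor's user export (added example).

All data below is constructed; the people, vendors and entitlements are placeholders.
"""

# Source of truth: employee id -> (login email, still employed?)
DIRECTORY = {
    "e100": ("alice@example.test", True),
    "e101": ("bob@example.test", True),
    "e102": ("carol@example.test", False),   # leaver: should hold no SaaS accounts
}

# Who is entitled to which vendor according to internal policy.
ENTITLEMENTS = {
    "crm": {"e100", "e101"},
    "hr": {"e101"},
}

# What each vendor's admin console exported (proprietary API output, flattened to logins).
VENDOR_EXPORTS = {
    "crm": ["alice@example.test", "carol@example.test", "ALICE@example.test"],
    "hr": ["bob@example.test", "mallory@example.test"],
}


def reconcile(directory, entitlements, vendor_exports):
    """Return, per vendor, the account discrepancies a compliance review would flag."""
    email_to_emp = {email.lower(): (emp, active) for emp, (email, active) in directory.items()}
    report = {}
    for vendor, raw_accounts in vendor_exports.items():
        # Vendors disagree on case and whitespace; normalise before comparing.
        accounts = [a.strip().lower() for a in raw_accounts]
        seen, duplicates = set(), set()
        for acct in accounts:
            (duplicates if acct in seen else seen).add(acct)

        entitled_emails = {directory[e][0].lower()
                           for e in entitlements.get(vendor, set()) if directory[e][1]}
        orphaned = {a for a in seen if a in email_to_emp and not email_to_emp[a][1]}
        unknown = {a for a in seen if a not in email_to_emp}
        unentitled = {a for a in seen
                      if a in email_to_emp and email_to_emp[a][1] and a not in entitled_emails}
        missing = entitled_emails - seen

        report[vendor] = {
            "orphaned": orphaned,       # leavers still provisioned: a deprovisioning gap
            "unknown": unknown,         # accounts with no owner in the directory
            "unentitled": unentitled,   # active staff holding access outside policy
            "missing": missing,         # entitled staff never provisioned
            "duplicates": duplicates,   # one person provisioned twice (case variants)
        }
    return report


if __name__ == "__main__":
    for vendor, findings in reconcile(DIRECTORY, ENTITLEMENTS, VENDOR_EXPORTS).items():
        print(vendor, {k: sorted(v) for k, v in findings.items() if v})
```

The “orphaned” and “unknown” buckets are the ones that matter most for the compliance discussion later in this post: a leaver who still has a CRM login, or a login no one in the directory owns, is precisely the finding a standards-based provisioning channel would have prevented rather than merely detected.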

Compliance audit

Apparently, forty times more information will be generated during 2009 than during 2008, and the “digital universe” will be ten times bigger in 2011 than in 2006! Those are staggering numbers, right? And most of that data will be pretty unstructured, like this blog or my tweets!

The need to audit the information we publish in the digital universe is greater than ever, but there is no standards-based approach to compliance and auditing in the cloud.

Service providers are the current custodians of the audit and compliance process and will likely remain so for the time being. Actually, service providers are quite good at this, as they have to comply with many different regulations in many different legislative jurisdictions. However, they typically offer audit and compliance dashboards tailored only for vertical markets.

It is understandable, I suppose, that for a multi-tenancy service there will be complications in separating the relevant data for the business compliance check.

Moving to the cloud

There are vendors claiming to be able to provide identity management as a service (IDaaS), which sounds great, doesn’t it? Take all the pain out of providing a solid IdM solution for businesses? In practice, however, it works well mainly for companies that operate exclusively in the cloud. These solutions already understand the provisioning requirements of the large SaaS operators. What they can’t do as well, however, is provision into our own business systems. It is not enough to assume that a business runs everything from its Active Directory instance, after all. Also, we must remember that using an IDaaS is similar to giving away the “Keys to the Kingdom”. Remember our perceived risks?

An alternative is to move the enterprise IdM solution to the cloud. Existing installations of IBM Tivoli Identity Manager or Sun Identity Manager or {insert your favorite provider here} Identity Manager could be moved to the cloud using the IaaS model (Amazon EC2, for example). Investment in existing solutions would be preserved, with the added benefits of scalability, flexibility, and cost reduction. Is this a model that can be easily adopted? Certainly, provided that the company in question can accept the notion of moving the “Keys to the Kingdom” beyond its firewall.

Conclusion

The next generation of users is already web-savvy (SaaS is here to stay) and SSO is finally within our grasp, with only a handful of big players dragging their heels when it comes to implementing standards like SAML v2.0. It was also intriguing to play with Chrome OS last week (albeit an early prototype version). The integration of desktop login with the web takes things a step further (Google’s way, of course).

Provisioning (either Just-In-Time or pre-populated) is still the problem. Nobody seems to be using SPML and proprietary APIs abound. Solving this will be critical to the mass adoption of SaaS solutions.

While provisioning is the current issue, governance, risk and compliance will be the next big item on the agenda. The lack of standards and the proliferation of point solutions will surely start to hurt. Here, however, I am running out of ideas … for now. It seems to me that there is an opportunity for a thought leader in this space!
