1. Report ID:S5981012
Next
reports
CloudID
Management
Worried about controlling access to all the cloud applications your
employees use? IT has a variety of options to help manage
cloud-based identities,including Active Directory synchronization,
federation and purpose-built cloud services that provide
single sign-on for online applications.
By Randy George
Reports.InformationWeek.com O c t o b e r 2 0 1 2 $ 9 9
2. Previous Next
reports
CO
NTENT
S
reports.informationweek.com
TABLE OF
October 2012 2
3 Author Bio
4 Executive Summary
5 Cloud Apps and Identity
5 Figure 1:Number of Cloud Providers Used
6 Four Approaches,One Directory
6 Figure 2:Cloud Service Concerns
8 Identity-as-a-Service
8 Figure 3:Future Degree of Cloud Use
9 Figure 4:Cloud Connection
10 User Provisioning
10 Compliance Concerns
12 Related Reports
ABOUT US
InformationWeek Reports’ analysts arm
business technology decision-makers
with real-world perspective based on
qualitative and quantitative research,
business and technology assessment
and planning tools,and adoption best
practices gleaned from experience.To
contact us,write to managing director
ArtWittmann at awittmann@techweb.com,
content director Lorna Garey at
lgarey@techweb.com, editor-at-large Andrew
Conry-Murray at acmurray@techweb.com, and
research managing editor HeatherVallis at
hvallis@techweb.com. Find all of our
reports at reports.informationweek.com.
C l o u d I D M a n a g e m e n t
4. October 2012 4
Previous Next
Identity management is tricky business,and that’s especially the case for cloud and SaaS
applications.Users often create their own logon credentials to business-related cloud
applications.This can lead to a variety of problems,including the use of easy-to-crack
passwords and the difficulty of cutting off access when users leave the company.
So how do you build an identity management framework for all your cloud
applications? There are four choices,all of which involve Active Directory (or another
LDAP-compliant directory).AD should be at the heart of your cloud ID management
strategy.Leveraging AD to manage access to cloud apps addresses a number of security,
risk and compliance issues.It also reduces the administrative burden of adding and
removing users,facilities the deployment of single sign-on and lets you do interesting
things with role-based authentication.
The four approaches you can use for managing access to the cloud are either full or par-
tial Active Directory synchronization,federation or identity-as-a-service.Here’s how they
work,and the upsides and downsides of each option.
EXECUTIVE
reports.informationweek.com
reports
SUMMARY
C l o u d I D M a n a g e m e n t
Table of Contents
5. October 2012 5
When it comes to integrating cloud applica-
tions into a corporate environment,one of the
biggest challenges many IT shops face is iden-
tity management. It’s easy to authenticate, se-
cure and deploy internal applications using
your own Active Directory infrastructure. It’s a
whole other animal to secure and provide
seamless access to an application that resides
outside the boundaries of your control.
The challenges are threefold: How do you
build a management framework to provide
seamless authentication to all of your cloud ap-
plications? How do you avoid the use of weak
passwords? And how do you grant access to
the appropriate cloud apps to a new user and
revoke access when someone leaves? The an-
swer all comes down to building a strategy for
identity management.
For smaller organizations,identity manage-
ment probably isn’t a priority, especially
when employee count is low and the num-
ber of applications to manage is small. But
for larger organizations, building a single
sign-on mechanism that can be applied
globally to a broad portfolio of applications
is increasingly necessary, not only from a
convenience perspective,but from a security
and compliance perspective.
Leveraging AD for SSO to a particular cloud
app is a simple two-step process on the sur-
face. Step one: Provision a valid account on
your domain for the cloud provider to use to
perform LDAP queries against your directory.
Previous Next
Regardless of the number of different platforms and options,how many actual cloud providers do you use
(e.g.,Salesforce,Google,Oracle,GoGrid)?
27%
4%
5% 64%
Number of Cloud Providers Used
Base: 166 respondents using cloud computing services
Data: InformationWeek 2012 State of Cloud Computing Survey of 511 business technology professionals at organizations with 50 or more
employees, December 2011
R4020112/4
R
2 to 5
1
6 to 10
More than 10
reports.informationweek.com
Cloud Apps and Identity
reports C l o u d I D M a n a g e m e n t
Table of Contents
Figure 1
6. October 2012 6
Step two:Open a hole in your firewall to allow
incoming LDAP queries from the cloud
provider. But as you scale, you’ll quickly find
that punching tons of holes in your firewall to
allow LDAP queries against AD for a particular
cloud app isn’t secure, isn’t scalable and isn’t
necessarily a best practice.
Building a scalable management frame-
work around an entire portfolio of both in-
ternal and externally hosted applications is
a major headache for many enterprises to-
day, and that’s the business challenge that
identity-as-a-service providers have set out
to tackle.
We address the options for managing access
to both internal and cloud-based applications.
We discuss the pros and cons of outsourcing
identity management,along with some of the
underlying technology and standards that are
making IDaaS a more attractive option for
some enterprises.And we’ll touch on how var-
ious operational tasks and business require-
ments,such as efficient user provisioning and
deprovisioning and attending to compliance
issues,are done in an identity cloud.
Four Approaches,One Directory
There are several ways to manage access to
cloud applications, but these approaches all
share one thing in common:Active Directory.
AD, or another LDAP-based directory, should
be at the heart of your cloud ID management
Previous Next
When thinking about risks related to using cloud services,what are your top concerns?
Cloud Services Concerns
Note: Three responses allowed
Base: 511 respondents in December 2011 and 399 in October 2010
Data: InformationWeek State of Cloud Computing Survey of business technology professionals at organizations with 50 or more employees
R4020112/9
R
2012 2011
Security
defects
in
the
technology
itself
Unauthorized
access
to
or
leak
of
our
customers’
information
Unauthorized
access
to
or
leak
of
our
proprietary
information
Application
and
system
performance
Integration
of
cloud
data
with
our
internal
systems
Business
viability
of
provider;
risk
company
will
fail
Business
continuity
and
DR
readiness
of
provider
Vendor
lock-in
Features
and
general
maturity
of
technology
Other
51%
51%
48%
51%
48%
50%
31%
33%
29%
N/A
26%
27%
22%
28%
15%
12%
4%
21%
17%
5%
reports.informationweek.com
reports C l o u d I D M a n a g e m e n t
Table of Contents
Figure 2
FAST FACT
27%
of respondents to our
2012 State of Cloud
Computing Survey have
only one cloud
application provider.
7. October 2012 7
Previous Next
strategy. Leveraging AD to manage access to
cloud apps addresses a number of security,
risk and compliance issues.It also reduces the
provisioning and administrative burden of
adding and removing users,facilitates the de-
ployment of single sign-on and allows you do
some cool things with role-based authentica-
tion based on various group memberships or
user attributes.
Broadly speaking,there are four approaches
you can use for managing access to cloud
applications: full synchronization of Active
Directory, partial synchronization of Active
Directory,federation and identity-as-a-service.
We’ll look at each one in turn.
Full AD synchronization: In this scenario,
you leverage AD to authenticate users to a
particular cloud application.For organizations
that use a small number of cloud apps,or per-
haps just one, enterprise single sign-on isn’t
really all that important. According to Infor-
mationWeek’s State of Cloud Computing Sur-
vey,27% of respondents have only one cloud
application provider. In this case, you could
simply allow your cloud provider to synchro-
nize all user objects in Active Directory at a
predetermined interval.
The benefit is that you’re able to leverage
your directory for authentication. The draw-
back is that you’ll need to punch a hole in
your firewall to allow incoming LDAP queries
from the cloud provider. You can install an
agent on your domain controller that
synchronizes AD outbound over SSL.This is a
better option because it doesn’t require a
separate port to be opened in the firewall.
Note that the level of detail that a cloud
provider will synchronize can differ. For
instance,one provider might only synchronize
the attributes needed to confirm a user’s
identity, such as the user ID, first and last
name, and group membership. Another
provider might synchronize your entire direc-
tory.That leads to our second option.
Partial AD synchronization: For security
and compliance reasons,an organization may
have a difficult time accepting that a full copy
of its entire directory services infrastructure is
being put into the hands of a third party. In
that case, you can perform a partial synchro-
nization that only copies the attributes neces-
sary to identify a user.
Here’s how it works:When a user logs on to a
cloud application, the cloud application for-
wards the logon request to the customer’s own
Active Directory domain controller to validate
the user. The benefit is that you can still per-
form real-time AD authentication for a cloud
app, and you negate the security and compli-
ance issues of having a full copy of your direc-
tory hosted off-site.The negative is that if a do-
main controller is unavailable to validate the
request in real time, then the user will not be
able to authenticate to the cloud app.
Federation: Federation is a mechanism
designed to let employees use their own
authentication credentials to sign on to appli-
cations or access resources hosted by a third
party. Federation grew out of the need for
companies to provide access to applications
for business partners and suppliers. Federa-
tion allows for very granular authentication
and access control,and it allows companies to
enforce logon requirements for third parties.
For instance,Organization A may allow Organ-
Identity and Access
Management:
An Introduction
Identity access management,or
IAM,is not exactly an area that
organizations have addressed
with focus and consistency.For
this reason,and because of the
sheer scope of related issues and
technologies,an IAM project can
be a daunting proposition.But it
doesn’t have to be.With careful
planning and a firm understand-
ing of the goals for and chal-
lenges of IAM,it is possible to lay
an IAM foundation that will meet
your organization’s unique iden-
tity and access management
needs now and in the future.
Download
Download
reports.informationweek.com
reports C l o u d I D M a n a g e m e n t
Table of Contents
8. October 2012 8
izations B, C and D to use a simple user name
and password to access a wiki but require
two-factor authentication to access parts of
its ERP system.
The concept of federation is simple,but the
implementation … not so much. It’s an ad-
ministrative pain to configure and deploy.
You’ll need to purchase,configure,deploy and
manage the infrastructure required in order
to make it work, including dedicated servers
to run the federation infrastructure.
Microsoft offers Active Directory Federation
Services,which is free with the base Windows
operating system.ADFS supports many of the
standard identity protocols in use today, in-
cluding SAML 1.1 and SAML 2.0,WS-Trust and
WS-Federation.IBM and Oracle also offer com-
prehensive federation productions: IBM’s
Tivoli Federated Identity Manager and Ora-
cle’s Identity Federation.
Despite the drawbacks, there are some
instances where federation makes the most
sense. For example, let’s say you’re planning
to outsource your Exchange messaging
environment to Microsoft’s Office 365 cloud
service. To provide seamless authentication
to a hosted mailbox in Microsoft’s cloud,
ADFS will make access completely transpar-
ent to the user.
Identity-as-a-Service
Another option for simplifying ID manage-
ment for cloud applications is to turn to the
cloud.A new category of providers now offers
Previous Next
2012 2011
Looking ahead 24 months,what percentage of your IT services do you predict will be delivered from the cloud?
Future Degree of Cloud Use
75% or more;“IT”is a four-letter word to us
50% to 74%;if it can be outsourced,we’re looking to do it
25% to 49%;our core business isn’t IT and we’re happy to use outside services
10% to 24%;some tasks are better done by others
1% to 9%;very limited usage
None,we hate the cloud
Base: 511 respondents in December 2011 and 399 in October 2010
Data: InformationWeek State of Cloud Computing Survey of business technology professionals at organizations with 50 or more employees
R4020112/16
4%
2%
11%
14%
18%
17%
29%
30%
32%
29%
6%
8%
reports.informationweek.com
reports C l o u d I D M a n a g e m e n t
Table of Contents
Figure 3
Like This Report?
Rate It!
Something we could do
better? Let us know.
Rate
Rate
9. October 2012 9
IDaaS.In this service,a company known as an
identity provider acts as a broker between
your employees and the cloud services they
use.An IDP can make it easier to manage mul-
tiple cloud services and provision and depro-
vision users.
Consider the following scenario: Company
A uses Salesforce.com, Google Apps, Office
365, Dropbox and WebEx as part of its com-
plement of corporate-issued Web applica-
tions. In the absence of an ID management
product or service, each user (or IT) would
normally need to create a user profile within
each individual cloud application, and em-
ployees would log on separately to each ap-
plication. While the user’s credentials could
certainly be tied to AD, the user would still
need to log on manually to each application.
With IDaaS, instead of logging on to each
application separately,you instead establish a
session with an IDP.With a valid session estab-
lished, the IDP responds to requests for cre-
dentials by a cloud Web application, typically
via standards such as SAML or OAuth.The re-
sult is that you’re automatically logged on to
your cloud application.Many IDaaS providers
offer a portal, or will connect to a corporate
intranet, that lists all the user’s cloud applica-
tions. The user simply clicks the appropriate
icon and is logged on to the application.
In an IDaaS scenario, a company still needs
to link Active Directory to the IDP, and for
some that’s a drawback.However,cloud iden-
tity providers do not typically store passwords,
only user attributes.That’s a plus if you’re wor-
Previous Next
An identity service brokers connections between the enterprise and its software-as-a-service providers.In a typical deployment,an
employee logs in to a SaaS application,usually via a Web portal.The identity service checks user credentials against a corporate
LDAP-compliant directory,often Active Directory.The service then passes authentication credentials to the SaaS site to log in the user.
An identity service may support multiple identity standards,including SAML and OpenID,or use proprietary mechanisms.
Firewall
Corporate
Web
portal
Employees and
contractors
LDAP
Plug-in
SAML,OpenID,
WS-Federation,or
proprietary
connections
Other SaaS
app
CloudConnection
nID,
on,or
ary
ons
Other SaaS
Identity
service
reports.informationweek.com
reports C l o u d I D M a n a g e m e n t
Table of Contents
Figure 4
Like
Like Tweet
Tweet
Tweet
Share
Share
Like This Report?
Share it!
10. October 2012 10
ried about a breach of the provider compro-
mising the passwords of your users. You can
minimize the number of user objects that you
sync with an IDP if you have specific access
needs. For example, if only the sales and mar-
keting team needs access to Salesforce, then
you can limit the synchronization of AD to the
specific organizational units that contain the
user objects needing access to Salesforce. An
organizational unit within Active Directory is
used to group users or departments that share
common security policy requirements.
Here’s another plus: With IDaaS you get
some cool security features that would be
more difficult to implement in the absence of
an identity management tool. For example,
you could configure an access control policy
that says if a user is not connecting from one
of your internal subnets (that is,the employee
is off the corporate network), then force two-
factor authentication.
But here’s where identity providers may re-
ally be worth their weight in gold.A good IDP
has already federated with the most popular
cloud application providers. So instead of
spending time building and managing a fed-
eration server farm, and the SSL and token-
signing certificates that are required to make
it work,you can just dump that responsibility
on an IDP. And instead of syncing AD with 10
cloud providers, you can outsource that ad-
ministrative burden to a single vendor, or in
this case,your IDP of choice.
There are many provider choices if you’re
considering IDaaS: PingFederate, OneLogin,
Symplified,ActivIdentity,EmpowerID,Janrain,
and Intel Cloud SSO are just a few of the ven-
dors that offer help with cloud identity man-
agement challenges.
User Provisioning
The ability to provision and deprovision user
accounts quickly is perhaps one of the biggest
advantages of using an IDP.If you were just us-
ing Salesforce and needed to bulk import 100
new employees, you could certainly do that
with the Data Loader tool that Salesforce sup-
plies for its customers. However, that process
is manual and can be cumbersome.
Alternatively, you could leverage some of
the APIs that Salesforce exposes for cus-
tomers for a range of automation tasks, in-
cluding user account management.But most
IDaaS vendors have already integrated those
APIs into their identity clouds. That means
when you create new users in AD,they will au-
tomatically be synced to your IDP, and from
there an API call can be made by the IDP to
create the new user account within the cloud
application. The upshot is, you’re ultimately
using AD to control group-based access pol-
icy, and you’re using AD to add and remove
users from accessing your cloud apps.
The user provisioning benefits of IDaaS are
compelling, but only if you’re scaling out the
number of cloud apps you need to support to
the point where provisioning is becoming a
major headache.In the absence of that,your in-
ternal AD infrastructure is more than adequate
to provide efficient account management.
Compliance Concerns
While IDaaS has many benefits,it can open a
can of worms on the compliance front. Com-
pliance mandates that deal with authentica-
Previous Next
reports.informationweek.com
reports C l o u d I D M a n a g e m e n t
Table of Contents
11. October 2012 11
tion and access control, such as PCI and Sar-
banes-Oxley, will look closely at an IDaaS im-
plementation, because for all intents and pur-
poses, you’re exposing critical applications
(that is,Active Directory) to the Internet.An au-
ditor will scrutinize password complexity pol-
icy,along with your ability to centrally manage
and review logs.Log management and review
is important because it may provide early
warning of attempts by an intruder to gain ac-
cess to business systems.Your cloud identity
vendor may not have passwords, but it likely
has other user attributes tied to your account,
including an email address and user name. In
many organizations, a company’s email do-
main and AD domain namespace are the same.
With those two pieces of information alone,an
attacker can attempt to use brute-force pass-
word cracking techniques.
If you have an internal log management in-
frastructure (or even a cloud log management
infrastructure), the vendor you select should
be able to provide logs of user account activ-
ity.At the very least,there should be adequate
logging features within the cloud identity
platform itself that you can access.
Cloud applications are now a normal part of
the mix of business applications and tools that
employees require to get their work done.And
given the variety of options that IT has for
managing user access to cloud services,
there’s no reason any company should leave
identity and access management of business
applications in their users’ hands.And as more
IT shops make the transition to cloud apps
with highly mobile workforces, IDaaS will be-
come more widely accepted and deployed.
Previous Next
reports.informationweek.com
reports C l o u d I D M a n a g e m e n t
Table of Contents
12. Subscribe
Subscribe
Newsletter
Want to stay current on all new
InformationWeek Reports?
Subscribe to our weekly
newsletter and never miss
a beat.
October 2012 12
Previous
reports.informationweek.com
reports C l o u d I D M a n a g e m e n t
MORE
LIKE THIS
Want More Like This?
InformationWeek creates more than 150 reports like this each year,and they’re all free to registered users.We’ll help
you sort through vendor claims,justify IT projects and implement new systems by providing analysis and advice from IT
professionals.Right now on our site you’ll find:
9 Vital Questions on Moving Apps to the Public Cloud: The decision to move an application from in-house to the
public cloud is a significant one.Organizations have to consider a range of issues,from business drivers to application
availability to compliance and security to user adoption.We have nine questions you should ask and answer to help you
pick the right course of action.
Compliance in the Cloud Era: Just as we’re finally getting to a good place with controls,a new pressure is emerging,
say the 422 respondents to our 2012 Regulatory Compliance Survey.There is good news,too:Most have the resources
they need to meet mandates,and just 22% are still ignoring data classification.However,enterprises are placing in-
creased reliance on external parties,and 72% of respondents see at least some vendors and partners as a compliance
threat.Here’s how to minimize your risk.
Buyer’s Guide:Cloud Storage,Backup and Synchronization: The cloud is displacing local physical storage for
applications as diverse as file sharing,backup and cross-device data synchronization.Both business users and IT are
adopting cloud services because of their convenience and low costs.We examine the market landscape and present
detailed features and pricing from14 providers,including Carbonite,Dropbox and Nirvanix.
PLUS: Find signature reports,such as the InformationWeek Salary Survey,InformationWeek 500 and the annual State of
Security report; full issues; and much more.
Table of Contents
