News
10/3/2012 02:55 PM

Single Sign-On For The Cloud

Worried about controlling access to corporate cloud apps? There's an app for that.

When it comes to integrating cloud applications into a corporate environment, one of the biggest challenges for many IT shops is identity management. Users often create their own logon credentials to business-related cloud applications. This can lead to a variety of problems, including the use of easy-to-crack passwords and the difficulty of cutting off access when users leave the company.

So how do you build an identity management framework for all of your cloud applications? There are four choices: three that involve Active Directory, Microsoft's widely used directory software, and one that uses the cloud itself.

AD or another LDAP-based directory should be at the heart of your cloud ID management strategy. Leveraging AD to manage access to cloud apps addresses a number of security, risk, and compliance issues: there is one authoritative place to disable an account, and password policy is enforced centrally rather than separately in every app. It also reduces the administrative burden of adding and removing users, facilitates the deployment of single sign-on, and lets you drive role-based authorization in the cloud app from group memberships and user attributes (authentication proves who the user is; the groups decide what that user may do).

The four approaches you can use for managing access to cloud apps are full synchronization of Active Directory, partial synchronization, federation, and identity-as-a-service. Here's how they work.

Active Directory Synchronization

With full AD synchronization, the cloud provider keeps its own copy of your Active Directory user objects and authenticates users against that copy. Enterprise single sign-on isn't really all that important for companies that use one or a small number of cloud apps. This situation applies to 27% of 166 respondents to InformationWeek's State of Cloud Computing Survey, who have only one cloud application provider. In this case, you simply let your cloud provider synchronize all user objects in AD at a predetermined interval.

The benefit of full synchronization is that you can leverage your directory for authentication. The drawback is that you must punch a hole in your firewall to allow incoming LDAP queries from the cloud provider. If you go this way, treat it as what it is, a domain controller exposed to the Internet: restrict the rule to the provider's source addresses, require LDAP over SSL/TLS (port 636) rather than cleartext LDAP on port 389, and give the provider a read-only service account that can see only the organizational units it needs.

Another full-synchronization option is to install an agent on your domain controller that synchronizes AD outbound over SSL/TLS. This is a better approach, because it doesn't require an inbound port to be opened in the firewall, although the agent and its service account now run on a domain controller and deserve the same scrutiny as anything else installed there. Note that the level of detail that a cloud provider will synchronize can differ. For instance, one provider might only synchronize the user attributes needed to confirm a user's identity, such as the user ID, first and last name, and group membership. Another provider might synchronize your entire directory. That leads to the partial synchronization option.

For security and compliance reasons, a company may not want to hand over a full copy of its directory services infrastructure to a third party. With partial synchronization, you copy only the attributes necessary to identify a user, such as the user ID, name, and group memberships; password material stays on your domain controllers.

Here's how it works: When an employee logs on to a cloud application, the app forwards the logon request to the employer's Active Directory domain controller to validate the user's credentials. With this approach, you get real-time AD authentication, so a disabled account is locked out immediately rather than at the next sync, without the security and compliance issues of having a full copy of your directory hosted off-site. The downside is that if a domain controller isn't reachable to validate the request in real time, then the user won't be able to authenticate to the cloud app. The provider also still needs a path to your domain controllers, either an inbound firewall rule or an outbound agent, with the same considerations as for full synchronization.
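To show what "only the attributes necessary to identify a user" and "cutting off access when users leave" look like in practice, here is an added example, not the article's or any vendor's code, of a minimal partial-synchronization job. It takes records shaped like the result of an LDAP search of AD (constructed inline, using real AD attribute names), projects them onto an allow-list so that password blobs and SIDs never leave the directory, and turns disabled or deleted accounts into deprovisioning actions for the next sync interval. The "op" names and JSON shape are hypothetical, not any provider's provisioning API.

```python
"""Partial AD-to-cloud synchronization: allow-listed attributes plus deprovisioning.

Added example, not the article's or any vendor's code. The input records are
constructed to look like the result of an LDAP search of AD (real AD attribute
names); the actions it returns use a hypothetical JSON shape, not a real
provisioning API.
"""
import json

# Real AD attribute names. Only these leave the directory (the article's
# "user ID, first and last name, and group membership", plus mail).
ALLOWED_ATTRS = ("sAMAccountName", "givenName", "sn", "mail", "memberOf")

# Attributes that must never be handed to a third party, even if a badly
# scoped search returns them. Checked as a second line of defence.
DENY_ATTRS = {"unicodePwd", "dBCSPwd", "ntPwdHistory", "lmPwdHistory",
              "supplementalCredentials", "objectSid"}

ADS_UF_ACCOUNTDISABLE = 0x0002  # bit in AD's userAccountControl attribute

# Constructed sample: three situations a sync job has to handle.
# asmith is active; bjones is disabled in AD; cdoe has been deleted from AD
# but still has an account in the cloud app.
AD_USERS = [
    {"sAMAccountName": "asmith", "givenName": "Alice", "sn": "Smith",
     "mail": "asmith@example.com", "userAccountControl": 512,
     "memberOf": ["CN=Sales,OU=Groups,DC=example,DC=com",
                  "CN=VPN-Users,OU=Groups,DC=example,DC=com"],
     "unicodePwd": b"\x01\x02", "objectSid": "S-1-5-21-1-2-3-1105"},
    {"sAMAccountName": "bjones", "givenName": "Bob", "sn": "Jones",
     "mail": "bjones@example.com", "userAccountControl": 514,
     "memberOf": ["CN=Finance,OU=Groups,DC=example,DC=com"]},
]
CLOUD_ACCOUNTS = {"asmith", "bjones", "cdoe"}  # constructed: what the app knows today


def is_disabled(entry):
    """True if the ACCOUNTDISABLE bit is set in userAccountControl."""
    return bool(int(entry.get("userAccountControl", 0)) & ADS_UF_ACCOUNTDISABLE)


def group_cn(dn):
    """Turn 'CN=Sales,OU=Groups,DC=...' into 'Sales' so the app gets a role name, not a DN."""
    rdn = dn.split(",", 1)[0]
    return rdn[3:] if rdn.upper().startswith("CN=") else rdn


def minimize(entry):
    """Project an AD entry onto the allow-list and normalise group names."""
    out = {a: entry[a] for a in ALLOWED_ATTRS if a in entry and a != "memberOf"}
    out["memberOf"] = [group_cn(g) for g in entry.get("memberOf", [])]
    if DENY_ATTRS.intersection(out):  # cannot happen with the allow-list; kept as a tripwire
        raise RuntimeError("sensitive attribute in outbound payload")
    return out


def plan_sync(ad_entries, cloud_accounts):
    """Compute what to send to the cloud app this interval (hypothetical op names)."""
    actions, seen = [], set()
    for e in ad_entries:
        uid = e["sAMAccountName"]
        seen.add(uid)
        if is_disabled(e):
            actions.append({"op": "deactivate", "user": uid, "reason": "disabled in AD"})
        else:
            actions.append({"op": "upsert", "user": uid, "attrs": minimize(e)})
    # Anyone the cloud app knows that AD no longer does has left: cut them off.
    for uid in sorted(cloud_accounts - seen):
        actions.append({"op": "deactivate", "user": uid, "reason": "not found in AD"})
    return actions


def outbound_payload(ad_entries, cloud_accounts):
    """Serialise the plan; json.dumps fails loudly if a raw password blob slipped through."""
    return json.dumps(plan_sync(ad_entries, cloud_accounts), indent=1)


if __name__ == "__main__":
    print(outbound_payload(AD_USERS, CLOUD_ACCOUNTS))
```

The allow-list, not the deny-list, is what keeps the payload small; the deny-list is there so that a future change to the allow-list that accidentally adds a credential attribute fails the job instead of shipping the attribute. Running the block prints one upsert for asmith with only five attributes and two deactivations, one for the disabled user and one for the user no longer in AD.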

Federation, the third approach to managing access to cloud apps, grew out of the need for companies to provide access to applications for business partners and suppliers. Two or more companies set up a system that allows access to specific systems using predefined authentication and access mechanisms.

The concept is simple, but implementation is hard. Companies have to deal with complex identity standards and mechanisms such as identity tokens and digital certificates. You also must purchase, configure, deploy, and manage the infrastructure required--including dedicated servers to run the federation infrastructure--in order to make it work.

Microsoft offers Active Directory Federation Services, which ships with Windows Server at no additional license cost. ADFS supports many of the standard identity protocols in use today, including SAML 1.1 and SAML 2.0, WS-Trust, and WS-Federation. IBM and Oracle also offer comprehensive federation products: IBM's Tivoli Federated Identity Manager and Oracle's Identity Federation. Whichever product you choose, the cloud app ends up trusting any token signed by your federation server's token-signing key, so that key, and the server that holds it, become as sensitive as a domain controller.
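To make the "identity tokens" concrete, here is an added example, not the article's, Microsoft's or any vendor's code, of what the cloud application, acting as a SAML 2.0 service provider, must check on an assertion issued by a federation server such as ADFS before trusting the identity inside it. It assumes the XML signature has already been verified with an XML-DSig library (signxml is one); a good signature alone is not enough, because the issuer, audience, recipient, validity window and one-time use all have to be checked, or a token minted for a different app, or replayed later, would be accepted. The entity IDs, URLs, assertion and clock are constructed sample values; the group claim URI is the standard one ADFS issues for group membership.

```python
"""Service-provider-side validation of a SAML 2.0 assertion from ADFS.

Added example (not the article's or any vendor's code). Signature verification
is assumed to have happened before this runs; these are the policy checks that
still apply to a correctly signed assertion. All identifiers are constructed.
"""
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted XML in production
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ADFS_GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"  # standard ADFS group claim type

# Constructed trust configuration for the cloud app (hypothetical entity IDs).
SP_ENTITY_ID = "https://cloudapp.example.com/sp"
SP_ACS_URL = "https://cloudapp.example.com/saml/acs"
TRUSTED_ISSUER = "http://adfs.example.com/adfs/services/trust"
CLOCK_SKEW = timedelta(minutes=5)

# Constructed sample assertion, as ADFS would issue after validating the user
# against AD. The ds:Signature element is omitted (see module docstring).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2012-10-03T14:55:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">asmith@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2012-10-03T15:00:00Z"
          Recipient="https://cloudapp.example.com/saml/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2012-10-03T14:54:00Z" NotOnOrAfter="2012-10-03T15:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://cloudapp.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>Sales</saml:AttributeValue>
      <saml:AttributeValue>VPN-Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

NOW = datetime(2012, 10, 3, 14, 56, tzinfo=timezone.utc)  # constructed "current time"


class AssertionRejected(Exception):
    pass


def _ts(value):
    """Parse the UTC timestamps SAML uses (e.g. 2012-10-03T14:55:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, seen_ids):
    """Return (name_id, groups) or raise AssertionRejected. seen_ids is the replay cache."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"] or root.get("Version") != "2.0":
        raise AssertionRejected("not a SAML 2.0 assertion")
    if root.findtext("saml:Issuer", namespaces=NS) != TRUSTED_ISSUER:
        raise AssertionRejected("untrusted issuer")
    cond = root.find("saml:Conditions", namespaces=NS)
    if cond is None:
        raise AssertionRejected("missing Conditions")
    if now + CLOCK_SKEW < _ts(cond.get("NotBefore")):
        raise AssertionRejected("not yet valid")
    if now - CLOCK_SKEW >= _ts(cond.get("NotOnOrAfter")):
        raise AssertionRejected("expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:  # a token minted for another relying party is not ours
        raise AssertionRejected("wrong audience")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL:
        raise AssertionRejected("wrong recipient")
    if now - CLOCK_SKEW >= _ts(scd.get("NotOnOrAfter")):
        raise AssertionRejected("bearer confirmation expired")
    assertion_id = root.get("ID")
    if assertion_id in seen_ids:  # bearer tokens are one-shot; cache IDs until NotOnOrAfter
        raise AssertionRejected("replayed assertion")
    seen_ids.add(assertion_id)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    groups = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == ADFS_GROUP_CLAIM:
            groups.extend(v.text for v in attr.findall("saml:AttributeValue", NS))
    return name_id, groups


def rejects(xml_text, now, seen_ids):
    """The rejection reason as a string, or None if the assertion is accepted."""
    try:
        validate_assertion(xml_text, now, seen_ids)
    except AssertionRejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, NOW, set()))
```

The groups returned are what the article calls role-based access: the cloud app never sees the user's password, only the AD group names ADFS chose to release, and it maps those to its own roles. The replay cache only needs to hold assertion IDs until their NotOnOrAfter has passed.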

diagram: Cloud Connection

Page 1 of 2

Comments
moarsauce123, User Rank: Ninja, 10/11/2012 | 1:10:22 PM
re: Single Sign-On For The Cloud
We tried to implement ADFS 2, but it was a P.I.A. We ended up using something called SecureAuth, as it added 2-factor for external access to our cloud apps.