So how do you build an identity management framework for all of your cloud applications? There are four choices, all of which involve Active Directory, Microsoft's popular directory software, and one that uses the cloud itself.
AD or another LDAP-based directory should be at the heart of your cloud ID management strategy. Leveraging AD to manage access to cloud apps addresses a number of security, risk, and compliance issues. It also reduces the administrative burden of adding and removing users, facilitates the deployment of single sign-on, and lets you do some cool things with role-based authentication based on various group memberships and user attributes.
The four approaches you can use for managing access to cloud apps are either full or partial synchronization of Active Directory, federation, and identity-as-a-service. Here's how they work.
Active Directory Synchronization
With full AD synchronization, you leverage Active Directory to authenticate users to a particular cloud application. Enterprise single sign-on isn't really all that important for companies that use one or a small number of cloud apps. This situation applies to 27% of 166 respondents to InformationWeek's State of Cloud Computing Survey, who have only one cloud application provider. In this case, you simply let your cloud provider synchronize all user objects in AD at a predetermined interval.
The benefit of full synchronization is that you can leverage your directory for authentication. The drawback is that you must punch a hole in your firewall to allow incoming LDAP queries from the cloud provider.
Another full-synchronization option is to install an agent on your domain controller that synchronizes AD outbound over SSL. This is a better approach, because it doesn't require a separate port to be opened in the firewall. Note that the level of detail that a cloud provider will synchronize can differ. For instance, one provider might only synchronize the user attributes needed to confirm a user's identity, such as the user ID, first and last name, and group membership. Another provider might synchronize your entire directory. That leads to the partial synchronization option.
For security and compliance reasons, a company may not want to hand over a full copy of its directory services infrastructure to a third party. With partial synchronization, you only copy the attributes necessary to identify a user.
Here's how it works: When an employee logs on to a cloud application, the app forwards the logon request to the employer's Active Directory domain controller to validate the user. With this approach, you get real-time AD authentication but without the security and compliance issues of having a full copy of your directory hosted off-site. The downside is that if a domain controller isn't available to validate the request in real time, then the user won't be able to authenticate to the cloud app.
Federation, the third approach to managing access to cloud apps, grew out of the need for companies to provide access to applications for business partners and suppliers. Two or more companies set up a system that allows access to specific systems using predefined authentication and access mechanisms.
The concept is simple, but implementation is hard. Companies have to deal with complex identity standards and mechanisms such as identity tokens and digital certificates. You also must purchase, configure, deploy, and manage the infrastructure required--including dedicated servers to run the federation infrastructure--in order to make it work.
Microsoft offers Active Directory Federation Services, which is free with the base Windows operating system. ADFS supports many of the standard identity protocols in use today, including SAML 1.1 and SAML 2.0, WS-Trust, and WS-Federation. IBM and Oracle also offer comprehensive federation products: IBM's Tivoli Federated Identity Manager and Oracle's Identity Federation.