Single Sign-On For The Cloud

Worried about controlling access to corporate cloud apps? There's an app for that.

Another option for simplifying ID management for cloud applications is to turn to the cloud. A new category of providers now offers identity-as-a-service, or IDaaS. With this service, an identity provider, or IDP, acts as a broker between your employees and the cloud services they use. The IDP makes it easier to manage multiple cloud services, and provision and deprovision users.

Consider this scenario: Company A provides, Google Apps, Office 365, Dropbox, and WebEx as corporate-issued Web apps. In the absence of an ID management product or service, each user (or IT) would have to create a user profile within each individual application, and employees would log on separately to each application. While the user's credentials could be tied to AD, the user would still have to log on manually to each app.

With IDaaS, instead of logging on to each application separately, you establish a session with an identity provider. The IDP responds to requests for credentials by a cloud Web application, typically via standards such as SAML or OAuth, automatically logging you on to the cloud app. Many IDaaS providers offer a portal or will connect to a company intranet that lists all the user's cloud applications. The user clicks the appropriate icon and is logged on to the application.

With IDaaS, companies still need to link Active Directory to the IDP and, for some, that's a drawback. However, cloud identity providers typically don't store passwords, only user attributes. Your users' passwords aren't at risk if the provider's system is hacked or breached. You can minimize the number of user objects that you sync with an IDP if you have specific access needs. For example, if only the sales and marketing team needs access to Salesforce, then you can limit AD synchronization to the specific organizational units within Active Directory that contain the users needing access to Salesforce. Organizational units are used to group users or departments that share common security policy requirements.

Here's another plus: With IDaaS you get some cool security features that would be more difficult to implement in the absence of an identity management tool. For example, you could configure an access control policy that says if a user isn't connecting from an internal subnet (that is, the employee is off the corporate network), then force two-factor authentication.

But here's where identity providers may really be worth their weight in gold. The good ones have already federated with the most popular cloud application providers. So instead of spending time building and managing a federation server farm, and the SSL and token-signing certificates that are required to make it work, you can dump that responsibility on an IDP. And instead of syncing AD with 10 different cloud providers, you can outsource that task to a single vendor, or in this case, your IDP of choice.

There are many provider choices if you're considering IDaaS: ActivIdentity, EmpowerID, Janrain, Intel Cloud SSO, PingFederate, OneLogin, and Symplified are some of the vendors that offer cloud identity management help.

chart: How many actual cloud providers do you use?

User Provisioning

The ability to provision and deprovision user accounts fast is perhaps one of the biggest advantages of using an identity provider. If you were just using Salesforce and needed to bulk import 100 new employees, you could do that with the DataLoader tool that Salesforce supplies. However, that's a manual, potentially cumbersome, process.

Alternatively, you could leverage some of the APIs that Salesforce exposes to provide customers with a range of automation tasks, including user account management. But most IDaaS vendors have already integrated those APIs into their identity clouds. That means when you create new users in Active Directory they'll automatically be synced to your IDP, and from there, the IDP will make an API to create the new user account within the cloud application. Ultimately, you're using AD to control group-based access policy and to add and remove users allowed to access your cloud apps.

While IDaaS has many benefits, it can open up a number of compliance issues. Compliance mandates that deal with authentication and access control, such as PCI and Sarbanes-Oxley, will look closely at an IDaaS implementation, because for all intents and purposes, you're exposing critical applications (that is, Active Directory) to the Internet. An auditor will scrutinize password complexity policy, along with your ability to centrally manage and review logs. Log management and review is important, because it can provide early warnings of intruder attempts to access to your systems and employee misuse.

If you have an internal log management infrastructure (or even a cloud log management infrastructure), the vendor you select should be able to provide logs of user account activity. At the very least, there should be adequate logging features within the cloud identity platform itself that you can access.

Cloud applications are a normal part of the business applications and tools mix that employees need to do their jobs. Given the variety of options that IT has for managing user access to cloud services, there's no reason to leave identity and access management of business applications in users' hands. And as more IT shops make the transition to cloud apps with highly mobile workforces, IDaaS will become more widely accepted and deployed.

chart: what are your cloud services concerns?