Talking Identity Banner

Expanding on the Oracle-Sun IdM Strategy

Jan 29th, 2010
by Nishant Kaushik.
Comments

oracle_sun_smallWith the Sun acquisition complete, we can finally start talking about what this means for various product lines. Thomas Kurian touched on the identity management strategy in the big Wednesday launch event, and I recapped what he said in my previous blog post. Now, the next level of detail has come from Hasan Rizvi, SVP for Oracle Fusion Middleware, in this product strategy webcast. Definitely take the time to check out the webcast, as there is a lot of good information in there. Below is a brief overview for each of the IdM product areas.

Directory Services

Sun Directory Server Enterprise Edition (DSEE) and Oracle Internet Directory (OID) will co-exist as strategic products (contrary to some interpretations out there). This is because each product has a unique set of capabilities that address different market segments and use cases. Oracle will innovate both directories, which includes adding some of the administration, reporting and systems management capabilities that have been built for the OID and OVD products to the DSEE product. Sun DSEE will be re-branded as Oracle Directory Server Enterprise Edition.

Meanwhile, Sun OpenDS will continue as an open-source project.

Oracle Virtual Directory will be the strategic product for identity virtualization.

Access Management

Oracle Access Manager will be the strategic product for web single sign-on. Sun OpenSSO will continue on as an open-source project for the community.

Sun’s Fedlet capabilities will be integrated into Oracle Identity Federation, which will be the strategic product for Federated Single Sign-On.

Sun’s Secure Token Service will become part of the Oracle Access Management Suite going forward.

Products that aren’t impacted by the Sun acquisition, and therefore remain strategic for their specific areas are Oracle Entitlement Server (fine-grained authorization), Oracle Adaptive Access Manager (strong authentication and risk-based access management), Oracle Web Services Manager (SOA + Web Services security) and Oracle Enterprise SSO (SSO for Desktop and Mainframes).

Identity Administration

Oracle Identity Manager will be the strategic identity administration and provisioning product moving forward. Sun Identity Manager, re-branded as Oracle Waveset (didn’t think I’d hear that name again outside of reunions), will be maintained for quite some time, and some of its key features like IDE integration and tamper-proof auditing will be integrated into OIM.

Identity Governance

Sun Role Manager will be re-branded as Oracle Identity Analytics and will become the strategic identity governance product in the Oracle Identity Management Suite. It will provide capabilities in the area of role mining, compliance attestation, and identity dashboards and reports, and will be enhanced to leverage some of the best-of-breed capabilities that Oracle has in the area of business intelligence and data mining. Note that role lifecycle management capabilities continue to be offered currently via the Oracle Role Manager product.

General

Throughout this acquisition, Oracle’s focus is on the customer. We want to make sure that customers continue to remain successful in their projects, and get value from the investments they have made. This is reflected in some of the strategic decisions made, and in points made throughout the webcast:

  • In most cases, Oracle will be developing migration tools to help customers move to the new strategic products.
  • Oracle will be providing support and maintenance for all the Sun products for a very long period of time, including lifetime support in certain cases.

Obviously, there will be a lot more information coming in the next few weeks/months. Stay tuned, and check out oracle.com/identity for more information.

Slide 18

role mining, compliance attestation/recertification, and dashboards and reports for identity analytics
Share This:
  • Twitter
  • Digg
  • Facebook
  • LinkedIn
  • StumbleUpon
  • Google Bookmarks
  • Identi.ca
  • del.icio.us
  • Reddit
  • Technorati
  • NewsVine
  • Slashdot
  • Suggest to Techmeme via Twitter
  • E-mail this story to a friend!

Posted in: Oracle Identity Management.
Tagged: · · · · · · · · · · ·

Today is the day: Oracle + Sun = Exciting Days Ahead

Jan 27th, 2010
by Nishant Kaushik.
Comments

Well, it’s finally here. After months and months of delay, Oracle announced it finalized its acquisition of Sun.oracle_sun

It took so long, I think of lot of people thought this day was just a mirage. And unfortunately, the delay has cost us (in the identity management team) the opportunity to work with some great folks like Eve Maler and Pat Patterson. But now it is done, and the real work can begin as we start to lay out exactly how the IAM suites of the two companies – arguably the best in the business – will come together. It isn’t going to be easy, and our emphasis on our customers means that it can’t be quick, but the result should be great. In the Oracle+Sun strategy update this morning, Thomas Kurian gave the following overview on the Identity Management product strategy:

  • Oracle Identity Management Suite continues as the strategic family of products, but Oracle will continue to invest in and share technology between Sun and Oracle products
  • Both Oracle Internet Directory (OID) and Sun Directory Server will be supported, with common LDAP administration through our DS Management tools. Oracle will continue to maintain OpenDS
  • Sun Role Manager will become Oracle Identity Analytics, the strategic identity analytics tool
  • Oracle Identity Manager, Oracle Access Manager, Oracle Virtual Directory, Oracle Entitlements Server and Oracle Identity Federation continue as Oracle’s strategic products for their respective areas, with technology incorporated from Sun
  • Oracle will invest in Sun Identity Manager and integrate it with Oracle Identity Manager
  • Oracle will also invest in Sun OpenSSO and integrate it with OAM

Of course, the devil is in the details, and I expect that the coming weeks and months are going to be a little crazy as those details are laid bare. Planning has been going on for a while, and now those plans can finally be communicated and the ramifications thrashed out. That should provide a fair amount of fodder for discussion in the blogosphere and twittersphere (so stay tuned). I’ll try to provide some information here as and when it can be made public.

And a warm welcome to all my new colleagues from Sun. Buckle in for what should be a very interesting ride. I’ll be at Oracle HQ in a couple of weeks to participate in some of the planning and discussions that will be happening. So if you will be around, then lets meet up.

Share This:
  • Twitter
  • Digg
  • Facebook
  • LinkedIn
  • StumbleUpon
  • Google Bookmarks
  • Identi.ca
  • del.icio.us
  • Reddit
  • Technorati
  • NewsVine
  • Slashdot
  • Suggest to Techmeme via Twitter
  • E-mail this story to a friend!

Posted in: Oracle Identity Management.
Tagged: · · · · ·

Kuppinger Cole’s free Virtual Conference on Access Governance

Dec 7th, 2009
by Nishant Kaushik.
Comments

The identity management analyst team over at Kuppinger Cole is organizing a free virtual conference on Enterprise Access Governance over the next two days (December 8 and 9). They’ll be putting forward their thoughts on what constitutes a complete access governance program, and what is the best, most optimal way to go about managing your risk and security needs.

I’ll be taking part in two of their panel discussions, one on the topic of Separation of Duties (SoD), and the other on the topic of Attestation (or re-certification). Both are on Wednesday, December 9th:

  • How to Efficiently Implement SoD Controls: Which Level Works?
    • 11am EST| 8am PST | 5pm CET
  • How to Start: Recertification or Active Access Controls First?
    • 12pm EST | 9am PST | 6pm CET

Both panels will be focused on determining the right approach to rolling out these solutions, and where they should fit into your overall IdM program. This sometimes become a vendor driven conversation, so the opportunity for fireworks is always there.

Check out the conference if you have time. It’s virtual, so you can do it from the comfort of your home/office (which is always good in the winter). And it’s free (you can’t beat that)! Should be an interesting discussion.

Share This:
  • Twitter
  • Digg
  • Facebook
  • LinkedIn
  • StumbleUpon
  • Google Bookmarks
  • Identi.ca
  • del.icio.us
  • Reddit
  • Technorati
  • NewsVine
  • Slashdot
  • Suggest to Techmeme via Twitter
  • E-mail this story to a friend!

Posted in: Insight IdM.
Tagged: · · · · · ·

Can OAuth do what SPML hasn’t?

Nov 24th, 2009
by Nishant Kaushik.
Comments

I spent an interesting week at HQ last week, trying to deal with some of the craziness that occurs every time a major release is on its way. But far more interesting were all the identity management conversations I engaged in during the course of the week – in hallways, over meals and especially over drinks. Suffice to say that it was a very thought provoking week. I wanted to use this forum to expand on a conversation that started in one venue, and then spilled over into the Twitterverse.

One of the topics that has been fodder for some animated discussion has been the topic of federated provisioning. As the cloud has brought federated authentication back into focus, it has also shone a light on the need for federated provisioning to power cloud identity. After a very interesting discussion that I had with some folks who are looking at identity in the cloud, I posed the following question on Twitter:

Had an interesting discussion this morning on how OAuth could be to federated provisioning what OpenID is to federated SSO. Any takers?

The Thesis

Federated provisioning is about creating an account with appropriate privileges in underlying systems on the Relying Party side when triggered by an authentication event (user comes to the RP service from the Identity Provider, or IdP, side). Further, the authentication token being presented to the RP does not contain sufficient claims (attributes, etc) for the systems on the RP side to create the necessary account (there are other scenarios, of course, but this is the common one I am trying to address). Consequently, we have a need for the RP to get provisioned with data from the IdP side.

Now in my post “The Thing About Federated Provisioning“, I pointed out that there are challenges in doing all of this just-in-time. Enterprises often resort to out-of-band pre-provisioning of accounts across the domain boundaries, which is where SPML proves to be adequate. But the demand for JIT mechanisms still exists. The cloud exacerbates this problem greatly, because pre-provisioning is pretty much impossible when you move up to the scale and loose coupling of the cloud. And the nature of SPML requires that extensive integration be done before the connection between the RP and the IdP can go live.

And this is where I believe OAuth could play a role. OpenID is already viewed as a lightweight solution for enabling federated authentication, with attribute exchange supporting the simpler data transport scenarios. We could now augment this flow by adding an OAuth-based data provisioning mechanism that allows a Provisioning Service on the RP side to connect back to a Provisioning Service on the IdP side and retrieve the data it needs to create the underlying accounts. Being based on OAuth, this would require far less integration than the SPML based approach would.

Mapping the concepts, the RPs Provisioning Service becomes the OAuth Consumer, while the IdPs Provisioning Service becomes the OAuth Service Provider. The interactions are outlined in the diagram below (greatly simplified for the purposes of this discussion).

OAuth for Fed-Prov

The Challenge

But when you look at the actors involved in OAuth, you run into one problem – OAuth was defined with users in mind, not enterprises. So you find the User as part of the protocol, but nothing that would allow the Enterprise to have a say in the exchange. And this raises an interesting challenge.

Just like there are security issues to resolve in the OpenID protocol for it to satisfy enterprise requirements, there are policy challenges that would need to be resolved in the OAuth exchange as well. Connecting the services only requires that the user in the flow provide their assent, but if OAuth were to step in as a federated provisioning protocol, it would require some way for the enterprise to inject (fine-grained) business policy into the exchange. And what if approval workflow needs to enter the picture?

One thought would be to introduce an IGF style declarative policy mechanism that would allow the services on each side of the exchange to declare intent and policy, thereby allowing some automated decision making that ensures that security and business policies are honored by the exchange. Because when you are talking about fed-prov, a one-size-fits-all construct will be a non-starter.

My posting on twitter did generate some good feedback from folks like Eve Maler and Ashish Jain. I am interested to get people’s thoughts on the viability of this idea, and whether you think adding OAuth to provisioning systems would be part of the move to enabling enterprise identity management systems for the cloud.

Share This:
  • Twitter
  • Digg
  • Facebook
  • LinkedIn
  • StumbleUpon
  • Google Bookmarks
  • Identi.ca
  • del.icio.us
  • Reddit
  • Technorati
  • NewsVine
  • Slashdot
  • Suggest to Techmeme via Twitter
  • E-mail this story to a friend!

Posted in: Insight IdM, The Cloud Identity Series.
Tagged: · · · ·

Executive IdM Session at OpenWorld: It’s All About Managing Risk

Oct 29th, 2009
by Nishant Kaushik.
Comments

One of the things I did at OpenWorld this year was attend an Executive IdM Session that brought together folks from the IdM team and some of our best customers to share information and talk about the future direction of identity management at Oracle. It was an interesting gathering with lots of good discussion that resulted in the session running well over its allotted time of 3 hours. As you can see from the picture below, it was a full room (what you don’t see is those of us who had to stand in the peanut gallery at the back of the room).

The session had a nice flow to it, starting with a vendor presentation (Oracle, of course), followed by an analyst presentation (Bob Blakley and Lori Rowland from the Burton Group) and concluding with a customer presentation (our old friend Ramin Safai from Barclays Capital). Getting to discuss identity management from all points of view was quite a valuable exercise, and I gleaned lots of useful nuggets.

Security Inside Out

Security Inside OutAmit Jasuja (who heads up the Identity Management team at Oracle) kicked off the day by talking about “Security Inside Out“, Oracle’s new message on putting together a complete security practice by bringing together Database Security, Identity Management and Information Rights Management. Weaving all of these elements together allows an enterprise to get a complete handle on the nature of their security risk across all tiers – database, middleware and application – and in all contexts – data at rest or in motion, internal users vs. external users, and so on. This led to a lot of discussion on moving towards risk-based identity management, which can be more adaptive to an enterprise’s needs and allow identity management to be a business enabler, not a hindrance.

breakglassOne of the concepts I particularly liked was using identity management to enable “Break The Glass” scenarios that allow for contextual security decisions. In such a scenario, a user who ordinarily does not have access is allowed to get access but with added controls (like heightened audit, approval and attestation) to address the unique, emergency-like situation that presents itself. Being able to adapt to sensitive contextual situations without sacrificing on security and compliance is a powerful message that resonates in the enterprise world. Another topic that proved fertile for conversation was for risk-based IdM to leverage One-Time Passwords delivered via SMS or over land-line phones in order to implement higher levels of identity assurance (LOA). As two-factor authentication goes, enterprises increasingly view this as an attractive way to increase levels of assurance without having to invest in tokens and biometrics.

Complete Security

The Burton Group team talked about the state of identity management in the market today, especially emerging trends and hot-button topics. Lori validated my observation that cloud computing is going to have a huge impact on the future of identity management, and gave a nice shout out to my OpenWorld session on the topic. One of the interesting takeaways from their talk was this point that Bob made about achieving complete security: An enterprise needs to have preventive controls that allow business to be conducted as usual but flush the bad guys into the open, where detective controls can identify them and their activities, which would then allow responsive controls (aka the cops) to take action.

Down In The Trenches

Ramin then gave a customers perspective on implementing identity management – from “down in the trenches”, as he called it. There were a lot of good lessons in his talk – about scoping the project correctly and dividing it into small, achievable mini projects that demonstrate ROI, about the processes and architecture they put in place to ensure success of the project, and some of the achievements they had with their IdM implementation, especially when Barclays acquired Lehman Brothers. One of the major points made in the room during discussion was that security within the enterprise needs to be driven top down by an “Executive Governance Board” in order to achieve  consistency and completeness. It cannot be done piecemeal at the IT level.

I love taking part in sessions like these, as it is great to be able to hear so many different perspectives. And thanks to Greg Belanger from the Apollo Group for giving me a shout out during the analyst discussion on Oracle’s differentiators in the identity management area. The point he was making about Oracle demonstrating vision in IdM is an important one that we are very serious about here, and I am glad to be a small part of that.

Share This:
  • Twitter
  • Digg
  • Facebook
  • LinkedIn
  • StumbleUpon
  • Google Bookmarks
  • Identi.ca
  • del.icio.us
  • Reddit
  • Technorati
  • NewsVine
  • Slashdot
  • Suggest to Techmeme via Twitter
  • E-mail this story to a friend!

Posted in: Insight IdM, Oracle Identity Management.
Tagged: · · · ·

Screencast of my OpenWorld Session on “IdM and the Cloud”

Oct 16th, 2009
by Nishant Kaushik.
Comments

On Monday, I presented at Oracle OpenWorld on the topic of “Identity Management and the Cloud: Stormy Days Ahead?“. The title proved to be a little too prescient, because the weather in San Francisco was pretty nasty. And as you can imagine, the number of jokes made about this became all to predictable.

Unfortunate coincidences on the title aside, the overall response to my session was quite positive, especially from folks whose opinions I really respect like Bob Blakley and Lori Rowland from the Burton Group. There was general agreement that widespread adoption of Cloud Computing is going to be a major disruption on the existing evolutionary path that Identity Management has been following. And adoption of the Identity Services model is a major component to readying IdM for the Cloud.

Check out the screencast (slides with audio of the session) of my session below. Registered attendees of OpenWorld can download the presentation itself and the MP3 audio recording of the session from OpenWorld On-Demand (just login with the Username and Password you created during your OOW registration).

IdM And The Cloud: Stormy Days Ahead?

The audio includes the questions that were asked of me, and turns out that the questions didn’t record well and I forgot to repeat them. Hopefully my answers are cogent enough that you get an idea of what questions were asked. I did want to follow up here on this blog post a few of those answers:

  • A question came up regarding the licensing terms for Oracle IdM products when they are being used in a cloud environment (specifically, by organizations that are going to be Cloud Providers of Identity Services). The biggest challenge for such organizations is that they cannot accurately estimate the number of users, or other such variables licensing is typically based on, beforehand, which creates uncertainty for them as to the cost they will have to bear. After the session, I confirmed with our PM team that there is special licensing available for ISVs. Talk to your Oracle sales rep about this if interested.
  • Another question came up regarding the impact of all this on standards like SPML. I believe my answer covered my opinion on the greater emphasis the cloud identity model will put on the evolution of these standards, especially SPML, which has been languishing. Follow up conversations with some of the original architects of the SPML standard and others involved in standards efforts brought up that the communities responsible for these standards are looking at this very hard and are gearing up efforts to address this. So stay tuned for more on that.
  • A question was asked regarding Just-In-Time Deprovisioning of access to cloud-based assets. This is something I discussed quite a bit in a blog conversation with folks like Ian Glazer and Pam Dingle a while back. So check out that post and the related thread.
Share This:
  • Twitter
  • Digg
  • Facebook
  • LinkedIn
  • StumbleUpon
  • Google Bookmarks
  • Identi.ca
  • del.icio.us
  • Reddit
  • Technorati
  • NewsVine
  • Slashdot
  • Suggest to Techmeme via Twitter
  • E-mail this story to a friend!

Posted in: Identity Services.
Tagged: · · · · ·

I’ll be talking at OpenWorld on IdM and the Cloud

Oct 1st, 2009
by Nishant Kaushik.
Comments

As I mentioned at the end of my last post, I’ll be speaking at Oracle OpenWorld on the topic “Identity Management and the Cloud: Stormy Days Ahead?“.This year, I got a slot that is at a far more reasonable hour. In fact, it is after the morning keynotes on Monday, and before the general sessions with our SVPs, so I feel a little bit like a warm up act. Here are the details:

  • Session ID: S309525
  • Location: Moscone South Room 308
  • Date and Time: 10/12/2009 | 11:30am-12:30pm

Below is the abstract for the session, in which I plan on expanding a great deal on the presentation I did in the webinar with KuppingerCole:

Cloud computing is about to revolutionize enterprise IT and architecture. But leading industry analysts see security as a gating factor preventing enterprise adoption of cloud solutions, as enterprises grapple with the unique characteristics of cloud security and the challenges of compliance and governance. This session outlines key identity management considerations for evaluating a move to the cloud. It discusses how enterprises can leverage their existing identity and access management infrastructure and the principles of service-oriented security and standards-based interactions to secure their assets in the cloud. It also looks at the prospects for identity management as a service and how it will affect cloud computing’s future.

As I prepare for my talk, I found myself revisiting some of the previous talks I gave at OpenWorld the last few years. It was very interesting to see how my vision for Identity Services has evolved over that time. I found it a most amusing exercise, so I thought I would extend the courtesy to my readers. To that end, I have uploaded my previous OpenWorld presentations to my Slideshare page (you can also get to them from the links on my Speaking page). I can’t believe I thought the Love Guru angle was a good one to take for a tech talk :-)

If you are going to be attending OpenWorld, you can pre-register for my session using the Schedule Builder tool for OpenWorld attendees. And as always, ping me on email/LinkedIn/Twitter if you want to meet up that week. Look forward to seeing you there.

Share This:
  • Twitter
  • Digg
  • Facebook
  • LinkedIn
  • StumbleUpon
  • Google Bookmarks
  • Identi.ca
  • del.icio.us
  • Reddit
  • Technorati
  • NewsVine
  • Slashdot
  • Suggest to Techmeme via Twitter
  • E-mail this story to a friend!

Posted in: Identity Services, Insight IdM.
Tagged: · · ·

Identity Services & the Cloud [Podcast now available]

Sep 22nd, 2009
by Nishant Kaushik.
Comments

My webinar with KuppingerCole on the topic “Identity Services and the Cloud: What Every Enterprise Should Know” went pretty well yesterday. KuppingerCole has made the recording available for viewing, which you can download here (you have to register for a free account; trust me, its worth it). Or you can just check out the deck I presented.

It started off with Martin Kuppinger talking about his views on cloud computing and identity management. I then spoke for about half an hour on how I think cloud computing will disrupt traditional enterprise identity management – but in a good way.

Enterprise IdM, Interrupted

Enterprise IdM, Interrupted

More than anything else, cloud computing is going to accelerate the evolution of identity management to a services-based model. I have, of course, been talking about identity services on this blog and at OpenWorld and other forums for quite a while now. But the need for good security and controls in the completely elastic, plug-and-play world of the cloud mandates that identity be externalized into an infrastructure layer.

I wish we had left more time for questions during the webinar, because I would have loved to hear from folks about their thoughts on the topic. Hopefully there will be a chance for discussion when I speak on this at Oracle OpenWorld (session details below). In the meantime, check out the webinar recording or my deck. And as always, I encourage you to leave me some comments.

Identity Management and the Cloud: Stormy Days Ahead?

Session ID: S309525 | Moscone South Room 308

10/12/2009 | 11:30am-12:30pm

Share This:
  • Twitter
  • Digg
  • Facebook
  • LinkedIn
  • StumbleUpon
  • Google Bookmarks
  • Identi.ca
  • del.icio.us
  • Reddit
  • Technorati
  • NewsVine
  • Slashdot
  • Suggest to Techmeme via Twitter
  • E-mail this story to a friend!

Posted in: Identity Services.
Tagged: ·

Webinar – Identity Services and the Cloud

Sep 21st, 2009
by Nishant Kaushik.
Comments

I’m doing a webinar with KuppingerCole on the topic of “Identity Services and the Cloud: What Every Enterprise Needs To Know” today at 11 am EST. Cloud security is widely viewed as the number one roadblock for enterprise adoption. At the same time, many are jumping into cloud computing without fully understanding what they are getting into. Without paying attention to the security and governance implications, any cost savings realized from moving to the cloud will actually evaporate when an enterprise either tries to retrofit their existing business policies and controls into the cloud environment, or when they have to deal with the fallout from a breach or issue. Identity Services is a critical piece in making cloud computing enterprise ready.

The webinar is today, Monday Sep 21st, 11 am EST (yeah, I know, short notice. But hey, if you were following me on Twitter…). You can register for the webinar (it’s free!) here.

And if you miss it, it will be available as a podcast later.

Share This:
  • Twitter
  • Digg
  • Facebook
  • LinkedIn
  • StumbleUpon
  • Google Bookmarks
  • Identi.ca
  • del.icio.us
  • Reddit
  • Technorati
  • NewsVine
  • Slashdot
  • Suggest to Techmeme via Twitter
  • E-mail this story to a friend!

Posted in: Ask Dr. K.
Tagged: ·

IdM and the Cloud: A Chance To Do Things Right

Sep 14th, 2009
by Nishant Kaushik.
Comments

Over 2 months ago (wow, time really flies when you are trying to keep up with the Twitter firehose), I wrote an introductory post to a topic that I am beginning to examine in some detail – the impact Cloud Computing will have on Identity Management. Back in May, I tweeted that I believe cloud computing will change how enterprises approach identity management in much the same way that compliance did a few years ago. And last month at Burtons Catalyst conference, we saw a lot of evidence of that, most notably at the cloud computing single sign-on interop. In fact, I will be doing a webinar with Martin Kuppinger (Kuppinger Cole) on the topic of Identity Services and the Cloud next week on the 21st of September (free registration), and speaking about it at Oracle OpenWorld as well.

The Cloud Hanging Over Us

At Catalyst, Dan Blum stated that cloud computing is not ready to be a serious player in the enterprise when it comes to applications that handle sensitive data (some would argue that covers most enterprise apps). This reflects the biggest obstacle facing cloud computing acceptance – Trust. Enterprises need to be able to rely on cloud providers (read: have SLAs) for availability, security, performance, governance and privacy. But how can they do that when there are so many unanswered questions (as I pointed out in my previous post) and a lack of transparency on the part of the cloud providers? How can an Enterprise feel comfortable when Google says “The service is neither designed nor intended for high risk activities” or Amazons contract states “We are not responsible for any unauthorized access to, alteration of, or the deletion, destruction, damage, loss or failure to store any of, Your Content (as defined in Section 10.2), your Applications, or other data…

Looking at the Silver Lining

When people talk about the business drivers for cloud computing, it is often summed up as the following list: Cost, Flexibility, Simplicity, Availability. But why not Security? Cloud architecture actually lends itself to a far more robust and reliable security architecture than anything that has come before. Everything can be built right into the platform and the applications, and the need for vendors to support multiple customers in a dynamic environment means that all of it has to be standardized and easy to put up/take down.

So what are the major identity management pieces in this puzzle?

  • Federated Authentication that spans the enterprise environment and the cloud environment
    • Alternatively (or additionally), consider supporting User-Centric Identity
  • Strong User and Access Lifecycle Management (Provisioning/De-Provisioning Capabilities)
  • A Claims-Based Authorization model, coupled with strong XACML-based Entitlement Management
  • Enterprise Identity Providers protected by IGF-style policy controls
  • DLP (Data Leakage Protection) tools that protect sensitive data moved to the cloud
  • A standardized Audit Framework for creating, managing and analyzing audit trails across cloud services

In my follow-up posts (and in the talks I am giving), I will look at each of these in more detail. In the meantime, register for the KuppingerCole webinar I’ll be doing and lets exchange some thoughts.

Share This:
  • Twitter
  • Digg
  • Facebook
  • LinkedIn
  • StumbleUpon
  • Google Bookmarks
  • Identi.ca
  • del.icio.us
  • Reddit
  • Technorati
  • NewsVine
  • Slashdot
  • Suggest to Techmeme via Twitter
  • E-mail this story to a friend!

Posted in: Insight IdM.
Tagged: · · ·

← Earlier Posts
Follow me on Twitter Connect on LinkedIn Favorite this blog on Technorati Profile of Nishant Kaushik, architect of Identity Management