<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Talking Identity &#124; Nishant Kaushik&#039;s Look at the World of Identity Management &#187; SaaS</title>
	<atom:link href="http://blog.talkingidentity.com/tag/saas/feed" rel="self" type="application/rss+xml" />
	<link>http://blog.talkingidentity.com</link>
	<description>An Architect&#039;s Quest to make sense of the world of Identity and Access Management</description>
	<lastBuildDate>Thu, 22 Dec 2011 21:56:25 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>The Identity Glue for the Cloud Gets A Heavyweight</title>
		<link>http://blog.talkingidentity.com/2011/05/the-identity-glue-for-the-cloud-gets-a-heavyweight.html</link>
		<comments>http://blog.talkingidentity.com/2011/05/the-identity-glue-for-the-cloud-gets-a-heavyweight.html#comments</comments>
		<pubDate>Tue, 17 May 2011 22:10:35 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[The Cloud Identity Series]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Enterprise Identity]]></category>
		<category><![CDATA[Gluecon]]></category>
		<category><![CDATA[Horizon App Manager]]></category>
		<category><![CDATA[Identity Hub]]></category>
		<category><![CDATA[Identity Services]]></category>
		<category><![CDATA[SaaS]]></category>
		<category><![CDATA[SSO]]></category>
		<category><![CDATA[TriCipher]]></category>
		<category><![CDATA[VMWare]]></category>

		<guid isPermaLink="false">http://blog.talkingidentity.com/?p=1182</guid>
		<description><![CDATA[Something big happened in identity today, but it may not have registered on the seismic scale because of the company involved. VMWare announced the launch of the Horizon App Manager, an identity and access control platform for enterprises that want to securely adopt SaaS applications. An outgrowth of the TriCipher purchase last year, Horizon App [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-1184" title="identity_glue_bottle" src="http://blog.talkingidentity.com/wp-content/uploads/2011/05/identity_glue_bottle-141x300.jpg" alt="identity_glue_bottle" width="141" height="300" />Something big happened in identity today, but it may not have registered on the seismic scale because of the company involved. VMWare announced the launch of the <a href="http://bit.ly/k8W7uJ" target="_blank"><strong>Horizon App Manager</strong></a>, an identity and access control platform for enterprises that want to securely adopt SaaS applications. An outgrowth of <a href="http://bit.ly/jw837W" target="_blank">the TriCipher purchase </a>last year, <strong>Horizon App Manager</strong> is squarely aimed at enterprises that want to let their users securely use cloud applications on any device.</p>
<p>For a while now, <a href="http://bit.ly/ba7PRo" target="_blank">I (and others) have talked about how</a> Identity is the glue that will tie together the fabric of an increasingly commercialized (read: cloud-ified) IT environment. The offering of features like SSO from inside the corporate environment, an identity hub, lifecycle management of accounts and activity monitoring for compliance and audit purposes is about the potent combination of security, user empowerment, agility and meeting business mandates. A gateway sitting between internal identity management systems and the cloud can provide a powerful command and control center for Corporate IT to manage the application sprawl that they feel is descending on them, while still allowing the enterprise to empower their users with the apps and tools they want.</p>
<p>And if <strong>VMWare Horizon App Manager</strong> can become the identity platform for the enterprise&#8217;s cloud-based infrastructure, then this will also make VMWare&#8217;s <a href="http://bit.ly/mdLkGu" target="_blank">virtualization technology</a> more easily adoptable (read: attractive) to  enterprises as well.</p>
<p>There were already a few players in this space, notably <a href="http://www.pingidentity.com/our-solutions/pingconnect.cfm" target="_blank">Ping Identity</a> and <a href="http://www.okta.com/" target="_blank">Okta</a>. Now, as Robert Scoble <a href="http://scoble.it/mMoPCB" target="_blank">pointed out</a>, a heavyweight has joined the fight for the hearts and minds of the next generation of Corporate IT. With <strong>Google </strong>starting to make some moves in this space that are squarely aimed at advancing their mindshare beyond the startups to enterprise level customers, this is going to get <em>really</em> interesting.</p>
<p>Speaking of glue, I&#8217;m going to be at <a href="http://gluecon.com/2011/" target="_blank">Gluecon</a> next week. It will be interesting to see how much identity plays a role in the discussion of what&#8217;s tying together services in the cloud. At least I hope it will be more than just <a href="https://twitter.com/paulmadsen" target="_blank">Paul Madsen</a> pontificating about OAuth. I&#8217;ll be there <a href="http://bit.ly/k8zrUc" target="_blank">to represent the identirati</a>, but most importantly to learn. Hope to see you there too.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2011/05/the-identity-glue-for-the-cloud-gets-a-heavyweight.html/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Identity Services should be like Vitamins, not Crack</title>
		<link>http://blog.talkingidentity.com/2010/08/identity-services-should-be-like-vitamins-not-crack.html</link>
		<comments>http://blog.talkingidentity.com/2010/08/identity-services-should-be-like-vitamins-not-crack.html#comments</comments>
		<pubDate>Thu, 12 Aug 2010 20:45:31 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Identity Services]]></category>
		<category><![CDATA[Cloud Identity Model]]></category>
		<category><![CDATA[SaaS]]></category>
		<category><![CDATA[Service-Oriented Security]]></category>

		<guid isPermaLink="false">http://blog.talkingidentity.com/?p=1003</guid>
		<description><![CDATA[OK, so it&#8217;s a ridiculous title. But hear me out. Matt Flynn brought to my attention an article in which Dale Olds talks about the need for hosters (companies that provide the platform on which you deploy your Cloud/SaaS applications) to provide identity services (and as Matt points out, security services in general) as part [...]]]></description>
			<content:encoded><![CDATA[<p>OK, so it&#8217;s a ridiculous title. But hear me out.</p>
<p>Matt Flynn <a href="http://bit.ly/ab7V0e" target="_blank">brought to my attention</a> an <a href="http://bit.ly/bnVj4C" target="_blank">article in which Dale Olds talks</a> about the need for hosters (companies that provide the platform on which you deploy your Cloud/SaaS applications) to provide identity services (and as Matt points out, security services in general) as part of their offering.</p>
<p><em>&lt;Side Note&gt;No, I do not have a vendetta against Novell, though these last few blog posts may make it feel that way. I actually really like the Novell gang &#8211; Dale, Ben and Nick Nichols among others &#8211; and for the most part completely agree with their views on identity.&lt;/Side Note&gt;</em></p>
<p>Now, I am with Dale for the first half of the article. Developers of these cloud applications just want to focus on the business logic that is at the core of their service, and not have to worry about the plumbing items, which would include identity management. These are fundamental <strong>service-oriented security</strong> principles at play, and the survey Dale mentions reflects this (I would argue that even the one-third of SaaS vendors that said they want to handle identity themselves are either saying so because they don&#8217;t know what&#8217;s involved or are just not happy with what they are getting from the platform and embeddable components). A good set of identity services goes a long way in making applications agile and more acceptable/appealing to customers.</p>
<p>But then the article talks about hosters using identity services as a way to make their platform sticky, because if the platform owns the user accounts for the service, then the service will be hooked. I actually envision the opposite of that when I think of identity services in the platform &#8211; identity services making it possible for the SaaS vendor to switch between platforms easily. What is being described sounds like an Identity Provider, which is a business service, not a platform service.</p>
<p>What the platform should provide, and what most enterprise customers would want, is an <a href="http://bit.ly/cpDs9R">Identity Hub</a> service, as opposed to an Identity Store service. This allows the customer of the SaaS application to plug it into their enterprise identity store (usually a corporate LDAP system, but it could also be their Salesforce user store) and also accept incoming identities over the wire, while still freeing the SaaS vendor from having to manage identities. In this model, the stickiness for the hoster comes not from owning the user accounts, but from the QoS of the identity services they are providing to their customers (the SaaS vendors and their delegated customers). It also doesn&#8217;t force a SaaS vendor to be married to one platform.</p>
<p>Now, I am going to be a little presumptuous here. Having spent some time with Dale, and knowing his past work, I think that he believes in the view I am taking as well. The article seems to be discussing the topic of identity services from a particular angle, which is that there is currently a market opportunity for hosters to leverage the lack of good (non-enterprise) Identity Providers to make their platforms more sticky. It is absolutely true that platforms can (and are actively seeking to) make themselves sticky by owning the accounts; Dale points out that this is exactly what Google did by leveraging GMail as the gateway drug (see, I told you the metaphor works). But as Google seeks to penetrate the enterprise market deeper, even they are recognizing the need to support federated identities as a necessary step for viability. (<strong>UPDATE</strong>: An <a href="http://bit.ly/cXkSmU" target="_blank">old blog post</a> of Dale&#8217;s actually clarifies this, and in essence agrees with the viewpoint I am stating here &#8211; exactly as I thought he would :-) )</p>
<p>Bob Blakley has long mused about what business models would make Identity Oracles viable. And the simple truth is that platform players like Google or Force.com <em>that can leverage an identity-rich business service that they also have</em> are ideally suited to be trusted Identity Providers. But while a big platform player can certainly be a good Identity Provider, not all hosters should need to be Identity Providers to be successful. Instead, standards-based identity services would be a great asset for hosters that want to be sticky (by being the best platform to deploy on) without having to take on the onerous task of being an Identity Provider (which has its own challenges) or passing on those responsibilities to their customers (which is what mostly happens today). And it would be an asset for SaaS vendors that want to have the freedom of choice that we all crave, and that want to be able to work with their customers&#8217; identity infrastructure. As Dale says in the article:</p>
<blockquote><p>You see, people can move an application from one host to another without  much trouble.</p></blockquote>
<p>Now, isn&#8217;t that a good thing, and something that we should be aiming for?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2010/08/identity-services-should-be-like-vitamins-not-crack.html/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Identity Management and Cloud Computing: This Ain&#8217;t No Shotgun Wedding</title>
		<link>http://blog.talkingidentity.com/2009/07/identity-management-and-cloud-computing-this-aint-no-shotgun-wedding.html</link>
		<comments>http://blog.talkingidentity.com/2009/07/identity-management-and-cloud-computing-this-aint-no-shotgun-wedding.html#comments</comments>
		<pubDate>Thu, 09 Jul 2009 19:48:49 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Identity Services]]></category>
		<category><![CDATA[Insight IdM]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[IaaS]]></category>
		<category><![CDATA[Oracle_IDM]]></category>
		<category><![CDATA[PaaS]]></category>
		<category><![CDATA[SaaS]]></category>

		<guid isPermaLink="false">http://blog.talkingidentity.com/?p=534</guid>
		<description><![CDATA[This is the introductory post in a series I hope to write regarding Identity Management and Cloud Computing, leading up to a talk I will be giving at Oracle OpenWorld on the topic (details to come). But before we dive into the topic, I do need to lay some groundwork around some relevant concepts. What [...]]]></description>
			<content:encoded><![CDATA[<p>This is the introductory post in a series I hope to write regarding <strong>Identity Management and Cloud Computing</strong>, leading up to a talk I will be giving at Oracle OpenWorld on the topic (details to come). But before we dive into the topic, I do need to lay some groundwork around some relevant concepts.</p>
<h3>What Is Cloud Computing?</h3>
<p>You&#8217;d think this would be easy, given how much everyone is talking about it. But a search on Google will show you that there is actually <a href="http://news.cnet.com/8301-13953_3-9938949-80.html" target="_blank">a lot of debate on what the term stands for</a>. Cloud Computing is a fairly elastic term that has been shape-shifting over time to encompass more and more disciplines in the area of IT operations. For a detailed explanation, I would suggest checking out <a href="http://www.burtongroup.com/Guest/Pdf/CloudOverview.pdf" target="_blank">this (free) research paper</a> by the Burton Group. For the purpose of my discussion, I am going with the <a href="http://en.wikipedia.org/wiki/Cloud_computing" target="_blank">basic view</a> that Cloud Computing encompasses all those *aaS concepts we have been hearing about for years now that allow every single layer in the architecture of an application (including hardware) to be utilized as a service over the internet:</p>
<ul>
<li><strong>SaaS (Software as a Service):</strong> through which application services are offered (examples abound like Gmail, Salesforce.com, Zoho)</li>
<li><strong>PaaS (Platform as a Service): </strong>through which application platform/middleware services are offered (like the Google App Engine)</li>
<li><strong>IaaS (Infrastructure as a Service): </strong>through which underlying computing resources like processing, storage and networking are offered (think Amazon’s EC2)</li>
</ul>
<p><a href="http://www.echannelline.com/usa/story.cfm?item=24691" target="_blank">Gartner has said</a> that there are 5 basic attributes of a cloud computing model:</p>
<ul>
<li>It is service-based</li>
<li>It is scalable and elastic</li>
<li>It shares a pool of resources</li>
<li>It is metered by use (aka pay-as-you-go)</li>
<li>It uses internet technologies</li>
</ul>
<h3>Different Types of Clouds</h3>
<p>There has also been some <a href="http://datacenterdialog.blogspot.com/2009/01/are-internal-clouds-bogus.html" target="_blank">controversy around the concept of private clouds</a>, with different folks defining it differently, or even positing that there is no such thing. I think <a href="http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=216500083" target="_blank">Private Clouds</a> are real and different from traditional data centers, and essentially refer to cloud computing environments dedicated to a single tenant (thereby not adhering to the sharing attribute). The waters get muddied even further when you bring up the concept of <a href="http://en.wikipedia.org/wiki/Cloud_computing#Hybrid_cloud" target="_blank">Hybrid Clouds</a>. We&#8217;ll see how this is relevant later.</p>
<h3>What Does This All Mean For Identity?</h3>
<p>When we start to think about applications being delivered over the cloud, or enterprises relying on a cloud computing model instead of a data center model, we start to see certain implications for the identity architecture within.</p>
<ul>
<li> What is the identity model for these services? Can it co-exist with the enterprise&#8217;s existing identity model?</li>
<li> Fundamentally, how will the users of these cloud services authenticate? And how will their access rights be managed and enforced?</li>
<li> Will the cloud services have access to the enterprise identity stores (that are likely not in the cloud)? Is there an integration approach? Is there a replication strategy?</li>
<li> What security controls exist around the identity data gathered, stored or used by these cloud services? Will they be in compliance with applicable regulations (like jurisdictional regulations on geographic location of data, PCI DSS) and an enterprise&#8217;s internal controls?</li>
<li> Who (from the service provider side) will have access to the data? How will that be managed?</li>
<li> How will the enterprise&#8217;s data be effectively segregated in a shared environment?</li>
<li> What audit controls exist to allow investigation and discovery?</li>
</ul>
<p>Generally speaking, the reason companies are considering cloud computing is to avoid the expense involved in building or acquiring the infrastructure, and to some extent managing it. However, without paying attention to the security and governance implications, those cost savings will actually evaporate when they either try to retrofit their existing business policies and controls into the cloud environment, or when they have to deal with the fallout from a breach or issue. I think we&#8217;ve all seen this particular movie before, so the question is whether we are paying attention to the lessons learnt. Let&#8217;s talk about this, and examine how externalizing identity is crucial to making cloud computing viable.</p>
<p><a href="http://geekandpoke.typepad.com/geekandpoke/2009/03/let-the-clouds-make-your-life-easier.html"><img class="alignnone size-full wp-image-553" title="Let the Cloud Make Life Easier" src="http://blog.talkingidentity.com/wp-content/uploads/2009/07/6a00d8341d3df553ef01156f3f1664970b-800wi.jpg" alt="Let the Cloud Make Life Easier" width="500" height="403" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2009/07/identity-management-and-cloud-computing-this-aint-no-shotgun-wedding.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

