CSA calls the need for a robust and standardized federated-identity management structure, and services to take advantage of it "the key critical success factor to managing identities at cloud providers."
"The current state of granular application authorization on the part of cloud providers is non-existent or proprietary," the CSA goes on to say. CSA also recommends that:
o End users should require that cloud providers use stronger authentication between themselves and their customers than the providers use internally;
o End users should consider using third-party single-sign-on services to authenticate to the cloud;
o End users should realize that the third parties to which they outsource some part of their identity management will become critical-infrastructure providers, not just a convenient way to link to cloud services by federating identity and authentication mechanisms.
Today's Problem: Lots of List Maintenance Needed
Most cloud or SaaS services either use proprietary identity mechanisms or require customers to make every change twice: once on the internal access list and again on the cloud service's own user list, each time an employee is hired, fired, or has permissions changed.
"There's a lot of effort involved in that if you're talking a couple of thousand users," Mogull says. "It's really easy to screw it up, and if it's not a standard way of doing it, there's no guarantee whatever you're doing will be compatible with what you'll do to manage identities in the future."
Forgetting to delete an e-mail account or revoke access to a particular application inevitably creates security and configuration headaches: an account nobody removed is still a working login for someone who should no longer have one. Because cloud providers usually charge per user, an uncancelled account also keeps costs higher than they should be, for no benefit.
"If I were going to move something into the cloud, I would prefer to have a service I can sign on to that would synchronize all that identity data securely, consistently and non-manually. Otherwise, whether there are standards in place or not, you're going to be managing the software yourself," Mogull says. "Federated identity is the kind of thing end users should not be programming when they can avoid it."
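The drift between the two lists is easy to detect once both can be exported. The following is an added example, not code from the article or from Novell, CA or any other vendor: it reconciles a constructed internal-directory export against a constructed SaaS user list, flags accounts the provider still has for people the directory says are gone or unknown, reports role drift, and lists active users who were never provisioned. The role mapping, e-mail addresses and per-seat price are all assumptions made for the example.

```python
"""Reconcile an internal directory export against a SaaS provider's user list.

Added example; not code from the article or from any vendor's product.
Both inputs below are constructed samples: the internal directory is what
HR or the corporate directory says is true, the SaaS list is what the
provider's admin console or API reports. Without federation or automated
provisioning these two lists drift apart, and the drift has a security cost
(orphaned accounts that still authenticate) and a money cost (seats billed
for people who have left).
"""
from dataclasses import dataclass

# Constructed sample: internal directory export.
INTERNAL_DIRECTORY = {
    "alice@example.com": {"active": True,  "role": "finance-admin"},
    "bob@example.com":   {"active": True,  "role": "sales"},
    "carol@example.com": {"active": False, "role": "sales"},        # terminated
    "dave@example.com":  {"active": True,  "role": "engineering"},  # hired, not yet provisioned
}

# Constructed sample: the SaaS provider's user list.
SAAS_USERS = {
    "alice@example.com": {"role": "billing-admin"},
    "bob@example.com":   {"role": "sales-admin"},   # elevated in the SaaS console, not internally
    "carol@example.com": {"role": "sales"},         # never removed after termination
    "erin@example.com":  {"role": "sales"},         # no internal record at all
}

# Hypothetical mapping from internal roles to the provider's role names;
# every provider uses its own vocabulary, so this is an assumption.
ROLE_MAP = {"finance-admin": "billing-admin", "sales": "sales", "engineering": "developer"}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    severity: str
    user: str
    issue: str


def reconcile(internal, saas, role_map):
    """Return the differences between the two lists, most dangerous first.

    high:   account exists at the provider but should not (orphan)
    medium: account exists on both sides but the provider-side role differs
    low:    active internal user with no provider account yet
    """
    expected = {user: role_map[attrs["role"]]
                for user, attrs in internal.items() if attrs["active"]}
    findings = []
    for user, attrs in saas.items():
        if user not in expected:
            reason = "terminated internally" if user in internal else "no internal record"
            findings.append(Finding("high", user, f"orphaned SaaS account ({reason})"))
        elif attrs["role"] != expected[user]:
            findings.append(Finding(
                "medium", user,
                f"role drift: provider has {attrs['role']!r}, directory expects {expected[user]!r}"))
    for user in expected:
        if user not in saas:
            findings.append(Finding("low", user, "active internally but not provisioned at provider"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.user))


def orphaned_accounts(findings):
    """Accounts that should be disabled at the provider before anything else."""
    return [f.user for f in findings if f.severity == "high"]


def wasted_seat_cost(findings, price_per_seat):
    """Spend per billing period on seats nobody internal is entitled to."""
    return len(orphaned_accounts(findings)) * price_per_seat


if __name__ == "__main__":
    for f in reconcile(INTERNAL_DIRECTORY, SAAS_USERS, ROLE_MAP):
        print(f"{f.severity:6} {f.user:20} {f.issue}")
```

Run against the constructed data it reports carol and erin as orphans, bob's provider-side admin role as drift, and dave as unprovisioned. Two design choices matter in practice: orphans sort first because a working login for a departed user is the finding to act on before anything else, and the internal directory is treated as the source of truth, so a role granted only in the provider's console counts as drift rather than as policy.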
Novell's approach is to hide internal security applications behind proxies, using "identity connectors" to provide a secure data-transfer and authentication mechanism between internal networks and the cloud. On top of that it adds user-access controls, reports and event tracking to give customers a clearer view of, and better control over, who has access to what.
The service will be available in 2010.
Extending identity controls such as its directory and security services to the cloud is a logical step for Novell, which also has the ability to scale its service to support a cloud computing environment, according to Jeff Kaplan, managing director of the consultancy Think Strategies.
CA's Federation Manager supports SAML, WS-Federation and other specifications to provide secure identity and authentication control between organizations, whether cloud-based or not, the company says. The product is part of CA's Secure Web Business Enablement suite, which is already available. CA demonstrated federated-identity integrations with Salesforce.com, Google Apps, Cisco's WebEx and others at the Burton Group conference.