Managing identities in the cloud

Quocirca analyst Fran Howarth

For many years, the internet has been depicted in diagrams as a cloud, so it is hardly surprising that the term ‘cloud computing’ has been taken up to describe a computing paradigm in which software and services are accessed over a network. In contrast to traditional software distribution models, where applications are licensed per user and installed on end-user devices, users access applications on the internet when needed.

Cloud computing builds on earlier types of grid or on-demand computing, where applications and services are provided as a utility model, such as that used for electrical power. In such a model, users are charged for the actual usage of services. This model can offer advantages when compared to traditional licensing mechanisms and allows usage to be matched to actual demand. One of the prime advantages in today’s economy of using cloud computing services is that they allow organisations to turn capital expenses into operating expenses because they subscribe to a service, rather than having to make upfront investments in the technology used.

Cloud computing has been made possible through advances in processors, virtualisation technology, storage technology, fast, inexpensive servers and widespread, reliable broadband connectivity. Technology vendors offering cloud computing services are building massive datacentres, comprising in some cases hundreds of thousands of servers and processors to create immensely powerful, scalable systems.

The list of such vendors is large and growing, offering applications that range from salesforce automation and customer relationship management, to security solutions such as threat protection. Some of the best known include Amazon, Microsoft, Google and Salesforce.com.

However, there is an emerging security issue with such services since the vast majority - as many as 95 per cent of cloud computing sites, according to on-demand identity vendor Symplified - require just a user name and password for access to the services that they offer. This can throw up many problems for organisations since user name and password combinations can be easily compromised. For example, poster child Salesforce.com was forced to admit in November 2007 that it had been the victim of a pair of targeted malware attacks that installed password-stealing software on computers of more than 500 victims. Without the ability to control who is accessing data and what they are doing with it, organisations could well find that they are unable to comply with regulatory and governance requirements.

The software vendor CA, an organisation with a long experience of IT security, states that there are four essential elements of the infrastructure required for cloud computing: identity management, information governance and process management, performance and fault management, and customer experience management. The identity management component is required to address concerns regarding data leakage, compliance, governance, visibility and access control.

However, as many organisations have found, identity management can be a complex and costly process. To deal with this problem, vendors such as CryptoCard are offering managed identity and authentication services for cloud computing environments.

CryptoCard offers an automated, web-based self-service portal for users to sign in using two-factor authentication for higher levels of security. The service is used to authenticate users according to access controls as defined in existing organisational directories, managing all logins and controlling the authorisation process. This provides the organisation granting access with a centralised view of all access and authentication events, matching them with policies in order to ensure compliance across all users and applications connecting in the cloud.

This can also solve the problem of requiring users to remember multiple user name and password combinations for different services as the user can be required to authenticate just once to gain access to multiple resources residing in the cloud. Organisations can more securely offer such single sign-on capabilities since the use of strong authentication mechanisms tied to access control directories gives them greater confidence that the person is who they say that they are. In this way, the problem of federating identities across multiple resources may finally be solved - even resources that reside in other connected clouds offering other services.

As the use of cloud computing services continues to grow, more emphasis is likely to be placed on security - and providing secure access controls will be a key capability. But, one of the prime advantages of using cloud-based services is that they allow organisations to control costs. Such identity services as those described here can solve identity and access management needs for accessing cloud resources, securely and without costing the earth.