Expert comment: Cloud identity crisis


Whether you agree or not, Microsoft has earned its place as the enterprise identity standard. Beyond support for a range of standard protocols, Microsoft's product suite (Certificate Services, SCCM, Active Directory, Active Directory Federation Services, and the core Windows login itself) has long been the de facto enterprise identity stack.

That will change as companies move to the cloud. If you no longer want to manage your application servers, operating systems, and hardware, and are moving them to cloud computing instead, do you really want to keep managing your identity infrastructure? This question has many businesses looking for an identity solution that fits a "complete" cloud architecture.

When we talk about identity, we mean the authentication and authorization half of security: who are you, and what are you allowed to do?

XaaS identity

In the marketing terminology of "X as a Service" (XaaS), you will now see IDaaS, Identity as a Service. The idea is that you manage user identities through a web application in the same way you manage sales leads in a CRM application.

But identity in cloud computing is more than that. For example, if you create a user account and set the user up as a salesperson with administrative responsibilities, that user may need Salesforce.com for CRM, Google Apps for e-mail and documents, and applications on a PaaS (for example Cloud Foundry); the PaaS application may in turn call services on Salesforce and Google Apps.

In general, your IDaaS will use the SAML protocol to handle authentication and authorization against your various XaaS providers. In some cases the user may authenticate to the IDaaS and authorize a XaaS through OAuth instead. But what is actually going on inside the IDaaS?
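To make the SAML side of this concrete, here is an added example (not code from the original article or from any vendor it mentions) of the checks a service provider, a XaaS application, has to perform on the assertion an IDaaS sends it before trusting the identity and the roles it carries. The assertion is a constructed sample with a hypothetical identity provider, idp.example.com, and a hypothetical service provider, sp.example.com. The example deliberately stops short of XML signature verification, which needs an XML-DSig library (xmlsec or python3-saml, for instance) and is assumed to have been done on the exact element parsed here; it only refuses assertions that carry no Signature element at all.

```python
"""Service-provider-side checks on a SAML 2.0 assertion (added example).

Assumptions (not from the article): idp.example.com is the IdP the SP trusts,
sp.example.com/saml is the SP's own entity ID, and the XML signature has
already been verified on this very element by an XML-DSig library.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample assertion, shaped like what an IdP would send an SP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_abc123" Version="2.0"
    IssueInstant="2012-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <ds:Signature><ds:SignatureValue>...</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2012-06-01T11:59:00Z" NotOnOrAfter="2012-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>sales</saml:AttributeValue>
      <saml:AttributeValue>admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse_time(s):
    """SAML timestamps are UTC 'Z' times."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuers, my_audience, now_iso):
    """Return {'ok', 'reason', 'subject', 'attributes'}.

    Attributes and subject are only populated when every check passes, so a
    caller cannot accidentally use roles from an assertion that was rejected.
    """
    result = {"ok": False, "reason": "", "subject": None, "attributes": {}}
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        result["reason"] = "not an Assertion"
        return result
    # An unsigned assertion is worthless; a signed one must still be verified
    # by an XML-DSig library (assumed done) before anything below is trusted.
    if root.find("ds:Signature", NS) is None:
        result["reason"] = "unsigned assertion"
        return result
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in trusted_issuers:
        result["reason"] = "untrusted issuer"
        return result
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        result["reason"] = "missing Conditions"
        return result
    now = _parse_time(now_iso)
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now < _parse_time(nb):
        result["reason"] = "not yet valid"
        return result
    if noa and now >= _parse_time(noa):
        result["reason"] = "expired"
        return result
    # The assertion must be addressed to us, or it could be replayed from
    # another SP that the same IdP serves.
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if my_audience not in audiences:
        result["reason"] = "audience mismatch"
        return result
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    result.update(ok=True, reason="ok", attributes=attrs,
                  subject=root.findtext("saml:Subject/saml:NameID", default="",
                                        namespaces=NS).strip())
    return result


def run_checks():
    """Run the validator over several constructed cases; returns {case: reason}."""
    idp, sp = {"https://idp.example.com"}, "https://sp.example.com/saml"
    cases = {
        "valid": (idp, sp, "2012-06-01T12:01:00Z"),
        "expired": (idp, sp, "2012-06-01T12:10:00Z"),
        "not_yet_valid": (idp, sp, "2012-06-01T11:00:00Z"),
        "wrong_audience": (idp, "https://other.example.com/saml", "2012-06-01T12:01:00Z"),
        "untrusted_issuer": ({"https://idp.evil.example"}, sp, "2012-06-01T12:01:00Z"),
    }
    return {name: validate_assertion(SAMPLE_ASSERTION, *args)["reason"]
            for name, args in cases.items()}


if __name__ == "__main__":
    for case, reason in run_checks().items():
        print("%-18s -> %s" % (case, reason))
```

Two practitioner caveats: the issuer allow-list, audience check and time window are exactly the checks that get skipped when an integration is hand-built to bridge the SAML 1.1/2.0 or SAML/WS-Federation gaps described later in this article, and a signature check is only meaningful if the library verifies the same element you then read attributes from (signature-wrapping attacks exploit parsers that verify one Assertion and read another).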

Microsoft IDaaS

One example is Microsoft's own IDaaS. "You can think of Windows Azure Active Directory as Active Directory running in the cloud: a multi-tenant service with internet scale, high availability, and integrated disaster recovery," says John Shewchuk, a Microsoft Technical Fellow.

Microsoft's strategy is to support on-premises Active Directory, the cloud-hosted version, and hybrid deployments of the two. According to Shewchuk, Windows Azure Active Directory is an open directory that any third-party application or service can use, and it supports industry-standard protocols such as SAML, OAuth 2.0, and OData.

Other IDaaS

There are other IDaaS offerings, such as Ping Identity's PingOne. Ping Identity CTO Patrick Harding points out that the cloud environment of 2012 differs from the enterprise environment of 2002. Back then, many different directories emerged and were later consolidated into Active Directory (AD), and most internal enterprise applications were bound to AD for authentication and role/group management.

Harding says that in the future, "cloud computing will require SSO and user directory/user store synchronization; we cannot avoid this trend, because every cloud application requires an identity store. We will also need standards to make this work seamlessly, such as SAML and SCIM. Every mainstream platform will likely need to support these protocols or their derivatives; Microsoft's Azure/Office 365 is an exception, because they rely on WS-Federation and Graph."

There is an inherent conflict here. When deploying an identity solution you typically run into an edge case where Microsoft does not support SAML but its competing standard, WS-Federation. For a long time, on-premises identity vendors have been slow to catch up with the latest version of a standard (SAML 1.1 versus 2.0), or even to agree on the same standard (SAML versus WS-Federation), so integration often requires custom software and very complex configuration.

The only vendor?

To complicate matters, many of your XaaS vendors want to be your only vendor. Anil Saldhana, JBoss security architect at Red Hat, says: "Many cloud providers (such as Salesforce and Google) give customers the option to use a customer-hosted identity provider, which may be the only holder of identity and which can act as a service provider, and you can use SAML attributes to pass roles, and so on."

Martin Raepple, product owner of SAP's NetWeaver Cloud solution, does not think any major cloud vendor can centrally manage identities: "In the past, every attempt to do so has failed, including the most prominent example, Microsoft's (.NET) Passport system."

Saldhana agrees: "The average enterprise will not entrust IaaS hosting to another vendor, but I also do not think that providing a software stack so enterprises can host their own identity system will succeed. This is not just a technical issue; it is about the directory (users/roles/partners/customers)."

Hybrid identity

In the near future, we are likely to see integration of on-premises enterprise solutions with external cloud computing. "The solution offered by many security vendors is to extend the employee's SSO experience from the corporate network to the cloud environment, providing employee identity to the vendor's cloud computing hub," says Raepple. "Users who are willing to accept this 'middleman' approach will certainly adopt these solutions, but as a platform we also need native capabilities that support SSO and federation."

This could give Microsoft a "home advantage".

The identity crisis is a sign of immaturity

SAML, OAuth, OpenID and the rest are still very new standards, and deployment is very uneven. In other words, this is still an area of active development; the cloud computing field is still identifying its use cases, which is a very, very early stage.

Given that vendors are still adapting their platforms and that the field is immature, it is hard to see a complete cloud architecture with integrated identity yet.

As Saldhana puts it: "The public cloud is still the 'Wild West'." (Compiled by 邹铮, Grid network)
