"When it comes to identity management and authentication, all the vulnerabilities that are seen on the ground will also appear in the cloud," said Perry Carpenter, a Gartner analyst. However, the cloud has also introduced its own characteristics and problems.
Gartner sees three distinct aspects of cloud identity management. The first is identity management to the cloud, in which information is sent from the enterprise to the cloud; the second is identity management from the cloud, in which information is sent to the organization from the cloud or from some other existing place; the third is cloud-to-cloud identity management.
Each aspect carries a different risk. Within enterprise organizations, the use of identity management services in the cloud is still relatively limited; it occurs only where a specific, supported business activity requires identity management to be in the cloud.
"It's hard to separate security-related things from the cloud, which means more sophisticated technology," he said. On the other hand, some SMEs are beginning to get involved.
Legal expectations and service level agreements (SLAs)
This poses a full range of challenges. "There are things like Google Apps, Salesforce.com and Workday in the cloud. The identification component is something that is added later, and in fact, this later addition will carry the inherent weakness," Carpenter said.
Carpenter points out that many cloud security issues boil down to legal expectations and service level agreements (SLAs) that are written without an understanding of the technology. "We call it the cloud because we want it to be more attractive, but these fundamental problems have been going on for some time." And the cloud has added some problems of its own. "First, every cloud vendor has its own proprietary identity management system. So there is no foolproof method, and if I can get the right identity management in one context, it will be correct in another context," he said.
In addition, IT history shows that dealing with multiple incompatible systems also causes failures. I think it's best to have a standard interface between customers and more ways to use plug-ins.
SAML and OAuth
In the meantime, however, Gartner analyst Gregg Kreizman has been looking for the right approach. He uses the term identity and access management (IAM) to describe the challenge. Carpenter points out that existing islands of identity, or islands of the same identity, can simply be copied into the cloud.
As a result, SaaS providers have begun to rebuild IAM functionality themselves, for example by adding federation APIs and authentication to achieve a single sign-on-like function.
"The enterprise has now developed the IAM and expanded the already completed content into the cloud and their SaaS applications," he said. According to Kreizman, authentication as a challenge has matured. However, success in the public cloud also requires an API or an enterprise infrastructure web service.
Kreizman says traditional IAM vendors have expanded their offerings for federation, and extension connectors can be combined with cloud resources such as Google Apps and Salesforce. Another trend is the emerging IAMaaS market (IAM as a service), in which smaller vendors are aggregating to provide core IAM functionality to the cloud or from the cloud. IAMaaS companies implement connector components or provide gateways on the client side, join their services in the cloud, and connect to SaaS vendors.
Traditional IAM vendors are also creating services in the cloud, acting more like gateway providers. For example, Lighthouse Computer Services already employs IBM's Tivoli software stack, "encapsulating it to make it easier to use." He points out that they can provide a similar function for internal applications.
But this is only a beginning, Kreizman says, and there is no proven guideline for success yet. "There is some trepidation about using these services. Some organizations do not want to put identity data or other sensitive information into the cloud. However, some want to 'test if there are any problems.'"
Kreizman says those who are trying to tackle the IAM problem should be familiar with some of the relevant techniques, such as:
On the authentication side, Security Assertion Markup Language (SAML) is the main winner for federation because it provides single sign-on. OpenID Connect (the successor to OpenID, based on the OAuth 2.0 protocol) is also emerging and may prove more useful. OpenID Connect is a lightweight specification that provides a framework for identity federation through RESTful APIs.
OAuth was built as a means of accessing resources in the cloud, and it has been adopted by key players such as Facebook and Twitter.
Simple Cloud Identity Management (SCIM) is a specification supported by some vendors, built on existing schemas (according to its boosters) and targeted at reducing the overhead and complexity of user management.
There is also UMA (User-Managed Access), a Kantara proposal. With UMA, a web user can authorize, from one place, the requests of web applications that keep accessing resources on a host holding the user's "personal data" services; an authorization decision service (the authorization manager) makes the access decision and tells the host.
(Responsible editor: Lu Guang)