Cloud Identity as a Service (IDaaS)
Defining Identity as a Service
According to the CSA (Cloud Security Alliance), Identity as a Service (IDaaS) refers to the management of identities in the cloud, apart from the applications and providers that use them. IDaaS is an extremely broad term, including services for software, platform and infrastructure services in both the private and public cloud.
There are other definitions of IDaaS as well. Jonathan Penn distinguishes between two different understandings of IDaaS. In the first definition, IDaaS refers to managed identity services (MIS) in which a managed service provider (MSP) provides on- or off-site services to customers. Such services may include provisioning, directory management, or the operation of a single sign-on service (SSO).
In the second definition, IDaaS is a broader term, used to refer to the implementation of identity and access management (IAM) functionality, predominantly as web services, within a service-oriented architecture in an enterprise. These services are often referred to as “IM web services.” For the most part, such products currently lack a cohesive, integrated framework for their services, which may include authentication, authorization, provisioning, entitlements and policy query.
Why IDaaS?
Since IDaaS makes identity management capabilities available through the infrastructure, enterprises can make identity a transparent and ubiquitous part of their applications. At the same time, enterprises can also ensure consistency in authentication, authorization, administration and auditing, which are the central tenets of identity management. Identity management experts point out that the development of IDaaS goes hand in hand with the creation of an enterprise identity layer, which would serve as the platform for all identity-enabled enterprise applications.
Challenges to IDaaS
From an identity management perspective, there are a number of uncertainties that have arisen with the discussion of IDaaS development. Some of them have been outlined below:
- A clear definition is needed of what identity services (IDaaS) are and what type of functionality is expected.
- Application developers must be sensitive to service-oriented architecture (SOA) requirements.
- Standards must “catch up” with the services offered.
- Interoperability must be satisfied.
- An application programming interface (API) model that facilitates development must be defined.
The CSA also lists a number of challenges to IDaaS development and implementation, which are discussed below:
- Security – Depending on whether the IDaaS is managed internally or externally to the organization, security challenges may greatly vary. Security also depends on which type of identity is being managed within the cloud.
- With SaaS (Software as a Service) – Customers intending to use IDaaS with SaaS must consider how well the IDaaS provider is able to meet the needs of different types of users, including: a) internal users, such as enterprise employees; b) external users, such as partners and customers; and c) consumers acting on their own behalf.
- With PaaS (Platform as a Service) – Customers intending to use IDaaS with PaaS must consider issues regarding web service interaction between their applications and the IDaaS. Examples of such issues may include: identity provisioning/deprovisioning; storage of identity information; application access to user information; location of authentication; secure transmission; and interactions with IDaaS provider for access control.
- With IaaS (Infrastructure as a Service) – The main challenge for customers intending to use IDaaS with IaaS is the management of privileged access to virtual machines that are being provisioned on an IaaS platform. A key question here is how to link virtual machine authenticity with user identity.
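The PaaS issues above (where authentication happens, how the application learns about the user, and how deprovisioning reaches the application) can be made concrete with a small model. The following is an added illustration, not code from the CSA or any vendor named here: a hypothetical IDaaS owns the credentials and issues HMAC-signed assertions, and a PaaS-hosted application verifies those assertions and consults the IDaaS for deprovisioning. The key, user names and role names are constructed sample values.

```python
import base64, hashlib, hmac, json

# Constructed sample: a minimal IDaaS that owns authentication and issues
# HMAC-signed assertions; a PaaS-hosted app only verifies assertions.
# Key, users and roles are hypothetical, not from any real product.
SIGNING_KEY = b"constructed-demo-key-rotate-in-production"

class IdentityService:
    def __init__(self, key):
        self.key, self.users, self.revoked, self.audit = key, {}, set(), []

    def provision(self, user, password, roles):
        # Demo hash only; a real IDaaS would use a salted password KDF.
        self.users[user] = {"pw": hashlib.sha256(password.encode()).hexdigest(), "roles": roles}
        self.audit.append(("provision", user))

    def deprovision(self, user):
        self.users.pop(user, None)
        self.revoked.add(user)
        self.audit.append(("deprovision", user))

    def authenticate(self, user, password, now, ttl=300):
        """Authentication happens here, not in the app; returns a signed assertion or None."""
        rec = self.users.get(user)
        given = hashlib.sha256(password.encode()).hexdigest()
        if rec is None or not hmac.compare_digest(rec["pw"], given):
            self.audit.append(("auth_fail", user))
            return None
        claims = {"sub": user, "roles": rec["roles"], "exp": now + ttl}
        payload = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        self.audit.append(("auth_ok", user))
        return base64.urlsafe_b64encode(payload).decode() + "." + sig

def verify_assertion(token, key, now):
    """App side: check the signature, then expiry; the app never sees a password."""
    try:
        b64, sig = token.split(".")
        payload = base64.urlsafe_b64decode(b64)
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return None
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).hexdigest(), sig):
        return None
    claims = json.loads(payload)
    return claims if claims["exp"] > now else None

def authorize(idaas, token, required_role, now):
    """Access decision: local checks plus a live deprovisioning query to the IDaaS.
    Without the revoked-set lookup, a stateless assertion outlives deprovisioning."""
    claims = verify_assertion(token, idaas.key, now)
    if claims is None or claims["sub"] in idaas.revoked:
        return False
    return required_role in claims["roles"]
```

The point the model makes is that a signed assertion alone still verifies after the user is deprovisioned; the application must either query the IDaaS (as `authorize` does) or keep assertion lifetimes short.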
IDaaS Spotlight: Conformity
Conformity is advertised as a “SaaS gateway,” which does not necessarily store identity data, but functions to connect in-house identity stores to other SaaS that users might access. According to Scott Bils, founder of Conformity, the IDaaS service aims to address three major problems that are faced when organizations begin to use SaaS: 1) decentralization; 2) loss of control; and 3) broken integrations. Conformity streamlines SaaS management by offering the following solutions:
- User provisioning
- Role and profile management
- Approval workflows
- Directory integration
- Compliance reporting
- Usage analytics
- Change management
IDaaS Spotlight: Symplified
In February 2011, cloud security service developers Symplified launched the Symplified Suite, the third generation of their services, which addresses the complete life cycle of IAM for both private and public cloud applications (i.e. SaaS) and resources (i.e. IDaaS and PaaS). The suite comprises:
- Symplified Access Manager
- Symplified Identity Manager
- Symplified Sign-On
These three components offer a wide variety of services, including access management, authentication, user provisioning, user administration, federated SSO and usage auditing.
Critics say...
According to Phil Lieberman, the CEO of Lieberman Software:
"My position has been that in theory IDaaS makes sense. [But] I believe that the IDaaS model breaks down in many areas: first, there is the reality that most IAM [Identity and Access Management] systems have extensive customizations done to them to support the unique business models (unique schemas). Second, most of the IAM systems also have integrations with third party line of business applications, that may or may not be supported in an IDaaS outsourced scenario. Third, and most critical in my mind, the IAM function is the most sensitive function in an organization (holding the keys to the kingdom), so the trust level in the vendor's confidentiality as well as business continuity/longevity issues would need to be brought into focus continuously. As a vendor of privileged identity management solutions, we see that most organizations are extraordinarily risk averse and secretive when it comes to identity management and security."
Summary
This article takes a look at identity as a service (IDaaS), a broad term for the management of identities in the cloud. IDaaS includes services for software, platform and infrastructure services in both the private and public cloud. The article takes a look at some challenges and issues surrounding IDaaS development and implementation, from an identity management and enterprise perspective. Such challenges differ greatly, depending on the type of users involved, as well as the context in which the IDaaS are applied (whether with SaaS, PaaS or IaaS).
CCSK Exam Preparation
In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:
- Cloud Service Models (Domain 1)
- Data Security Lifecycle (Domain 5)
- Key Portability Objectives of S-P-I (Domain 6)
- Differences in S-P-I Models (Domain 10)
- Identity Federation, Authorization, Access Control & Provisioning (Domain 12)