July 2009
Cloud Integration: We are not alone
PaaS and IaaS consumers should have objectives in mind for how the apps they are creating with Cloud computing are to be integrated with other systems.
Constituency
What constituencies are you serving? Say you are creating an app on a PaaS: is it for your company's employees? Or are you creating a SaaS app to serve your partners or customers? Integration needs will vary with the constituency, and so will the identity systems you have to integrate with.
Single Sign-On
Corporate users will want Single Sign-On (SSO) tied to their existing directories. Customers and partners may want SSO tied to their own directories and systems. The options range from calling out to another authentication system to federation with standards like SAML. If you are in corporate IT, you can implement your own session management and validate session tokens issued by your own authentication. But if you are a SaaS vendor, federation may be the best way to provide SSO: the customer's identity provider authenticates the user and sends your application a signed assertion, so your application never handles the customer's passwords and only has to verify the assertion's signature, audience and validity window. For example, OpenSAML provides toolkits to make it easy to SAML-enable your SaaS application.
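As an added illustration of the "implement your own session management" path above (example code written for this page, not Symplified's or OpenSAML's), here is a minimal server-issued session token: the claims are base64url-encoded and followed by an HMAC-SHA256 over them under a server-side key. The key value, the one-hour lifetime and the claim names are assumptions for the example; a federated SaaS app would instead accept the identity provider's signed assertion and issue a token like this only after validating it.

```python
"""Server-issued session token: issue and validate (added example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key for the example only; load it from a secret store in practice.
SESSION_KEY = b"example-session-key-replace-me"
SESSION_TTL = 3600  # seconds a token stays valid after issue (assumed)


def _mac(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def issue_token(user_id: str, key: bytes = SESSION_KEY,
                now: Optional[float] = None, ttl: int = SESSION_TTL) -> str:
    """Return 'payload.mac' for user_id, valid for ttl seconds from now."""
    issued = int(time.time() if now is None else now)
    claims = {"sub": user_id, "iat": issued, "exp": issued + ttl}
    payload = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    return _b64(payload) + "." + _b64(_mac(payload, key))


def validate_token(token: str, key: bytes = SESSION_KEY,
                   now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is authentic and unexpired, else None."""
    current = time.time() if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        presented_mac = base64.urlsafe_b64decode(mac_b64)
    except ValueError:  # no separator, or bad base64 (binascii.Error is a ValueError)
        return None
    # Check the MAC before trusting, or even parsing, the claims. compare_digest
    # keeps the comparison constant-time so the MAC does not leak through timing.
    if not hmac.compare_digest(presented_mac, _mac(payload, key)):
        return None
    try:
        claims = json.loads(payload)
        subject, expires = claims["sub"], int(claims["exp"])
    except (ValueError, KeyError, TypeError):
        return None
    if current >= expires:  # expired: the client cannot extend "exp" without the key
        return None
    return subject


if __name__ == "__main__":
    token = issue_token("alice")
    print(token)
    print(validate_token(token))
```

Because every token is bound to one key, rotating that key invalidates all sessions at once; an SSO deployment that needs per-customer trust boundaries is exactly where federation, rather than a shared app-wide secret, earns its keep.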
Identities
Avoid creating yet another Identity Silo that requires user provisioning/deprovisioning and profile management. Again, federation can help. Providing integration to external identity systems avoids the whole problem of managing Identity life cycles. Don't take on the burden of managing this yourself when your customer is likely to already have solutions in place!
User Profiles and Attributes
In addition to being able to authenticate users and ensure proper management of Identity life cycles you should consider how you manage profile data associated with identities. There are methods to "single source" your data and minimize the need to synchronize and update multiple copies of the same information. Consider tying your new PaaS-hosted app to existing directories and Identity Management systems. Some systems (like Symplified) can pass user attributes to your application to avoid having to mirror what is already in your directories and databases. You can also expose secure APIs that enable import and export of data.
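Consuming identity and attributes from the customer's own identity system, as the paragraph above describes, means your application is a SAML service provider that trusts assertions rather than maintaining its own copy of the directory. The following is an added example (not code from Symplified, OpenSAML or this post) of the decisions the application still has to make after a toolkit such as OpenSAML has verified the XML signature: trusted issuer, audience, validity window, replay, and finally extraction of the attributes the identity provider sent. The assertion, the issuer and audience URLs and the 60-second clock-skew allowance are all constructed for the example.

```python
"""Service-provider checks on a signature-verified SAML 2.0 assertion (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLOCK_SKEW = timedelta(seconds=60)  # assumed tolerance for IdP/SP clock drift

# Constructed sample assertion (signature element omitted; assumed verified upstream).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_7f3a9c2e" Version="2.0" IssueInstant="2009-07-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2009-07-01T11:59:00Z" NotOnOrAfter="2009-07-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://app.example.net/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="department"><saml:AttributeValue>finance</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>approvers</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_time(value: str) -> datetime:
    """Parse the UTC timestamp form SAML uses (no fractional seconds)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def validate_assertion(xml_text: str, trusted_issuer: str, my_audience: str,
                       now: datetime, seen_ids: Set[str]) -> Tuple[bool, object]:
    """Return (True, {"subject", "attributes"}) or (False, reason).

    xml_text is assumed to have passed XML-signature verification already;
    parse untrusted XML with defusedxml in production.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return False, "not an Assertion"
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != trusted_issuer:
        return False, "untrusted issuer %r" % issuer
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return False, "missing Conditions or validity window"  # both optional in SAML, required here
    not_before = saml_time(cond.get("NotBefore"))
    not_on_or_after = saml_time(cond.get("NotOnOrAfter"))
    if now + CLOCK_SKEW < not_before or now - CLOCK_SKEW >= not_on_or_after:
        return False, "assertion outside validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_audience not in audiences:
        return False, "audience mismatch: assertion was issued for another service"
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        return False, "replayed or unidentified assertion"
    seen_ids.add(assertion_id)  # a real store keeps IDs until their NotOnOrAfter passes
    subject = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    attributes: Dict[str, List[str]] = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name", "")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return True, {"subject": subject, "attributes": attributes}


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, "https://idp.example.com/",
                             "https://app.example.net/sp",
                             saml_time("2009-07-01T12:01:00Z"), set()))
```

The attributes come back as lists because a SAML attribute may carry several values (group membership being the usual case); the application authorizes from them on each login instead of mirroring the directory, which is the "single source" approach the paragraph recommends.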
You Are Not the Only App
We have a natural tendency to focus on just the one application we are creating. But since almost no one uses "just one app" there is an aggregation effect: as each new app is added to your portfolio, it introduces an incremental increase in pain surrounding credentials, profile data, transactional data, compliance data, etc. So even if managing users in your app is so easy you can do it in your sleep, your customers and their constituencies will still need to learn how your system works. This is incremental pain that turns into a nightmare: no matter how simple one task is, repeating that task many times in many ways is costly and prone to error.
Collaboration
Does your app need to support collaboration between different users of your app? Or across different apps? How can they securely exchange data while not violating privacy requirements? Will customers or integrators be creating mashups with your application? How do you expose data and functionality (again, securely)? These are all important considerations, and they are increasingly easy to address in the world of Cloud Computing. But as we address our needs for security and privacy, identity and access management are the fundamental building blocks. When handling a request for data, how do you know who is asking? How do you know they have permission?
Conclusion
I hope the questions in this blog have been thought provoking. As you consider the PaaS and IaaS for hosting and deploying new apps, remember that "You are not Alone". Your app will be one of many for your customers; and collaboration and integration require identity management and access control solutions.
Coby Royer
Technical Product Manager
Symplified | The Cloud Security Company
July 2009
Cloud Computing
For starters, it’s important to understand that Cloud Computing has taken the entire systems stack and exposed it as services on the Internet. Whereas Software as a Service (SaaS) provides capabilities to end users of applications, Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) provide services to technologists (developers and administrators) who are creating applications. Most folks are now familiar with popular SaaS platforms such as Salesforce.com, Taleo, and Google Apps. There are now thousands of SaaS providers available; check out The SaaS Showplace for more listings.
With PaaS and IaaS, technologists can spin up virtual servers and build in solutions for storage, network, UI, multi-tenancy, etc. using services for collaboration, development, and instrumentation that are part of the Cloud environment. For example, we have Amazon Elastic Compute Cloud (EC2), Salesforce Force.com, Rackspace Mosso, and many others. You can check out Peter Laird’s cloud taxonomy. The following sections address considerations for PaaS and IaaS adoption.
Integration Philosophy
PaaS and IaaS consumers should have objectives in mind for how the apps they are creating with Cloud computing are to be integrated with other systems. Even if they are delivering SaaS Apps for end users, they should consider how to address Identities, Data, Collaboration, and Security (to name a few) and be aware of the fact that their customers will almost certainly be using other SaaS apps as well. It’s easy to become myopic and ignore the fact that the apps we write as developers are not at the center of our customer’s universe and that our apps must play well with the larger constellation of Apps, Services, and Data.
User Provisioning Lifecycle
How will creation and removal/disabling of user accounts in your application relate to other processes and technology of your customers/users? Are you exposing secure APIs to enable this programmatically?
Single Sign-On
Enterprise customers will want to bring your application into the fold of other applications by using Single Sign-On (SSO). Will you support federation, APIs, or web forms that make this feasible?
Access Control
How can your enterprise customers set policies that prescribe permissions for accounts within your application? Are you going to force your customers to learn and use yet another access control system or will you integrate with other access control technologies to enable a single, consolidated, view of policies?
Logging and Auditing
What are your customers’ needs for accessing and processing log data on account activities? How can customers solve compliance needs to monitor privileged accounts?
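The Access Control and Logging and Auditing questions above go together: if the customer's own identity management system owns the policy, your application only evaluates it, and every evaluation should leave an audit record the customer can use to monitor privileged accounts. The block below is an added example written for this page (not Symplified's product or code) of that pattern: a role-to-permission policy document in a constructed shape a customer might push through a provisioning API, deny-by-default evaluation, JSON-lines audit records, and a compliance query over them for privileged activity. The policy contents, action names and the "privileged_actions" list are assumptions.

```python
"""Externalized access-control policy plus audit trail (added example)."""
import json
import time
from typing import List, Optional, Set

# Constructed policy document; the customer's IAM system is its source of truth.
POLICY = {
    "roles": {
        "tenant-admin": ["users:create", "users:disable", "reports:read"],
        "analyst": ["reports:read"],
    },
    "assignments": {"alice": ["tenant-admin"], "bob": ["analyst"]},
    "privileged_actions": ["users:create", "users:disable"],
}


def effective_permissions(policy: dict, principal: str) -> Set[str]:
    """Union of the permissions granted by every role assigned to principal."""
    perms: Set[str] = set()
    for role in policy["assignments"].get(principal, []):
        perms.update(policy["roles"].get(role, []))  # an unknown role grants nothing
    return perms


def is_permitted(policy: dict, principal: str, action: str) -> bool:
    """Deny by default: only an explicit grant allows the action."""
    return action in effective_permissions(policy, principal)


def perform(policy: dict, principal: str, action: str, target: str,
            audit_log: List[str], ts: Optional[float] = None) -> bool:
    """Evaluate the policy, append one audit record, and return the decision.

    Denied attempts are logged too: a denied privileged action is exactly what
    a compliance reviewer wants to see.
    """
    allowed = is_permitted(policy, principal, action)
    record = {
        "ts": int(time.time() if ts is None else ts),
        "principal": principal,
        "action": action,
        "target": target,
        "decision": "allow" if allowed else "deny",
        "privileged": action in policy["privileged_actions"],
    }
    audit_log.append(json.dumps(record, sort_keys=True))
    return allowed


def privileged_activity(audit_log: List[str], principal: Optional[str] = None) -> List[dict]:
    """Compliance view: every attempted privileged action, optionally for one account."""
    matches = []
    for line in audit_log:
        record = json.loads(line)
        if record["privileged"] and (principal is None or record["principal"] == principal):
            matches.append(record)
    return matches


if __name__ == "__main__":
    log: List[str] = []
    perform(POLICY, "alice", "users:disable", "bob", log)
    perform(POLICY, "bob", "users:disable", "alice", log)
    perform(POLICY, "bob", "reports:read", "q3-summary", log)
    for entry in privileged_activity(log):
        print(entry)
```

Keeping the policy as data that the customer can replace wholesale is what lets them keep "a single, consolidated view of policies" across applications; the audit records are written in a line-oriented format so they can be shipped to whatever log management the customer already runs rather than read only inside your app.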
Summing It Up
In conclusion, I recognize these are the same old questions IT has been addressing over the years, just with a new twist. For PaaS and IaaS we don’t have a unified set of tools and standards to address all of these needs, and the PaaS and IaaS environments don’t all provide these capabilities out of the box. The new generation of technologists must answer these questions for themselves and decide how to satisfy their needs. While there are emerging standards to support these capabilities (such as SAML for federated authentication, which enables SSO), Cloud adopters will need to make informed decisions about which standards and tools to use.
Coby Royer
Technical Product Manager
Symplified | The Cloud Security Company