Identity Management and Cloud Computing—Beyond SaaS
July 2009
Cloud Computing
For starters, it is important to understand that Cloud Computing has taken the entire systems stack and exposed it as services over the Internet. Whereas Software as a Service (SaaS) provides capabilities to end users of applications, Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) provide services to technologists (developers and administrators) who are creating applications. Most folks are now familiar with popular SaaS platforms such as Salesforce.com, Taleo, and Google Apps. There are now thousands of SaaS providers available; check out The SaaS Showplace for more listings.
With PaaS and IaaS, technologists can spin up virtual servers and build solutions for storage, networking, UI, multi-tenancy, and so on, using the collaboration, development, and instrumentation services that are part of the Cloud environment. Examples include Amazon Elastic Compute Cloud (EC2), Salesforce Force.com, Rackspace Mosso, and many others; Peter Laird's cloud taxonomy is a good map of the landscape. The following sections address considerations for PaaS and IaaS adoption.
Integration Philosophy
PaaS and IaaS consumers should have objectives in mind for how the apps they are creating with Cloud computing are to be integrated with other systems. Even if they are delivering SaaS Apps for end users, they should consider how to address Identities, Data, Collaboration, and Security (to name a few) and be aware that their customers will almost certainly be using other SaaS apps as well. It is easy to become myopic and forget that the apps we write as developers are not at the center of our customers' universe, and that they must play well with the larger constellation of Apps, Services, and Data.
User Provisioning Lifecycle
How will the creation and removal/disabling of user accounts in your application relate to your customers' other processes and technology (for example, an HR-driven joiner/mover/leaver process)? Are you exposing secure APIs so that this can be done programmatically? Note that disabling an account should also terminate its active sessions; otherwise a departed user can keep working until their session expires.
Single Sign On
Enterprise customers will want to bring your application into the fold of other applications by using Single Sign-On (SSO). Will you support federation, APIs, or web forms that make this feasible?
Access Control
How can your enterprise customers set policies that prescribe permissions for accounts within your application? Are you going to force your customers to learn and use yet another access control system or will you integrate with other access control technologies to enable a single, consolidated, view of policies?
Logging and Auditing
What are your customers’ needs for accessing and processing log data on account activities? How can customers solve compliance needs to monitor privileged accounts?
Summing It Up
In conclusion, I recognize these are the same old questions IT has been addressing over the years, just with a new twist. For PaaS and IaaS we do not yet have a unified set of tools and standards that addresses all of these needs, and the PaaS and IaaS environments do not all provide these capabilities out of the box. The new generation of technologists must answer these questions for themselves and decide how to satisfy their needs. While, yes, there are emerging sets of standards to support these capabilities (such as SAML for federated authentication, which enables SSO), Cloud adopters will need to make informed decisions about which standards and tools to use.
Coby Royer
Technical Product Manager
Symplified | The Cloud Security Company