Before considering cloud computing, it's essential to make sure you have your existing IAM program under control. While every CSO and security manager understands that IAM is critical to the long-term success of any security strategy, they often get bogged down with technical minutiae and lose sight of the issues that can drive a successful IAM program. There are three strategic issues/questions that need to be identified within an organization to ensure that your strategy for IAM in the cloud will succeed:
- Identify the business drivers for identity management.
- Identify interoperability requirements, specifically which standards you will likely need to support.
- Identify cloud use cases for your identity and access management project.
This presentation will address the details that should be considered for each of those areas, and provide guidance as to some common answers to questions that arise when extending an IAM program to the cloud.
About the speaker:
Phil Cox is former director of security and compliance at SystemExperts.
Read the full text transcript from this video below.
Setting the groundwork for IAM in the cloud
Phil Cox: Today we're going to be talking about extending our existing
identity and access management service that we have internally
in an organization into a cloud. One of the things that we'll look at is setting
the groundwork on how to make sure that happens successfully. When we
think about that, there are really three primary goals or things that you will
need to do in order to make that transition happen. The first one is, and
we'll cover these more in detail, is have a mature identity and access
management solution within your organization. It's kind of hard to extend
something that doesn't exist.
The second is understanding what you want to do with identity and access
management in the cloud and that will be figuring out software as a service,
platform as a service, infrastructure as a service, basically those type of
services. And thirdly, what extent you want to be able to interoperate with
your cloud service. How much of your identity and access management
solution do you actually want to extend to the cloud? So with that, kind
of jumping to the mature enterprise identity and access management
program. When we think about that, what does it mean? It means that
we've got policies and a governance in place. That there's something
that works within our organization, in order to allow that to happen in an
efficient manner. We've got processes and procedures that are efficient
and appropriate, and when we think about efficient and appropriate...
When we go to the cloud we're talking about typically more users, we're
talking about extending things out, and with that, any problems that we may
have internally and in our organization are just going to be exacerbated
when we go to that type of architecture. We want to make sure that the
processes are efficient and appropriate for what we need. We'll talk a
little bit about, is it just identity? Is it just access management? Is it
provisioning? The different services we may provide. Do we have good
account provisioning and de-provisioning within our organization already?
Do we have good management of authentication information? Do we have good
account entitlement updates? And lastly, is our current audit processes,
are they sufficient? Are we getting the information we need from an audit
standpoint out of our identity and access management solution, existing in
the corporate? Or in the organization? Because when we extend it out, if we
don't have those things set up, then we're not going to be successful in
being able to meet compliance requirements or other issues that we may run
So one of the mottos I would take as I venture into this is, if you aren't
doing it at home, you're not going to do it when you're away. You really
need to make things happen first within the organization, and then extend
those out. Next, you have to decide, let's assume that we have a mature IAM
solution in our organization. We know what we're doing and we do it well.
Next we have to say, what do we want to extend this to in the cloud? And
there are different directions. Typically when you think of cloud
services, you think of software as a service, platform as a service, and
identity as a service. Well, there are going to be different support for be
it identity or provisioning, or access management based on the type of
cloud service that you decide to utilize, as well as the cloud service
provider that you pick. For example, software as a service is going to be
much more likely to consume any identity and access management services
that you provide. When you think of platform as a service or infrastructure
as a service, the reality in today's market is that you may desire to
extend your identity and access management to those, but their ability to
do it is somewhat limited. You need to identify what you want to do in the
So we've taken a look, and we say we've done what we need to within the
organization to ensure that our identity and access management solution
works. It works at home. Then what we've done is, we've decided these are
the types of cloud services that we're going to utilize, and we understand
that that decision will have direct impact on how much of our corporate IAM
we'll be able to extend. And then thirdly what we have to look at is
interoperability, and this is more of a due diligence of looking at what
information you plan on using, what technical options you have as well as
asking your cloud service providers what they can support. When we think
about it, we'll think about evaluating our current identity and access
management to determine if it'll work with our cloud providers. We'll ask
questions like, "Does my provisioning/de-provisioning management process,
are they documented? Are they automated? How centralized is my identity
source that I want to use?" You may have an enterprise-wide identity and
access management solution, but you may only want to utilize a small
portion of that for a cloud service and what we're talking about is
that portion you want to utilize for the cloud.
So I look at that. Is it centralized? What standards does my current
solution currently support? These tend to lead to other questions,
especially in the standards realm. Does my current identity and access
management solution support the Security Assertion Markup Language (SAML),
which is basically the de-facto standard within the industry for identity,
for exchange of identity information. There's another one, WS Identity.
Figuring out from a technical standpoint, what does my solution provide?
And then figuring out does my cloud, will it do what I need to, and can my
cloud service provider consume it? So we think of standards like, again,
SAML, Security Assertion Markup Language. We think of SPML, the Service
Provisioning Markup Language. If you want to have an ability for your cloud
service provider to provision and de-provision accounts, it's likely that
you're going to want to have a mechanism like SPML supported, and that's
going to depend on what your cloud supports, as well as what your current
Lastly, when we think about extending access control, we want to be able to
dictate what happens, how we control access, how we control entitlements,
those type of things. Typically what we're looking at is the eXtensible
Access Control Markup Language, or XACML. Those three standards: SAML,
SPML, and XACML are the open standards that this whole identity and access
management solution will ultimately probably utilize going forward. SAML is
primarily for identity, SPML is primarily for provisioning and
de-provisioning, and XACML is primarily again, for access control. What you
may find is in your organization, you may have certain identity and access
management solutions that provide things, and you need something like a
translation gateway. You may look at different vendors that would provide
that, that would go from, like take your Active Directory groups, users,
all that authentication, and use what's known as a translation gateway, to
translate that to an SPML or a SAML or an XACML, that can be
consumed by your cloud provider.
One of the other things when we think from a strategic standpoint is that
we need to ensure that we've got a mature IAM inside. What does this mean?
It means that we're doing what we need to. Next we need to know what cloud
services that we want to consume as a part of that answer, and in reality
when we think about it now, really software as a service is the primary
mechanism or the primary cloud service that you're going to be able to do
this with. In that respect, it's primarily going to be identities. When we
think about provisioning and even access control, the current state of
technology, the current state of cloud services just doesn't provide that
type of interoperability. For example, if you take Salesforce and Google.
If you look at Salesforce, Salesforce supports identity basically,
consuming identities using the SAML 1.1 specification, where Google uses
SAML 2.0. So we get back to the point where even with open standards,
you've got different cloud providers that support different open standards,
so to speak. You'll need to make sure you understand what's there.
When you look at, and I've said it before but I think it's worth repeating
when you look at platform as a service or infrastructure, it may change
within the year, but for the most part right now, extending your identity
and access management into those cloud services is not realistic. It's not
going to happen. You may desire that, or at least it won't happen in a more
open mechanism. There may be cloud service providers that have proprietary
mechanisms by which you can do that, which would be fine. I would caution
against that, because if you decide to move from one cloud service provider
to another and you're not based on open standards, you're going to be
locked in. Which again, you kind of have to weigh the risks of that and the
benefit of having maybe that extra, the extension of your IAM to that cloud
service provider, but think about using open standards, is a good thing.
Asking your cloud service provider what they support and trying to
encourage them to support open standards, realizing that currently today,
if you want to use software as a service, you're likely going to be able to
extend any identity you have, maybe some provisioning, maybe some access
control. If you're looking at platform or infrastructure, the reality is
you're probably going to be locked into whatever your cloud service
provider gives you. Lastly is evaluating, taking the time to talk to
different cloud service providers in terms of what they support. You'll
have a set of technologies that you utilize inside. You know what you want
to do, you've looked at this is the type of information I'm going to be
giving to, that I want to make access control decisions based on. Well,
what is your cloud service provider, what does it support? Making sure that
those specific cloud service providers are getting down to, so to speak,
the brass tacks, in terms of what they will support.
So it's kind of a trifecta. You have to be doing the right things. You have
to have the technology that will talk to the cloud service provider to
provide those services. And lastly, you have to have a cloud
service provider that will actually consume those services. While it seems
like it should be reasonable that that place exists today, it currently
doesn't. So again, back to the standpoint of laying the groundwork for IAM,
extending your IAM. Open standards, have a good governance, processes and
procedures internally; and at some point, the cloud service providers will
be coming around. They will start doing what the customers want. They'll
start implementing and consuming those types of services that the
customers are providing.
So if you do those two things internally, have a good IAM infrastructure
and base it on open standards, you are setting a great foundation to be
able to move forward and extend that into a cloud, regardless of whether
it's a software, platform, or infrastructure as a service, and as the cloud
service providers start extending those more and more, you'll be able to
utilize that. With that, that's kind of the gist of what we've got.
Hopefully it's helpful, and hopefully you'll be on your way, at least be
able to extend that and be productive in your identity access management
solution in the cloud. Thank you.
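The talk's point that two SaaS providers may consume different SAML versions (1.1 versus 2.0) can be made concrete with a small interoperability check. This is an added illustration, not code from the talk or from any provider it names: it reads the assertion namespace to tell the versions apart, pulls the issuer and audience, and verifies the validity window; the sample assertions, issuer and audience URLs are constructed.

```python
# Added illustration: tell SAML 1.1 from SAML 2.0 assertions and check whether a
# given service could consume one. Samples and URLs below are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# The <Assertion> namespace identifies the version: SAML 1.1 still uses the
# 1.0 assertion namespace, SAML 2.0 has its own.
SAML_NS = {"urn:oasis:names:tc:SAML:1.0:assertion": "1.1",
           "urn:oasis:names:tc:SAML:2.0:assertion": "2.0"}
# SAML timestamps are UTC with a trailing Z, which fromisoformat needs spelled out.
_ts = lambda value: datetime.fromisoformat(value.replace("Z", "+00:00"))

def inspect_assertion(xml_text, expected_audience, now):
    """Return version, issuer and condition checks; ValueError if not SAML."""
    root = ET.fromstring(xml_text)
    ns, _, tag = root.tag[1:].partition("}")
    if tag != "Assertion" or ns not in SAML_NS:
        raise ValueError("not a SAML assertion: " + root.tag)
    version = SAML_NS[ns]
    q = lambda name: "{%s}%s" % (ns, name)
    # Issuer is an attribute in 1.1 but a child element in 2.0, and the
    # audience wrapper element is named differently in each version.
    if version == "1.1":
        issuer, wrapper = root.get("Issuer"), "AudienceRestrictionCondition"
    else:
        issuer, wrapper = root.findtext(q("Issuer")), "AudienceRestriction"
    cond = root.find(q("Conditions"))
    audiences = [a.text for a in cond.findall(q(wrapper) + "/" + q("Audience"))]
    return {"version": version, "issuer": issuer,
            "audience_ok": expected_audience in audiences,
            "time_ok": _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))}

def can_consume(xml_text, provider_versions, audience, now):
    """True only if the provider speaks this version, is the named audience and the assertion is still valid."""
    info = inspect_assertion(xml_text, audience, now)
    return info["version"] in provider_versions and info["audience_ok"] and info["time_ok"]

# Constructed samples: one SAML 1.1 and one SAML 2.0 assertion for fictitious services.
SAML11 = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1"
  MinorVersion="1" Issuer="https://idp.example.org" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestrictionCondition><saml:Audience>https://crm.example.com</saml:Audience>
    </saml:AudienceRestrictionCondition></saml:Conditions></saml:Assertion>"""
SAML20 = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
  ID="_c1" IssueInstant="2024-01-01T12:00:00Z"><saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://mail.example.com</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions></saml:Assertion>"""
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_LATE = SAMPLE_NOW.replace(minute=10)  # past NotOnOrAfter, so the assertion has expired
```

Feeding a provider's real sample assertion and its documented SAML version into `can_consume` is the "brass tacks" check the talk recommends before committing to a provider; the parser does not verify signatures, which a production consumer must do first.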