A Hybrid Approach for Migrating IAM to the Cloud
We continue to hear about how cloud, mobility and the consumerization of IT has the potential to transform business. However, the ongoing hype around these trends may lead some to believe that these trends require an “all or none” approach. This can create conflicts as organizations may have significant investments in on-premise IT and cannot simply pull the plug on these environments and immediately go to the cloud. As a result, they are seeking ways to utilize cloud-based applications and infrastructure while maintaining certain applications on-premise. The resulting architecture is referred to as a hybrid environment because it features both on-premise and cloud-based resources.
Hybrid approaches can provide organizations with flexibility to slowly move to cloud based services while still maintaining select on-premise resources. For organizations in this situation, one of their major challenges is providing users with the flexibility to seamlessly move around the environment while still maintaining appropriate security levels—or more specifically, ensuring consistent control and security policy between on-premise applications and cloud services.
Within a strictly on-premise model, IT focuses on building physical infrastructures—servers, virtualization layers, operating systems, and middleware applications—and delivering security throughout the whole stack. With a hybrid model, however, IT must change its perspective and style, treating any and all IT components (cloud-based or otherwise) as services that are available for the business to consume. In doing so, IT security needs to ensure consistent protection between and among the organizations and all the instances of applications where sensitive data exists (i.e., the broader and fragmented data center).
At first blush, it might seem that the role of IT security is significantly diminished by this process. The reality, however, is that securely enabling the access to and interaction of cloud services provides much more value to the business. In doing so, IT is enabling an organization to move more quickly. Furthermore, IT is facilitating the adoption of the consumer-oriented IT capabilities that employees are demanding. In other words, utilizing more cloud-based services puts the IT security function front and center in the day to day of a company’s planning activities.
Once organizations simultaneously leverage applications via a variety of IT models, such as on-premise applications and SaaS-based services, the traditional notion of a network perimeter simply no longer exists. And as a result, our ideas about how we manage security and identity have to change.
How doesone ensure appropriate security levels within this hybrid environment?
To avoid building separate identity silos solely for cloud-based services resources (the result of unique accounts within each of those providers and applications), enterprises should look for a centralized IAM service thatcan manage all users’ access and authentication before they go to any applications—on-premise or in the cloud.
By taking the approach that Identity is the new perimeter, we can funnel all access to enterprise resources through a central identity service. In this way we create a single front door to every SaaS, mobile and on-premise application. This service can enforce whatever level of authentication you desire for each application. With standards such as SAML and OAuth being quickly adopted by SaaS providers and mobile application developers, you have the ability to enforce that all enterprise uses enter through your central identity service…your new identity perimeter.
For employees, authentication could be against a corporate directory. For partners, it could entail using identity federation via standards such as SAML that enable the users of an organization to easily and securely access the data and applications of other organizations as well as cloud services via cloud single sign-on, thus preventing the need to maintain another list of user accounts. This approach ensures that all the identity-related functions, such as authentication—and ultimately authorization—are consistently managed by the enterprise.
For customers who may already have an existing digital social identity (such as Facebook or Google) and would like to be able to leverage that identity, standards such as OpenID and OAuth would allow those users to access cloud resources using those credentials and not require additional user registration steps. For special employees or high-value transactions, a higher level of authentication might be required before allowing the user access to a particular service. There might be very sensitive data that goes into a SaaS-based HR application, for example. If the necessary level of required authentication is not native to that particular SaaS environment, the enterprise could require an additional “step-up authentication”—via a centralized identity service—before granting access.
As hybrid environments become the norm, the need for solutions that can interoperate in on-premise and cloud environments will be paramount. Adopting a hybrid based approach can enable organizations of all types and sizes to realize efficiency gains while still protecting their critical digital resources, regardless of whether those resources are on-premise or in the cloud.
This can result in:
- Reduced security risk for all systems, applications, and information
- Reduced administrative expenses and improved efficiency
- Improved IT agility through flexible deployment options across on-premise and cloud environments
- Ability to move to the cloud on a comfortable schedule
Organizations may find this hybrid approach as a practical alternative deployment model to going 100% into the cloud without sacrificing agility, usability or flexibility.
Merritt Maxim has 15 years of product management and product marketing experience in the information security industry, including stints at RSA Security, Netegrity and CA Technologies. In his current role at CA Technologies, Merritt handles product marketing for CA's identity management and cloud security initiatives. The co-author of “Wireless Security”Merritt blogs on a variety of IT security topics, and can be followed at www.twitter.com/merrittmaxim. Merritt received his BA cum laude from Colgate University and his MBA from the MIT Sloan School of Management.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.