To maintain the competitive advantages provided by cloud computing, IT shops must focus a lot of their energies
on uptime and stability. To accomplish this, they must examine either in-house options or a type of service-oriented architecture deployment. At the same time, many businesses must also worry about customer and application portals, security and accessibility. This is where identity federation comes into play.
A fairly new term, identity federation can be seen as the key to a harmonious relationship between technological efficiency and business competency. In many regards, identity federation should be one of the first steps in moving towards the cloud.
Understanding federated identity
Even on a LAN, identity and password management can be a nightmare. Now imagine pushing these elements to the cloud. In the world of IT, federated identity means linking a person's electronic identities, attributes and profile information, which then becomes stored across multiple identity management systems. For example, single sign-on (SSO) is a viable application for federated identity, since it uses a user's authentication across IT systems, organizations and various applications in the cloud.
Organizations, for the most part, have not yet adopted an all-out cloud. They have, however, been adopting hybrid cloud architectures. These hybrid clouds require identity federation in order to provide not only SSO but also role-based access controls between internal and external services.
A few cloud integration federation offerings have begun to appear on the market from vendors such as Ping Identity and Layer7. How is identity federation being offered as a service from these vendors? Simple; they look to extend your current infrastructure and mirror it to the cloud.
Ping Identity, for example, owns the PingFederate service, which allows the extension of Active Directory to the cloud. This, in turn, enables an organization to control user management, policies and methods of access not only on their network but in the cloud. Using standard identity protocols, PingFederate allows employees, consumers, customers or partners access to multiple cloud resources using a single username and password. Users can now use their original sign-on credentials for sites like Salesforce.com.
To enable communications amongst client apps and Web services located in various identity domains, both the client application and Web service must be able to establish trust with one another and exchange identity information. To accomplish this task, startup Layer 7 Technologies is focusing heavily on identity federation and security. Layer 7 is the only XML security vendor to currently offer companies a system for managing Web services federation from client application to Web service without programming, as well as providing a built-in SAML based Secure Token Service.
Using identity federation to solve cloud challenges
Although many organizations may understand what identity federation is, some still find it hard to see where it fits with their current environment. When identity federation is examined further, we see that it is nothing more than a virtual reunion of a user's information that is stored across multiple identity management systems. The ultimate goal of identity federation is to enable users of one domain to securely access data or systems of another domain easily and without redundant user administration. The goal requires all included systems to use the same protocol for maximum interoperability.
Let's examine four scenarios where identity federation comes into play:
- Creating partnerships between multiple remote sites: One of the simplest forms of identity federation looks at a company's ability to allow SSO over the WAN without having redundant server hardware and those locations. This means a company can have two (or more) simple appliances at remote locations which allow the remote node SSO capabilities.
- Identity federation in extranet applications: Using hardware appliances designed for federation over the cloud, companies can use products like IBM Websphere Application Servers to secure their applications over the WAN. SSO can then be brought into these extranet apps for greater ease of use and better end-user experience.
- Identity federation in a public cloud: With federation in the public cloud, IT managers can now start looking at Platform as a Service (PaaS). This gives the end-user access to remote access portals and offers the IT administrator complete control over PaaS authentication and other security protocols. A user can, for example, log into a corporate appliance and instantly have access to their Gmail account with full view of their calendar and other features without having to enter in multiple credentials.
- Integration with Software as a Service (SaaS): One of the most common integrations of identity federation has been with SaaS platforms. By extending Active Directory, users can utilize Salesforce's portal and business applications without the need to incorporate additional credentials.
It's important to understand the intricate challenges facing IT managers when it comes to managing identity. With the seemingly exponential growth of virtualization, SaaS architectures and cloud computing, engineers will have to adopt new technologies if they want to overcome security challenges and provide a more seamless experience to their end-user.
ABOUT THE AUTHOR:
Bill Kleyman is the director of technology at World Wide Fittings, a manufacturer and distributor of steel hydraulic tube and fittings headquartered in Niles, Ill. He can be reached at BKleyman@WorldWideFittings.com.