Using identity federation to lock down your cloud

Building a private or hybrid cloud is a major undertaking, and security and identity management should be important facets in the planning process. In the first part of this series, we outlined seven best practices for securing data

    Requires Free Membership to View

in a private cloud. Identity federation can make it easy for IT managers to protect the cloud without complicating how end users access data.

Pushing one or two cloud-based applications into an environment is one thing, but what if a company has 10 or more Software as a Service, Infrastructure as a Service or Platform as a Service applications in the cloud? Identity pools become a serious issue as users struggle to remember multiple credentials.

An end user accessing Salesforce.com, for example, would need to log in with one set of credentials. That same user would have to access Amazon Web Services or a hosted Web application using another set of credentials. This creates a new problem in many cloud computing environments: rogue identity pools.

IT teams often have three main security questions about how private cloud will affect the data center:

  1. How can I improve the end-user experience without compromising security?
  2. How can I use a WAN to securely grow my virtual environment and reduce my physical hardware footprint?
  3. How can I enforce corporate security policies and still adopt open access technologies?

The answer to all of these questions is federated identity. Federated identity involves linking a person's electronic identities, attributes and profile information, which then becomes stored across multiple identity management systems. Single sign-on (SSO) is a viable application for federated identity as it uses an end user's authentication across IT systems, organizations and applications in the cloud.

Identity federation vendors such as Ping Identity Corp. and Layer7 take an existing infrastructure and mirror it in the cloud. Ping Identity, for example, develops PingFederate, which extends corporate identities to the cloud. This extension enables an organization to control user management, policies and access methods on the network and within cloud-based apps. PingFederate uses standard identity protocols that give employees, consumers, customers or partners using a single username or password access multiple cloud resources.

Citrix's OpenCloud Access (OCA) virtual appliance is another tool that creates a portal for identity federation and SSO. After establishing authentication once, users only need corporate credentials to access all cloud-based applications from one portal. With one click, end users can access applications like Ceridian, Salesforce.com, GoToMeeting and WebEx, all of which have their own sets of credentials in the cloud. In its early stages, the OCA component included 107 pre-built cloud application connectors; administrators can create custom HTTP or SAML connectors, depending on the endpoint cloud destination.

Identity federation is a tool not only for SSO but also for data center security and management. It gives cloud managers a way to centrally manage security and gives end users single sign-on for a range of cloud-based applications.

Bill Kleyman, MBA, MISM, is an avid technologist with experience in network infrastructure management. His engineering work includes large virtualization deployments as well as business network design and implementation. Currently, he is a Virtualization Solutions Architect at MTM Technologies, a national IT consulting firm.

This was first published in October 2011

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.