
Using identity federation to lock down your cloud

Avoid rogue identity pools and manage security of cloud-based apps centrally with identity federation.

Building a private or hybrid cloud is a major undertaking, and security and identity management should be important facets in the planning process. In the first part of this series, we outlined seven best practices for securing data in a private cloud. Identity federation can make it easy for IT managers to protect the cloud without complicating how end users access data.

Pushing one or two cloud-based applications into an environment is one thing, but what if a company has 10 or more Software as a Service, Infrastructure as a Service or Platform as a Service applications in the cloud? Identity pools become a serious issue as users struggle to remember multiple credentials.

An end user accessing, for example, would need to log in with one set of credentials. That same user would have to access Amazon Web Services or a hosted Web application using another set of credentials. This creates a new problem in many cloud computing environments: rogue identity pools.

IT teams often have three main security questions about how private cloud will affect the data center:

  1. How can I improve the end-user experience without compromising security?
  2. How can I use a WAN to securely grow my virtual environment and reduce my physical hardware footprint?
  3. How can I enforce corporate security policies and still adopt open access technologies?

The answer to all of these questions is federated identity. Federated identity links a person's electronic identities, attributes and profile information that are stored across multiple identity management systems, so that one trusted authentication can be relied on by all of them. Single sign-on (SSO) is a natural application of federated identity: an end user authenticates once, and that authentication is reused across IT systems, organizations and applications in the cloud.

Identity federation vendors such as Ping Identity Corp. and Layer7 take an existing identity infrastructure and mirror it in the cloud. Ping Identity, for example, develops PingFederate, which extends corporate identities to the cloud. This extension lets an organization control user management, policies and access methods both on the network and within cloud-based apps. PingFederate uses standard identity protocols so that employees, consumers, customers or partners can use a single username and password to access multiple cloud resources.

Citrix's OpenCloud Access (OCA) virtual appliance is another tool that creates a portal for identity federation and SSO. After authenticating once, users need only their corporate credentials to access all cloud-based applications from one portal. With one click, end users can access applications like Ceridian, GoToMeeting and WebEx, each of which has its own set of credentials in the cloud. In its early stages, the OCA component included 107 pre-built cloud application connectors; administrators can create custom HTTP or SAML connectors, depending on the endpoint cloud destination.
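A minimal model of the federation flow described above, added here as an example that is not part of the original article or of any vendor's product: the user authenticates once at the identity provider (IdP), the IdP issues a signed, audience-restricted assertion for each service provider (SP), and each SP verifies the assertion without ever holding a password. It stands in for SAML with a JSON payload and a per-SP shared HMAC key (real SAML uses XML signatures with asymmetric keys); all user names, SP names and keys are constructed values.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed trust relationships: one shared key per service provider (SP).
# In SAML this would be the SP's copy of the IdP signing certificate.
SP_KEYS = {
    "crm.example": b"crm-shared-secret",
    "meetings.example": b"meetings-shared-secret",
}
# The IdP is the only place a credential is stored (constructed user and hash).
USERS = {"alice": hashlib.sha256(b"correct-horse").hexdigest()}


def idp_authenticate(username: str, password: str) -> Optional[str]:
    """One login at the IdP; returns the authenticated subject or None."""
    stored = USERS.get(username)
    supplied = hashlib.sha256(password.encode()).hexdigest()
    if stored and hmac.compare_digest(stored, supplied):
        return username
    return None


def idp_issue_assertion(subject: str, audience: str, now: float, ttl: int = 300) -> dict:
    """Issue an assertion bound to one SP (audience) with a short lifetime."""
    claims = {"sub": subject, "aud": audience, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True)
    sig = hmac.new(SP_KEYS[audience], payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def sp_accept(audience: str, assertion: dict, now: float, seen: set) -> Optional[str]:
    """SP-side check: signature, audience, expiry and replay. No password reaches the SP."""
    key = SP_KEYS[audience]
    expected = hmac.new(key, assertion["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None  # not signed for this SP (wrong key or tampered payload)
    claims = json.loads(assertion["payload"])
    if claims["aud"] != audience or claims["exp"] < now:
        return None  # wrong audience or expired
    if assertion["sig"] in seen:
        return None  # replayed assertion
    seen.add(assertion["sig"])
    return claims["sub"]
```

Because each assertion is bound to one audience and one lifetime, a token issued for the CRM cannot be presented to the meetings service, and a captured token stops working after its expiry or first use.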

Identity federation is a tool not only for SSO but also for data center security and management. It gives cloud managers a way to centrally manage security and gives end users single sign-on for a range of cloud-based applications.

Bill Kleyman, MBA, MISM, is an avid technologist with experience in network infrastructure management. His engineering work includes large virtualization deployments as well as business network design and implementation. Currently, he is a Virtualization Solutions Architect at MTM Technologies, a national IT consulting firm.
