Cloud-Based Identity Management Systems: What to Look For

On the Internet, famously, nobody knows that you're a dog. Fine, you're a dog. But whose dog are you? Are you authorized to use the doggy door? Eat from the food bowl? Sleep in the dog bed? Bark at intruders? Ultimately, are you a good dog?

With a real-life dog, you can check the ID tag on the pet collar. What about authorized people or applications to use enterprise applications and networks? Traditionally, that's the realm of server-based identity and access management (IAM) systems such as Microsoft's Active Directory or a Linux-based Lightweight Directory Access Protocol (LDAP) server.

In the cloud era, there are new cloud-native IAM packages that work more efficiently.

Before we dive into some of the choices, let's look at the features and functions of an IAM system. An IAM package -- on-premises systems such as Active Directory or LDAP server -- does more than say "access permitted" or "access denied."

There are ranges of protection and of access control, governing everything from permission to use a WiFi network to being able to use a single sign-on (SSO) package to gain access to cloud servers, to being granted (or denied) administrative privileges, to being granted (or denied) access to some data fields or functions within applications.

For example, take a human-resources database: Most workers might be given limited access, such as to look up contact information for other employees -- but only HR staff might be able to access payroll data. Even there, data access could be constrained on a need-to-know basis. An IAM system should be able to handle broad access -- like to the WiFi or to SSO -- as well as being able to reach deep into applications to govern fine-grained access controls.

From cloud to multicloud
A small company might be able to work fine with an IAM system that works across a single cloud service -- Amazon Web Services, for example.

However, an enterprise-grade IAM should be able to work across multiple network domains, including multiple clouds -- Google Cloud Platform, Microsoft Azure, AWS -- on-premises data center applications, and even hosted software-as-a-service, like Salesforce.

Being able to scale to multiple domains is where the concept of federation comes in. Federation can integrate and synchronize several IAM systems together across disparate networks, operating systems, and application platforms. Even simpler, however, are IAM platforms that run natively on multiple clouds and in the data center, so that there's only a single identity platform to install, manage, update and debug.

Hard-core Microsoft shops have one key advantage when it comes to IAM, in that on-premise Active Directory and Microsoft's online services are tightly integrated. That includes Microsoft's Identity Manager, Azure Multi-Factor Authentication, and Azure Active Directory. Federating on-premise and cloud-based IAM is probably easier than with any other cloud provider's platform.

So, if you're a Microsoft shop, you can stop reading.

It's not so easy elsewhere. AWS offers a strong Identity and Access Management system, included at no extra cost with AWS accounts. The AWS system includes federation functions using the Security Assertion Markup Language 2.0 (SAML) standard, as well as tools such as Amazon Cognito to provide IAM options for web and mobile users. For those using Active Directory on-site, but wanting to use AWS in the cloud, Amazon also offers a non-SAML integration tool, called Amazon Directory Service for Microsoft Active Directory.

The tools are there, but it's up to you -- or your consultants -- to do the heavy lifting and make sure that everything is working properly.

---

Boost your understanding of new cyber security approaches at Light Reading's Automating Seamless Security in Carrier & Enterprise Networks event on October 17 in Chicago! Service providers and enterprises receive FREE passes. All others can save 20% off passes using the code LR20 today!

---

IAM solutions for Google Cloud Platform are offered in two tiers: free and paid.

The Cloud Identity Free Edition provides basic identity and end-point security services. The paid version adds enterprise security, application management, and mobile device management.

Frankly, I find Google's implementation of IAM more limited than either AWS or Azure; it's more focused on devices and users, and less on fine-grained access controls than other IAM platforms. Federation with other IAM platforms is through a separate cloud product -- Google Firebase -- but it's really geared around federation with social media SSO platforms, like Twitter and Facebook, as well as mobile platforms like Android and iOS.

In other words: Google's IAM isn't out-of-the-box designed to be integrated with other cloud players or enterprise systems. You can do it, but it's a lot of work.

Another option for a complete IAM cloud solution is to choose a dedicated third-party provider. The benefit here is that you're not locked into a specific cloud vendor's solution. The drawbacks: You're locked into the IAM vendor's solution, and of course, there's going to be an extra cost. Don't dismiss the aftermarket out-of-hand, however; it's worth looking into the wide range of vendors in this space, from Auth0 to IAM Cloud to IBM to JumpCloud to Oracle Identity Management to Ping Identity.

You never know, they might have just the features -- and the doggy-door integrations -- that you're looking for.

Related posts:

• Containers in the Cloud Are Great, but Are They Secure?
• Microsoft's GitHub Deal: Following Developers & Security Into the Cloud
• Public Cloud, Part of the Network or Not, Remains a Security Concern
• Cybersecurity & C-Suite: Why Executives Should Take the Lead

— Alan Zeichick is principal analyst at Camden Associates, a technology consultancy in Phoenix, Arizona, specializing in enterprise networking, cybersecurity, and software development. Follow him @zeichick.