Cloud identity management is a thorny, complex problem. Will we eventually end up with comprehensive platforms for managing cloud identities instead of a series of point solutions? I’m sure we probably will. Will these broad solutions be coming in the near future? Here, I’m a bit more skeptical.
Identity management is frequently named by CIOs as one of the more daunting challenges they face as cloud services proliferate in their organizations. Cloud services by their nature create issues as they’re provided by 3rd parties who each have their own user and identity models. These identity silos create several big issues for enterprise IT:
- Authentication – As they don’t directly control the cloud service, IT wants to make sure a user is identified and validated before they get access to a cloud application and service, say Salesforce.com. Before John the sales rep gets access to the company’s Salesforce.com instance, they want to make sure it’s John logging in, and not someone pretending to be John. Today this is done primarily through passwords, and in some cases more secure methods (two-factor authentication, for example). This creates challenges both for users, who need to manage passwords for every cloud service they use, and for IT, who want to authenticate users across a variety of cloud services.
- Entitlements – IT wants to ensure that the user has the appropriate license type and authorizations they need within a SaaS app or service for their role or function. They want to do this to ensure users don’t have access to data they shouldn’t see, and that the company isn’t paying for licenses and capabilities they don’t need. John, the sales rep, needs to access his accounts, contacts and opportunities within Salesforce.com. He probably doesn’t need access to marketing campaign or customer support capabilities, nor does his company want to pay for it.
- Account management – Finally IT wants to ensure that user accounts are provisioned, managed and deprovisioned in accordance with company policy. IT needs to ensure that new accounts are created in a timely way for new employees, and also deactivated or deprovisioned when an employee leaves. If John is terminated, his access to Salesforce.com needs to be shut off as soon as possible so he doesn’t download the customer and opportunity lists.
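One cheap control against the identity-silo problems just listed is a periodic reconciliation of the HR roster against each SaaS provider's user export: it surfaces accounts with no active employee behind them (deprovision first), entitlements a role should not hold, and active employees with no account. This is an added example, not from the original post; the roster, the SaaS export and the role-to-feature policy are constructed sample data standing in for an HR feed and a provider's admin export or SCIM endpoint.

```python
# Reconcile an HR roster against a SaaS application's user list.
# Added example; all data below is constructed for illustration.

# Which SaaS feature sets each job role may hold (constructed policy).
ALLOWED_FEATURES = {
    "sales_rep": {"sales"},
    "marketing": {"sales", "marketing"},
    "support": {"support"},
}

# Constructed HR feed: one record per employee.
HR_ROSTER = [
    {"email": "john@example.com", "role": "sales_rep", "status": "active"},
    {"email": "mary@example.com", "role": "marketing", "status": "active"},
    {"email": "sam@example.com", "role": "support", "status": "terminated"},
]

# Constructed export from the SaaS admin console.
SAAS_USERS = [
    {"email": "john@example.com", "active": True, "features": {"sales", "marketing"}},
    {"email": "sam@example.com", "active": True, "features": {"support"}},
    {"email": "contractor@example.com", "active": True, "features": {"sales"}},
]


def reconcile(roster, saas_users, policy=ALLOWED_FEATURES):
    """Return findings: orphaned accounts, over-entitled users, missing accounts."""
    by_email = {e["email"].lower(): e for e in roster}
    findings = {"orphaned": [], "over_entitled": [], "missing": []}
    seen = set()
    for user in saas_users:
        email = user["email"].lower()
        seen.add(email)
        emp = by_email.get(email)
        if user["active"] and (emp is None or emp["status"] != "active"):
            # Active SaaS account with no active employee: a leaver or an unknown
            # identity. This is the deprovisioning gap the post describes.
            findings["orphaned"].append(email)
            continue
        if emp is not None:
            # Features the account holds beyond what the role is allowed.
            extra = user["features"] - policy.get(emp["role"], set())
            if extra:
                findings["over_entitled"].append((email, sorted(extra)))
    for emp in roster:
        # Joiner with no account yet, or an account the provider no longer lists.
        if emp["status"] == "active" and emp["email"].lower() not in seen:
            findings["missing"].append(emp["email"].lower())
    return findings
```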
These problems were much easier to solve in the on-premise world where business applications could be integrated with existing directories and identity stores. So, given the attention it’s getting, why hasn’t the cloud identity problem been solved yet? Four big reasons come to mind:
- Proliferation of cloud services – Early cloud identity management use cases focused just on SaaS, and how to integrate user authentication and authorization across multiple SaaS applications with corporate directories (LDAP, Microsoft Active Directory). With the growing adoption of PaaS and IaaS in the enterprise, the nature of the cloud identity problem is evolving rapidly. As Ben Kepes noted in a recent post, cloud identity now needs to be woven through not just a complex variety of cloud applications and services, but also the social fabric of the organization. With the requirements for cloud identity evolving this quickly, it’s not a surprise that the identity solutions market hasn’t been able to keep up.
- Lack of standards adoption – A variety of standards have emerged or are being applied to the cloud identity problem, including SAML, OAuth, SCIM and others, which provide standard mechanisms for user authentication, authorization and provisioning. Unfortunately, adoption and support of these standards among major cloud service providers is inconsistent at best. Without standards adoption, cloud identity vendors and enterprises need to take the ‘brute force’ approach, developing custom cloud identity integrations for each different cloud service provider, which ends up being expensive to develop and maintain, and does not scale.
- Personal clouds and social identities – The growing trend of knowledge workers bringing their own ‘personal clouds’ and social identities to the workplace is an issue that many enterprises haven’t wrestled to the ground from a policy perspective. The question of how personal and professional identities can coexist in the enterprise hasn’t yet been successfully addressed. In addition, the potential role of Facebook, Twitter, or Google in corporate identity management has yet to be fully explored.
- Insufficient customer ‘pain’ – The cloud identity problem hasn’t been solved, but it doesn’t look like that’s stopping cloud adoption in the enterprise. This raises an interesting question: will enterprises be willing to live with more costly manual approaches (and the associated risks) to cloud identity management? While spreadsheet and email coordination between SaaS administrators may not be the most elegant solution, will it be the most practical? Customer ROIs for identity are notoriously soft, with purchases driven by compliance or security requirements. Previously, the on-premise identity software market didn’t take off until Congress forced the issue through SOX regulations. Will the cloud identity management market require a similar mandate before it blooms?
One way or another, the cloud identity management problem will be solved, eventually. The key question is when, and will the solution look anything like what we expect today?