Why Is Cloud Identity Such a Hard Problem?

Cloud identity management is a thorny, complex problem. Will we eventually end up with comprehensive platforms for managing cloud identities instead of a series of point solutions? I’m sure we probably will. Will these broad solutions be coming in the near future? Here, I’m a bit more skeptical.

Identity management is frequently named by CIOs as one of the more daunting challenges they face as cloud services proliferate in their organizations. Cloud services by their nature create issues, as they’re provided by third parties who each have their own user and identity models. These identity silos create several big issues for enterprise IT:

  • Authentication – As they don’t directly control the cloud service, IT wants to make sure a user is identified and validated before they get access to a cloud application and service, say Salesforce.com.   Before John the sales rep gets access to the company’s Salesforce.com instance, they want to make sure it’s John logging in, and not someone pretending to be John.  Today this is done primarily through passwords, and in some cases more secure methods (two-factor authentication, for example).  This creates challenges both for users, who need to manage passwords for every cloud service they use, and for IT, who want to authenticate users across a variety of cloud services.
  • Entitlements – IT wants to ensure that the user has the appropriate license type and authorizations they need within a SaaS app or service for their role or function.  They want to do this to ensure users don’t have access to data they shouldn’t see, and that the company isn’t paying for licenses and capabilities they don’t need.   John, the sales rep, needs to access his accounts, contacts and opportunities within Salesforce.com.  He probably doesn’t need access to marketing campaign or customer support capabilities, nor does his company want to pay for it.
  • Account management – Finally IT wants to ensure that user accounts are provisioned, managed and deprovisioned in accordance with company policy.  IT needs to ensure that new accounts are created in a timely way for new employees, and also deactivated or deprovisioned when an employee leaves.   If John is terminated, his access to Salesforce.com needs to be shut off as soon as possible so he doesn’t download the customer and opportunity lists.

These problems were much easier to solve in the on-premise world where business applications could be integrated with existing directories and identity stores.  So, given the attention it’s getting, why hasn’t the cloud identity problem been solved yet?  Four big reasons come to mind:

  1. Proliferation of cloud services – Early cloud identity management use cases focused just on SaaS, and how to integrate user authentication and authorization across multiple SaaS applications with corporate directories (LDAP, Microsoft Active Directory). With the growing adoption of PaaS and IaaS in the enterprise, the nature of the cloud identity problem is rapidly evolving and changing. As Ben Kepes noted in a recent post, cloud identity now needs to be woven through not just a complex variety of cloud applications and services, but also the social fabric of the organization. With the requirements for cloud identity evolving this rapidly, it’s not a surprise that the identity solutions market hasn’t been able to keep up.
  2. Lack of standards adoption – A variety of standards have emerged or are being applied towards the cloud identity problem, including SAML, OAuth, SCIM and others, which provide standards for user authentication, authorization and provisioning. Unfortunately, adoption and support of these standards among major cloud service providers is inconsistent at best. Without standards adoption, cloud identity vendors and enterprises need to take the ‘brute force’ approach, developing custom cloud identity integrations into each different cloud service provider, which ends up being expensive to develop and maintain, and non-scalable.
  3. Personal clouds and social identities – The growing trend of knowledge workers bringing their own ‘personal clouds’ and social identities to the workplace is an issue that many enterprises haven’t wrestled to the ground from a policy perspective. The issue of how personal and professional identities can coexist in the enterprise hasn’t yet been successfully addressed. In addition, the potential role of Facebook, Twitter, or Google in corporate identity management has yet to be fully explored.
  4. Insufficient customer ‘pain’ – The cloud identity problem hasn’t been solved, but it doesn’t look like that’s stopping cloud adoption in the enterprise.   This raises an interesting question: will enterprises be willing to live with more costly manual approaches (and the associated risks) towards cloud identity management?  While spreadsheet and email coordination between SaaS administrators may not be the most elegant solution, will it be the most practical?   Customer ROIs for identity are notoriously soft, with purchase driven by compliance or security requirements.   Previously, the on-premise identity software market didn’t take off until Congress forced the issue through SOX regulations.  Will the cloud identity management market require a similar mandate before it blooms?
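The three problems listed earlier (authentication, entitlements, account management) and the SCIM standard named under point 2 can be tied together in one small piece of code. The following is an added example, not code from the original post: it reconciles a corporate directory (the source of truth) against a SaaS tenant that holds SCIM 2.0-style User resources, mapping each role to a license type and a set of capabilities, creating accounts for joiners, correcting entitlement drift, and disabling leavers and orphaned accounts so their licenses are freed. The directory, the tenant contents, the role-to-entitlement table and the `x-license`/`x-permissions` attributes are constructed assumptions for illustration.

```python
"""Reconcile a corporate directory against a SaaS tenant using SCIM 2.0-style
user resources.  Added example, not code from the original post: the directory,
the tenant and the role-to-entitlement table are constructed stand-ins."""
from dataclasses import dataclass, field

# Assumed mapping from a job role to the SaaS license type and the capabilities
# that role may use.  A sales rep gets accounts, contacts and opportunities,
# and nothing from marketing or support.
ENTITLEMENTS = {
    "sales_rep": ("Sales Cloud", {"accounts", "contacts", "opportunities"}),
    "marketing": ("Marketing Cloud", {"campaigns"}),
    "support": ("Service Cloud", {"cases"}),
}
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


@dataclass
class DirectoryUser:
    """Source of truth (HR feed or corporate directory)."""
    user_name: str
    role: str
    active: bool


@dataclass
class ScimUser:
    """Subset of a SCIM 2.0 User resource as held by the SaaS tenant."""
    userName: str
    active: bool
    license: str = "none"
    permissions: set = field(default_factory=set)

    def to_scim(self):
        # `x-license` and `x-permissions` stand in for a vendor extension schema (assumed).
        return {
            "schemas": [SCIM_USER_SCHEMA],
            "userName": self.userName,
            "active": self.active,
            "x-license": self.license,
            "x-permissions": sorted(self.permissions),
        }


def reconcile(directory, tenant):
    """Bring `tenant` (dict userName -> ScimUser) in line with `directory`.

    Returns the list of (operation, userName) a SCIM client would send as
    POST /Users, PATCH /Users/{id}, or PATCH active=false."""
    ops = []
    for person in directory:
        license_type, perms = ENTITLEMENTS.get(person.role, ("none", set()))
        account = tenant.get(person.user_name)
        if not person.active:
            # Leaver: disable rather than delete; this frees the license and
            # keeps the audit trail.
            if account is not None and account.active:
                account.active = False
                account.permissions = set()
                ops.append(("deprovision", person.user_name))
            continue
        if account is None:
            tenant[person.user_name] = ScimUser(person.user_name, True, license_type, set(perms))
            ops.append(("create", person.user_name))
        elif (account.license, account.permissions, account.active) != (license_type, perms, True):
            # Entitlement drift: the SaaS side no longer matches the role.
            account.license, account.permissions, account.active = license_type, set(perms), True
            ops.append(("update", person.user_name))
    # Accounts that exist in the tenant but have no directory record at all.
    known = {p.user_name for p in directory}
    for name, account in tenant.items():
        if name not in known and account.active:
            account.active = False
            account.permissions = set()
            ops.append(("orphan-disabled", name))
    return ops


def active_license_count(tenant):
    return sum(1 for a in tenant.values() if a.active)


def sample_data():
    """Constructed directory and tenant state covering every drift case."""
    directory = [
        DirectoryUser("john@example.com", "sales_rep", True),
        DirectoryUser("mary@example.com", "marketing", True),  # new hire, not yet in the SaaS
        DirectoryUser("bob@example.com", "support", False),    # terminated
    ]
    tenant = {
        "john@example.com": ScimUser("john@example.com", True, "Marketing Cloud", {"campaigns", "accounts"}),
        "bob@example.com": ScimUser("bob@example.com", True, "Service Cloud", {"cases"}),
        "ghost@example.com": ScimUser("ghost@example.com", True, "Sales Cloud", {"accounts"}),
    }
    return directory, tenant


def run_demo():
    directory, tenant = sample_data()
    return reconcile(directory, tenant), tenant


if __name__ == "__main__":
    ops, tenant = run_demo()
    for op in ops:
        print(op)
    print("active licenses:", active_license_count(tenant))
```

Running it a second time against the same tenant yields no operations, which is the property a scheduled reconciliation job needs; the deprovision and orphan branches are where a terminated user such as John loses access before he can export the opportunity list.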

One way or another, the cloud identity management problem will be solved, eventually.  The key question is when, and will the solution look anything like what we expect today?


  1. Use of unique biological characteristics of a person that can never be copied and used by other persons will soon provide the security that is needed for all cyber environments.

    • Biometrics aren’t the panacea you think. Fingerprints in the digital realm are simply data points, just like other biometric measures. They can be copied, stolen, duplicated. And once someone has stolen your fingerprint, you can’t exactly get a new one.

  2. With biometrics and fingerprints the worst problem is the lack of readers. You should have the reader connected to any device you may use.

    The answer is the mobile device and MPKI (Mobile PKI). The mobile phone is the one thing you always have with you, and it uses a different channel to your service (the operator’s service via the radio network). That means it doesn’t matter which device you use for data; authentication is requested from your phone. In Finland this has been a legal method for many years now for governmental services as well as others. You can steal a phone, but you don’t know the PINs or what it is connected to.

  3. And what about areas where you can’t get a mobile signal? They still exist in lots of places.
    And this requires that every employee of the company has a mobile phone, will that be a company mobile phone? That makes the costs way too high.

  4. Cloud and cross-Cloud identity management can gain from SSO and cross-federation solutions from prior inter-enterprise communications frameworks. Biometrics and mobile phone 2-factor authentication solutions have been available for a number of years. Various interactions between these approaches have provided an increasing level of certainty of one’s identity. BYOD and inter-Cloud services expansions are further accelerating our identity management needs. Mobile devices: phones, tablets, wearable devices provide us with more embedded sensor and location capabilities, from which the industry should be able to develop more “trusted” identity management solutions. These, primarily end device capabilities, can improve authentication capabilities, provide real-time-efficient location, and be an important feedback mechanism which IAM systems can harness. As information security professionals, we need to be open to the advances occurring in device capabilities and seek to incorporate those within traditional systems and management controls disciplines. 30 years in this business and we have more tools available today, than we have ever had. Today’s world is more complex, but looks similar to the past.

  5. At our company, we are very very heavily focused on transitioning our systems to the cloud, and I think we’ve been doing an excellent job. We have a very solid handle on cloud identity and access, and can very tightly integrate our on-prem identity with all of our cloud services from end to end. For example, with SalesForce, all we do is drop you into an AD group, and almost immediately your account is provisioned on SalesForce and your Role, Profile, and access level are all automatically determined based on your Division, Department, Title, and job type within the company (we can also automatically handle edge cases where our predetermined rules don’t apply to you). Logins take place through SAML SSO, and if your access level is high enough, you’re required to use your cellphone for your second-factor authentication. Our second-factor authentication is risk based, so for example, you won’t be required to provide second-factor authentication unless you’re 50 miles away from our offices or your account has logged in from multiple locations (much more goes into it though). Once you leave the company, you immediately lose your SFDC access (and access to all the other on-prem and cloud services), and your account is automatically disabled so your license is freed up. We do a ton more than that and that’s just the basics of it. All of this is very heavily monitored and tracked. Not only do we monitor what goes on in SalesForce, but we also monitor many other points of entry, access, and activity throughout the systems. There’s no single technology that can do all of this, so our solutions are massively customized for our needs and the cloud services we use. However, I think we’ve gotten really good at it. Nowadays, we can pretty much introduce any cloud service and have it fully automated and monitored within weeks.
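The risk-based second-factor policy the commenter above sketches (step up when the access level is high, when the login is more than 50 miles from the office, or when the account has logged in from multiple locations) is the kind of rule an IAM team would want written down as testable code. The following is an added example, not the commenter’s code: it evaluates each login against those three signals using a haversine distance and a simple location-clustering pass over recent login history. The office coordinates, the 25-mile clustering radius, the 24-hour window, the list of high-access levels and the sample logins are all constructed assumptions.

```python
"""Risk-based step-up decision for a SAML SSO login.

Added example modelled on the policy described in the comment above; it is not
the commenter's code.  Office location, thresholds and login history are
constructed for illustration."""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta

OFFICE = (40.7128, -74.0060)            # assumed office location (New York City)
MAX_MILES_WITHOUT_MFA = 50.0             # the "50 miles away" rule from the comment
LOCATION_WINDOW = timedelta(hours=24)    # assumed look-back for "multiple locations"
CLUSTER_RADIUS_MILES = 25.0              # assumed: logins closer than this count as one place
HIGH_ACCESS_LEVELS = {"admin", "finance"}  # assumed levels that always require a second factor


@dataclass
class Login:
    user: str
    when: datetime
    lat: float
    lon: float
    access_level: str


def miles_between(a, b):
    """Great-circle distance in statute miles (haversine formula)."""
    earth_radius_miles = 3958.8
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * earth_radius_miles * math.asin(math.sqrt(h))


def distinct_locations(history, user, now):
    """Count distinct places `user` has logged in from within LOCATION_WINDOW of `now`.

    A greedy clustering: a login joins the first existing cluster within
    CLUSTER_RADIUS_MILES, otherwise it starts a new one."""
    centers = []
    for login in history:
        if login.user != user or not (now - LOCATION_WINDOW <= login.when <= now):
            continue
        point = (login.lat, login.lon)
        if not any(miles_between(point, c) <= CLUSTER_RADIUS_MILES for c in centers):
            centers.append(point)
    return len(centers)


def requires_second_factor(login, history):
    """Return (step_up_required, reason_code) for a login, given prior history."""
    if login.access_level in HIGH_ACCESS_LEVELS:
        return True, "high_access_level"
    if miles_between((login.lat, login.lon), OFFICE) > MAX_MILES_WITHOUT_MFA:
        return True, "far_from_office"
    if distinct_locations(history + [login], login.user, login.when) > 1:
        return True, "multiple_locations"
    return False, "low_risk"


# Constructed sample data: John logged in from the office two hours ago.
NOW = datetime(2013, 6, 1, 9, 0)
SAMPLE_HISTORY = [Login("john", NOW - timedelta(hours=2), 40.7128, -74.0060, "sales_rep")]
CANDIDATES = [
    Login("john", NOW, 40.7357, -74.1724, "sales_rep"),  # Newark: near the office, same cluster
    Login("john", NOW, 42.3601, -71.0589, "sales_rep"),  # Boston: well over 50 miles away
    Login("john", NOW, 41.0534, -73.5387, "sales_rep"),  # Stamford: under 50 miles, but a second place
    Login("mary", NOW, 40.7128, -74.0060, "admin"),      # high access level, even at the office
]


def demo():
    """Evaluate each candidate login; returns (user, step_up_required, reason) tuples."""
    return [(login.user, *requires_second_factor(login, SAMPLE_HISTORY)) for login in CANDIDATES]


if __name__ == "__main__":
    for user, step_up, reason in demo():
        print(f"{user:5} step-up={step_up!s:5} reason={reason}")
```

The order of the checks matters: the high-access and distance rules are evaluated before the history scan, so a far-away login is flagged for distance even when it would also count as a second location. Keeping reason codes rather than free text makes the decisions easy to log and to assert on in tests.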
