Mapping IAM to the Cloud: IAM is growing beyond the premises / Cloud
Although the term ‘Global Village’ is already celebrating its 53rd birthday this year (according to Wikipedia, it was introduced by Marshall McLuhan in his book “The Gutenberg Galaxy: The Making of Typographic Man” in 1962), it has never been more prevalent. Looking at a typical company setup today, everything seems globally interwoven: teams, processes, IT systems. As one consequence, IAM systems are challenged to consider and cover this flexibility in their concepts.
Within this structural change, the most attention is probably given to the idea of Cloud Computing.
Mapping IAM to the Cloud
When mapping Cloud Computing to IAM, several aspects need to be considered:
Provisioning to Cloud Applications
When speaking about the Cloud, most people think of cloud applications like Google’s Picasa. Although such consumer-oriented applications are not the focus of our business customers, there is a growing number of cloud services for enterprises, such as Salesforce.com, Dropbox-like file hosting services or Office 365. Such applications must somehow be integrated into the company-wide IAM concept.
But how to interface with applications in the Cloud? For account provisioning, SCIM (System for Cross-Domain Identity Management) is increasingly becoming the industry standard. It will be interesting to see whether the current trend towards SCIM continues and a larger number of application vendors join this standard. Many (but unfortunately still far from all) vendors of cloud applications support this interface. An increasing number of Beta Systems’ customers have already implemented SCIM connections to their cloud-based applications with SAM Enterprise.
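As an added example (not Beta Systems’ or SAM Enterprise code), the following Python sketch shows what a SCIM 2.0 (RFC 7644) provisioning run from an IAM system to a cloud application looks like: it compares the IAM’s desired identities with the application’s /Users listing, correlated by externalId, and emits the create and activate/deactivate calls needed. The identity data and the application’s response are constructed sample values; the HTTP transport itself is left out.

```python
# Added example (not Beta Systems / SAM Enterprise code): compute the SCIM 2.0
# (RFC 7644) calls an IAM system must send so a cloud application's accounts
# match the IAM's desired state. Accounts are correlated via externalId.
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def user_body(identity):
    """POST /Users body for an identity dict {externalId, userName, email, active}."""
    return {
        "schemas": [USER_SCHEMA],
        "externalId": identity["externalId"],   # IAM-side key the app stores for correlation
        "userName": identity["userName"],
        "emails": [{"value": identity["email"], "primary": True}],
        "active": identity["active"],
    }

def patch_active(active):
    """PATCH /Users/{id} body that only toggles the account's active flag."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": active}]}

def plan_provisioning(desired, list_response):
    """Return (method, path, body) tuples. desired = IAM identities,
    list_response = decoded JSON of GET /Users from the cloud application."""
    actual = {r["externalId"]: r for r in list_response["Resources"] if r.get("externalId")}
    ops = []
    for ident in desired:
        current = actual.pop(ident["externalId"], None)
        if current is None:
            ops.append(("POST", "/Users", user_body(ident)))
        elif current.get("active") != ident["active"]:
            ops.append(("PATCH", f"/Users/{current['id']}", patch_active(ident["active"])))
    # Accounts the app knows but IAM does not: deactivate rather than delete blindly,
    # so the orphan cannot be used while it is investigated.
    for orphan in actual.values():
        if orphan.get("active", True):
            ops.append(("PATCH", f"/Users/{orphan['id']}", patch_active(False)))
    return ops

# Constructed sample data: two identities in IAM, two accounts in the cloud app.
IAM_IDENTITIES = [
    {"externalId": "emp-1001", "userName": "a.smith", "email": "a.smith@example.com", "active": True},
    {"externalId": "emp-1002", "userName": "b.jones", "email": "b.jones@example.com", "active": False},
]
APP_USERS = {"Resources": [
    {"id": "u1", "externalId": "emp-1002", "userName": "b.jones", "active": True},
    {"id": "u2", "externalId": "ext-9", "userName": "old.contractor", "active": True},
]}

if __name__ == "__main__":
    for method, path, body in plan_provisioning(IAM_IDENTITIES, APP_USERS):
        print(method, path, body)
```

Running it yields one POST (a.smith is new), one PATCH deactivating b.jones (left in HR, still active in the app) and one PATCH deactivating the orphaned contractor account that IAM no longer knows.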
Provisioning in Private Cloud Environments
With everybody putting the focus on internet-based / public cloud applications, the large number of private cloud scenarios must not be forgotten. Long before the term ‘Cloud Computing’ became widely known, companies tended to outsource and outtask the operation of single IT applications or even the entire IT environment to external service providers. From an IAM perspective, all such concepts are Private Cloud environments, since the target application is located somewhere outside the corporate premises from the IAM system’s point of view. The cloud-specific distinction of usage/subscription-based accounting is of no relevance to the technological IAM challenge.
In this context, the challenge for IAM comes with the distributed IT environments and organizations. Provisioning accounts in applications that run in a private cloud environment requires a stable, low-maintenance and self-contained concept for addressing remote applications. A similar complexity is found if your IAM system is in control of applications from organizationally independent subsidiaries or joint ventures. Beta Systems covers this scenario by using agent-less connector concepts wherever possible. In combination with fault-tolerant, bidirectional communication and a fast deployment concept, SAM Enterprise provides maximum control over your remote application network.
IAMaaS / Running in the cloud
With the growing maturity of IAM concepts and the general call for IT cost reduction, the idea of simplification in IAM has become one of the market drivers over the past years. One suitable move to reduce the complexity of IAM is to run IAM in the cloud. With this idea, customers hope for multiple advantages, ranging from economies of scale for the cloud platform, over the reduced skill set needed to run IAM, to preconfigured governance concepts and applications. While some of these expectations can’t be served today, several benefits really do apply to a cloud-based IAM operation. Running SAM Enterprise in a (private) cloud environment helps many customers to reduce the opex for IAM significantly.
Within our partner network, Beta Systems can provide the required experts, who help our customers to implement and run their IAM solution with the lowest possible investment in IAM expertise and infrastructure. With our existing preconfigured, standardized implementation templates, we help our customers to unify the IAM setup as much as possible. Based on our experience, the complexity and individuality of IAM can be served by private cloud instances of such preconfigured systems. The need for, and degree of, customer-specific adaptations to such solutions has kept us and other vendors from offering a truly unified private and public cloud IAM solution to the market.
Managing off-premises users
More and more, companies are relying on teamwork with external cooperative units. Freelancers, partners, vendors or customers: to some extent each of these groups requires access to a company’s applications. For IAM systems, this extension of user types is driving the need for distributed administration concepts. With this growing number of off-premises user types, HR (Human Resources) is no longer in control of the on-/offboarding processes for all users. To serve this scenario, IAM must find ways to allow the distributed administration of (often project-related or time-limited) access rights.
With SAM Enterprise, the flexible internal security (ISEC), in combination with the consideration of given organizational structures (access codes), allows customers to grant fine-grained administrative rights individually and to process access rights selectively for each specific user group. In addition, the data model of SAM Enterprise allows the detailed tagging and characterization of user types, which can drive the administration of their individual access rights. By using Beta Systems’ browser-based IAM applications, all access governance tools are also available to users coming from outside the corporate premises.
Federation with other IAM authorities
But the management of off-premises users is not limited to concepts of remote or distributed administration. The number of installations with identity federations has grown over the past few years. The federation concept is based on the idea that trust relationships between multiple identity providers / Identity & Access Management systems allow each individual identity to be managed in just one system, while a cross-system single sign-on is established in which the managing system affirms the identity of a user to all the other connected systems (SAML assertion).
Beta Systems supports federation systems / Identity Providers (IDPs) by governing the users that are subject to control by the IDP. In this scenario, SAM Enterprise propagates the applicable user information to the IDP directory. With this concept, companies can utilize the same management processes (e.g. transfer of all user data from HR into the IAM) for traditional IAM and for the federation services to external trusts. In addition, Beta Systems is associated via informal partnerships with several IDP vendors to provide a joint solution approach for IAM federation on a project-by-project basis.
Web access for external users
In many customer use cases, the number of users coming from outside the premises outnumbers the core corporate users by far. Very often, these external users / customers are limited in their access rights to a small number of applications. These external users are also typically not subject to complex and dynamic role-based concepts. Generally speaking, the access rights for these external users follow a unified pattern, where each user gets a standardized access and feature set for his individual data pool. In this scenario, the major challenge lies in the security concept and not in the access management features. Similar to firewall applications, the web access for external users must handle typical internet vulnerabilities like massive denial of service attacks. This is the reason why such special applications are also called ‘Web Access Firewalls’. Beta Systems is cooperating with a couple of leading vendors of WAF technologies. In this cooperation, SAM Enterprise provisions the accounts for external users to the WAF system, which manages the secure log-on process (also in combination with federation SSO technologies) and the tunneling of logged-in users to the entitled applications.