Identity Trend 11: Identity in the Cloud
By identity on Nov 05, 2009
This post is the last in a series of eleven posts I have written about trends in the Identity Management industry.
I am certainly not an expert in the entire field of cloud computing, but find it fascinating to learn about this significant trend in computing technology. I recently read a book entitled, “The Big Switch: Re-wiring the World, from Edison to Google,” by Nicholas Carr, which proposed that the shift from traditional data center computing to a utility-based computing model will follow the same general trend that electricity generation followed – from a model of each individual factory maintaining its own electricity generation capability to our current utility-based electricity generation and grid delivery model. While I agree that the general direction is correct, there are several factors which make a move to utility computing much more difficult than a move to utility electricity generation. I’ll address some of my thoughts about those differences in a future blog post.
Nevertheless, we can see that just like Identity is a core platform technology for computing in traditional enterprise IT environments, Identity is a critical foundation for cloud computing or utility computing. Identity may be a component of cloud computing infrastructure, or exposed as a separate set of services in the form of Identity as a Service (IDaaS).
In some ways, the challenges and solutions about Identity in the Cloud are similar to Identity in traditional data center. However, there is increased technical and administrative/legal complexity because of the locations and increased number of physical and virtual components involved.
A few of the areas of increased complexity include:
- Scale and distribution: Large numbers of accounts on large numbers of servers distributed globally.
- Division of responsibility: The different levels of cloud computing – Infrastructure as a Service, Platform as a Service and Software as a Service - may be split between different service providers.
- Security Policy: Logging and auditing are essential to assure that cloud providers are not circumventing or compromising security policy.
- Risk Management: Risk profiles are different for cloud users, depending on type of company (e.g. difference between SMB and high profile public company).
- Legal and administrative: Control of Identity is often be delegated to external parties, so more complex trust relationships must be put in place.
- Pricing. How will Identity Services in the cloud be priced? How can the business value of Identity Services be quantified?
- Governance. How will Identity governance procedures become more complex as the number of stakeholders and individual companies increases?
One example of this increased complexity was highlighted in a recent legal case, where a lawsuit filed against eBay in Pennsylvania was transferred to Santa Clara, California because of a clause in eBay’s user agreement. As with many areas of technology advancement, I expect that legal and procedural issues associated with cloud computing will be a challenging as the technologies involved.
A number of companies are emerging with the express emphasis of Identity Management in Cloud computing. A couple of such companies I have recently connected with are Symplified and Conformity. I expect many more will emerge and that existing vendors of Identity Management software will release software versions specifically tailored for cloud computing.
For example, some interesting discussions about cloud computing have been held with Oracle recently. When asked about cloud computing by Ed Zander at the Churchill Club on September 21, 2009, Larry Ellison remarked, “just a lot of water vapor – nothing new!”
On the surface, it would seem that Larry was denigrating the whole idea of cloud computer. However, further discussions revealed that Larry thinks that cloud computing is just another label for technology that has been around for awhile. Oracle has been offering their ERP applications in a hosted, pay-as-you-go model for a decade. I actually worked on that initiative while employed by Oracle nearly a ten years ago.
Coincidentally, the day I heard about Larry Ellison’s comments at the Churchill Club, I learned that Nishant Kaushik of Oracle had recently given an interesting presentation entitled “Identity Services And The Cloud.” He also gave a follow-on presentation at Oracle Open World, entitled, “Identity Management in the Cloud: Stormy Days Ahead?” Clearly, Oracle is right in the middle of addressing the issues surrounding Identity in the Cloud.
Questions to consider:
As you consider the implications of Identity Management as it applies to cloud computing, perhaps these questions will help:
- How does your enterprise use cloud-based computing now?
- What are your plans for the future?
- How do you plan to leverage your existing Identity infrastructure as you adopt more cloud-based computing models?
- What information security challenges do you see in extending Identity and Access Management into the cloud?
- How will inclusion of multiple cloud computing vendors affect your privacy protection methods?
- How will you will you comply with internal and external audit requirements as you adopt cloud computing principles?