Thursday Nov 19, 2009
Tuesday Nov 17, 2009
By identity on Nov 17, 2009
Ten years ago, while employed by Oracle, I worked on a project where we tried to convince the large North American telcos to act as Application Service Providers (ASP) and host Oracle applications for their customers. We proposed that the combination of existing telco data centers, network connectivity, business customer base and billing infrastructure provided an ideal foundation for such services. At that time, we didn’t get much traction with the telcos, but Oracle went ahead and launched their own ASP service, now known as “Oracle On Demand.”
Now, as Sun awaits acquisition by Oracle, it is interesting to see telco participation in what we now term “Cloud Computing.” On Monday, AT&T announced “Synaptic Compute as a Service(SM), its latest innovative global cloud-based service, designed to give companies of all sizes simple on-demand access to scalable computing capacity.” Ironically, the press release was entitled, “AT&T Unveils Network-Based 'On Demand' Computing for Companies of All Sizes.” I’m not sure what Oracle might think of AT&T’s use of the “On Demand” term.
AT&T is working closely with Sun to use the Sun Cloud Open Cloud Platform, Sun Cloud APIs, cloud reference architecture and design expertise to create an environment to make it easy for developers to build and deploy value-added services.
"Sun is committed to helping our customers and partners deliver public and private clouds that are cost effective, open and interoperable," said Dave Douglas, senior vice president, Cloud Computing, Sun Microsystems. "AT&T's network and operational excellence coupled with Sun's Open Cloud Platform and Sun Cloud APIs delivers a revolutionary cloud offering. We're excited to be working with AT&T to bring an enterprise-class, highly scalable offering that delivers choice and flexibility to market."
The trend towards cloud computing marches on. I think we will see more telco participation in this market. We have long accepted utility telephony services from telecom operators. Offering computing utility services is a logical next step.
By identity on Nov 17, 2009
It was nice to see a short piece covering the CIO Frankly Speaking Breakfast event in Toronto yesterday, where Michelle Dennedy and I fielded questions about Identity Management and Cloud Computing from John Pickett of IT World Canada. I particularly liked the statement made by Michelle, “Identities are now being realized as the true assets for the organization.”
Monday Nov 09, 2009
By identity on Nov 09, 2009
Tomorrow is the first of five “CIO Roundtables” sponsored by CIO Magazine and Sun Microsystems to be held in Washington DC, New York, San Francisco, Vancouver and Toronto. It will be a good experience to participate in each event with Michelle Dennedy, Chief Governance Officer of Cloud Computing for Sun Microsystems, and dozens of CIOs and IT management folks in what promises to be a lively and invigorating discussion of Identity Management issues facing modern enterprises and government institutions. We will address the subject, “Identity Management - Pathway To Enterprise Agility.”
A list of locations and further information are included in a previous post.
Thursday Nov 05, 2009
By identity on Nov 05, 2009
This post is the last in a series of eleven posts I have written about trends in the Identity Management industry.
I am certainly not an expert in the entire field of cloud computing, but find it fascinating to learn about this significant trend in computing technology. I recently read a book entitled, “The Big Switch: Re-wiring the World, from Edison to Google,” by Nicholas Carr, which proposed that the shift from traditional data center computing to a utility-based computing model will follow the same general trend that electricity generation followed – from a model of each individual factory maintaining its own electricity generation capability to our current utility-based electricity generation and grid delivery model. While I agree that the general direction is correct, there are several factors which make a move to utility computing much more difficult than a move to utility electricity generation. I’ll address some of my thoughts about those differences in a future blog post.
Nevertheless, we can see that just like Identity is a core platform technology for computing in traditional enterprise IT environments, Identity is a critical foundation for cloud computing or utility computing. Identity may be a component of cloud computing infrastructure, or exposed as a separate set of services in the form of Identity as a Service (IDaaS).
In some ways, the challenges and solutions for Identity in the Cloud are similar to those for Identity in a traditional data center. However, there is increased technical and administrative/legal complexity because of the locations and the increased number of physical and virtual components involved.
A few of the areas of increased complexity include:
- Scale and distribution: Large numbers of accounts on large numbers of servers distributed globally.
- Division of responsibility: The different levels of cloud computing – Infrastructure as a Service, Platform as a Service and Software as a Service - may be split between different service providers.
- Security Policy: Logging and auditing are essential to assure that cloud providers are not circumventing or compromising security policy.
- Risk Management: Risk profiles are different for cloud users, depending on type of company (e.g. difference between SMB and high profile public company).
- Legal and administrative: Control of Identity is often delegated to external parties, so more complex trust relationships must be put in place.
- Pricing: How will Identity Services in the cloud be priced? How can the business value of Identity Services be quantified?
- Governance: How will Identity governance procedures become more complex as the number of stakeholders and individual companies increases?
One example of this increased complexity was highlighted in a recent legal case, where a lawsuit filed against eBay in Pennsylvania was transferred to Santa Clara, California because of a clause in eBay’s user agreement. As with many areas of technology advancement, I expect that the legal and procedural issues associated with cloud computing will be as challenging as the technologies involved.
A number of companies are emerging with the express emphasis of Identity Management in Cloud computing. A couple of such companies I have recently connected with are Symplified and Conformity. I expect many more will emerge and that existing vendors of Identity Management software will release software versions specifically tailored for cloud computing.
For example, some interesting discussions about cloud computing have been held with Oracle recently. When asked about cloud computing by Ed Zander at the Churchill Club on September 21, 2009, Larry Ellison remarked, “just a lot of water vapor – nothing new!”
On the surface, it would seem that Larry was denigrating the whole idea of cloud computing. However, further discussions revealed that Larry thinks that cloud computing is just another label for technology that has been around for a while. Oracle has been offering their ERP applications in a hosted, pay-as-you-go model for a decade. I actually worked on that initiative while employed by Oracle nearly ten years ago.
Coincidentally, the day I heard about Larry Ellison’s comments at the Churchill Club, I learned that Nishant Kaushik of Oracle had recently given an interesting presentation entitled “Identity Services And The Cloud.” He also gave a follow-on presentation at Oracle Open World, entitled, “Identity Management in the Cloud: Stormy Days Ahead?” Clearly, Oracle is right in the middle of addressing the issues surrounding Identity in the Cloud.
Questions to consider:
As you consider the implications of Identity Management as it applies to cloud computing, perhaps these questions will help:
- How does your enterprise use cloud-based computing now?
- What are your plans for the future?
- How do you plan to leverage your existing Identity infrastructure as you adopt more cloud-based computing models?
- What information security challenges do you see in extending Identity and Access Management into the cloud?
- How will inclusion of multiple cloud computing vendors affect your privacy protection methods?
- How will you comply with internal and external audit requirements as you adopt cloud computing principles?
Tuesday Sep 01, 2009
By identity on Sep 01, 2009
While listening this morning to Glenn Brunette’s excellent webinar entitled, “Safety First: Protecting Your Services in the Cloud,” I was introduced to the Cloud Security Alliance, of which Glenn is a founding member. I was intrigued by the document published by the Alliance in April 2009, entitled, “Security Guidance for Critical Areas of Focus in Cloud Computing.” This initial report from the Alliance outlines “areas of concern and guidance for organizations adopting cloud computing. The intention is to provide security practitioners with a comprehensive roadmap for being proactive in developing positive and secure relationships with cloud providers.” The report outlines 15 domains or areas of concerns that should be addressed by stakeholders in cloud computing initiatives.
I focused primarily on the section entitled “Domain 13: Identity and Access Management,” authored by Subra Kumaraswamy, Senior Security Manager, Sun Microsystems and Jim Reavis, Co-founder & Acting Executive Director, Cloud Security Alliance. The executive summary of the document provided five key recommendations regarding IAM in the cloud:
- The key critical success factor to managing identities at cloud providers is to have a robust federated identity management architecture and strategy internal to the organization.
- Insist upon standards enabling federation: primarily SAML, WS-Federation and Liberty ID-FF federation
- Validate that cloud providers either support strong authentication natively or via delegation, and support robust password policies that meet and exceed cloud customer internal policies.
- Understand that the current state of granular application authorization on the part of cloud providers is non-existent or proprietary.
- Consider implementing Single Sign-on (SSO) for internal applications and leveraging this architecture for cloud applications.
- Using cloud-based “Identity as a Service” providers may be a useful tool for outsourcing some identity management capabilities and facilitating federated identity management with cloud providers. For example, they may be useful for abstracting and managing complexities such as differing versions of SAML, etc. Be aware that they become a critical new cloud provider for your organization and must be vetted with this broad guidance document.
Some of the key points I gleaned from the IAM section include:
Supporting today’s aggressive adoption by the business of an admittedly immature cloud ecosystem requires an honest assessment of an organization’s readiness to conduct cloud-based Identity and Access Management (IAM), as well as understanding the capabilities of that organization’s cloud computing providers. …
Standards support for achieving IdM federation with your cloud providers is crucial. … It appears as though SAML is emerging as the leading standard that enables single sign-on (SSO). …
You should understand the cloud provider's support for user management processes including user provisioning, de-provisioning and overall lifecycle management of users and access in the cloud in an automated way. …
You also need to perform due diligence to assure that the cloud provider's password policies and strong authentication capabilities meet or exceed your own policies and requirements. …
As a long term strategy, customers should be advocating for greater support of XACML-compliant entitlement management on the part of cloud providers, even if XACML has not been implemented internally. …
A good strategy towards the maturation of your own IdM in order to make it “cloud friendly” is to start enabling SSO within your own enterprise applications, for your existing user base of employees, partners and contractors. …
One of the investments you may consider is an Identity as a Service solution to bridge between cloud providers or even outsource some Identity Mgt functions. …
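Several of the recommendations above hang together in practice: the federation IdP asserts who the user is and how strongly they authenticated, and the cloud application still needs a granular, auditable authorization decision, which is the gap the XACML recommendation addresses. The following is an added illustration, not code from the Cloud Security Alliance guidance, from Sun, or from any vendor product. It models the core XACML decision semantics (policy targets, rules with Permit/Deny effects, the deny-overrides combining algorithm, and fail-closed default deny) over attributes shaped like a SAML attribute statement. The policy, the trusted IdP URLs, the `assurance_level` attribute and the payroll application are all constructed for the example; a real deployment would validate the signed assertion before any of this runs.

```python
"""Minimal attribute-based policy decision point modelled on XACML semantics.

Added example; not code from the CSA guidance or any product. Every policy,
attribute name and identifier below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Identity providers this application federates with (constructed values).
TRUSTED_IDPS = {"https://idp.example-corp.test/saml", "https://idaas.example-broker.test"}

Request = Dict[str, object]


@dataclass
class Rule:
    effect: str                           # PERMIT or DENY
    condition: Callable[[Request], bool]  # evaluated against subject/resource/action
    description: str                      # recorded so the decision can be audited


@dataclass
class Policy:
    name: str
    target: Callable[[Request], bool]     # does this policy apply to the request at all?
    rules: List[Rule]


def evaluate_policy(policy: Policy, request: Request) -> Tuple[str, List[str]]:
    """Evaluate one policy with deny-overrides: any matching Deny rule wins,
    otherwise any matching Permit, otherwise the policy is NotApplicable."""
    if not policy.target(request):
        return NOT_APPLICABLE, []
    fired = [r for r in policy.rules if r.condition(request)]
    for effect in (DENY, PERMIT):
        hits = [f"{policy.name}: {r.description}" for r in fired if r.effect == effect]
        if hits:
            return effect, hits
    return NOT_APPLICABLE, []


def decide(policies: List[Policy], request: Request) -> Tuple[str, List[str]]:
    """Policy-set decision: deny-overrides across policies, and anything that is
    not an explicit Permit (including NotApplicable) fails closed to Deny.
    The returned reasons are what the enforcement point should log for audit."""
    outcomes = [evaluate_policy(p, request) for p in policies]
    for effect in (DENY, PERMIT):
        reasons = [why for eff, whys in outcomes if eff == effect for why in whys]
        if reasons:
            return effect, reasons
    return DENY, ["no applicable policy; default deny"]


def request_from_assertion(attrs: Dict[str, object], idp: str, app: str, action: str) -> Request:
    """Build a decision request from attributes a federation IdP asserted about the
    user (the shape of a SAML attribute statement; the attribute names are constructed)."""
    return {
        "subject": {
            "id": attrs.get("uid"),
            "groups": set(attrs.get("groups", [])),
            # authentication strength reported by the IdP: 1 = password only, 2 = multi-factor
            "assurance_level": int(attrs.get("assurance_level", 1)),
            "idp": idp,
        },
        "resource": {"app": app},
        "action": action,
    }


# Constructed policy for a hypothetical cloud-hosted payroll application.
PAYROLL_POLICY = Policy(
    name="payroll",
    target=lambda r: r["resource"]["app"] == "payroll",
    rules=[
        Rule(DENY, lambda r: r["subject"]["idp"] not in TRUSTED_IDPS,
             "assertion not from a federated, trusted IdP"),
        Rule(DENY, lambda r: r["action"] == "write" and r["subject"]["assurance_level"] < 2,
             "write requires multi-factor authentication at the IdP"),
        Rule(PERMIT, lambda r: r["action"] == "read" and "hr" in r["subject"]["groups"],
             "HR staff may read payroll"),
        Rule(PERMIT, lambda r: r["action"] in ("read", "write") and "hr-admin" in r["subject"]["groups"],
             "HR administrators may read and write payroll"),
    ],
)
POLICIES = [PAYROLL_POLICY]

if __name__ == "__main__":
    alice = request_from_assertion({"uid": "alice", "groups": ["hr"], "assurance_level": 2},
                                   "https://idp.example-corp.test/saml", "payroll", "read")
    print(decide(POLICIES, alice))
```

The two Deny rules are where the federation and strong-authentication recommendations meet authorization: an assertion from an IdP outside the trust list, or a sensitive action performed after password-only authentication, is refused regardless of group membership, and the reason string gives the audit trail the guidance asks for.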
I will join Sun colleagues on a conference call tomorrow to explore the topic: “What is the same and what is different about the task of integrating a new app when it is in the cloud vs. internal?” I’ll report back on what we learn from each other.
Thursday Jun 18, 2009
By identity on Jun 18, 2009
"Isos Technology has moved their entire server infrastructure into the Amazon Web Services (AWS) cloud. All web, application and database server components have been installed and bundled in Amazon Machine Images (AMI), which can be used to create cloned instances of each migrated server. All persistent data has been moved to Amazon's Elastic Block Storage (EBS) drives, ensuring the data is not lost if the servers are shut down. An additional benefit is that any of these drives can be moved to new instances of the AMIs for instant scalability if the load on any of the components warrants the addition of a new instance. The server instances are reserved instances which guarantee availability and decrease costs. Elastic IP addresses have been associated with the new servers and registered with Isos' registrar to allow the outside world access to all of the content which was previously available from Isos."
With all the focus on cloud computing today, it is always interesting to learn of companies that are actually using this technology. It will be interesting to hear from Isos in a couple of years to learn if they made the right decision.
Technorati Tags: CloudComputing, AmazonWebServices
Discovering Identity was founded on blogs.sun.com in May 2005 as a means of documenting my exploration of the field of Identity and Access Management. In February, 2010, I switched to hosting the blog at DiscoveringIdentity.com. In March 2012, I began posting Oracle-related information in both places.