Monday Oct 05, 2009

Identity Trend 3: Authorization

This post is the third in a series of eleven posts I am writing about trends in the Identity Management industry.

imageOne might say that simple authorization is like permitting entry through the front gate of an amusement park, while fine grained authorization is like granting access to each individual attraction within the amusement park separately, based on some sort of policy.  Following this analogy, the most common method of Identity Management Authorization is like a full-day pass to Disneyland granting access to the front gate as well as every ride in the park.  Similarly, simple Identity Management authorization allows access to all functions within an application.

imageHowever, a trend is growing towards using standards-based, fine grained authorization methods to selectively grant access to individual functions within applications, depending on user roles or responsibilities.  For example, one user could be granted access to only simple data browsing privileges, while another user could be grated data creation or edit privileges, as determined by a policy stored in XACML format.   The definition and enforcement of this fine-grained authorization would be externalized from the application itself.

At the present time, fine grained authorization is desirable but difficult to implement.  It appears to be easier to define and control policies in an Identity system than changing each application to rely on an external system for authorization policy. 

Much is being discussed about policy management standards (e.g. XACML).  Several vendors are effectively demonstrating interoperability based on XACML, but such systems are not yet in broad production.


As progress is being made in both management of standards-based policies and the enforcement of such policies within applications, the following questions could be considered:

  1. Which of your applications could benefit most from fine-grained authorization?
  2. How would externalizing policy management and enforcement streamline your applications?
  3. How could standards such as XACML improve the management of security and access control policies in you organization?

Tuesday Sep 01, 2009

Cloud Computing: Identity and Access Management

csa While listening this morning to Glenn Brunette’s excellent webinar entitled, “Safety First: Protecting Your Services in the Cloud,” I was introduced to the Cloud Security Alliance, of which Glenn is a founding member.  I was intrigued by the document published by the Alliance in April 2009, entitled, “Security Guidance for Critical Areas of Focus in Cloud Computing.”  This initial report from the Alliance outlines “areas of concern and guidance for organizations adopting cloud computing. The intention is to provide security practitioners with a comprehensive roadmap for being proactive in developing positive and secure relationships with cloud providers.”  The report outlines 15 domains or areas of concerns that should be addressed by stakeholders in cloud computing initiatives.

I focused primarily on the section entitled “Domain 13: Identity and Access Management, “ authored by Subra Kumaraswamy, Senior Security Manager, Sun Microsystems and Jim Reavis, Co-founder & Acting Executive Director, Cloud Security Alliance.  The executive summary of the document provided five key recommendations regarding IAM in the cloud:

  • The key critical success factor to managing identities at cloud providers is to have a robust federated identity management architecture and strategy internal to the organization.
  • Insist upon standards enabling federation: primarily SAML, WS-Federation and Liberty ID-FF federation
  • Validate that cloud provider either support strong authentication natively or via delegation and support robust password policies that meet and exceed cloud customer internal policies.
  • Understand that the current state of granular application authorization on the part of cloud providers is non-existent or proprietary.
    Consider implementing Single Sign-on (SSO) for internal applications and leveraging this architecture for cloud applications.
  • Using cloud-based “Identity as a Service” providers may be a useful tool for outsourcing some identity management capabilities and facilitating federated identity management with cloud providers. For example, they may be useful for abstracting and managing complexities such as differing versions of SAML, etc. Be aware that they become a critical new cloud provider for your organization and must be vetted with this broad guidance document.

Some of the key points I gleaned from the IAM section include:

Supporting today’s aggressive adoption by the business of an admittedly immature cloud ecosystem requires an honest assessment of an organization’s readiness to conduct cloud-based Identity and Access Management (IAM), as well as understanding the capabilities of that organization’s cloud computing providers. …

Standards support for achieving IdM federation with your cloud providers is crucial. … It appears as though SAML is emerging as the leading standard that enables single sign-on (SSO). …

You should understand the cloud provider's support for user management processes including user provisioning, de-provisioning and overall lifecycle management of users and access in the cloud in an automated way. …

You also need to perform due diligence to assure that the cloud provider's password policies and strong authentication capabilities meet or exceed your own policies and requirements. …

As a long term strategy, customers should be advocating for greater support of XACML-compliant entitlement management on the part of cloud providers, even if XACML has not been implemented internally. …

A good strategy towards the maturation of your own IdM in order to make it “cloud friendly” is to start enabling SSO within your own enterprise applications, for your existing user base of employees, partners and contractors. …

One of the investments you may consider is an Identity as a Service solution to bridge between cloud providers or even outsource some Identity Mgt functions. …

I will join Sun colleagues on a conference call tomorrow to explore the topic: “What is the same and what is different about the task of integrating a new app when it is in the cloud vs. internal?”  I’ll report back on what we learn from each other.


Discovering Identity was founded on in May 2005 as a means of documenting my exploration of the field of Identity and Access Management. In February, 2010, I switched to hosting the blog at In March 2012, I began posting Oracle-related information in both places.

Thanks for stopping by.

Please connect with me in cyberspace at LinkedIn or Twitter.

The views expressed on this blog are my own and do not necessarily reflect the views of my employer, Oracle Corporation, or any other person or organization.


« June 2016