
How To Manage Identity In The Public Cloud

One of the toughest parts of using cloud services is learning how to provision (and deprovision) user access. Here are some tips to help get you started.
[The following is excerpted from "How To Manage Identity In The Public Cloud," a new report posted this week on Dark Reading's Cloud Security Tech Center].

The process of adding new users to your enterprise network -- and managing their access to authorized applications and services -- is a challenging task made even more so when applications and services are moved to the public cloud. For one thing, your company is likely partnering with several different cloud providers, each using different technologies and each with different trust relationships. For another, cloud deployments are dynamic, and information is being passed over what is essentially a hostile network -- the public Internet.

When you are thinking about which cloud identity architecture to use, there are a couple of key considerations.

Companies will first need to determine the level of identity validation required. There are two primary mechanisms by which identities are validated: organizational and personal. With organizational validation, the identity of a person is confirmed or asserted by the organization that created the identity. This is the basic process by which users are assigned IDs within an organization, and there is typically some level of trust associated with the validation. With personal validation, you trust a person’s assertion as to who they are, with, typically, no additional validation of the information the user provides.

There is a much lower level of trust associated with personal validation than there is with organizational validation. Companies should utilize organizational-based assertions for business-related purposes; for consumer-focused services, self-assertion may be an acceptable (and, in many cases, the only) option.

The complexity and maturity of your own environment and identity management systems will also affect your choice of cloud identity management model. If you have a decentralized identity management architecture, synchronization with cloud service providers is likely not practical. If you do not currently have a just-in-time (JIT) enterprise provisioning process, you will need to ensure that current approval workflows will not be broken or bypassed by cloud identity management systems that do leverage JIT technologies.
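The two points above (organizational versus personal validation, and JIT provisioning that must not bypass an existing approval workflow) can be expressed as a small policy gate. This is an added illustration, not code from the report; the issuer URL, application names and approval ledger are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (hypothetical): identity providers whose assertions
# count as organizational validation, and (user, app) pairs that already went
# through the enterprise approval workflow.
ORG_IDPS = {"https://idp.example-corp.internal"}
APPROVED = {("alice@example-corp.internal", "erp")}


@dataclass
class Assertion:
    subject: str
    issuer: Optional[str]  # None: the user self-asserted the identity
    app: str


def validation_level(a: Assertion) -> str:
    """Organizational if a trusted IdP vouches for the subject, else personal."""
    return "organizational" if a.issuer in ORG_IDPS else "personal"


def jit_decision(a: Assertion, business_app: bool) -> str:
    """Decide what a JIT provisioning hook should do with an incoming assertion.

    - Business-related apps require organizational validation (self-assertion
      carries too little trust).
    - Even with organizational validation, JIT must not create access that the
      existing approval workflow never granted: queue it instead of provisioning.
    - Consumer-focused apps may accept self-assertion and provision directly.
    """
    level = validation_level(a)
    if business_app and level != "organizational":
        return "deny"
    if business_app and (a.subject, a.app) not in APPROVED:
        return "queue"
    return "provision"
```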

To learn about the four basic models of cloud identity management -- and to get a list of key questions to ask your cloud services provider -- download the free report on identity management in the cloud.
