Access control, authentication, and data protection are often cited as hurdles for enterprises looking to cloud services to reduce operational and capital expenses and increase business agility. Organizations are concerned about issues such as loss of control and enforcing corporate risk and compliance policies as they migrate portions of their IT infrastructure to the public cloud and their users consume SaaS-based cloud applications.
Cloud providers, in turn, are increasingly expected to prove adherence to control standards as a condition of doing business.
"As more and more enterprises start to consume more and more services from the cloud, one of the challenges is creating trusted relationships between providers and enterprises," says Brian FitzGerald, vice president of marketing for RSA. "There's a lot of cost and complexity that can slow down the ability to provision each new provider."
The Identity Service provides federated identity and single sign-on (SSO) to major cloud providers through synchronization with corporate directories and federation standards, such as SAML. Enterprise users log on once to access both internal resources and cloud services based on their access and authorization levels defined in Active Directory or other user stores. Identity Service acts as the trusted broker between the enterprise and supported cloud providers, such as Salesforce.com, SuccessFactors, Google Apps, WebEx, and Box.net.
Multifactor authentication is also an option with RSA's SecurID.
Identity Service is based on technology from TriCipher, which was acquired last year by VMware. TriCipher's TACS appliance and myOneLogin SaaS service provide federation, SSO, and strong authentication for thousands of cloud and internal applications.
"I think it's a good approach," says IDC analyst Sally Hudson. "What's most appealing is the central view and central point of management and automation, combined with a secure identity-driven trust platform."
The Compliance Profiling Services use the RSA Archer eGRC platform and are based on the Cloud Security Alliance's Consensus Assessments Initiative Questionnaire (CAIQ). The questionnaires are a tool for enterprises and/or auditors to evaluate a cloud provider's security program based on best practices and control specifications, as well as for vendor self-assessment. RSA will use the CAIQ format to assess cloud providers and make the resulting "trust profiles" available to service subscribers. The central repository will enable enterprises to evaluate and compare prospective providers.
"Our surveys show 85 percent of all identity and access management purchases in 2010 were driven by the need for compliance," IDC's Hudson says. "Compliance regulations are getting more intricate, and anything enterprises can do to speed the process is good."
Both RSA services will launch in beta programs in the second half of this year. They are expected to be followed by other services, such as data protection in the cloud and compliance verification leveraging RSA Solution for Cloud Security and Compliance, which uses a dashboard based on RSA Archer to assess security and compliance posture across their VMware virtual infrastructure.