With some CIOs now publicly proclaiming the cost advantages of cloud computing, it is a good time for those considering cloud adoption to clarify the benefits they can realistically achieve over the medium and long term. Ensuring that the use of cloud computing does not reduce quality of service or increase operational overheads is critical, but this requires significant integration to tie cloud-based resources together with the other resources that underpin the business service. Identity and access management (IAM) is one of the key aspects of such integration, and organisations may have to extend their IAM use to incorporate capabilities such as policy-based management of access rights, or federated identity, to ensure that the promised cloud efficiencies are actually delivered.
Integration at user level between in-house and cloud-based resources is required
Almost all organisations adopting cloud computing will use it alongside their non-cloud environments. The complexity or heterogeneity of the physical infrastructure underpinning a cloud environment can be completely abstracted away from the end-user organisation's perspective. With the adoption of infrastructure-as-a-service (IaaS) or platform-as-a-service (PaaS), an API or GUI from the cloud provider affords access to the services without users needing to know how they are implemented.
However, end-user organisations will need to consider how to manage users' access to cloud-based resources, because this calls for much finer-grained control than infrastructure management does. As an example, infrastructure managers need to know whether a single cloud-based infrastructure element is available, reliable, performs adequately and has spare capacity. The IAM needs relating to the same element, however, can vary considerably according to how the element is used. If it were a server, IAM requirements would vary with the applications run within its environment, each of which needs to be mapped to different user access requirements. Configuration strategies such as partitioning can then be used to implement different access requirements for the different areas running applications within the same cloud element.
Policy-based management can help to cater for the dynamic nature of cloud computing environments
Introducing cloud-based infrastructure might be the trigger that justifies the investment needed to introduce policy-based management of access rights, since such management reduces the complexity and improves the efficiency of the IAM task. One of the key adoption drivers of cloud computing is the flexibility to scale infrastructure usage up or down, and automated policy-based management allows this to be accommodated and implemented dynamically as each new infrastructure element, and even each new type of infrastructure element, is activated.
Another important reason to implement policy-based management over cloud-based infrastructure is that newly activated cloud-based infrastructure elements must be integrated in a way that ensures a seamless end-user experience. The introduction of cloud-based elements cannot be allowed to impair the user experience in any way: imagine the reaction if a business user or external customer were shown login prompts whenever a transaction touched a cloud-based resource. IAM functionality already supports organisations' use of varied infrastructure, such as heterogeneous endpoint types, servers and networks, and integrates these in order to implement the appropriate access rights. Cloud-based resources should similarly be assimilated as an extension of the corporate infrastructure.
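The following is an added example, not code from the article or from Ovum, illustrating the two points above: access rights derived from a policy evaluated against the attributes of a cloud element (the application and environment it hosts) rather than from per-element permission lists, so that a newly activated element is covered as soon as it is classified. The element tags, user roles, policy names and the `activate`/`decide` helpers are all assumptions for illustration, not any provider's API.

```python
"""Attribute-based access policy for dynamically activated cloud elements.

Added example (not from the article). Assumptions: each cloud element carries
'app' and 'env' tags; each user carries a set of roles; policies match on those
attributes and grant a set of actions. Everything not granted is denied.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Policy:
    name: str
    roles: FrozenSet[str]      # any one of these roles qualifies
    app: Optional[str]         # None matches any application
    env: Optional[str]         # None matches any environment
    actions: FrozenSet[str]


# Constructed policy set: finance staff may read production billing; billing
# operators may administer billing anywhere; developers may use dev elements.
POLICIES: List[Policy] = [
    Policy("billing-readers", frozenset({"finance"}), "billing", "prod", frozenset({"read"})),
    Policy("billing-admins", frozenset({"billing-ops"}), "billing", None,
           frozenset({"read", "write", "deploy"})),
    Policy("dev-sandbox", frozenset({"developer"}), None, "dev", frozenset({"read", "write"})),
]


def activate(inventory: Dict[str, dict], element_id: str, provider: str, tags: Dict[str, str]) -> dict:
    """Simulate a new cloud element joining the inventory.

    No per-element ACL is written here: access follows from the policies once
    the element is tagged, which is what makes scale-up/scale-down cheap for IAM.
    """
    inventory[element_id] = {"provider": provider, "tags": dict(tags)}
    return inventory[element_id]


def decide(user: dict, element: dict, action: str, policies: List[Policy] = POLICIES) -> bool:
    """Default-deny decision: True only if some policy grants `action` on `element`."""
    tags = element.get("tags", {})
    if "app" not in tags or "env" not in tags:
        # An untagged (unclassified) element is reachable by nobody until it is
        # classified; this is the safe failure mode for a newly spun-up server.
        return False
    user_roles = set(user.get("roles", []))
    for p in policies:
        if not (p.roles & user_roles):
            continue
        if p.app is not None and p.app != tags["app"]:
            continue
        if p.env is not None and p.env != tags["env"]:
            continue
        if action in p.actions:
            return True
    return False


def entitlements(user: dict, inventory: Dict[str, dict], action: str) -> List[str]:
    """Element IDs on which `user` may perform `action`; useful for audit reports."""
    return sorted(eid for eid, el in inventory.items() if decide(user, el, action))


if __name__ == "__main__":
    inv: Dict[str, dict] = {}
    activate(inv, "vm-101", "cloud-a", {"app": "billing", "env": "prod"})
    activate(inv, "vm-102", "cloud-a", {"app": "crm", "env": "dev"})
    activate(inv, "vm-103", "cloud-b", {})  # activated but not yet classified
    finance = {"name": "fran", "roles": ["finance"]}
    dev = {"name": "dan", "roles": ["developer"]}
    print("finance can read:", entitlements(finance, inv, "read"))
    print("developer can write:", entitlements(dev, inv, "write"))
```

Scaling the estate up means calling `activate` with the right tags; scaling it down means deleting the entry. Neither touches the policy set, and an element that arrives without classification is denied to everyone rather than inheriting some default.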
The efficiency gains of a federated identity approach will build momentum with increasing cloud adoption
Identity federation is finding a new domain of applicability in controlling access to corporate cloud-based services. An organisation can enforce its identity management policy by requiring users to log in to a corporate system, and then using identity federation mechanisms to assert the user's identity and their authorisation to access the cloud service. This gives the user the continued convenience of single sign-on, and gives the organisation its audit controls, since the cloud service never sees a corporate credential. Federated identity can be based on relationships that are either internal or external to the organisation, and provides the foundation for access being granted across network boundaries.
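The exchange described above, as an added example that is not part of the article: a corporate identity provider (IdP) authenticates the user against its own store and issues a signed assertion naming the user, the intended cloud service (audience) and the user's groups; the cloud service provider (SP) accepts the assertion only if the signature, issuer, audience and expiry all check out, and then maps the asserted groups to its own authorisation. Real federation protocols (SAML, OpenID Connect) use XML or JWT assertions with public-key signatures; this example substitutes an HMAC over a base64-encoded JSON body with a key assumed to have been exchanged out of band, so that it runs offline. The issuer URL, audience URL, user store and group names are constructed.

```python
"""Minimal federated login: corporate IdP issues a signed assertion,
cloud SP verifies it and authorises on asserted groups.

Added example (not from the article). Assumptions: HMAC-SHA256 with a key
exchanged out of band stands in for the asymmetric signatures SAML/OIDC use;
the user store, issuer and audience URLs are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SHARED_KEY = b"example-federation-key-exchanged-out-of-band"  # assumption
IDP_ISSUER = "https://idp.corp.example"                       # constructed
SP_AUDIENCE = "https://crm.cloud.example"                     # constructed

# Constructed corporate user store; the cloud SP never sees these passwords.
USERS = {"alice": {"password": "correct horse", "groups": ["sales", "crm-users"]}}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_login(username: str, password: str, audience: str,
              now: Optional[float] = None, ttl: int = 300) -> Optional[str]:
    """Corporate IdP: authenticate locally, then issue a signed assertion.

    Returns None on bad credentials. The audience binds the assertion to one
    service so it cannot be replayed against another.
    """
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None
    now = time.time() if now is None else now
    claims = {"iss": IDP_ISSUER, "sub": username, "aud": audience,
              "iat": int(now), "exp": int(now + ttl), "groups": user["groups"]}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def sp_verify(assertion: str, now: Optional[float] = None) -> dict:
    """Cloud SP: validate signature, issuer, audience and expiry.

    Returns the claims or raises ValueError. Signature is checked before the
    body is parsed, so untrusted JSON is never interpreted.
    """
    parts = assertion.split(".")
    if len(parts) != 2:
        raise ValueError("malformed assertion")
    body, sig = parts
    expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    now = time.time() if now is None else now
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != SP_AUDIENCE:
        raise ValueError("assertion not intended for this service")
    if now >= claims.get("exp", 0):
        raise ValueError("assertion expired")
    return claims


def sp_authorise(claims: dict, required_group: str = "crm-users") -> bool:
    """Cloud SP maps an asserted corporate group to its own access decision."""
    return required_group in claims.get("groups", [])


if __name__ == "__main__":
    token = idp_login("alice", "correct horse", SP_AUDIENCE)
    claims = sp_verify(token)
    print(claims["sub"], "authorised:", sp_authorise(claims))
```

The user types a password once, at the corporate IdP; the cloud service only ever handles the assertion, which is what makes the sign-on single and keeps the audit trail inside the organisation. Tampering with the body (for example, adding a group) invalidates the signature, and an assertion issued for one service is rejected by another because of the audience check.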
Alan Rodger is Senior Analyst at OVUM Butler Group.