Page 1: Architecting a Cloud-Scale Identity Fabric

Execution Environments for Distributed Computing (EEDC)

Architecting a Cloud-Scale Identity Fabric

Master in Computer Architecture, Networks and Systems - CANS

Homework number: 5

Group number: EEDC-4

Group members: Josep Subirats, Arinto Murdopo, Juan Luis Pérez

Page 2: Architecting a Cloud-Scale Identity Fabric

Introduction

Cloud is everywhere...

... but not yet for critical workloads.

The reason: concerns about security.

Page 3: Architecting a Cloud-Scale Identity Fabric

Introduction

Identity management in the Cloud is difficult because of:

– Its cross-cutting nature.

– Its impact across architectural and organizational domains.

– Many companies are not equipped to manage identities.

New approach: the Identity Fabric.

Page 4: Architecting a Cloud-Scale Identity Fabric

Scalability

Not only performance scalability (infrastructure), but also management scalability (identity management):

– The speed at which an organization can deploy, integrate and administer a system over time.

Page 5: Architecting a Cloud-Scale Identity Fabric

Identity management

Before: identities stored in directories and databases, one per application.

Page 6: Architecting a Cloud-Scale Identity Fabric

Identity management

Today: identity as a fabric.

[Figure: the identity fabric connecting Cloud Apps and Enterprise Apps]

Page 7: Architecting a Cloud-Scale Identity Fabric


Cloud-scale identity fabric

Access control and authorization.

Authentication, federation and SSO.

User account management and provisioning.

Auditing and compliance.

Cloud platform architectural requirements.

Page 8: Architecting a Cloud-Scale Identity Fabric

Access control and authorization

Users outside the private network:

– Authorization needs a distributed model to support users outside the firewall.

Rising number of users:

– Per-application ACLs are not practical anymore.

– Authorization can be scaled by using a distributed, federated model.

Authorization decisions must happen quickly and support high volumes of traffic.

Page 9: Architecting a Cloud-Scale Identity Fabric

Authentication, federation and SSO

Federation is based on a trust model between entities.

Modern federations base this trust model on an XML-based open standard, SAML.

– But SAML has only about 10% adoption => excessive integration costs.

Proposed solution: focus on the core HTTP authentication standard instead.
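The federation trust model and the local, claim-based authorization described on the two preceding slides, written out as an added example (not code from the slides or from any product they mention). It assumes an HMAC key shared between the identity provider and the service provider as a stand-in for the IdP's signing key, and a made-up issuer URL, audience and policy table; the token format is a minimal body.signature string, not SAML.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed trust model (constructed): the service provider (SP) trusts exactly
# these identity providers (IdPs) and holds one verification key per issuer.
# A shared HMAC key stands in for the IdP's asymmetric signing key.
TRUSTED_ISSUERS = {
    "https://idp.example.org": b"federation-key-for-idp-example-org",
}

# Assumed per-application policy: action -> roles allowed to perform it.
POLICY = {
    "read": {"employee", "auditor"},
    "write": {"employee"},
    "export": {"auditor"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(issuer, key, subject, audience, roles, ttl=300, now=None):
    """IdP side: sign a claims set saying who the user is, which SP may
    consume the assertion, which roles the user holds and until when."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "roles": sorted(roles), "iat": int(now), "exp": int(now) + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def verify_assertion(token, audience, now=None):
    """SP side: accept the assertion only if it comes from a trusted issuer,
    is intact, is addressed to this SP and has not expired. Returns the
    claims dict, or None on any failure (never a partial result)."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        sig_bytes = _unb64(sig)
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None                                   # malformed token
    if not isinstance(claims, dict):
        return None
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        return None                                   # issuer outside the federation
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return None                                   # forged or tampered
    if claims.get("aud") != audience:
        return None                                   # issued for another SP
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None                                   # expired
    return claims


def authorize(token, audience, action, now=None):
    """Local authorization: the decision uses only the roles carried in the
    verified assertion plus the SP's own policy, so no per-user ACL lookup
    against a central store is needed and the cost is constant in users."""
    claims = verify_assertion(token, audience, now)
    if claims is None:
        return False
    return bool(set(claims.get("roles", [])) & POLICY.get(action, set()))


if __name__ == "__main__":
    idp = "https://idp.example.org"
    tok = issue_assertion(idp, TRUSTED_ISSUERS[idp], "alice",
                          "https://crm.example.com", ["auditor"])
    print(authorize(tok, "https://crm.example.com", "export"))  # True
    print(authorize(tok, "https://crm.example.com", "write"))   # False
```

The four checks in verify_assertion are the trust model in code: an assertion from an issuer not in TRUSTED_ISSUERS is rejected before its signature is even examined, and an assertion meant for another service provider is rejected even though it is genuine, which is what stops one SP in the federation from replaying a user's assertion against another.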

Page 10: Architecting a Cloud-Scale Identity Fabric

User account management and provisioning

Managing data about users is a challenge in the Cloud:

– User management is app-specific.

– User management APIs are neither consistent nor standardized.

– The absence of universal user schemas for directories makes building general-purpose management tools difficult.

Page 11: Architecting a Cloud-Scale Identity Fabric

Auditing and compliance

Users of external apps cannot be monitored by the enterprise.

Laws are complex and often contradictory depending on the jurisdiction.

The industry needs a framework to meet global jurisdictional challenges.

Page 12: Architecting a Cloud-Scale Identity Fabric

Cloud platform architectural requirements

IaaS providers offer storage and databases as a service...

... but what about identity and access management?

Virtual platforms cannot handle the access management overhead on every Web/Application server.

Solution: a proxy-based approach that handles identity in front of the Web/Application servers and does not overload them.
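The proxy-based approach from the slide above, as an added example that is not code from the slides or from any product they mention: the proxy authenticates the request and the application server receives only an identity header, so it carries none of the login logic. The session store, the header names and the key shared between proxy and backends are assumptions. The security point a practitioner needs with this design is that the proxy must strip identity headers the client sent and the backend must be able to tell proxy-written headers from client-written ones; both are shown.

```python
import hashlib
import hmac

# Constructed session store, filled by the proxy's own login flow (assumed).
SESSIONS = {"sess-7f3a": {"user": "alice", "roles": ["employee"]}}

# Assumed key known only to the proxy and its application servers, so a backend
# can tell a proxy-written identity header from one a client typed in itself.
PROXY_BACKEND_KEY = b"proxy-backend-key-assumed"

IDENTITY_HEADERS = ("X-Authenticated-User", "X-Authenticated-Roles", "X-Proxy-Signature")


def _sign(user, roles):
    msg = (user + "|" + ",".join(roles)).encode()
    return hmac.new(PROXY_BACKEND_KEY, msg, hashlib.sha256).hexdigest()


def proxy_forward(request):
    """Proxy side. `request` is a dict with 'cookie' and 'headers' (assumed shape).
    Authenticates once, then returns (status, headers_for_backend); the
    application server never sees unauthenticated traffic or login logic."""
    # Strip any identity headers the client sent: without this, a client could
    # impersonate anyone simply by typing X-Authenticated-User itself.
    headers = {k: v for k, v in request["headers"].items() if k not in IDENTITY_HEADERS}
    session = SESSIONS.get(request.get("cookie"))
    if session is None:
        return 401, None
    headers["X-Authenticated-User"] = session["user"]
    headers["X-Authenticated-Roles"] = ",".join(session["roles"])
    headers["X-Proxy-Signature"] = _sign(session["user"], session["roles"])
    return 200, headers


def backend_handle(headers):
    """Application server side: no credential handling at all, only a check that
    the identity headers were produced by the proxy. Returns the user or None.
    Defense in depth: the backend should also be reachable only from the proxy."""
    user = headers.get("X-Authenticated-User")
    if user is None:
        return None
    roles = headers.get("X-Authenticated-Roles", "")
    expected = _sign(user, roles.split(",") if roles else [])
    supplied = headers.get("X-Proxy-Signature", "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return None        # header reached us without passing through the proxy
    return user
```

The signature on the identity header is a second line of defense; the first is network placement, with application servers accepting connections only from the proxy. If a backend is reachable directly and trusts X-Authenticated-User on its own, the proxy's authentication is bypassed entirely.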

Page 13: Architecting a Cloud-Scale Identity Fabric

Identity must integrate, extend and abstract

Without an identity fabric (10,000 users, 15 apps):

– 150,000 credentials x $30 management cost each = $4.5 million in management.

– $50,000 cost per connection x 15 apps = $750,000 integration expense.

With an identity fabric (10,000 users, 15 apps):

– 10,000 credentials (93% reduction).

– $50,000 integration expense (one $50,000 connection instead of 15).

Page 14: Architecting a Cloud-Scale Identity Fabric

Identity must integrate, extend and abstract

Identity network effect:

– The benefit of a new identity deployment extends to the other members of the network simply by being connected to it.

Abstraction:

– Traditionally, app developers built identity into the app itself.

– Externalizing identity instead means:

• Developers focus on improving their apps.

• Enterprises can manage identity across multiple apps more efficiently.
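Externalizing identity, as described under "Abstraction" above, and the app-specific APIs and schemas named on the "User account management and provisioning" slide, shown together in one added example (not code from the slides or from any product they mention). Both applications, their field names and the canonical user schema are constructed for illustration; the point is that each app's schema is confined to one adapter, and the fabric provisions and deprovisions through a single call.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    """Canonical, application-independent identity record (assumed schema)."""
    uid: str
    email: str
    display_name: str
    roles: frozenset = field(default_factory=frozenset)
    active: bool = True


class CrmApp:
    """Constructed stand-in for a SaaS app: flat records keyed by 'login',
    roles as a comma-separated 'groups' string, status as text."""
    def __init__(self):
        self.records = {}

    def upsert(self, rec):
        self.records[rec["login"]] = rec

    def get(self, login):
        return self.records.get(login)


class HrApp:
    """Constructed stand-in for an enterprise app: split name fields,
    roles as a list, a boolean 'enabled' flag, a different call style."""
    def __init__(self):
        self.table = {}

    def create_or_update(self, key, row):
        self.table[key] = row

    def lookup(self, key):
        return self.table.get(key)


class CrmConnector:
    """Adapter that hides CrmApp's schema and API behind the fabric's calls."""
    def __init__(self, app):
        self.app = app

    def provision(self, user):
        self.app.upsert({"login": user.uid, "mail": user.email,
                         "fullName": user.display_name,
                         "groups": ",".join(sorted(user.roles)),
                         "status": "active" if user.active else "disabled"})

    def deprovision(self, uid):
        rec = self.app.get(uid)
        if rec is not None:
            rec["status"] = "disabled"

    def is_active(self, uid):
        rec = self.app.get(uid)
        return rec is not None and rec["status"] == "active"


class HrConnector:
    """Adapter for HrApp: the same three operations, a different mapping."""
    def __init__(self, app):
        self.app = app

    def provision(self, user):
        first, _, last = user.display_name.partition(" ")
        self.app.create_or_update(user.uid, {"firstName": first, "lastName": last,
                                             "email": user.email,
                                             "roles": sorted(user.roles),
                                             "enabled": user.active})

    def deprovision(self, uid):
        row = self.app.lookup(uid)
        if row is not None:
            row["enabled"] = False

    def is_active(self, uid):
        row = self.app.lookup(uid)
        return row is not None and bool(row["enabled"])


class IdentityFabric:
    """The single management point: one call fans out to every connected app,
    so a leaver is disabled everywhere, not only in the apps someone remembers."""
    def __init__(self, connectors):
        self.connectors = list(connectors)

    def provision(self, user):
        for c in self.connectors:
            c.provision(user)

    def deprovision(self, uid):
        for c in self.connectors:
            c.deprovision(uid)

    def active_in(self, uid):
        return {type(c).__name__: c.is_active(uid) for c in self.connectors}
```

The credential count on the previous slide comes from exactly this shape: the user has one identity in the fabric, and connecting a sixteenth application means writing one more connector rather than creating another 10,000 accounts. The active_in check is the audit-side payoff: a single query answers "where does this leaver still have access?" across every connected app.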

Page 15: Architecting a Cloud-Scale Identity Fabric

Identity infrastructure as a service

Identity management for the cloud must evolve to be:

– Standardized.

– Accessible by multiple applications and users.

Companies then need to think less about identity technology and can focus instead on:

– Service-level agreements.

– Service management.

Page 16: Architecting a Cloud-Scale Identity Fabric


Identity infrastructure as a service

Image obtained from http://www.symplified.com/us/products/symplified/features.html

Page 17: Architecting a Cloud-Scale Identity Fabric

Conclusions

The new Cloud environment requires a new approach to identity management:

– An identity fabric in a federation.

– Identity infrastructure as a service.
