This document discusses architecting an identity fabric for cloud-scale computing. It argues that a new approach is needed for identity management in cloud environments due to issues around cross-cutting nature, organizational impacts, and lack of management skills. The key components of a cloud-scale identity fabric are discussed, including access control, authentication, user management, auditing, and meeting requirements of cloud platforms. Building identity as a distributed fabric can significantly reduce management costs and complexity compared to traditional centralized models. Identity must integrate and abstract to provide infrastructure as a service for applications and users in cloud environments.
1. EEDC 34330 Execution Environments for Distributed Computing
Architecting a Cloud-Scale Identity Fabric
Master in Computer Architecture, Networks and Systems - CANS
Homework number: 5
Group number: EEDC-4
Group members:
Josep Subirats
Arinto Murdopo
Juan Luis Pérez
3. Introduction
Identity management in the Cloud is difficult:
– Its cross-cutting nature.
– Its impact across architectural and organizational domains.
– Many companies are not equipped to manage identities.
New approach: the Identity Fabric
4. Scalability
Not only performance scalability, but also management scalability:
– The speed at which an organization can deploy, integrate and administer a system over time.
Infrastructure Identity management
7. Cloud-scale identity fabric
Access control and authorization.
Authentication, federation and SSO.
User account management and provisioning.
Auditing and compliance.
Cloud platform architectural requirements.
8. Access control and authorization
Users outside the private network
– Authorization: a distributed model is needed to support users outside the firewall.
Rising number of users
– ACLs are not practical anymore.
– Authorization can be scaled by using a distributed, federated model.
Authorization decisions must happen quickly and support high volumes of traffic.
9. Authentication, federation and SSO
The federation concept is based on a trust model between entities.
Modern federations base this trust model on an XML-based open standard: SAML.
– But SAML has only 10% adoption => excessive costs.
Solution: focus on the core HTTP authentication standard.
10. User account management and provisioning
Managing data about users is a challenge in the Cloud:
– App-specific user management.
– User management APIs are neither consistent nor standardized.
– The absence of universal user schemas for directories makes building general-purpose management tools difficult.
11. Auditing and compliance
Users of external apps cannot be monitored.
Laws are complex and often contradictory depending on the jurisdiction.
The industry needs a framework to meet global jurisdictional challenges.
12. Cloud platform architectural requirements
IaaS providers offer storage and databases as a service…
… but what about identity and access management?
Virtual platforms cannot handle the access management overhead.
Solution: a proxy-based approach that doesn't overload the Web/Application servers.
13. Identity must integrate, extend and abstract
10.000 users                      10.000 users
15 apps                           15 apps
------------------------------    ------------------------------
150.000 credentials               10.000 credentials
x $30 management cost
------------------------------
$4.5 million in management        93% Reduction

$50.000 cost per connection
x 15 apps
------------------------------    ------------------------------
$750.000 integration expense      $50.000 integration expense
14. Identity must integrate, extend and abstract
Identity network effect
– The benefit of a new identity deployment extends to other network members simply by being connected.
Abstraction
– App developers build identity into the app itself.
– Externalizing identity:
• Developers focus on improving their apps.
• Enterprises can manage identity across multiple apps more efficiently.
15. Identity infrastructure as a service
Identity management for the cloud must evolve to:
– Be standardized.
– Be accessible to multiple applications and users.
Companies need to think less about identity technology and focus instead on:
– Service-level agreements.
– Service management.
16. Identity infrastructure as a service
Image obtained from http://www.symplified.com/us/products/symplified/features.html
17. Conclusions
The new Cloud environment requires a new approach to identity management.
Identity fabric in a federation.
Identity infrastructure as a service.