This document discusses architecting an identity fabric for cloud-scale computing. It argues that a new approach is needed for identity management in cloud environments due to issues around cross-cutting nature, organizational impacts, and lack of management skills. The key components of a cloud-scale identity fabric are discussed, including access control, authentication, user management, auditing, and meeting requirements of cloud platforms. Building identity as a distributed fabric can significantly reduce management costs and complexity compared to traditional centralized models. Identity must integrate and abstract to provide infrastructure as a service for applications and users in cloud environments.

1. EEDC
34330
Execution
Architecting a Cloud-
Environments for
Scale Identity Fabric
Distributed
Computing
Master in Computer Architecture,
Networks and Systems - CANS
Homework number: 5
Group number: EEDC-4
Group members:
Josep Subirats
Arinto Murdopo
Juan Luis Pérez

2. Introduction
 Cloud => EVERYWERE
But not for critical workloads
Concerning about security
2

3. Introduction
 Identity management in the Cloud is difficult:
– Its cross-cutting nature.
– Its impact across architectural and organizational domains.
– Many companies not equipped to manage identities.
 New approach:
Identity Fabric
3

4. Scalability
 Not only performance scalability
 Management scalability
– Speed at which an organization can deploy, integrate and
administer a system over the time.
Infrastructure Identity management
4

5. Identity management
 Before: Identities stored in directories and database
5

6. Identity management
 Today: Identity as a Fabric
Enterprise Apps Cloud Apps
6

7. Cloud-scale identity fabric
 Access control and authorization.
 Authentication, federation and SSO.
 User account management and provisioning.
 Auditing and compliance.
 Cloud platform architectural requirements.
7

8. Access control and authorization
 Users outside the private network
– Authorization: Distributed model to support users outside the
firewall.
 Raising number of users
– ACL not practical anymore
– Authorization: can be scaled by using a distributed, federated
model
 Authorization decisions must happen quickly and
support high volumes of traffic
8

9. Authentication, federation and SSO
 Federation concept based on a trust model between
entities.
 Modern federations base this trust model in a XML-
based open standard – SAML
– But SAML only 10% adoption => excessive costs
 Solution: focus on the core HTTP authentication
standard.
9

10. User account management and provisioning
 Managing data about users is a challenge in Cloud.
– App-specific user management
– User management APIs are neither consistent nor standardized.
– Absence of universal user schemas for directories makes
building general-purpose management tools difficult
10

11. Auditing and compliance
 Users using external apps can not be monitored.
 Laws are complex and often contradictory depending
on the jurisdiction.
The industry needs a framework to met global
jurisdictional challenges
11

12. Cloud platform architectural requirements
 IaaS providers offer storage, databases as a service
… but what about identity and access management?
 Virtual platforms can not handle access management
overhead.
 Solution: Proxy based approach that doesn’t
overload the Web/Application servers.
12

13. Identity must integrate, extend and abstract
10.000 users 10.000 users
15 apps 15 apps
------------------------------ ------------------------------
150.000 credentials 10.000 credentials
x $30 management cost
------------------------------
$4.5 million in management 93% Reduction
$50.000 cost per connection
X 15 apps
------------------------------ --------------------------------
$750.000 integration expense $50.000 integration expense
13

14. Identity must integrate, extend and abstract
 Identity network effect
– A benefit of a new identity deployment extend to other networks
members by being connected.
 Abstraction
– App developers built identity into the app itself
– Externalizing identity:
• Developers focus on improving their apps
• Enterprises can manage identity across multiple apps more
efficiently
14

15. Identity infrastructure as a service
 Identity management for the cloud must evolve to:
– Being standardized.
– Accessible by multiple applications and users.
 Companies need to think less about identity
technology and focus instead on
– Service-level agreements
– Service management
15

16. Identity infrastructure as a service
Image obtained from http://www.symplified.com/us/products/symplified/features.html
16

17. Conclusions
 New Cloud environment requires new approach to
identity management.
 Identity fabric in a federation.
 Identity infrastructure as a service.
17

18. EEDC
34330
Execution
Architecting a Cloud-
Environments for
Scale Identity Fabric
Distributed
Computing
Master in Computer Architecture,
Networks and Systems - CANS
Homework number: 5
Group number: EEDC-4
Group members:
Josep Subirats
Arinto Murdopo
Juan Luis Pérez