The research report will serve as the baseline for the Trusted Cloud Initiative, a set of certification criteria that all cloud providers can use to assure secure and interoperable identity management in the cloud. The report is an in-depth look at identity and access management control issues in the cloud, delving into how organizations can best manage provisioning, authentication, authorization, federation and compliance in the cloud.
2. Foreword
At a time when companies are looking for ways to cut costs, cloud computing looks like an attractive alternative,
one which you would think most cash-strapped IT departments would take a long look at. But a recent survey of
mostly IT professionals conducted by Novell finds a strong mistrust for cloud computing in the workplace, while
at the same time, a surprisingly wide acceptance for personal use.
The survey was conducted using members of Novell's Cool Solutions Community from July to September, 2009.
453 people responded, of which 81 percent identified themselves as IT professionals. The respondents were
from a variety of geographic locations including the US, India, China, Australia, Canada, South Africa and
western Europe. The company sizes varied from 25 or less to more than 5000, with 44.6 percent working for
companies with more than 1000 employees.
When asked to list the top 5 things they feared or mistrusted about cloud computing in the workplace, security
came in on top, with 34.6 percent listing it as their top choice. This is not surprising as many other surveys have
indicated the same mistrust and confusion among end-users of the cloud. So, what is the truth – is the cloud more
secure than the enterprise, or is it totally insecure? The answer is probably somewhere in the middle.
This paper is an in-depth look at the identity and access management issues in the cloud. It goes into the
different aspects of managing identities such as provisioning, federation and compliance, as well as newly emerging
models of having identities in the cloud. It looks at these issues from the enterprise perspective and lists what
enterprises need to ask cloud providers before they move to the cloud.
This research will also serve as the foundation for the Trusted Cloud Initiative that was launched by CSA and
Novell in March 2010 to research and outline certification criteria that all cloud providers can adhere to. This
initiative takes a major step in providing transparency and a level of trust for end-customers who are concerned
about security in the cloud. For more information on this initiative, please log on to http://www.trusted-cloud.com
or http://www.cloudsecurityalliance.org/trustedcloud
This paper is part of domain 12 research on: Identity and Access Management by the Cloud Security Alliance
(CSA). The material in this document is a copyrighted work of the Cloud Security Alliance. The Cloud Security
Alliance is a non-profit organization formed to promote the use of best practices for providing security assurance
within cloud computing and provide education on the uses of cloud computing to help secure all other forms of
computing. For more information on the Cloud Security Alliance, visit www.cloudsecurityalliance.org.
3. Domain 12: Guidance for Identity & Access Management V2.1
Prepared by the Cloud Security Alliance
April 2010