The Directory in the Cloud?
It seems that it is an eternity ago – and it is. Pretty much three years ago, Doug Cavit and me published a paper called the Cloud Computing Security Considerations. Even though it is three years, the paper is still worth reading as the content still applies. What we basically said was, that if you look at the Cloud, there are five areas of Considerations:
- Compliance and Risk Management: Organizations shifting part of their business to the cloud are still responsible for compliance, risk, and security management.
- Identity and Access Management: Identities may come from different providers, and providers must be able to federate from on-premise to the cloud, as well as to enable collaboration across organization and country borders.
- Service Integrity: Cloud-based services should be engineered and operated with security in mind, and the operational processes should be integrated into the organization's security management.
- Endpoint Integrity: As cloud-based services originate–and are then consumed–on-premise, the security, compliance, and integrity of the endpoint have to be part of any security consideration.
- Information Protection: Cloud services require reliable processes for protecting information before, during, and after the transaction.
In such a context, identity is one of the key challenges. Our statement was fairly clear (and still is) that if you move to the Cloud, you definitely should not use a provider, you cannot federate your identity to as you do not want to add an additional identity for your user and you will definitely want to control the process. Imagine the situation, where you have to lay-off an employee and this user still has access to you public cloud through any PC connected to the Internet.
This led us to an interesting paradox: We needed a directory in the Cloud to run Windows Azure and Office365 but most probably it will be the last server a customer switches off… Really? Well, think again. Maybe you want to consume something like "Identity as a Service"?
Our French team released a paper called: Active Directory from on-premises to the cloud. From the abstract:
Identity management, provisioning, role management, and authentication are key services both on-premises and through the (hybrid) cloud. With the Bring Your Own Apps (BYOA) for the cloud and Software as a Service (SaaS) applications, the desire to better collaborate a la Facebook with the "social" enterprise, the need to support and integrate with social networks, which lead to a Bring Your Own Identity (BYOI) trend, identity becomes a service where identity "bridges" in the cloud talk to on-premises directories or the directories themselves move and/or are located in the cloud.
Active Directory (AD) is a Microsoft brand for identity related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). Windows Azure AD is AD reimagined for the cloud, designed to solve for you the new identity and access challenges that come with the shift to a cloud-centric, multi-tenant world.
Windows Azure AD can be truly seen as an Identity Management as a Service (IDMaaS) cloud multi-tenant service. This goes far beyond taking AD and simply running it within a VM in Windows Azure.
This document is intended for IT professionals, system architects, and developers who are interested in understanding the various options for managing and using identities in their (hybrid) cloud environment based on the AD foundation and how to leverage the related capabilities. AD, AD in Windows Azure and Windows Azure AD are indeed useful for slightly different scenarios.