Everybody’s up in the air about clouds, but few seem to really know where they’re heading. Most existing applications aren’t ready for the cloud quite yet, especially since the realization seems to be sinking in that building security into the cloud is no trivial pursuit.

Cloud computing is about to change the way software is written. Until now, applications were programmed with scant regard to where they would actually be deployed later. After all, isn’t that what operating systems are for?

But now, in today’s world of cloud excitement (or should we say cloud hysteria?) every stakeholder is clamoring for fresh ideas in order to be able to process their data safely in a misty, shifting world of cloudiness. What’s more, they want to know how they can actually prove their data is safe, which is an entirely different kettle of fish.

In fact, enabling applications to interact, meaning to exchange data in a timely and secure fashion, may well prove to be the key element that decides the success or failure of a cloud deployment. If it fails, the whole concept may simply go up in smoke. What’s left may just be some kind of “private cloud” running on a hosted OS. Whether that pudding would be worth the eating is at least doubtful.

Software development, in this context, should focus on the policies laid down by the data owners. It should also ensure that compliance with these policies is well-documented and instantly provable, regardless of whether the underlying virtualization layer has moved from one provider to another. Developers need to realize that user management will be central to their ability to deliver applications that are designed for the special environment we now call “The Cloud”. Simply providing an LDAP hookup and pinning one’s hopes on the database and its authentication system aren’t enough.

Instead, we need modern, open and powerful identity management that can interface directly with the new software. After all, an application simply provides a service. It doesn’t have to manage its own users. 

On the other hand, identity providers need to administer protection policies – the security specifications laid down by the software owner – in a responsible way, for instance through access-control policies set by the data owner, preferably expressed in XACML (eXtensible Access Control Markup Language), whose attribute-based rules can be evaluated outside the application. This means, however, that they have to know beforehand exactly what the software will be doing once it’s installed: which resources it exposes and which actions it performs on them, since those are the attributes the policy is written against.

The key to true “cloud readiness” lies then in separating the application from the user information. This will require some major rethinking of traditional software development practices. Unfortunately, too many “owners” still think the application is theirs alone, so they can use it as a kind of CRM anytime they like. In fact the true solution is obvious: The CRM system can be the identity provider, and it can be run completely apart from the application itself. 

In the world of cloud computing, there probably will never be a single identity provider. So who stands between IT and the cloud? The software developers who still try to do their own user management, that’s who! We should tell them to get out of the way – or step aside while the rest of us get on with the business of cloud.