KupingerCole Webinar recording
KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
KupingerCole Webinar recording
KupingerCole Webinar recording
Well, good morning. Good afternoon. Good evening. Wherever you happen to be welcome to Kuppinger Cole's webinar on identity and excess management in the cloud. Is it real or is it a Mirage? I'm Dave Kern, senior Analyst with KuppingerCole, I'll be joined today by Beka Jane who's director of product management at Intel corporation. As we explore this subject little background first, for those of you not familiar with co coal, we are Europe's leading.
And one of the foremost analytical firms in the world for enterprise it research through advisory decision support, networking for it professionals. We do this through research services, advisory services and events like this webinar, and also like the upcoming European identity and cloud conference taking place in just a few weeks in Munich. This will be, I believe it's the seventh EIC my sixth, and it always promises to be an exciting time, a time of great learning, a time of great networking, a time of great fact finding it's coming up in a few weeks.
There are probably still a few places left. If you go to the website, www.idf.com, and you can learn more about it for today's webinar. You don't have to worry about muting and unmuting and so forth. That's all done centrally. The webinar will be recorded and a podcast will be available tomorrow. All registered attendees will get notification when the podcast is available. You'll see in your little control panel, section entitled questions. Normally we take questions after the presentations, but through the control panel there, you can enter your questions at any time.
And if any seem particularly relevant during the discussion. Well, we'll take them at that time. But as I say, generally, we'll wait until the end, but don't wait. Get your questions in. As soon as they're ready, a new factor with our temperature cold webinars is that they are now eligible for continuing education credits. You can get one group internet based CPE following this webinar. If you take and pass a test after the webinar, when your attendance has been confirmed, you'll get an email containing a link point to the test.
That's oh, maybe half dozen, multiple choice questions that you have to answer in order to get the credit. The objectives for this particular webinar are listed after you've completed this webinar, you should be able to explain why you should consider moving IAM to describe the benefit and identities in important capabilities and describe Intel's security solutions for, or the cloud, our agenda for today.
Part one, I'll be reviewing IAM in the cloud. Is it real or is it a Mirage? And we sort of tipped the answer there because part two is Vi's talking about Intel's new cloud SSO product. So it's probably real, but then we'll go on to questions and answers at the end. So we may as well get started. Cloud computing is no longer controversial. It's no longer up and coming. It's no longer groundbreaking cloud computing grew out of the software as a service architecture, which came out of the web services architecture of the nineties.
It started sneaking into our organizations a dozen years ago when sales departments discovered salesforce.com and set up their plan secure, what we're doing with cloud based computing, we find that we find that many of our clients are moving a lot of their productivity and line of business software to the cloud. And over the past few years, let's say two or three years.
We've seen a lot of discussion of moving identity and excess management services to the cloud because originally what IAM there was around cloud computing was simply a username password authentication mechanism at the cloud service. We're finding that people are now discussing this, that vendors are now bringing forward products, which manage I am in the cloud, much better than they have in the past. The trend is to switch to I am in the cloud is while not large at the moment is growing rapidly year over year. We believe it's inexorable.
And that in time IM will be mostly a cloud offered service rather than a data center offered service. Now in the cloud, there are three major architectural models that we talk about. One is to have your, I am in your data center, an on premises system, which manages the SAS apps and accounts, which are in the cloud. Usually through some sort of subscription pricing model.
This can lead to some improved integration with the internal identity repositories or directories, whether that's active directory or other app structures and traditional enterprise IAM applications, especially useful when syncing your provisioning and deprovisioning with eternal identities, or you can have the IAM in the cloud IM service in the cloud used to manage app accounts. So it's a pure cloud based offering the identity repository resides in the cloud. And finally, the third method is a hybrid of the two.
You can have IM operations in the cloud integrated with the internal on-premises identity, repositories and applications, and delivered via some sort of bridge mechanism coming up at EIC. By the way, there'll be a session cloud identity services, models, and challenges looking at these architectural models and that'll feature Martin cope from, and Intel's anti who will discuss and lay out these, these models in detail. So we're not gonna into too much today instead let's, let's consider some use cases for cloud strategy.
Okay, there's the cloud only strategy where you outsource all your SAS account management to the cloud service provider. Now, this is really only good for small organizations or lean organizations or fairly new organizations who can start off with totally cloud based strategies without having to worry about legacies. This can also be done by work groups or smaller departments within larger organizations where they're looking to increase agility or cut costs, especially in those places where the departments are built for their it services.
The second use case would be to migrate from I to an on demand strategy beginning with the on traditional approach, having all of your saw hardware, software licensing applications, and service, of course, in the data center, gradually migrating that user to the cloud, and then eventually winding down the on premise system as the migration is complete, that will probably the strategy for most organizations. And finally, there's a, another strategy, a split strategy to where you manage internal employee accounts using an on-premise solution.
You manage external user accounts, customers, contractors, temps, business partners, vendors, clients, whatever, using a cloud service that could certainly be effective for many people, especially those who have a lot of non-employee users. So one of the benefits of moving to the cloud, well, one of the best, at least as far as getting buy to your plan to do this specifically from the finance department, is that you can actually demonstrate lower cost by moving IAM to the cloud.
You can have better cash flow because there are no capital expenditures for hardware, software licensing, or maintenance. There's no amortization of previously purchased, but unused or underutilized equipment. And the subscription model for most IM in the cloud services provides easier, more efficient cashflow management. So what this does is it shows an improved return on equity on the balance sheet and a positive balance sheet effect. Now these are, you know, music to the years of the CFO. He will be on your side because you can demonstrate this to him.
Another significant benefit of moving to the cloud is rapid access to best of breed applications. One thing we find at KuppingerCole and I found even before joining them, when I talk to users and customers and it professionals is that while I would write about the latest and greatest technologies and the latest and greatest versions of the applications and software that people were using in practice, people were typically two versions behind because it takes time to acquire, set up, test pilot, Redo, and finally roll out those new versions.
When the software is in the cloud, the vendor takes care of all of the upgrades and bug fixes the maintenance and so forth. And it's done on a, a schedule that, that makes it much more rapid. You really, you don't have to go around visiting desktops, visiting data centers or anything else to make sure that it gets done. Cloud apps and cloud app vendors also tend to be a bit more agile with their rapid response to changing market needs again, because they have to change in fewer places.
And as far as integration with other things go, that's usually done through some sort of abstraction layer rather than embedded within the product. The third factor, which is may help sway some people is that when you're looking at cloud based applications, often vendors will give you a, a free trial period, allow you to sort of do a pilot run with the product to see how well it, it works for you to see if it serves the needs and purposes of your organization. Something which is not as easy to come by with an on-premise installation.
And even when it is, it can be quite costly in terms of either providing a sandbox environment or setting up new hardware and so forth to do that again, an advantage of being in the cloud, another one, enhanced collaboration with those non-employee users, your customers, your distributors, your suppliers, your partners, any of those people find it much easier to work with your offerings and you find it much easier to allow them access to just the things that they need to enhance their working relationship with you. It makes a big difference.
Now, another benefit for the finance people to look at, of course, is the most likely reduced cost for it. Management by moving IAM into the cloud. For example, all those people who normally have to take care of your directories and your provisioning and your workflows and so forth can be consolidated. A lot of that activity will not take place in the co cloud. It'll be done by the cloud service provider. It'll be done on a subscription basis. So if you have a service level contract with them, you know, it's up to them to provide the right level of service. It doesn't cost you more.
When that thing, when that happens. The other thing that goes hand in hand with that, of course, is scalability. You can change, increase, or contract your capacity as, as needed. You're only buying the capacity that you need, certainly for businesses, which can be somewhat seasonal. This is a tremendous, tremendous benefit because when you have to do it in the data center, you have to stock up and staff up to what would be peak levels.
And that stuff is just gonna be sitting there during non-peak times when you're working with cloud platforms, of course, you just expand to the level that you need at any given time, great savings and money. There. There's other things that can become very beneficial, like backup and recovery are automated. They're done by other people. You don't have to expend your time and effort on doing those sorts of things.
Capacity planning, because of that, elasticity is much easier to handle maintenance and upgrades of course, are being handled by the cloud service provider and the software vendors, the application vendors, one area, which doesn't often get looked at, but which should be, is business continuity. When all of your stuff is in your data center and your data center burns down. You're in trouble here to, for what people had to do was maintain a second data center with replication of everything. This was expensive.
Now, if you move the stuff to the cloud, you know, and your, your office blows up, all you need to do is find some empty space, get some computers and some connectivity. And you're back in business again in a day or two, make sure however that your cloud service provider has a business continuity plan so that if his premises blows up, you can still keep on going.
Finally, one thing at the bottom line, most organizations are just not in the IAM business. It's not a core value add business function. So outsourcing IAM frees up resources so that your it staff can have a more strategic focus on what it is that your business is doing something to strongly keep in mind. Those are the benefits. Okay. Are there challenges when you move? I am to the cloud?
Well, certainly there are concerns and some of those concerns have been voiced by clients to us, the things they worry about when they start thinking about moving IAM to the cloud. And the first thing that comes to mind is security. People worry about security all the time. They worry about security. When they think it's out of their hands, they think they no longer have control over the keys to the kingdom.
In fact, however, the cloud service provider, where security is part of its core business is much more focused on it than your enterprise is. Again, it's something you want to look at and question the vendors about, but they're probably doing a better job of it than you are. Customers worry about integration with their existing it infrastructure.
Now, as we said, for a number of companies or departments, you know, it's a cloud force cloud only strategy. They don't worry about this. Other people do, can they move IAM to the cloud and still manage their on premise absence services as well as they did before. If they can't, then they need to look somewhere else for an answer, but something to look at, okay. Loss of control over identities.
Well, no moving IAM to the cloud simply means moving applications and services to the cloud, not management, you still manage the users and the identities. It's just that the data resides in a different place and the applications and services and management modules that you're using reside in a different place. Not a problem vendor lock in on the other hand, vendor dependence is a concern, but not just for cloud-based solutions, vendor lockin can happen. No matter what you're doing.
The important thing is to look at what the vendor, what those publicly available standards, so that you can easily move to another vendor who also supports those same standards and protocols. And so we should look at the role of standards when we're talking about IAM and the cloud cloud identity standards are slightly different from the ones we use on premise, okay. SAML security, assertion, markup language it's widely used in the Federation space, but it can also be used for in the provisioning space and in the synchronization space. It's adaptable for that.
It's widely used by a lot of major cloud vendors, such as Salesforce and Google apps and others it's out there also, oof, oof is a token based authentication protocol, highly valued because it's, it's very fine grained in its controls, only passing the minimum amount of information that's needed in any particular situation. In fact, it's, it's more privacy protecting and more secure than whatever protocols you're probably using within the enterprise. And then there's open ID and open ID connect.
So called user centric protocols, open ID connect is fairly new, but is much more robust and has better security mechanisms than the original open ID did, which was fairly open. These are, this is the protocol that things like Google ID and, and Facebook connect are, are built upon or adapted from. So you can get an idea O of what they're like now in the provisioning space, SPM L service provisioning market language has been around for 10 or 12 years, and nobody's done very much with it. It's not used very much within the enterprise.
It's not gonna be used very much within the cloud or between the cloud and the enterprise, but a new protocol skim simple cloud identity management has just arisen. And in fact, just yesterday, there was a, a demonstration project done in, in Paris at the I ETF the internet engineering taskforce meetings to demonstrate interoperability among various cloud service providers and provisioning vendors using skim skim will now be turned over to I E F to be formalized into an I ETF protocol. And it's something that, that is going to be used much more in the future.
One concern people have about skim of course, is that it is originally designed to work with cloud apps and maybe not so much with premise apps that's being changed. Provisioning vendors are getting involved, creating extensions, and there's gonna be a lot of talk about skim at the EIC in April. A number of sessions on that. A number of the designers of skim will be there to go into it. I believe there's even a workshop on skim that's going to be done. So it's something that, that you can really get involved in.
Now, another standard that's not on the screen here is exact mold. The extensible access control markup language very, very widely used in, in business specific apps, very used in rules based engines, something that can handle fine grained authorizations, and it needs to be part of whatever scheme you're using for your IAM in the cloud. And something to, to talk to those vendors about single sign on very important. When you're, when you're moving to the cloud, you do not want users going to the cloud platform and entering usernames and passwords. Why?
Because that means they can get there outside of your controls and protections and do it. You don't want 'em to do that. You want to control their access to those cloud based services and applications.
Two, you can give it to explain it to your users as giving them greater convenience and broad activity. They don't have to remember a whole bunch of passwords. They don't have to keep calling the help desk. Let me forget their passwords. Another cost reduction for you using a good secure SSO implementation, eliminating a lot of security concerns users. Aren't using the same passwords for multiple apps. If you're enforcing strong password policies, they don't write them down and, and sticky them to their, their monitors for others to see if you don't want 'em to do that.
So you don't enforce strong passwords, then they have easily guessable passwords, you know, so you need to do it yourself. You wanna look for good support for things like SAML and oof.
In SSO, when you're looking at IAM in the cloud, you should also be looking at strong authentication. Can you do this strong authentication, like two-factor authentication. This is what you want for what you might wanna call the crown jewels, your, your data that should be kept private, your privileged information, business, proprietary information, any data that's regulated heavily. You want to have strong authentication for that. And there are three ways to do that. You can do it by a hardware token, like secure ID.
You can do it through biometrics fingerprints, facial recognition, voice, and so forth, or there's software tokens delivered from your mobile devices and with B Y O D bring your own device being so important these days. It's nice to know that most mobile devices do have the ability to handle software tokens. This also allows you to do self-service registration of these things for your users and, and makes it's job a lot easier. There are pluses and minuses to all of these.
We all know the problems that RSA had recently when there was a break in to their site and things were stolen, which could compromise secure IDs. And a lot has been written around about that. You should follow that and make up your own mind. Biometrics have been around for 15 years or so.
And yet I've never really caught on because hardware devices weren't available everywhere and users were somewhat leery of having things shining into their eyes or giving their fingerprints to anyone but newer biometrics, like keyboard biometrics, where the style of your, of your keyboarding and the rates and so forth are taken into account. I've shown great promise and, and being useful in the future software tokens, as I say, are gonna become bigger and bigger and bigger as mobile devices improve and increase. And we'll see about that.
When it comes up, we've talked about managing user provisioning and deprovisioning deprovisioning extremely important, so that how you can keep users away from that privileged data that you have out there. We talked about ways to do that, but it's it's if you're going to do I am in the cloud, you need to have strong user provisioning and deprovisioning. These are things, all these things that we've talked about, you need to be looking for when you're evaluating the, the cloud based identity service provider, the IAM, something to keep in mind.
But let's, let's go over that again, just so, so we're safe on all of this provisioning, as we just said, very, very important. You need to have the provisioning and deprovisioning. The provider needs to have strong authentication. So you can be more secure in the abilities of your users to stay within the, the guidelines that you wanna set for them. You need the single side on so that they can't go outside of your guidelines to get into the cloud. The provider needs to be a trusted provider, and that's, that's not something you can exercise there's yet.
We don't have good trust metrics, essentially. It's just, do you feel good with this particular provider? For example, after the RSA break in a lot of people lost trust with RSA, and it's gonna take them quite a while to get that back. Other companies like my colleague here in this, in this session today, Intel, we've always pretty well trusted. They've always been honest with us. They've always done what they said they would, and never tried something that, that they said they wouldn't. Do.
You wanna look at centralized management when you're dealing with a cloud IAM and, and here we want to talk about being able to manage both identities in the cloud and identities on premise. You don't wanna have separate management modules, if you can, at all help it. And finally, you wanna look at your vendor and say, okay, you can do IAM. You can connect me to some cloud apps, which ones. And there's two ways to look at this. You want to be able to connect you to a lot of different things, of course, but especially you want them to be able to connect you to the ones you are using.
That's the important ones for you now, are there people who can do this well, Intels one and is here with us today to do a presentation on a recently announced product from Intel, which is the cloud SSO product. And if we can get his slides up on the screen, I'll turn it over to him. So he can take over from here if welcome everyone. And for those joining late, let me reintroduce myself. I'm director of product management and Intel application security and identity product. I'm excited to introduce you with the new Intel cloud SSO service.
It's a cloud service that we had launched the beta program last month at RSA conference. The service is running on the Salesforce platform and is providing access to hundreds of different cloud applications. We are working to, we talk about being a trusted provider and in order to show all the different control metrics that we adhere to, we are working with the cloud security alliances started program to get ourselves listed shortly.
The service works with on premise solutions, such as our own cloud access 360, which was released last year to get access into the corporate directory that customers might have drives a quick on investment by providing service infrastructure. That's backed up, that's resilient for business continuity, and it provides any device access. So you can access the service from either laptops from mobile devices or from the iPad and other smart devices. There are three main features that the service provides account provisioning.
So you can provision user identities into the target systems, or deprovision them a single sign on with a built in Porwal for quick access for the end users to all these applications, as well as providing control to your administrator on what application is allowed to what user and finally a built in one time password functionality. So you don't have to go to another vendor to get one time password, which is provided with the service itself. It delivers the same level of control as you would expect from an on premise identity and access management application. Okay.
The Provisioning Of access can be done by identities that are reciting in the cloud identity repository, or from your portrait active directory. The profiles can be synchronized from your corporate active directory into this cloud service as well. From the context of your authentication perspective, you can selectively apply second factor of strong authentication based on one-time passwords for applications which are containing regulated data, which require some kind of strong protect protection.
These types of authentication methods are supported for the second factor, including soft token from mobile devices, hardware assisted soft tokens from Intel's IPD platform based S and SMS email. The secure single sign on works independently, where you can log in once and get access to all the applications, but also can work with your windows login, where you can just login into your laptop once get connected to your active directory. And after that seamlessly signing into the service, as well as all the applications that the service allows access to.
And finally, from the regulatory compliance perspective, there are out of box report that helps you get audit trail off, which user was provisioned accounts in what applications, as well as when a particular user accessed what application logged in, logged out event for recorded and available and reports. This Is a screenshot of the Porwal, where you can quickly get access to all the applications. An end user knows. These are the applications that they have access to and launch them with a single click off a button.
They can, some of these applications that are often used, or they can categorize based on how they want to use these applications. There are hundreds of Porwal box connectors to SaaS applications, but it also comes with connector that you can use to connect to other applications that are not provided yet out of the, from the administrative perspective, it's a simple pro three step process of configuring or connected to a particular application.
You would establish an activity as the first step, then assign users to the particular application and then decide how do you want to establish some access restrictions? So the first step of configuring connectivity with the app, you would enter information about the app itself. For example, in this case, you're entering Google apps, domain name, what is the single sound settings that you would be copy in from the Google apps over here, as well as exchange certificate, you would be downloading certificate from the Intel cloud SSL and uploading it into your Google apps to main account.
Finally, you would enable user provisioning or disabled. So on a per application basis, you can decide if you want users for this application to be automatically provisioned or not next, look at how the users are assigned. Assignment of users can be done either on an individual basis with each user name entered or on a user basis where the rules can be mapped to either particular user profile attribute or groups. And it can also be mapped to your on-premise active directory groups.
Finally, from the, how do you want to restrict access to a particular application can be done based on IP address ranges based on what mobile browsers they're coming in from. They can come in from you can selectively decide if you want to block access from a particular type of mobile device for this particular application or day in time restrictions.
And finally, for the strong authentication, you can decide if you want a one time password to be entered before they access this application, as well as do you want to leverage if this user is coming in from the Intel IPT based client devices, such as Ultrabook and new based devices, then do you want to leverage the builtin I P T technology? So let's look at couple of use cases. These are end to end use cases.
The first scenario is a hundred percent in the cloud, a pure cloud scenario, where you are using the identity repository in the cloud itself that is embedded or present within Intel cloud. So the administrator can log in and create, modify, and delete identities through the Intel cloud SSO itself. The end users will log in into Intel cloud SSO through any type of device, and then get seamless access into all the different applications they're allowed to access.
This scenario can work independently where you can install Intel cloud SSO in a standalone mode, or you can leverage, you can install Intel cloud SSO onto your existing Salesforce CRM system and leverage the existing CRM identity repository. So again, both mode are supported. You don't have to recreate an identity repository if you already have it. And you want to just leverage that.
The second scenario is where Tel cloud SSO is interacting with your on premise identity system, such as active directory, where users can join the ad domain and have a KBO ticket when they login into their machines. And after that using IWA and our on-prem software, which is Mac cloud identity manager connectivity into Intel cloud SSO is both from the point of view using Sam and provisioning of users from active into SSO using APIs.
So we talked about single sign on provisioning and strong authentication as the main features, but there is centralized management of how you want to decide access or identity and access management, centralized management for your cloud applications that it provides as well as monitoring and audit reporting. The pricing structure is very simple. It's an subscription based pricing, which ranges from dollar one to dollar five per user, per month, based on the user volume and multi-year discounts. And there is no per application pricing.
So you get access to unlimited number of SaaS applications for the same price. The 24 7 legendary Intel support is included as part of the base price. It don't have to pay extra. And there's a freedom licensing that is provided, which allows you to either use our on premise version or use the pure cloud version, which is the Intel cloud SSO or user hybrid model. So some customers can start with the on-premise deployment and slowly migrate to the cloud.
Some people can start directly from the cloud and some people can go with the hybrid model along the journey, or start with the hybrid model where they want to use the, the in the cloud version for customers and partners and the on premise version for their employees and contractors. You can find more information and download assets from Intel cloud. That's the website. And there is a cloud identity guide that you can download as well as what, some of the, to more information, the product that Q and a.
Okay, thank you very much for that presentation. Was, was that you and the videos Fe, are you a movie star?
Yeah, We've gotten well, I'll have to get your autograph later. Then we have a lot of questions that have come in, so we'll try and get to them and get to as many of them as we can. And the time we have allowed it first, a number of people have asked whether these slide decks will be available and they will be, they'll be available along with the podcast tomorrow. You will get an email to the email address you registered with telling you when they, they are available and where to go, what to click on to have access to them.
First question we have here is how is biometric authentication handled via a cloud component? In other words, well, because I'll let you, I'll let you go with that one.
What the, what does client SSO support in the way of biometrics? So we have actually done an integration with a company called bio ID, which a, which has a cloud-based facial recognition system, where you can use to face as a mechanism to authenticate or do a second level of authentication.
Now, biometric, if it's, you know, facial recognition is one type of biometric, there are fingerprinting, but just to give an idea that yes, solutions exist today in biometric, and we have integrated with one of them. Okay, next question. We have maintenance and upgrades are handled by the cloud service provider is something I said, it's not quite that simple. According to this listener, is it the cloud based IAM solution is often integrated with the customer's it systems, for example, provisioning user accounts to the customer's active directory.
How do you make sure that those integrations remain intact after each upgrade? Doesn't that require some participation from the customer? And it does. I may have glossed over that a little bit.
I mean, you're going to have to ensure that the upgrades work, but one of the benefits of having these things in the cloud and with the elasticity you have in the cloud is that the cloud provider can set up the new system, do a switch over for you when you are ready to test it. And if anything is wrong, quickly, switch it back. So that there's really no loss in productivity. It's not something that you can do that easily when everything's on premise because of the limitations you have in hardware and connectivity and other resources.
So yeah, it does require some participation from the customer, but it's minimal and it shouldn't impact anything that that's going on. Otherwise Now this questioner asked, it seems you focus on authentication. What about authorization? That's an important point. Vis does cloud SSO do anything with authorizations? Yeah. So cloud SSO pro has rules that can be enforced at authentication time.
So we call it authorization at authentication time, such as how do you use the context to ensure whether a user should be allowed to create a login session of the target application at all, or a second factor authentication. And you saw some of those input such as whether the user is coming in from a mobile device or coming in from a certain set of IP addresses. So that's authorization at the authentication time. Now authorization on the per transaction level is something that the cloud providers will be doing themselves today.
And that's where it's very important to provision the user profile into the target applications because only the target application would know whether a particular page should be shown to a certain user or not. So that's something the cloud service provider does, right? And it's also gonna going to require some user interaction because, you know, it's only the, the, the user or the user's security people who can determine what the correct authorizations are, but then in this, up to the cloud service provider to implement them and, and keep them going.
And as you say, the vendor of your IAM solution should enable You to do these things. And, and they do through the, through the various public protocols that we talked about, we may have talked about them in terms of authentication, but there are also involving authorization. And as Veka mentioned, context based access control is really something that you want to implement in these situations because the access should really depend on who the user is, what platform they're coming in from what it is they want to do, and a number of other factors. And that will change from, from time to time.
But it's all possible with these cloud IAM apps. Okay. Question asked, excuse me, within Europe, is there an issue with storing identity information in a cloud that may cross national borders, or even be outside Europe? Can this breach data protection regulations it's possible? This is something that the customer will have to look out and look at and, and consult with their cloud service provider to talk about where, and when things are stored. It's not something really that the, the IAM vendor would have much say in, I wouldn't think Fe you want to add anything to that? Yeah.
So one strategy that such customers can take is using the more hybrid model where they leverage their identities and to directory yet not have to deploy the policies that could still be in the cloud and until cloud SSO. Okay. Let's see. Question is, can you also use cloud-based IAM solutions to provision deprovision access to active directory based on a feed from an HR system? Are there any additional issues to consider when attempting to integrate HR and ticketing systems with the cloud-based IAM solution?
Well, I think you showed that cloud-based IAM can interact with your on-premises active directory very easily, but are there any additional issues or considerations the users should keep in mind? Yeah, so some of the things that we are looking for implementing in the short future is interaction with ITSM based systems or HR systems, where we can take a feed from HR systems, such as Workday or feed from on-premise HR systems, such as PeopleSoft, and then use that to provision identities both into, to directory, as well as into our cloud.
Now we have our on-premise MacAfee cloud identity manager that can integrate with on-premise HR systems to provision users, interactive directory. So there is one solution available today, but we are looking into expanding over in the cloud functionality to also feed from in the cloud HR applications pushed her, wants to know if you integrated fine grained, token based identity access mechanisms using, for example, Zal into the product yet. So the context based authentication that we have internally uses Zal as a protocol to define the policies and execute them.
We do not expose the complexity of Zal to the outside world, through the admin, because, you know, it's, it's hard to, to, to show that. And so we, we hide that complexity, but underneath the implementation of context based access is based on Zol. It's an interesting question. Someone asked if any vendor provides authorization as a service. I don't think there's anyone who provides it as a standalone service.
No, the way say there are some authentication as a service providers out there such as well. Facebook connect is authentication as a service authorization is, is gotta be more tightly integrated with some other things before it could, it, it can be offered like that. You really need to tie it to the authentication, to the context and so forth. So it needs to be part and parcel of a, of a large IAM implementation, I think.
And Dave, just to add to, because this question came couple of times today, one of the things about authorization is a lot of existing on-premise vendors require agents to be installed in the target applications for fine grain authorization, and with SaaS applications today, SaaS applications do not provide any way to put your agents into their systems. And that that particular observation is important is into why externalizing your authorization for the cloud providers is a little difficult task till they open up their systems. Okay.
We had a couple questions here, two or three of them, at least on Homegrown applications and services, whether they're homegrown SAS solutions or homegrown solutions in the data center, can they be integrated into Intel's IAM and the cloud solution? Yeah, absolutely. So if you have your homegrown custom applications deployed on public cloud, such as Amazon or Rackspace, then you can use our agents to it, into those applications. We have agents for java.net and PHP that you can inject into those applications.
And suddenly they will be able to get single sign on F access into those applications. The same is true for on premise applications. If you have SharePoint, if you have your custom Java applications that you deployed on Java application server, you can deploy agent and then do applications can be part of our application.
Okay, let's see if we can get through some more of these fairly quickly, cuz we're about to run out of time. So I'll take a stab at these and, and we just jump in.
If, if there's something you wanna say about it, someone asked, does it mean entry to the cloud first? And then you see the apps with another login or entry?
No, as we said, you should be looking for SSO simplified sign on or what some people call single sign on so that the user only has to authenticate once. And then they're authorized to get to all of the apps that, well, then they can get to all of the apps that they're authorized for so that they don't have to do a second set of a second authentication ceremony.
Someone asked if cloud vendors have minimum or maximum number of users, Certainly not a maximum number of users because that's one of the benefits, the elasticity, so that it can grow to what you need, depending on the service you're talking about. There may be not necessarily a minimum number of users imposed by the vendor, but from the businesses point of view, a practical minimum. In other words, you know, you may not, some of these things may not be useful for one to five users because it's gonna be quite expensive and it might be less expensive to do something on premise.
So there's, there's really no limitations that way by the, the cloud vendors. As far as I know, Avius do you know anything different on that?
Yeah, there's really no limitations around how many users that can be using the system. And while we were talking about elasticity, one important point to keep in mind is that the 9:00 AM authentication syndrome where when all the users, you know, try to login it once in the morning to start their work. Cause the cloud is elastic. You don't have to, you know, the, the capacity that you have to use, you have to build for your on-prem applications to take care of those scenarios. You don't have to worry about that for, from the cloud applications. Okay.
Just a couple of quick ones here in terms of active directory, does it mean pass through authentication? I'm not sure what the questioner means here, but generally speaking, yes, you can set up your authentication. So it's done on premises through active directory mechanisms, which automatically through the use of tokens connection to the cloud-based apps or vice versa. And another one asked about role-based authentication apps that have their own role-based authentication can be connected with cloud based or a cloud provider role based authentication.
The answer again is yes, because there should be a connected there in place to put them together. The final question we'll look at here and I better take this one, cuz I know what will say. And what do you think about open source IAM or SSO offerings? They can be quite good. And if they meet your needs, they certainly were. The look at one problem with open source is that generally speaking, open source program services and applications are created to scratch an edge that the creator has. If you don't have the same itch, it may not work quite as well for you.
If one of the contributors doesn't have the same itch as you, then it may not work quite as well for you generally speaking, an open source, you can't go to the quote vendor and ask them to extend it for you. You're expected to do that yourself. So if it's a good fit, take a look at it. If it's not a good fit, don't expect that it will become a good fit later on. And with that, I think we're just about wrapped up for today.
I wanna thank vis Jane from Intel, from being here and going through the new cloud SSO product from, from Intel, showing us that moving I am to the cloud is not as difficult as a lot of people believe. Okay. Hopefully I'm going to get to see a lot of you in Munich in a few weeks at the European identity and cloud conference. And if not, I believe we'll be back here for another webinar the first week in may. There'll be more details about that coming out soon. So until then, goodbye. Good night. Good afternoon. Good luck. Thank you very much.