Webinar Recording

Intelligent Identity Management in the Cloud - A Use Case


KuppingerCole Webinar recording

Good morning, good afternoon, or good evening, depending upon what time zone you are in. My name is Graham Williamson, and along with Shane Day from UNIFY Solutions, we're going to present this webinar on cloud identity management. For those of you in other time zones, apologies for having to stay up late or get up early; the recording will be made available to the registrants who are unable to attend. The intention of the presentation today is to identify some issues with identity and access management and talk about a potential solution. KuppingerCole has a long history of involvement in the identity and access management space. We run webinars on a regular basis, and we have a repository of information available addressing the issue of identity and access management. Just a couple of points on the rules for the webinar today: because we can't accommodate audio from all of our attendees, you will be muted, but we do appreciate your comments and questions, and we will address questions at the end of the webinar. So if you would go into the question box in the webinar control panel, at the bottom of the control panel, and type in your question, we'll get to those at the end of the presentation. And as I mentioned, the webinar will be recorded for those who weren't able to attend in real time.
Just a word about KuppingerCole, for those of you who are not familiar with us. There are basically three strings to the bow. Research services provide access to documentation on just about any aspect of identity and access management, going back many years; that research repository is available via the website, and if you click Register up in the top right-hand corner, you will get access to the research repository for a period of 30 days. Then, if you wish to subscribe, you'll get continuous notification as new documents are put into the repository. We have a number of advisors around the globe who can advise on virtually every aspect of identity and access management and cloud migration. If you would like a telephone conference with one of those analysts, we can arrange that; if you would like an analyst to attend on site, we can arrange that as well.
So do avail yourself of those services, if that's of interest. And finally, the events: KuppingerCole runs the European Identity and Cloud Conference every May in Munich, and you're most welcome to attend. That is five streams of information on all aspects of identity and access management, a good time for networking, and a very large vendor exhibition as well; 50 vendors attended in 2014. We're also running an event in China at the end of January and one in July in Australia. So do check the website and keep yourself up to date with the events that we are running in this space. In terms of the agenda for the webinar, I'm going to start off with a little introduction to the whole concept of identity in the cloud and the issues that arise because of that. Then Shane is going to tell us about the Identity Broker solution, and he will go through a use case using an HR package and show how that service can be made available in the cloud environment. And then at the end, we will get to your questions, so please don't hesitate during the webinar to enter them into the question panel at the bottom of your control panel.
This graphic is from a document produced by Martin Kuppinger discussing governance issues when it comes to identity management, and that's one area of import when we come to manage identities in the cloud. On the left-hand side, you'll see we have our standard on-prem identity and access management and our governance tools that we're all familiar with and are happy with in terms of our on-premise environment. But then we also need to provide that facility within the cloud, and we are in the situation where we need to have an identity management service that we can provide to the various applications that we have on premise as well as in the cloud. We then need to start building the cloud-based solution. In the middle of the panel, we have those items that we're happy with on premise but need to provide in the cloud. So for instance, single sign-on is one aspect of managing our access to applications, and we do a lot of work to put it in place in our on-premise environment.
Particularly if we're running Windows, the Windows integrated authentication capability provides us single sign-on to applications on premise. But when we move into the cloud, it's a little bit more difficult, because potentially our software-as-a-service solution provider is not providing a single sign-on capability. We let that go, and it's our users that suffer. If we start taking a strategic view to moving into the cloud, we will put in place those facilities we need to look after our requirements there. Identity providers: we will typically find that in the cloud we'll have multiple identity providers, where we have to maintain identity in multiple locations. In terms of federation services, that's a solution that we should be looking at in terms of our cloud infrastructure, so that we can indeed federate between different identity providers and provide a single sign-on capability. Strong authentication as a service is also very important in this space, with the number of high-profile issues about the release of celebrity pictures.
You know, we need to make sure that we have the capability of increasing the protection of our data in the cloud through some form of strong authentication. Fortunately, most service providers now do provide the capability of going to a multi-factor authentication capability that will allow us to protect our documents, pictures, and log-on capabilities in the cloud. So we need to build this cloud user and access management capability. On the right-hand side, you'll see industry collaboration, and this is noting that in some cases your industry might require you to participate in a collaborative network. So for instance, if you are selling to Boeing, you need to make sure you are working within their network. In order to do that, that industry requirement should be wrapped into your strategic approach to cloud services. You need to consider it holistically in terms of the direction.
Now, what we are seeing in cloud services, and what we would recommend in terms of taking a strategic approach, is that you should be looking to integrate on-prem and cloud; it should become one. We are in a situation where for a number of years we're going to be in a hybrid environment: you cannot move everything into the cloud all at once. So during the time we're in this hybrid situation, in terms of our identity and access management, we need to put in some work to make sure that it is unified in terms of provisioning and access governance. We need to take a holistic approach, so if governance says we need to do something on premise, we then need to replicate that in our cloud environment. In terms of standards, we do strongly suggest that you adopt a standards-based approach.
I've just listed three; these are popular protocols that are used in the cloud. SCIM is the protocol to use for the transmission of identity data and attributes between services and applications. SAML is the protocol to use for authentication to SaaS applications, so if your SaaS application doesn't support SAML, we would suggest you look further afield. XACML is the protocol to use for authorization of users, so if there's a requirement with your SaaS application to be able to look at fine-grained authorization attributes, XACML might be the solution for you there. So do adopt a standards-based approach when it comes to looking at your identity in the cloud. And of course, integration with Active Directory is a requirement. Most organizations are relying on Active Directory for their on-premise authentication services. Active Directory is typically a rich source of information in regard to, for instance, Active Directory groups that will determine a person's access to a particular application. In many cases, Active Directory groups are not migrated to the cloud, and we tend to have a less useful identity repository in terms of controlling access to software-as-a-service applications. Not a good idea. We need to make sure that we have this integration with our Active Directory.
I did want to have one comment on generic cloud service provider decisions, the decision behind selecting a cloud service provider. In fact, this is a slide from Mike Small, who's an analyst in the UK, and he recommends a four-pillar approach to selecting your cloud service provider. First is to make sure you've got a good definition of the service level that you want: know what sort of performance you want to achieve, and any requirements you have in terms of encryption or backing up of data; make sure that those are documented and you've got agreement that those are part of the requirements. Include also non-functional issues, so architecture: we recommend that your architecture be extended to include your cloud service requirements. There might be some legal requirements too. So include all of these in the service level definition document, and get agreement within your organization
as to those requirements. Do then look at standards and certifications. In terms of certifications, we've observed that a number of organizations go to great lengths to make sure that they apply to various certification bodies and get accreditation from those bodies for their on-prem environment, but then they'll adopt software-as-a-service applications in the cloud that don't adhere to those standards. Not a good idea. You need to make sure that those requirements are migrated to the cloud as well. Division of responsibility is another important one. Don't assume anything in this particular instance: if you've got a cloud service provider providing a database service for you, and a lot of companies are now putting their data into the cloud for a variety of reasons, make sure that there is agreement on who's backing up that data. Don't just assume that your cloud service provider will do that.
And finally, the monitoring and audit capabilities: you need to make sure that your cloud service applications plug and play with your requirements in that space as well. Again, we've observed that a number of organizations do a lot of monitoring, auditing and reporting for their on-premise environment, but then when it gets to the cloud, they neglect to do that, particularly if you've got event monitoring. So if there's security event monitoring happening within your organization, do require your cloud service provider to plug into that capability as well, because those capabilities are available from the major providers of cloud services. As I mentioned earlier, though, the real elephant in the room here is identity, and that's our focus for today. In many cases, our organizations have very good on-premise capabilities, so a mature identity and access management environment where our human resources application is updating our Active Directory on a real-time basis. Then we need to connect to a software-as-a-service application in the cloud.
And we find we need to then synchronize our directory information to a repository to support that cloud application. Then we might decide, well, we are going to move to Office 365 or indeed SharePoint Online, and then we find ourselves in the Microsoft Azure environment, again synchronizing our directory information into Azure. You can see how this could well proliferate. Now, some organizations have come up with an identity provider service in the cloud, and that's what we are suggesting is a good strategic solution to this issue: you as an organization are managing the update of your directory service, and you are managing access to your identity provider service from multiple cloud applications, and indeed can then, from that cloud-based infrastructure, update your on-premise AD to support legacy applications in that environment. That's the approach that we're talking about today, and I'm going to transfer to Shane now, and he's going to take us further in discussing the Identity Broker service on a cloud basis. Just transferring to Shane. Thanks, Graham. Take it away. There you go.
All right. Thank you very much, audience, for your time today. I know again it's going to be late for some of you and early for some of you, and we appreciate your time.
Just before we do Identity Broker, which is the focus of our use cases today, just a quick background on UNIFY Solutions. UNIFY Solutions has been established as IAM experts for the last 10 years in the Asia Pacific region, and we've spanned a number of industry sectors such as legal, finance, education, government, utilities, and health. One of our philosophies in the past has been to have a product that assists us to do certain parts of identity and access management more easily, because a lot of identity management in itself focuses on identity being a piece of infrastructure instead of part of your business infrastructure. Identity Broker is a product that allows us to do application-driven identity management: we talk to applications within the enterprise at the application layer rather than the infrastructure layer. We'll go more into that soon. FIM Event Broker is another flagship product that we have, which brings event-driven, real-time identity management to the Microsoft Forefront Identity Manager stack, and to the Microsoft Identity Manager stack, which is around the corner. And we have a number of service centers, including our business center, our Microsoft identity practice team, which is one of the largest in the world, and our Ping Identity practice team.
And aligning with what Graham just said about what you need to think about in terms of adopting cloud services or identity services, we go all the way from strategic planning and roadmap advice and business analysis right down to the nitty-gritty of the technical implementation of your identity and access management solutions.
So the focus of today is showing how Identity Broker can be used to solve a particular point problem with cloud identity management. Traditionally, Identity Broker was a connectivity framework that was designed to deal with enterprise applications at the enterprise application layer. Some people in the audience will be familiar with the concept of enterprise applications being best of breed: although they may be good at a specific purpose, they may not be good at interacting with other things within the enterprise. Identity Broker allows us to do data modeling with these applications, so that we can work with the data model of the application and the service contract or API of the application, and translate that into something which makes sense in identity management land. So we are able to present relational or ad hoc type data models to identity management platforms such as Oracle or Microsoft or NetIQ in the directory hierarchical structure.
And this allows us to build repeatable connectivity. Part of our business model is to partner with the application vendors. So we may partner with a best-of-breed HR application vendor, someone that's very good at a particular sector and may have hundreds of implementations within that sector, and we partner with them to become their identity management partner and enable their applications to participate within identity and access management solutions beyond just things such as single sign-on. So we may enable an HR system to become an authoritative source within an identity management solution. Also, within the last couple of years, we've provided a new version of this called Light, which allows us to do tactical point-to-point synchronization and provisioning from a source such as HR to an Active Directory. So a typical configuration of a larger-scale enterprise customer would be having an identity management platform, one of the large vendor platforms.
And that synchronizes with that system to a directory and other potential downstream systems. Identity Broker has allowed us to have a layer which will interact with systems such as an HR system or a communication system or anything else that may be an authoritative source of data, and allows bidirectional communication between an identity management system and that system, without the identity management system needing to be aware of the complexities of the target or source system, and vice versa. When I spoke about Light: Light allows us to target an authoritative source and synchronize that with a directory, and to do that at a much lower cost point than your traditional identity management platforms. So one of my philosophies since becoming the chief technology officer at UNIFY is to enable small and medium businesses to participate in being able to get the full identity and access management benefits without having to pay the full enterprise cost for doing so.
And Identity Broker Light was our first step towards doing that. Now, if we look at a typical set of use cases which are covered by our cloud scenario, which the next slide will cover, it covers the most basic things which don't get covered by most of your cloud identity providers. The reason they don't do these things is because there does tend to be a lot of business analysis and development work surrounding getting things which don't necessarily participate in the standards which Graham was talking about and recommending; incidentally, I do recommend choosing things which adhere to standards. But the basic use cases will be the joiners, and that enables you to enable IT services, make sure people can log in, and be able to start workflows around procurement or training or whatever needs to be done. It enables you to be able to get details of changes, so someone changes position or their personal details change.
It enables that to be updated in the Active Directory. And also, most importantly, particularly when you think about security audits, the use case of leavers and being able to disable IT services. You know, these are pretty standard use cases for identity and access management solutions, but it's been our experience in our market particularly that most enterprises below about 2000 seats couldn't afford a normal identity and access management on-premises solution, and a lot of them obviously are going down the path of moving to consumption of cloud services. So if we talk about targeting this chris21 stuff, we're looking at, and actually about to launch, a cloud service where the Light service, which enables those joiners, movers and leavers from an on-premise solution, now becomes a service that even the smallest business, if it starts to get difficult to manage or govern their directory, is able to rent. With this Identity Broker cloud service we are able to read employee data from a hosted solution or from their on-premise solution, and synchronize that with the Active Directory solution so that they're able to govern the Active Directory.
And the main reason for needing to do this is, in my opinion, step one of the two steps to enable your users within the enterprise to access cloud solutions. If you don't govern your directory source, then you are not governing their access to cloud applications. Unless you can be sure that your own on-premise environment is only allowing access to those who should be getting access, you can't use your directory or authentication directory as a source of authentication information for cloud services. You're basically perforating the boundary, and you're not containing your security within your own firewall, because you are actually allowing people access to cloud-based systems.
So the benefits of such an approach, once you've got a governed Active Directory or authentication directory, are that you can use this as a single identity provider for access decisions, no matter where these decisions need to be made, whether they're your more traditional on-prem solutions or your cloud-based solutions. You know that you've got a single point of reference for authentication and authorization decisions. The HR system integration provides you with automated identity provisioning and streamlines your administration workflows, and means that you can be sure that your directory is in the state it needs to be in to let your staff get timely access to systems.
And it also means that you should be able to facilitate passing security audit reports and be able to start producing attestation reports based on something that you know is an automated process, where all the rules are being applied at that particular time. And as I mentioned before, this is the first step of the hybrid cloud migration. Once you have your enterprise directory right, then you can start to use access management solutions provided by people such as Microsoft with their Azure AD solution, or Ping Identity with PingOne, or Okta, or any number of solutions out there which enable federation patterns to allow single sign-on to cloud applications. So that's done, Graham; I'll just hand back to you for the rest of the presentation. I'm muted.
Okay. Thanks, Shane. Appreciate that and your comments. I'm going to switch back over to my PC now and just go through; I want to show one slide of the various documents that our attendees might be interested in. Now, as I do that, please input your questions. We welcome questions on any aspect of what's been presented today, either on the strategic approach to identity in the cloud, or indeed on the UNIFY identity provisioning service and how that's operating in the cloud. In terms of documents you might want to look at, there's a number that impinge on this topic. One is the Dynamic Authorization Management Leadership Compass, which describes the tools that are available now to provide fine-grained access control within the cloud. The scenario report there, Understanding Identity and Access Management, is one of my favorites. It's a couple of years old now, but it does go into all of the basics of identity and access management and gives you a good grounding on what you need to consider for both on-prem and in-cloud identity provisioning. The Identity Provisioning Leadership Compass addresses the major products on the market at the moment that are actually doing provisioning activity.
The New ABC for IT is a best practice report by Martin discussing agility. Businesses today must be very agile. You're finding that your users are adopting cloud services in particular at an increasingly finer granularity, like various departments wanting just one particular application, and these are coming at us with increasing frequency. Remaining agile in that sort of scenario is very difficult, so do take a look at that best practice report. The Cloud IAG Leadership Compass goes through some of the major companies providing identity and access governance solutions, and again, good information on how to properly determine your requirements as you go into the cloud. And if you're really brave, you can look at the Cloud Standards Cross Reference. Mike Small did this, and it basically discusses virtually all of the standards you might come across as you move into the cloud. Again, that'll give you some background as you approach cloud service providers, to ask them the right questions in terms of support for your particular requirements. Okay. We have one question here, and this is for you, Shane: how do you connect the HR system to Identity Broker? How do you do that connection? You mentioned that there's a data modeling activity that needs to be undertaken there in order to determine what it's going to look like in the cloud. Can you just elaborate a little bit on that aspect of it?
Yep, absolutely. Okay. So the question is how we connect to the HR system and how we do the data modeling aspect of it. How we connect to it is a little technical; it does depend a lot on the actual HR system. So if we take the use case of Frontier chris21, they have something which is called the general transaction record. It's based around the concept of batch reporting in HR systems, and they have a particular data model, and we can interact with each of these tables through it. So these tables are exposed by a web service, and we interact with each of those tables through the web service. And I have a diagram for this, Graham. Did you want me to show them?
Okay, just a second. Okay. There you go.
Okay. There we go. So like a lot of HR systems, it has a very relational type data model, where you have details about a person or an employee, details about positions within the organization and the organization structure, and placements where, excuse me,
sorry, an employee is placed into a position from a start date to an end date. Interaction with chris21 is through a web service API, which enables us to interact with it regardless of whether it's on premise or in a hosted environment. And our data modeling engine allows us to get details from each of those object types and then denormalize that data based on a set of criteria, such as: this field is a start date, this field is an end date. And we can feed that through to an identity management provisioning engine at the time that the change occurs, or when the placement starts and ends, so we can feed that through in a timely manner. And obviously with our own particular service, we're able to do that as well; we're able to pick up the same triggers within that. And the good thing about being able to model it that way is that those details don't need to be exposed to the identity management engine, so the focus can be purely on the business rules within the identity management engine. Does that answer the question?
Okay. So that would be done as an initial professional services activity up front. What then if something changed? What if I have a change: I've added a new position, or I have an OU change. Do I then need to go into Identity Broker and change my data model? Is that how it works?
No, because the data model itself won't change when you do those things. So we'll read the reorganization; say you have a reorg, and people's positions are moving into different organization structures, and you'll have new ones. All that is captured by our service and presented to the identity management platform. You may need to do some professional services analysis about what that means downstream if you have a full-blown enterprise system, but for a point-to-point solution that won't matter. With, for example, the chris21 solution, we have this data model out of the box, so there is actually no professional services required to set up that data model in itself. That's part of the commercialization of this particular product or service, particularly with the cloud ones: you don't want much friction to be able to start one of these services up and shut them down again. So we've taken care of as much of that as we can. There does need to be some readiness or data cleansing that might have to happen within a directory before it starts up, but that's certainly something which our system can give a pretty detailed report on: what needs to happen before you go live with it.
Excellent. Okay. Thanks for that, Shane. Appreciate that. Okay, do we have any more? There are no more questions coming through here, Shane, so I think we've satisfied the requirements of our attendees. Again, if there are comments or questions that do come up subsequent to the webinar, please drop us a line. We are very much appreciative of receiving feedback, good or bad, on any aspect of our webinar service. So thanks for attending, and we look forward to meeting you at another webinar in the near future.
