All posts by robertdoswell

Identity management in the cloud: What does it actually mean?

(c)iStock.com/mihau

Identity management in the cloud? What does this actually mean to us? We don’t yet have an established definition of cloud identity management – there is not even a Wikipedia page for it yet, although identity management itself is well established. That says it all. I’m going to attempt to draw up a definition.

Using cloud applications has now become commonplace for many organisations. In education especially, cloud applications such as Office 365 and various electronic learning environments have been used for years. Educational institutions are far ahead of other organisations when it comes to using cloud applications.

In identity management terms, these cloud applications are mainly target systems. Just to be clear, an identity management process encompasses one or more source systems (often the HR system or school information system, where the identity is registered and personal and contract details are maintained), the identity manager, and the target systems. The target systems are those in which the identity must be established and access must be granted.

Business applications to the cloud?

When the target systems are mainly cloud-based but the source systems are still not, I don’t believe we can yet speak of cloud identity management. In fact, this is a hybrid situation where a number of applications are running in the cloud, but the most critical business applications are still running on-premises.

Why don’t the critical business applications move to the cloud? Quite simply, they are just too critical. Consider the electronic health record, for instance. This is packed with confidential information and patients would feel uncomfortable knowing that their medical details are in the cloud. At the same time, many organisations, particularly those involved in corporate service provision, have heavy legacy business applications that were developed for them years before, and which would involve too much effort and expense if they were to be made cloud-based. New arrangements would have to be made with suppliers, and this is often not the suppliers’ priority.

As long as these target systems are unlikely to be offered as cloud-based in the near future, there is also no need for organisations to move their source systems to the cloud. Yet a few suppliers of source systems (HR systems) are taking the step to the cloud. They now offer their applications either in the cloud or on-premises, but in the future will probably offer only a cloud version.

Alongside the source and target systems, there is the identity manager: the system that has to ensure the digital identity is provisioned to the various target systems, so that authentication and authorisation for the identity are managed easily and uniformly. There are not yet many suppliers offering identity management in the cloud. In general, a fully cloud-based identity manager is not attainable either: to be able to run the processes, a small agent always needs to run on-premises. The business logic itself then runs centrally, and is thus outsourced.
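The loop described above (source system as the authoritative record, identity manager comparing it with a target system and deriving provisioning actions) can be made concrete. The following is an added example, not code from the original post or from any particular product: a minimal joiner/mover/leaver reconciliation in Python. The department-to-group policy, the record fields and all sample data are constructed assumptions for illustration.

```python
"""Minimal joiner/mover/leaver reconciliation between a source system and a target system.

Added illustration of the identity-management loop: the source system (e.g. HR) is
authoritative for identities; the identity manager compares it with the accounts that
exist in a target system and derives the provisioning actions that would close the gap.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Tuple

# Assumed policy (not from the post): which target-system groups each department gets.
DEPARTMENT_GROUPS = {
    "finance": frozenset({"staff", "finance-apps"}),
    "teaching": frozenset({"staff", "lms-teachers"}),
}
DEFAULT_GROUPS = frozenset({"staff"})


@dataclass(frozen=True)
class Identity:
    """A record as maintained in the source system (HR / school information system)."""
    person_id: str
    department: str
    contract_end: Optional[date]  # None means an open-ended contract


@dataclass(frozen=True)
class Account:
    """An account as it currently exists in a target system."""
    person_id: str
    groups: frozenset
    enabled: bool


def is_active(identity: Identity, today: date) -> bool:
    """An identity is active while its contract has not yet ended."""
    return identity.contract_end is None or identity.contract_end >= today


def desired_groups(identity: Identity) -> frozenset:
    return DEPARTMENT_GROUPS.get(identity.department, DEFAULT_GROUPS)


def reconcile(identities: Iterable[Identity], accounts: Iterable[Account],
              today: date) -> List[Tuple]:
    """Return the sorted list of (action, person_id, detail) the identity manager should apply."""
    source = {i.person_id: i for i in identities}
    target = {a.person_id: a for a in accounts}
    actions: List[Tuple] = []

    for pid, ident in source.items():
        acct = target.get(pid)
        if not is_active(ident, today):
            # Leaver: the source says the contract is over, so the account must not stay usable.
            if acct is not None and acct.enabled:
                actions.append(("disable", pid, "contract ended"))
            continue
        if acct is None:
            # Joiner: known to the source but absent from the target.
            actions.append(("create", pid, sorted(desired_groups(ident))))
            continue
        if not acct.enabled:
            actions.append(("enable", pid, "active in source"))
        if acct.groups != desired_groups(ident):
            # Mover: department changed, so group membership must follow.
            actions.append(("set_groups", pid, sorted(desired_groups(ident))))

    # Orphans: accounts in the target with no identity in the authoritative source at all.
    for pid, acct in target.items():
        if pid not in source and acct.enabled:
            actions.append(("disable", pid, "no source identity"))

    return sorted(actions)


# Constructed sample data: one mover (P1), one leaver (P2), one joiner (P3), one orphan (P9).
SAMPLE_IDENTITIES = [
    Identity("P1", "finance", None),
    Identity("P2", "teaching", date(2023, 12, 31)),
    Identity("P3", "finance", None),
]
SAMPLE_ACCOUNTS = [
    Account("P1", frozenset({"staff", "lms-teachers"}), True),
    Account("P2", frozenset({"staff", "lms-teachers"}), True),
    Account("P9", frozenset({"staff"}), True),
]
SAMPLE_TODAY = date(2024, 3, 1)


def sample_actions() -> List[Tuple]:
    return reconcile(SAMPLE_IDENTITIES, SAMPLE_ACCOUNTS, SAMPLE_TODAY)


if __name__ == "__main__":
    for action in sample_actions():
        print(action)
```

The orphan rule is the one worth noting: an account that the source system cannot vouch for is disabled rather than ignored, which is what makes the source system authoritative in practice. A real identity manager would additionally log every action for audit, and apply the same comparison per target system with its own group mapping.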

Full cloud identity management

But what then is full cloud identity management? Unfortunately, we still don’t have an answer for this. I believe that full cloud identity management is only possible when, alongside the source and target systems and the identity manager, the primary log-in (authentication) of the user is also done in the cloud.

This means that the source against which the user is authenticated, the Active Directory, must be in the cloud. An Azure Active Directory generally also goes hand in hand with outsourcing the entire management of the Active Directory to a third party. This party could then also be responsible for ‘being in control’ of the data, in other words managing the data and delivering the reports required for audits. SLAs covering the logical access security standards would have to be agreed with such a party.

For now, complete identity management, where the source and target systems and the identity management system are partly in the cloud, along with the Active Directory, is only achievable for educational institutions and the SME sector. Using an Azure Active Directory has now become very common in these sectors. Complete cloud identity management offers many possibilities. For instance, it would be easier to offer users single sign-on. By signing in once, from any device, they could gain access to thousands of cloud applications. With WebSSO, users could use their company credentials to launch applications from a portal or a mobile app. This means users would not have to remember the log-in details for all the different cloud applications.

Unfortunately total cloud identity management including a cloud Active Directory is not going to be the way ahead for every organisation – but the possibilities are certainly coming steadily closer.