Cloud Identity Management

This post discusses why cloud identity is such a difficult problem to resolve.

Why Is Cloud Identity Such a Hard Problem?

This is a quick post about Oracle Unified Directory.

Oracle released Oracle Unified Directory (OUD) with very little fanfare in July last year and have now updated it to OUD 11gR2 as part of the Oracle Identity Management 11gR2 suite of products.

For those of you who don’t know, OUD is based on Sun’s OpenDS project and has three components in common with ODSEE:

  • Directory Server
  • Proxy Server
  • Replication Server

The Directory Server provides the main LDAP functionality, the Proxy Server can be used for proxying LDAP requests, and the Replication Server is used for replication from one OUD instance to another OUD or even ODSEE server.

At first I didn’t see the point in Oracle releasing another lightweight directory server until I took a closer look at the product. In addition to the services mentioned above it has other services such as virtualization capabilities and Oracle’s Directory Integration Platform, which allows for the synchronization of data with other directory servers such as Active Directory. Oracle has also been optimizing OUD for the SPARC T4-1 hardware.

This makes me wonder what the future is for ODSEE.

I’ve had limited experience with OUD but can confirm that it works well as an OpenAM data store.

Blogging Again

After a short hiatus I’m finally blogging again.

Some might think that I needed to recover from England’s unimaginative showing at the Euros and their inevitable exit on penalties in the quarter finals.

This is not true, I’ve been busy working.

One of the things I’ve done is to get more familiar with the available open source cloud offerings, in particular looking at OpenStack, Eucalyptus and CloudStack.

I used Martin Loschwitz’s excellent instructions here for the installation of OpenStack on a Lenovo T5010 laptop running Ubuntu 12.04 Precise Pangolin.

A couple of things to note:

  • Hardware virtualization must be turned on at the BIOS level otherwise the VM fails to start with spawning errors.
  • There is only one NIC on this laptop so I created a virtual adapter for the second NIC.
  • Don’t forget to create the LVM volume group called nova-volumes. This is mentioned at the end of step 1 but no instructions are given. For those who need them:

# Create a 1 GB backing file and attach it to the next free loop device (losetup prints the device name)
dd if=/dev/zero of=MY_FILE_PATH bs=100M count=10
losetup --show -f MY_FILE_PATH
# Install the LVM tools and create the nova-volumes volume group on the loop device printed above (here /dev/loop0)
apt-get install lvm2
vgcreate nova-volumes /dev/loop0

I also installed OpenStack on an ESXi virtual machine. There are lots of instructions for installing it on VirtualBox but very little for installing it on VMware. The issue is the requirement for hardware virtualization support.

It seems that there may be a way around this with VMware’s vSphere 5 but I didn’t want to start reconfiguring the company ESXi server, so I created an Ubuntu 12.04 virtual machine and installed DevStack by following Sam Johnston’s instructions here. This is a documented shell script from Rackspace Cloud Builders that builds a complete OpenStack development environment; it installed in less than fifteen minutes.

I shall now get familiar with the APIs and try to determine how easy it is to integrate with Open Source provisioning software.

Cloud Computing and Security

I briefly discussed cloud provisioning in a previous post and am now going to take a closer look at cloud computing and security.

What is cloud computing?

This is computing that leverages the internet as a tool to enable remote computers to share memory, processing, network capacity, software and other IT services on-demand. The cloud paradigm provides utility computing and allows businesses to pay for what they use.

The National Institute of Standards and Technology (NIST) defines cloud computing thus:
Cloud Computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

The basic architecture of the cloud can be described as a cloud pyramid which is composed of three segments: Cloud Infrastructure at the bottom, Cloud Platforms in the middle and Cloud Applications at the top.

At the application level of the cloud clients are served Software as a Service (SaaS) resources and acquire access to fully functioning standard computer software.

At the platform level clients are served Platform as a Service (PaaS) resources and pass the responsibility of the creation and maintenance of the computer platform to the service provider.  However, clients have to create or install their own third-party applications.

At the infrastructure level clients are served Infrastructure as a Service (IaaS) resources and are responsible for building and maintaining their own platforms and applications.

All services provided by a cloud provider will fall into one of these three segments.

Public, Private, Community and Hybrid Clouds

When most people discuss cloud computing they generally mean the public cloud where a provider makes computing resources publicly available over the internet using a pay-as-you-use model with the resources being shared between all subscribers.  However, there are also two other types of cloud models.

A private cloud is similar to a public cloud but the resources are used by one organization. This paradigm eliminates many of the cost-benefits of public cloud computing but allows for virtualization to simulate resource allocation while assuring a more secure operating environment.

A community cloud is similar to a public cloud but all the clients have shared concerns such as mission, security requirements or policy and compliance considerations. It may be managed by the organizations or a third party and may exist on-premises or off-premises. This paradigm reduces the cost-benefits of public cloud because the costs are spread between fewer clients.

A hybrid cloud is a combination of a public and private cloud. This is becoming very popular and currently has two paradigms in use.

  • All operations are run in a private cloud with the public cloud used to increase capacity for expected and unexpected spikes in demand.
  • For the more security conscious organizations data stores containing sensitive and proprietary information are kept in the private cloud and everything else is stored in the public cloud.

There are currently no standards for cloud security. This has led to the creation of three competing organizations formed to develop security guidelines and protocols:

  • Cloud Security Alliance
  • Open Data Center Alliance
  • Cloud Standards Customer Council

The Cloud Security Alliance is a not for profit organization that promotes the use of best practices for providing security assurance within cloud computing environments.

The Open Data Center Alliance is a consortium of large IT consumers intent on developing standards for interoperable Cloud Computing. The organization was initiated by Intel as a means to push its Cloud 2015 vision of which the Intel Expressway Cloud Access 360 (or McAfee Cloud Identity Manager) is its first product.

The Cloud Standards Customer Council is backed by IBM and CA and is focused on the standards, security and interoperability issues around moving to the cloud. IBM has entered the cloud identity field by releasing the Tivoli Federated Identity Manager (TFIM) and TFIM Business Gateway as their cloud identity and access management solution.

The two solutions use different approaches to identity and access management for the cloud.

The Intel approach is to use an SSO portal that allows an authenticated user to select a service with each cloud solution having its own connectors. It supports simple username/password authentication and strong authentication using one time passwords. Authentication can be done against the enterprise data store.

The IBM approach uses a federated trust model where the cloud applications grant user access based on their trust of the identity provider.

August Thirteenth

We work with both cloud service providers and clients to implement user authentication and provisioning services using industry best practices and open source software. Check out our website.

Cloud: User Account Provisioning

I’ve met with several prospective customers recently who are interested in cloud technology such as Software as a Service (SaaS) but want to know how to implement identity and access management.

Enterprises often use products and services from various cloud providers who need to have their own identity store for policy, access and authorization.  Consequently, there is a need for identity synchronization and provisioning mechanisms between the enterprise and the SaaS provider.

The answer is to either find a vendor who has created a solution for the problem such as Radiant Logic or create a custom solution by integrating with the SaaS vendor’s API. Different cloud vendors expose custom provisioning APIs which require enterprises to develop and maintain proprietary connectors to integrate with them.

There is a new initiative driven by Google and Ping Identity called SCIM (Simple Cloud Identity Management). It is an open standard which defines a comprehensive REST API along with a platform-neutral schema and a SAML binding to facilitate user management operations across SaaS applications, placing specific emphasis on simplicity and interoperability. SCIM gives cloud application providers a consistent and simple way to manage the identities in their cloud application as well as in other clouds.

There is already a provisioning standard called Service Provisioning Markup Language (SPML) but the industry hasn’t adopted it. SPML was developed for the enterprise provisioning market and while many identity management vendors support sending and accepting SPML requests, few support SPML as their API for provisioning. As a result most integrations from IAM vendors still use the vendor API which, as with cloud vendors, varies from vendor to vendor.

Will SCIM be adopted by the major cloud vendors?  Only time will tell.

In the meantime, if the customer doesn’t want to purchase a third-party solution, we’re left with working with the vendors’ APIs and uploading accounts in a format that they can understand. If the service is exposed as a web service over SSL then data can be sent this way, or it may be as simple as setting up a secure connection with two-way authentication and bulk uploading provisioning information. Security can be further enhanced if the cloud solution can be configured to only accept connections from specific hosts. Not very neat or scalable but it gets the job done.

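As an added example (not code from the original post or from any vendor) that ties the SCIM section above to the two-way-authenticated upload just described: enterprise directory entries are mapped to SCIM User resources and posted to an assumed provider endpoint over mutually authenticated TLS. The base URL, bearer token, certificate paths and LDAP attribute names (including accountStatus) are assumptions, and SCIM 2.0 is used because that is the version a practitioner would implement today.

```python
"""Push enterprise accounts to a SaaS provider as SCIM 2.0 User resources over
mutually authenticated TLS.  Added example, not code from the original post:
the endpoint, token, certificate paths and LDAP attribute names are assumptions."""
import json
import ssl
import urllib.request

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 core User


def ldap_to_scim(entry: dict) -> dict:
    """Map an inetOrgPerson-style entry (attribute names assumed) to a SCIM User.
    Password material is deliberately never copied: the SaaS side should not hold
    the enterprise credential, and the request body may end up in provider logs."""
    mails = entry.get("mail", [])
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": entry["uid"],
        "name": {"givenName": entry.get("givenName", ""), "familyName": entry["sn"]},
        "emails": [{"value": m, "primary": i == 0} for i, m in enumerate(mails)],
        # accountStatus is an assumed enterprise attribute; anything but "active" disables the user
        "active": entry.get("accountStatus", "active") == "active",
    }


def build_request(base_url: str, token: str, user: dict) -> urllib.request.Request:
    """POST /Users with the SCIM media type and a bearer token issued by the provider."""
    req = urllib.request.Request(f"{base_url}/Users", data=json.dumps(user).encode(), method="POST")
    req.add_header("Content-Type", "application/scim+json")
    req.add_header("Authorization", f"Bearer {token}")
    return req


def mutual_tls_context(ca_file: str, client_cert: str, client_key: str) -> ssl.SSLContext:
    """Two-way TLS: verify the provider against our CA bundle and present a client certificate.
    Pair this with the provider's source-host allow-list so only the provisioning host can connect."""
    ctx = ssl.create_default_context(cafile=ca_file)  # hostname and chain verification stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(client_cert, client_key)
    return ctx


def provision(base_url: str, token: str, ctx: ssl.SSLContext, entries: list) -> list:
    """Create one SCIM User per entry; returns (uid, HTTP status) pairs for the audit trail."""
    results = []
    for entry in entries:
        req = build_request(base_url, token, ldap_to_scim(entry))
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            results.append((entry["uid"], resp.status))
    return results
```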
I’ve been quietly fuming over the last few weeks because of the pig’s ear that Arsenal have made of getting the points necessary to gain automatic qualification to the Champions League.

I’ll wait until after Sunday’s game before discussing further.