When you look at the sky do you see a cloud? I bet more often than not you see clouds. And this is precisely the problem with many of the cloud providers. They exist in isolation, and often do not help companies deploying to multiple clouds solve many problems (especially in the security area) effectively.
Let's take the example of a hypothetical XYZ Corporation. XYZ decides to leverage a few SaaS providers for its needs in the areas of Human Capital Management (HCM), Finance & Payroll, and Customer Relationship Management (CRM), so XYZ signs up with three different cloud-based providers.
While all looks good on the surface, there are problems.
Let's walk through the triad of AAA (Authentication, Authorization, and Audit) issues with the above setup.
- Authentication: Where is the source of identity hosted? Is it hosted at XYZ or at a cloud provider?
- How does the cloud provider trust an external source of identity?
- How does XYZ securely provision its users (employees and contractors) to the hosted cloud provider, and how does it keep those users in sync with the provider?
- Since we are talking about multiple SaaS providers, what if a user, John Doe, is represented in different ways in each SaaS provider's identity store? Representations such as jdoe, john.doe, and jodoe have all existed in the corporate LDAP for years. Now imagine trying to reconcile John Doe across SaaS providers.
Typically, SaaS (cloud) providers are not aware of other cloud providers, and they can't offer services that leverage other providers.
For example, suppose there is a business need to ensure that the principle of "separation of duties" continues to be enforced when John Doe is a user in both HCM and Finance & Payroll, offered by different vendors. How does one ensure that the HCM and Payroll systems do not together allow John Doe both to change his own pay grade (an HCM function) and to release payment (a Finance & Payroll feature) on his own expenses?
The separation of clouds causes problems in Authorization and Audit too. For example, how does one audit that John Doe did not access an HCM function while a given CRM function was being accessed?
There are a few ways to solve this problem:
- If it hurts, don't do it: don't sign up with multiple cloud providers. Just kidding.
- Put a level of indirection in place; a service like apigee may help.
- Standardize: the Cloud Interoperability standard under development and Java EE 7 will help, but a lot more is needed.
- Have cloud vendors externalize some of their data to allow third-party reconciliation, audit, authorization checks, etc.
This is a hard problem; none of the solutions is easy, free of side effects, or guaranteed to work for everyone.
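As an added illustration of the last option (not code from the post), this script shows what a third-party reconciliation and separation-of-duties check could look like once each vendor exports its users and entitlements: provider logins (jdoe, john.doe, jodoe) are joined to one corporate identity through the directory's alias list, and the cross-provider "change pay grade vs. release payment" conflict from above is flagged. All data, provider names and entitlement names are constructed for the example.

```python
# Constructed sample data: three SaaS exports that each know John Doe under
# a different login, plus a corporate directory listing his aliases.
from collections import defaultdict

DIRECTORY = {  # canonical employee id -> logins known to the corporate LDAP
    "emp-1001": {"jdoe", "john.doe", "jodoe"},
    "emp-1002": {"asmith"},
}
EXPORTS = {  # provider -> exported records; entitlement names are hypothetical
    "hcm": [{"login": "jdoe", "entitlements": {"change_pay_grade", "view_profile"}},
            {"login": "asmith", "entitlements": {"view_profile"}}],
    "finance": [{"login": "John.Doe", "entitlements": {"release_payment"}}],
    "crm": [{"login": "jodoe", "entitlements": {"export_contacts"}},
            {"login": "bwayne", "entitlements": {"export_contacts"}}],
}
# Hypothetical separation-of-duties rule: nobody may hold both halves.
SOD_RULES = [(("hcm", "change_pay_grade"), ("finance", "release_payment"))]


def alias_index(directory):
    """Invert the directory: every login, case-folded, -> canonical id."""
    return {alias.casefold(): canonical
            for canonical, aliases in directory.items() for alias in aliases}


def reconcile(exports, directory):
    """Join every provider record to a canonical id.

    Returns (entitlements, unmatched): canonical id -> {(provider, entitlement)},
    plus logins no directory entry claims, which an auditor must resolve by hand.
    """
    index = alias_index(directory)
    entitlements, unmatched = defaultdict(set), []
    for provider, records in exports.items():
        for rec in records:
            canonical = index.get(rec["login"].casefold())
            if canonical is None:  # never silently drop an unknown account
                unmatched.append((provider, rec["login"]))
                continue
            entitlements[canonical].update((provider, e) for e in rec["entitlements"])
    return dict(entitlements), unmatched


def sod_violations(entitlements, rules=SOD_RULES):
    """Return (canonical id, rule) for each person holding both halves of a rule."""
    return [(who, rule) for who, held in entitlements.items()
            for rule in rules if rule[0] in held and rule[1] in held]
```

Running `reconcile(EXPORTS, DIRECTORY)` and then `sod_violations` on the result flags emp-1001 (John Doe) and reports the CRM login bwayne as unmatched for manual review.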
Do you face this problem? What are other ways to address this issue? Is there any effort to address this issue?