In a typical organization, a user of the enterprise services has multiple identities: the user identity in the biometric or badge services differs from the user identities in the HR services, payroll services, SAP or mainframe applications used in the enterprise. Mismanagement of these multiple identities can lead to faulty implementations that compromise the integrity of the service ecosystem, and the identities become very difficult to manage on a cloud computing platform.
As in the previous article (SOA and Cloud Computing), in this article I will provide a cursory walk-through of an identity management service for the cloud computing environment.
The scenario explained in this article is an extension of the scenario explained in the SOA and Cloud Computing article.
XYZ Company wants to efficiently manage enterprise user identities and also to be able to perform health checks on all of its identity management systems. The company also wants to implement a policy of issuing a temporary ticket daily to store employees or contractors so that they can access the store services during their assigned shifts only, to avoid any intrusions into the system during non-office hours.
The following two services are recommended for XYZ Company.
In the service-oriented architecture (SOA) definition process, or during business process modeling, the identities of providers and consumers become very important for performing the handshake and meeting the expectations set in Service Level Agreements (SLAs). The large number of services in an organization, and the complex nature of their dependencies on each other, can complicate the tracking of intrusions and/or information leakage, significantly affecting the integrity of, and trust in, the data. An enterprise identity management service is therefore very important for managing identity across the organization's services.
The following figure shows the services deployed on the cloud computing platform with the enterprise identity management service for XYZ Company.
An enterprise repository is a meta-repository that contains the information about the enterprise users. The repository can be a single instance or multiple instances. The identities of service consumers should be stored in the single repository and then distributed to the physical directories.
The identity service framework will provide secure identity creation, updating and synchronization to the subscribed enterprise services or applications.
The framework should:
- offer a web service API that lets applications submit identities to the identity repository
- offer an automatic or manual workflow to approve each identity
- broadcast the identity to the subscribed services or applications after it has been approved and published
- provide user provisioning that allows business users to access the identified services during their shift hours
- audit-log each request
- provide monitoring via a dashboard, or the ability to integrate with COTS monitoring dashboards
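To make the framework responsibilities above concrete, here is an added illustration of the identity lifecycle (submit through an API entry point, approve via an automatic or manual workflow, publish and broadcast to subscribed directories, audit-log every request, and expose a dashboard-style health summary). It is not code from the original article; `IdentityService`, its method names, the subscriber callbacks and the sample identities are all constructed for this example. Publication is the one place where identities leave the single meta-repository, which is what the "store once, distribute to physical directories" model above requires.

```python
"""Added example: identity submit -> approve -> publish -> broadcast, with audit log."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List


@dataclass
class Identity:
    user_id: str
    display_name: str
    department: str
    status: str = "pending"      # pending -> approved -> published
    approver: str = ""


@dataclass
class AuditEvent:
    when: str
    actor: str
    action: str
    user_id: str
    outcome: str


class IdentityService:
    """Single meta-repository; physical directories subscribe and receive copies."""

    def __init__(self, auto_approve_departments=()):
        self.repo: Dict[str, Identity] = {}
        self.subscribers: Dict[str, Callable[[Identity], None]] = {}
        self.audit: List[AuditEvent] = []
        self.auto_approve = set(auto_approve_departments)  # assumed workflow rule

    def _log(self, actor, action, user_id, outcome):
        # Every request is logged, whether it succeeds or is rejected.
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append(AuditEvent(stamp, actor, action, user_id, outcome))

    def subscribe(self, name, callback):
        """Register a directory/application that should receive published identities."""
        self.subscribers[name] = callback

    def submit_identity(self, actor, user_id, display_name, department):
        """API entry point: an application submits an identity to the repository."""
        if user_id in self.repo:
            self._log(actor, "submit", user_id, "rejected:duplicate")
            return False
        self.repo[user_id] = Identity(user_id, display_name, department)
        self._log(actor, "submit", user_id, "pending")
        if department in self.auto_approve:          # automatic workflow path
            self.approve_identity("workflow:auto", user_id)
        return True

    def approve_identity(self, approver, user_id):
        """Manual workflow path: an approver moves a pending identity to approved."""
        ident = self.repo.get(user_id)
        if ident is None or ident.status != "pending":
            self._log(approver, "approve", user_id, "rejected:not-pending")
            return False
        ident.status, ident.approver = "approved", approver
        self._log(approver, "approve", user_id, "approved")
        return True

    def publish_identity(self, actor, user_id):
        """Broadcast an approved identity to every subscribed directory or service."""
        ident = self.repo.get(user_id)
        if ident is None or ident.status != "approved":
            self._log(actor, "publish", user_id, "rejected:not-approved")
            return []
        delivered = []
        for name, callback in self.subscribers.items():
            try:
                callback(ident)
                delivered.append(name)
            except Exception as exc:  # one failing directory must not block the rest
                self._log(actor, "broadcast", user_id, f"failed:{name}:{exc}")
        ident.status = "published"
        self._log(actor, "publish", user_id, "delivered:" + ",".join(delivered))
        return delivered

    def health(self):
        """Dashboard-style summary: identities per status and failed audit events."""
        by_status: Dict[str, int] = {}
        for ident in self.repo.values():
            by_status[ident.status] = by_status.get(ident.status, 0) + 1
        failed = sum(1 for e in self.audit
                     if e.outcome.startswith(("rejected", "failed")))
        return {"identities": by_status, "audit_events": len(self.audit),
                "failed_events": failed}


def demo():
    """Constructed walk-through: HR submits, a manager approves, two directories receive."""
    svc = IdentityService(auto_approve_departments=("payroll",))
    ldap, badge = {}, {}                      # stand-ins for physical directories
    svc.subscribe("corp-ldap", lambda i: ldap.update({i.user_id: i.display_name}))
    svc.subscribe("badge-system", lambda i: badge.update({i.user_id: i.department}))
    svc.submit_identity("hr-app", "u1001", "Alice Store", "store-ops")
    svc.approve_identity("mgr:bob", "u1001")
    svc.publish_identity("hr-app", "u1001")
    svc.submit_identity("hr-app", "u1001", "Alice Again", "store-ops")   # duplicate
    svc.submit_identity("payroll-app", "u2002", "Carol Pay", "payroll")  # auto-approved
    return svc, ldap, badge


if __name__ == "__main__":
    service, _, _ = demo()
    print(service.health())
```

The audit list doubles as the feed for the dashboard: the `health()` summary is computed from the same events that a COTS monitoring tool would ingest, so a spike in `failed_events` (duplicate submissions, publication attempts on unapproved identities, directories that could not be reached) is visible without a separate instrumentation path.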
The identity governance team will help set up the identity management principles and security standards, and will also be responsible for the identity architecture and for risk management through capacity planning, health checks, intrusion detection and control, disaster management, etc. Along with the risk management capability, the identity governance team will be responsible for user provisioning, policy enforcement (such as identity data retention or access policies), data operation support, etc.
The enterprise services for XYZ Company are deployed in both cloud and non-cloud environments. As indicated in the figure above, XYZ will be using both
- a dedicated sign-on service on a single cloud, and
- a single sign-on service across multiple clouds
The store services for XYZ Company are of the multiple-instance type and are deployed on the cloud. Store employees will be able to access the store services for their designated stores only. XYZ Company will use the identity cloud service, which will work with the enterprise cloud service directory. It will also help XYZ Company enforce the policies that allow store employees to access the store services of their designated store during their shifts only, while still providing 24/7 access to their performance evaluations on the HR system or W-2 information on the payroll system deployed on the clouds.
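The shift-bound access policy described for the store employees (a temporary daily ticket, valid only for the designated store and the assigned shift, with HR evaluation and payroll W-2 reachable around the clock) can be expressed as a small ticket authority. The code below is an added illustration, not the article's or any vendor's implementation: `TicketAuthority`, the HMAC-signed ticket format, the `ALWAYS_ON` service set and the sample shift are assumptions made for this example. The signature is what stops a ticket issued for one store from being edited to name another.

```python
"""Added example: daily shift tickets scoped to one store and one shift window."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Services the policy allows 24/7, independent of shift (assumed names).
ALWAYS_ON = {"hr-evaluation", "payroll-w2"}


class TicketAuthority:
    """Issues daily tickets and evaluates access requests against them."""

    def __init__(self, signing_key: bytes):
        self.key = signing_key
        self.audit = []          # (action, user_id, target, outcome), one per request

    def _sign(self, payload: dict) -> str:
        # Canonical JSON so the same payload always yields the same MAC.
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self.key, body, hashlib.sha256).hexdigest()

    def issue_daily_ticket(self, user_id, store_id, shift_start, shift_end):
        """Ticket bound to one store and valid only inside [shift_start, shift_end)."""
        payload = {"sub": user_id, "store": store_id,
                   "nbf": shift_start.isoformat(), "exp": shift_end.isoformat()}
        self.audit.append(("issue", user_id, store_id, "ok"))
        return {"payload": payload, "sig": self._sign(payload)}

    def authorize(self, ticket, service, store_id, now) -> bool:
        """Allow only a genuine ticket, for the right store, during the shift."""
        payload = ticket["payload"]
        user = payload.get("sub")
        if not hmac.compare_digest(self._sign(payload), ticket.get("sig", "")):
            self.audit.append(("authz", user, service, "deny:bad-signature"))
            return False
        if service in ALWAYS_ON:                       # HR / payroll: no shift limit
            self.audit.append(("authz", user, service, "allow:always-on"))
            return True
        nbf = datetime.fromisoformat(payload["nbf"])
        exp = datetime.fromisoformat(payload["exp"])
        if not (nbf <= now < exp):                     # outside assigned shift
            self.audit.append(("authz", user, service, "deny:outside-shift"))
            return False
        if payload["store"] != store_id:               # not the designated store
            self.audit.append(("authz", user, service, "deny:wrong-store"))
            return False
        self.audit.append(("authz", user, service, "allow"))
        return True


def demo():
    """Constructed scenario: one employee, one 8-hour shift at store-42."""
    authority = TicketAuthority(b"constructed-demo-key-do-not-reuse")
    start = datetime(2024, 1, 15, 9, tzinfo=timezone.utc)
    end = start + timedelta(hours=8)
    ticket = authority.issue_daily_ticket("u1001", "store-42", start, end)
    results = {
        "during_shift": authority.authorize(ticket, "store-pos", "store-42",
                                            start + timedelta(hours=2)),
        "after_shift": authority.authorize(ticket, "store-pos", "store-42",
                                           end + timedelta(minutes=5)),
        "other_store": authority.authorize(ticket, "store-pos", "store-17",
                                           start + timedelta(hours=2)),
        "payroll_at_night": authority.authorize(ticket, "payroll-w2", "store-42",
                                                end + timedelta(hours=10)),
    }
    # An edited ticket keeps the old signature, so it must be refused.
    forged = {"payload": dict(ticket["payload"], store="store-17"), "sig": ticket["sig"]}
    results["forged_store"] = authority.authorize(forged, "store-pos", "store-17",
                                                  start + timedelta(hours=2))
    return authority, results


if __name__ == "__main__":
    auth, outcome = demo()
    print(outcome)
    for event in auth.audit:
        print(event)
```

Because every decision is appended to `audit` with a reason code, the governance team's intrusion-detection and health-check duties map directly onto this data: a run of `deny:outside-shift` or `deny:bad-signature` events for one user is the kind of non-office-hours access attempt the policy exists to surface.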
Identity management is very important and should be a prerequisite for the successful implementation of a service-oriented architecture and a cloud computing platform.
The organization should not consider identity management to be just another directory or single sign-on product, but a service that helps the organization collaborate effectively.