Are Network Perimeters the Berlin Walls of Cloud IdM?

A single enterprise wide identity and access management (IAM) platform is a noble but unattainable goal. The network perimeter is now a metaphorical “Berlin Wall” between the two identity platform domains of Cloud and On-Premise. It is time for enterprises to formalize a strategy of integrating their IAM silos using identity middleware.

 Over the last decade, Identity Access Management (IAM) has grown into a well-established product category anchored by the three big vendors: CA, IBM, and Oracle.  Despite all the hard work and technologies developed, most customers have implemented just basic web single sign-on (SSO), have provisioned only a handful of core systems, and still have far too many directories.  Oh, then there is still that Microsoft problem.  The integration of Microsoft technologies such as SharePoint with enterprise IAM is still like mixing oil and water.  Microsoft centric customers turn to Microsoft centric vendors such as Quest and Omada, while other customers treat Microsoft integration like a red-haired stepchild.  Furthermore, whilst most organizations are still struggling to implement enterprise-wide IAM across on-premise assets, along came Cloud Computing to muddy the water even more.

Cloud based services post a new set of challenges as they are not owned by the enterprise and each service offers its own flavor of IAM integration.  Vordel’s CTO Mark O’Neill has written extensively about the different challenges of IAM integration for IaaS, PaaS, and SaaS.  Mark affectionately refers to this topic as “covering your *aaS”.  As often is the case, leading IAM vendors are slow to address the Cloud integration problems.  Seeing opportunities, new IAM vendors have emerged offering Cloud based IAM services.  This group of vendors includes startups such as Okta, Symplified, and Tricipher (acquired by VMware), as well as large vendors like Intel/McAfee and Symantec, new to the IAM space.  The basic offering of these Cloud based IAM services is a Security Assertion Markup Language (SAML) based security token service (STS) with pre-built SSO integrations to popular Cloud based services, usually referred to as “application catalogs”.  There is usually some means of integration with an enterprise directory using an on-premise agent.  These services make it very simple to SSO into the most popular Cloud based services, and have gained good traction from enterprises large and small.  That is positive progress, right?  Not exactly.

Instead of further consolidation and moving towards a true vision of enterprise-wide IAM, enterprises now find themselves with more identity silos than ever.  Let me count the ways:

  • “Enterprise IAM” solutions from CA, IBM, Oracle, or one of the smaller vendors.  Many large enterprises have more than one of these.
  • Microsoft silo with integrations directly to Active Directory using Integrated Windows Authentication (IWA) and Active Directory Federation Server (ADFS).  Each Windows domain or SharePoint instance may be an individual silo.
  • Many point solutions exist specifically to solve the SharePoint mobile access challenge.
  • Mainframe IAM integration is notoriously challenging.  Instead of tackling RACF and ACF2 integrations, most companies opt to delay these projects, hoping these legacy applications will be modernized soon.
  • Cloud-based IAM for Cloud-based services.  This is often adopted by the business, bypassing enterprise IAM efforts.
  • Large business application vendors such as Oracle and SAP continue to push integrated IAM capabilities.  This limited interoperability is by design, leveraging their business application footprint as a mean to push their middleware sales.


This proliferation of IAM silos has led to an explosion of agents, proxies, plug-ins and integration modules.  For many enterprises, the management of these integration points consumes the majority of their IAM project resources.  For some, they have long lost track of how many of these integrations modules exist in the enterprise.

I think it is time to pronounce that a single enterprise wide IAM platform is just a noble but sadly unachievable idea.  While enterprise should strive to reduce the number of IAM silos, at some point the effort becomes prohibitively expensive.  However much we wish it to be the case, Cloud based IAM services is not the solution to this problem, it is just compounding the problem.  It is time for enterprises to formalize a strategy of integrating their IAM silos.  It is time to introduce the concept of “identity middleware”.  Identity middleware is a class of technologies that integrates identity silos introduced by different technologies, vendors, standards, network boundaries and business ownerships.  Identity middleware does not duplicate capabilities offered by standard IAM products.  It does not introduce another identity silo.  Identity middleware’s sole purpose is to consolidate IAM silo integrations into a single technology and platform to enhance manageability and scalability.  Identity middleware should have these capabilities at a minimum:

  • Exchange standard-based and proprietary tokens (security token service)
  • Authentication scheme that can handle combination of user, device and application identities
  • Encryption and signing
  • SSL termination
  • Certificate and key management, with integration to key stores and certificate authorities (CA), as well as integration to Hardware Security Modules (HSM)
  • Token and session caching and management
  • Add, delete, and modify security artifacts to and from messages and APIs running on HTTP, FTP, TCP, and other popular protocols
  • Configurable orchestration of IAM mediation tasks
  • Route messages and API requests based on policy
  • Out-of-the-box integrations with leading IAM products and services
  • Support leading standards, such as SAML, OAuth, WS-Security, XACML, OpenID… etc.
  • Secure operations at the edge of the enterprise and edge of the Cloud to mediate both Cloud-based and on-premise access
  • High performance and low latency


IAM is not a pure infrastructure technology.  IAM technology shares many of the characteristics of business systems.  It is closely integrated and often embedded within business systems.  It also needs to integrate with other IAM systems from business partners.  Just like application integration requires mediation middleware, so does IAM integration.

Where can you find identity middleware technologies?  While identity federation technologies handle standard token mediation tasks (mostly SAML based), it lacks the configurable orchestration and message manipulation capabilities required to be a true identity middleware platform.  Today your best bet is look to integration technologies such as application gateways and enterprise service buses.







Look for a gateway or service bus that offers:

  • Out-of-the-box integrations with leading IAM products and services
  • Strong support for Microsoft security technologies, namely Integrated Windows Authentication, Kerberos, and SPNEGO
  • Support for mainstream standards such as SAML and OAuth

If your use cases involve integration across network boundaries to Cloud, B2B, and mobile endpoints, then only the gateway will suffice, since enterprise service bus is not suitable for deployment in the DMZ.

Ed King VP Product Marketing, Vordel
Ed has responsibility for Product Marketing and Strategic Business Alliances. Prior to Vordel, he was VP of Product Management at Qualys, where he directed the company’s transition to its next generation product platform. As VP of Marketing at Agiliance, Ed revamped both product strategy and marketing programs to help the company double its revenue in his first year of tenure. Ed joined
Oracle as Senior Director of Product Management, where he built
Oracle’s identity management business from a niche player to the undisputed market leader in just 3 years. Ed also held product management roles at Jamcracker, Softchain and Thor Technologies. He holds an engineering degree from the Massachusetts Institute of Technology and a MBA from theUniversity ofCalifornia,Berkeley.

Cloud Market Maturity

by Henry St. Andre, CCSK | Trust Office Director | inContact

The Cloud Security Alliance, in conjunction with ISACA will be initiating a new working group to perform research on what it means to have Market Maturity in the Cloud.  This is a very interesting subject for me.  I have been working in the telecommunications and data industry now for over 25 years.   During that time, I have observed in real terms the application of the phrase ‘ahead of its time’ and what that can mean to a nascent industry or technology.  As an example, people are amazed to discover that the technology that would become the fax machine was first invented in 1843, in England by Alexander Bains (a psychologist).    Yet it took almost 100 years for the fax machine to become the common business tool it is today.   Some of the technological factors that influence the maturation of a product include communication, computing, fabrication, miniaturization and materials.   Ultimately, one of the most critical factors is whether or not the technology exists to manufacture the product or perform the functions in a cost effective fashion, and whether there is sufficient ubiquity of that technology to allow the masses to utilize it.  There are, however, two other important elements, I believe in the maturation of a product or service.  Are people psychologically disposed to using it and is there a legal and regulatory environment that describes its use?

Psychology has a huge impact on the acceptance and use of a technology and product.  I am 50 years old now, and I remember slide rules, record players, cassette tapes,  typewriters, Cobol , acoustic modems, DEC Writers, Archie and Gopher.  I have been engaged in technology all my life and am fairly comfortable with it, but still, I know that I view technology and in particular the Internet very differently than my children do.    Take my smart phone.  It does 101 things, and oh yeah it makes phone calls.  I know about those 101 things, and I some of those 101 things, but the main reason I have a cell phone is to make calls.  But, personally, I prefer not using a cell phone to make calls.  I think it is inferior to my traditional ‘land line’ phone and I will use a land line phone if I have the choice.  My children, on the other hand, use their smart phones for 101 different purposes, and sometimes to make phone calls.   Similarly, I find that the maturity of the cloud as a product that is both used and accepted by the masses is not simply a function of whether the technology exists to provide the service in a cost effective fashion, but also whether or not people are comfortable using it.   For this reason, I believe that the younger generations, will be greatest drivers of the cloud market and its maturation.   People of my generation are adopting the cloud because of the economics.  Our children will use the cloud because they will think it is the obvious way to do things.

Finally, laws and regulations, in some ways we hate them, but ultimately businesses need them.  While it is true that businesses can be choked by over regulation, it is also true that businesses flounder when there is uncertainty.  When there is an absence of laws and regulations that establish the rules of the game and the field of play, it creates uncertainty and fear for businesses.  Uncertainty and fear can kill a business model.  Because the cloud and the technology that has supported and enabled it has changed and developed so quickly, laws and regulations are struggling to keep up.

That is changing, and organizations like ISACA and the Cloud Security Alliance have been and will be instrumental in that change.

This Cloud Market Maturity project will be an important endeavor.   The results and guidance from this project will provide legislators, technologists, consumers and businesses with the guidance and information that each needs in order to further the progress of this new Cloud Model.

Outsourcing B2B Integration: The Forgotten Option

Business continuity remains a major concern for enterprises as they move more mission-critical processes to the cloud. Outsourcing B2B integration while ensuring cloud security in order to effectively integrate business processes is challenging at best and ambiguous for certain.   All too often, IT professionals feel that they will lose the reliability and availability needed if they don’t implement an on-premise cloud environment.  However, there can be strategic approaches to outsourcing integration that include both a secure cloud environment for business processes as well as reliability and availability that extends beyond traditional borders.


Gartner defines outsourcing as follows: “A model in which a business acts on behalf of consumers of one or more cloud services to intermediate and add value to the service being consumed. Providers of cloud services can also benefit through the establishment of an ecosystem of partners which enhances the provider’s service and draws customers to it.”  October 2010: Defining Cloud Services Brokerage: Taking Intermediation to the Next Level.


When comparing outsourcing B2B cloud integration to on-premise solutions, a major area of consideration is the security of cloud implementations. The burden of addressing the needs of an enterprise’s partner community while meeting the needs of moving to a more secure connection methodology is difficult, especially when it comes to the disparity of transport protocols utilized. And let’s not forget the cost of adhering to the multiple of security compliance organizations to help safeguard the data can be astronomical. For example, an outsourcer gets to spread the cost of implementing PCI DSS compliance over their multiple tenants. Everyone benefits without the individual capital outlay.


Before implementing any cloud strategy, there’s a basic set of questions that all organizations should address before moving forward. This includes: ”Which cloud implementation is best for our company’s needs? Do we outsource the cloud or manage it ourselves?”  Also be sure to educate your self on common industry terms and jargon such as cloud outsourcing, cloudsourcing, and cloudware. Eventually as you continue to compare outsourced and on-premise cloud security concerns, you’ll notice that it ultimately boils down to whether both options can be as secure as enterprises require.


Clearly, one of the implementations an enterprise can address is B2B integration. The process of an enterprise extending its IT processes to its business and trading partner community including customers, vendors, suppliers and distributors is no easy task, but can be done efficiently and securely. The pressure for enterprises to connect more closely with their partner communities, tear down walls and optimize business processes such as procurement, eCommerce, supply chain management, inventory visibility, and logistics optimization is higher than ever.


It has been debated whether B2B integration is really needed by enterprises or whether companies can get by with putting their applications in the cloud and provide broader access.  From thorough conversations with enterprise customers, it is evident that there is a lot of pressure on IT departments today to mitigate data center overhead and provide a more efficient way to incorporate others into their ecosystem.


Many in the industry also question whether providing B2B integration on-site is an IT department’s charter or whether the IT pros should instead spend their time on more strategic projects and initiatives to help drive revenue. If there is agreement to integrate processes, which more and more companies are considering, then the options are: keeping things as status quo, build it yourself and keep it on premise, as many IT departments have today, or outsource to a cloud-based platform.


Taking a look at these three options can certainly result in a lively discussion.  Keeping things at status quo for most organizations means having manual processes, time-intensive quality control resulting from errors that occur, requires in-house expertise on subject matters such as cloud security, and the loss of revenue and/or opportunity because of the lack of implementing in a timely and cost effective manner.  However, building the cloud integration environment yourself and keeping it on-premise may solve a specific integration challenge but does not necessarily provide the broader implementation that is conducive to the changing business environment.


The burden of finding and selecting the right combination of software, middleware, appliances, and hardware falls on you as opposed to relying on someone else that already has the environment where those decisions and tests have occurred. The outsourcer has invested their time and resources to ensure a secure and robust environment those other companies can leverage. This allows for quicker implementation resulting in achievement of business goals.  In fact, the high upfront and ongoing capital expense to create a battle-tested cloud environment is clearly something all IT managers need to consider. Typically, the cost just to get started will entail a $50K to $100K hardware and software expense; implementation and consulting services is about $25K to $50k or more and the cost for the on-going support and maintenance is at least $50K to $100k annually.


However, by leveraging a cloud platform to integrate your business processes, companies don’t have to pay any of the upfront cost. Instead, they can leverage the power of the internet without having to install additional hardware or software.  The limited upfront cost is focused around getting an organization and its community on-board quickly. The subscription based model that the “outsourcer” adheres to is an operating expense and eliminates the capital expenditure approval process.


While there is criteria to evaluate when considering whether to build or outsource, many organizations will find that planning resources related to the core competency of a business as opposed to whether a team has the skill set to implement and manage the B2B integration will be another hurdle they must address.  The ability to minimize the time-to-market, enabling enterprises to be more competitive in a timely manner, is critical to meeting the demands of the ultimate consumer.  Do enterprises have the resources needed to on-board partners quickly? Most, if not all, do not.


Last but not least, we must consider the security and compliance implications. When an outsourcer has integrated data it’s important to transport security into their model as well. This indication is best suited to ensure a safe full loop data process.  Since many companies work with partners that have their own security policies, it is unrealistic for the enterprise to expect their community to follow their security guidelines.  An outsourcer mitigates the disparate security policies to ensure a smooth and secure experience.


As companies continue to evaluate their cloud strategy and debate the implementation of an on-premise solution or utilize an outsourcer, there are many considerations to ponder. Discuss these issues and realize for your own organization that there are many ways to successfully implement a cloud integration strategy.

About the Author:

Stuart Lisk is a Senior Product Manager for Hubspan, working closely with customers, executives, engineering and marketing to establish and drive an aggressive product strategy and roadmap.  Stuart has over 20 years of experience in product management, spanning enterprise network, system, storage and application products, including ten years managing cloud computing (SaaS) products. Stuart holds a Certificate of Cloud Security Knowledge (CCSK) from the Cloud Security Alliance, and a Bachelor of Science in Business Administration from Bowling Green State University.  For more information, go to or follow the company on Twitter @Hubspan