Managing cloud users

Cloud or SaaS applications are increasingly used in enterprises. This is a strong market trend, as this technology makes it easier to provide applications and helps service providers be closer to their consumers, with no need to go through IT.

Enterprises must take these new application management modes into account. Companies are decentralised and, although the applications offer state-of-the-art interfaces, the people in charge of them have to manage users “manually”, which is a potential source of errors. The consequences of this type of management are well known, both in terms of security (passwords forgotten by users, multiple dormant accounts, a weak password policy creating security holes) and in terms of cost (the price of the service depends on its usage). An IAM (Identity & Access Management) solution that integrates support for cloud or SaaS applications is therefore key, as it gives control back to the people operating at a functional level.

How to perform cloud provisioning?

There is currently no single standard for managing the provisioning of SaaS applications. The SPML standard (Service Provisioning Markup Language) has not caught on in this segment. As for SCIM (System for Cross-domain Identity Management), it is still very little used, even by the promoters of the standard (Google, Ping Identity and SalesForce, for example, do not use it to provision their own applications), or it is used as a marketing banner by newcomers to the IAM market. Nevertheless, the SCIM standard, which will be more mature in version 2.0, has many assets for the future: it is simple to use through its REST interface, easier to configure than SPML and, finally, more extensible in the definition of the user.

In practice, the provisioning of these applications relies on custom-built connectors, for example:

  • GoogleApps provisioning is based on REST APIs. The initial versions also had Java and Python implementations, but these are no longer supported by the current version. Google provides a very comprehensive API and enhances it constantly, so the connector has to be kept up to date. Note that the API has usage limitations (request frequency, for example) and that Google disclaims any responsibility concerning the use of the service.
  • The provisioning of Office 365 and Exchange Online is really operational only through the PowerShell APIs; the REST interface is used mainly for queries. The complexity lies in mastering the execution of PowerShell from the dedicated Microsoft servers.
  • Salesforce is interesting from an account creation perspective, as creation can be performed on the fly, at connection time. This requires an identity federation, in which the identity server passes to the Salesforce service the parameters required to create the user, thus performing Just-In-Time (JIT) provisioning. Account modifications and deletions, however, must be handled through the REST API.
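The SCIM paragraph and the connector list above describe what a connector has to do against a SaaS application; the following added example (not code from the original post or from any of the vendors named) shows the defensive side of that work for a SCIM 2.0 endpoint: it merges the paged user listing a `/Users` query returns, flags the active accounts that no longer exist in the central IAM (the dormant accounts mentioned earlier), and builds the PatchOp body a connector would send to deactivate them. The page data, the IAM user set and the `u-1xx` identifiers are constructed samples; the schema URNs and PatchOp shape are those of SCIM 2.0 (RFC 7644).

```python
"""Added example (not code from the original post): reconcile a SaaS application's
SCIM 2.0 user inventory against the central IAM directory, flag active accounts that
no longer exist centrally (the dormant/orphan accounts the post warns about) and build
the SCIM 2.0 PatchOp body (RFC 7644) a connector would send to deactivate each one."""
import json

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample: two pages of a SCIM 2.0 /Users listing from the SaaS side.
SAAS_PAGES = [json.loads(p) for p in (
    '{"schemas":["%s"],"totalResults":3,"startIndex":1,"itemsPerPage":2,'
    '"Resources":[{"id":"u-100","userName":"alice@example.com","active":true},'
    '{"id":"u-101","userName":"Bob@example.com","active":true}]}' % LIST_SCHEMA,
    '{"schemas":["%s"],"totalResults":3,"startIndex":3,"itemsPerPage":2,'
    '"Resources":[{"id":"u-102","userName":"carol@example.com","active":true}]}' % LIST_SCHEMA,
)]
# Constructed sample: identities still valid in the central IAM.
CENTRAL_IAM_USERS = {"alice@example.com", "bob@example.com"}

def merge_pages(pages):
    """Concatenate the Resources of paged ListResponses, checking schema and total count."""
    users = []
    for page in pages:
        if LIST_SCHEMA not in page.get("schemas", []):
            raise ValueError("not a SCIM 2.0 ListResponse")
        users.extend(page["Resources"])
    if len(users) != pages[0]["totalResults"]:
        raise ValueError("incomplete listing: %d of %d users" % (len(users), pages[0]["totalResults"]))
    return users

def find_orphans(users, central_users):
    """Active SaaS accounts whose userName (case-insensitive) is unknown to the central IAM."""
    known = {u.lower() for u in central_users}
    return [u for u in users if u.get("active", True) and u["userName"].lower() not in known]

def deactivation_plan(pages, central_users):
    """Map each orphan's SCIM id to the PATCH /Users/{id} request that sets active=false."""
    body = {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return {u["id"]: {"method": "PATCH", "path": "/Users/" + u["id"], "body": body}
            for u in find_orphans(merge_pages(pages), central_users)}

if __name__ == "__main__":
    print(json.dumps(deactivation_plan(SAAS_PAGES, CENTRAL_IAM_USERS), indent=2))
```

Refusing to act on an incomplete listing matters: deactivating on the basis of a truncated page would wrongly flag every user on the pages that were not fetched.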

How to implement cloud provisioning in enterprises?

Cloud computing revolutionises business practices and the way enterprises use and manage their services. As far as identity management is concerned, it must continue to guarantee the company’s security policy that must be unique and centralised while flexible at the same time. Tools promoting identity management for cloud computing only are on the wrong track (or simply not good enough). Identity management tools must be adapted in order to manage cloud applications in the same way as internal applications. The level of service and ease of use of identity management functions do not depend on the location of servers!

We should also mention how Identity Federation mechanisms can also strengthen the security of these systems. This will be the topic of a future post.

As a conclusion, IAM solutions have a great future because if we want to control security and costs, we must be able to manage internal as well as external users – internal and external service consumers – in the best possible way.