Automated provisioning of cloud identities

Posted by Edward Killeen on Mon, Oct 14, 2013


Gartner says that while only 38% of businesses use cloud applications today, 80% plan to deploy cloud services in the coming 12 months.

That is astounding.  If you are one of the 55% of businesses planning on deploying cloud services for the first time in the next 12 months, you have some planning to do for your users and Identity Management (IdM).

The first two Identity Management hurdles you have to overcome are provisioning and Single Sign-on.  Without proper IdM planning you could very easily end up back in the dark ages of manual provisioning for your cloud applications.

Say, for example, you are a personal fitness firm deploying Office 365 service to your personal trainers.  These trainers don't necessarily have Active Directory accounts, so you cannot rely on Dir Sync (even if there weren't other limiting factors like multiple forests).  Same thing with Google Apps and GADS (Google Active Directory Sync).

You can either manually add all of these accounts and commit a metric ton of resources to updating their accounts on an ongoing basis, write a script, or invest in an IdM platform that combines on-premise and cloud provisioning.

Very few cloud applications get deployed to everybody, so you need to offer role based provisioning.  In our example, if role=trainer, it should kick off the workflow to provision an O365 account.  If role no longer equals trainer, de-provision the account.

EmpowerID manages these automated provisioning workflows with its metadirectory.  It populates "person" accounts in the metadirectory based on the authoritative source or sources, determines the user's role based on identity information we know about them (department, title, et cetera), and then uses a connector to natively speak to the cloud application, provisioning an account and giving the proper permissions within the cloud application.
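The role rule above (role=trainer provisions an O365 account, losing the role de-provisions it) and the metadirectory flow (authoritative source, derived role, connector action) can be expressed as a reconciliation: derive desired accounts from the authoritative records, diff against what the cloud application currently has, and emit provision/de-provision actions. This is an added illustration, not EmpowerID's code; the HR records, the current account set and the title-to-role mapping are constructed sample data.

```python
# Constructed sample authoritative source (e.g. an HR feed). "active" marks
# whether the person is still employed; a terminated trainer must lose the account.
HR_RECORDS = [
    {"id": "u1", "email": "ana@example.com", "title": "Personal Trainer", "active": True},
    {"id": "u2", "email": "ben@example.com", "title": "Accountant", "active": True},
    {"id": "u3", "email": "cy@example.com", "title": "Senior Trainer", "active": True},
    {"id": "u4", "email": "dee@example.com", "title": "Personal Trainer", "active": False},
]

# Constructed snapshot of accounts that currently exist in the cloud application.
CLOUD_ACCOUNTS = {"ben@example.com", "cy@example.com", "dee@example.com"}

# Which roles entitle a person to which applications (assumed mapping).
ROLE_APPS = {"trainer": {"o365"}}


def derive_roles(record):
    """Derive roles from identity attributes; here 'trainer' comes from the job title."""
    roles = set()
    if record["active"] and "trainer" in record["title"].lower():
        roles.add("trainer")
    return roles


def desired_accounts(records, app):
    """Set of identities that should hold an account in `app` according to their roles."""
    wanted = set()
    for record in records:
        entitled_apps = set().union(*(ROLE_APPS.get(r, set()) for r in derive_roles(record)))
        if app in entitled_apps:
            wanted.add(record["email"])
    return wanted


def reconcile(records, current, app="o365"):
    """Diff desired state against current state and return the connector actions.

    Anyone entitled but absent is provisioned; anyone present but no longer
    entitled (role lost or employment ended) is de-provisioned.
    """
    desired = desired_accounts(records, app)
    return {
        "provision": sorted(desired - current),
        "deprovision": sorted(current - desired),
    }


if __name__ == "__main__":
    print(reconcile(HR_RECORDS, CLOUD_ACCOUNTS))
```

Running the reconciliation on a schedule (or on each change event from the authoritative source) is what turns the role rule into an automated workflow rather than a help desk ticket.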

The exact same platform and workflows and roles are used for both on-premise AND cloud applications.  Just a different connector and different role based provisioning rules.

I used an easy example, but any cloud application works this way.  Even when the authoritative source is a cloud application (for example, Workday or NetSuite).

So, that is half the battle: you have user accounts, but how do your users get to them?  Nothing like having half a dozen URLs, half a dozen passwords, and a deluge of help desk calls!  You need single sign-on, most likely federated single sign-on!

Most of these cloud applications support Federation using one of the standard protocols: SAML, OAuth, OpenID, WS-Trust, or WS-Fed.  For those that don't, you still need a method for secure password vaulting.

EmpowerID offers a single unified SSO dashboard for both on-premise and cloud applications.  It includes applications that are federated, using Web Access Management (WAM), password vaulting, or even authenticating with EmpowerID's virtual directory.

Given the increased need for security around cloud applications, EmpowerID provides an OATH server for two-factor authentication (TFA), device registration and a full auditing capability.  TFA can be required based on the role of the user, the security level of the application, or a combination of the two.  If you are giving users access to your business applications when outside the network, make sure you know who they are.

With the integrated metadirectory and automated cloud provisioning, you do away with the messy Active Directory requirements of some SSO providers.  Being a complete, integrated, single-codebase IdM platform adds more functionality to the cloud equation than you can possibly get with piecemeal solutions.

Schedule a demonstration of automated provisioning or just read our whitepaper on Federated Single Sign-on and see how EmpowerID can solve the identity problems you will encounter as you move to the cloud.


Tags: Single Sign-on (SSO), User provisioning