IT needs ID-as-a-service for move to cloud, expert says

Summary: Existing IT identity management systems don't provide the fuel to run cloud's motor for privacy, security


Broomfield, Colo. - The cloud’s motor needs identity to run, but existing enterprise ID infrastructures are not fuel for that motor, according to identity expert Kim Cameron.

“In IT, we are still back in 1890; everything is hand-made, handcrafted,” said Cameron, the author of the Seven Laws of Identity and Microsoft’s identity architect. He delivered a keynote Wednesday at the annual Defrag Conference.

Enterprise identity management needs to be more flexible, Cameron said, and it has to align with cloud service architecture, namely the emerging API economy. That economy is characterized by billions of API calls to support services sharing data on a massive scale that stretches across the enterprise and the cloud.

“If organizations want to survive they need breakthrough change,” he said. “The reason the API economy is so huge is the fact there is this new division of labor. The cloud is not about ‘I am going to cut my costs,’ it is a whole new way of producing IT.”

That division of labor allows IT to off-load work to cloud-based services for capabilities such as platforms, applications, storage, identity and other IT functions.

Cameron said enterprises, governments and other organizations that are following consumers into the cloud need different access controls and have different expectations.

“They won’t stand for being molested around privacy the way consumers have been,” said Cameron. “They are going to demand protection of their data and privacy.”

He said identity-management-as-a-service (IDMaaS) will meet those demands.  

Cameron clarified what he meant by privacy: not the privacy of individuals, but the privacy of the parties involved in transactions – enterprises, governments and service providers.

“All of them have the right to have confidential data and protect it,” he said.

By way of example, he pointed to Microsoft’s first attempt at an identity service, Passport. Widely panned, Passport failed because the service did not protect a company’s sensitive data, such as customer lists.

IDMaaS has come of age because the rise of cloud computing is driving enterprises to be leaner and more “fit to purpose,” Cameron said. 

“The functional specialization driving cloud economics needs a new model of identity management that has cloud-era capabilities,” he said.

Cameron said there are two caveats to the success of identity management as a service: trust frameworks are needed, and privacy boundaries have to be treated as being as important as security boundaries.

Topics: Cloud, Networking, Security


John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.



  • I trust Loverock Davidson to protect the cloud

    Lovie is always high up in the clouds :-)
    Over and Out
  • Oh, no, the cloud has problems...

    Oh, dear, not only is the cloud forcing people to place their sensitive data into the hands of a third party, enduring security risks of hacking, etc., running into downtime periodically, vendor lock-in, higher bandwidth costs, now it wants "a whole new way of producing IT.”

    “They won’t stand for being molested around privacy the way consumers have been,” said Cameron. “They are going to demand protection of their data and privacy.”

    What better way to do this than to give your data and processing to a third party (Sarcasm alert), as opposed to keeping it in-house where you have total control?

    All I get out of this blog is that the cloud has problems and serious enough ones to force you to have to change the way you do things.

  • ... It's a valid point

    There already are cloud-based authentication services that integrate with in-house directories.

    Federation services are available from many vendors. They suffer from horrendous reliability and design issues, but they are there. Hosted security or simplified synchronized security services are the next step. They are currently complicated because they simply need to be. Token signing is the usual method, but the infrastructure to maintain trusts makes it unreasonable for most SMBs.

    The liability when cloud-based systems break will be massive, though. Despite that, it is well understood. It's just a matter of time before the right set of partners takes advantage of the opportunity.