If you are like many organizations, you have long used the default choice of Microsoft Active Directory to provide a service for workers to identify themselves as having resource permissions. But today, a tidal wave of change among users and the data center has made organizations reexamine their authentication and identity management needs.
A few things have affected admins' ability to support on-premises authentication and identity management services like Active Directory (AD). Now, workers are frequently using devices that don't run Windows and aren't conveniently sitting on the organization's private network or VPN. Plus, many organizations employ cloud-based applications and data. In some cases, the on-premises server has been moved to a cloud infrastructure provider like Amazon Web Services or Microsoft Azure. The data, application and server could all be mixed in the public/private cloud.
The other game changer is authentication itself. In the age of HIPAA regulations and identity theft threats, organizations can no longer rely on weak single-factor authentication based on passwords to secure critical data.
With these resources no longer confined by traditional boundaries, and with security in need of strengthening, it's time to look at cloud-based options for authentication and identity management services. Cloud services can improve security while offloading the complexity of standing up an on-premises infrastructure. This is certainly not an exhaustive list of providers but a sample of the capabilities of the most high-profile choices.
Google Account is a service used to authenticate access not only to Google services like Search, Calendar or Gmail, but it can also be called by others to broker access to a Web application. Google Account uses the OpenID standard. Any site registering with Google's service can use it to broker a login using an existing Google account. Google Account logins can be further secured by adding multifactor authentication (MFA). Google supports text messaging or calling a trusted phone with an automated message to deliver the code to complete the login. This MFA can be optionally suppressed by the user for subsequent logins from the same device.
Facebook Login service links an application with the login service for the popular social network. Facebook Login, like Google Account, uses the OpenID standards. It supports MFA known as Login Approvals by sending a code via text message.
Microsoft's cloud authentication and identity services acknowledge that even an on-premises Active Directory infrastructure needs a helping hand in the growing cloud-connected world.
Azure Active Directory service allows an organization to employ federations with on-premises Active Directory forests. This allows it to graft together its existing service and extend the cloud-based service without major disruption. An organization may do business with others needing identity on its systems (be it in Azure or locally hosted). In this scenario, Active Directory Federation Services (ADFS) can be used to tie disparate AD forests together -- without messy forest or domain trusts. ADFS also doesn't require provisioning special VPN connections to have the directory servers talk to each other securely.
Azure also supports Facebook and Google authentication services as an alternate means of accessing Azure servers and applications.
Azure provides a multifactor authentication service, which can be used with on-premises Active Directory, Azure's cloud-based AD service and/or other directories accessible by LDAP or RADIUS. For on-premises deployments, Azure provides a downloadable MFA service that can be installed on a local server.
The extra factor in the MFA service is provided by the Azure cloud. Microsoft provides native apps for Android, iOS and Windows Phone devices. These apps generate a one-time password (OTP) usable by the MFA service. Other factor options include SMS or text messaging of the OTP to a trusted phone number, or automated voice calls placed to a trusted phone. The user simply presses the pound key to complete the login when hearing the message.
Azure MFA is included with the subscription for administrator users. Regular users will need to be licensed by one of two license types: by user, in which a license is assigned to a regular user (an employee, for example, who logs in each workday), or by authentication, which is best suited for the infrequent external user.
Amazon Web Services
Amazon's offering is called Identity and Access Management (IAM), which is integrated into AWS. Access control, permissions and authentication all go through IAM in the AWS cloud. Like its counterpart, Active Directory, IAM contains the essential elements of access control, offering security groups to organize and set specific permissions for users on AWS functions.
IAM can federate with other directory services by supporting the open Security Assertion Markup Language (SAML) standard. Many identity providers support SAML. ADFS talks directly to Active Directory and allows other SAML-compliant services, including IAM, to connect to it. This allows IAM to authenticate users with their Active Directory credentials.
In addition, IAM supports Google and Facebook identity services. Amazon recently launched its own similar "Login with Amazon" service which IAM also supports.
IAM supports authentication by key pair and by X.509 digital certificate. These methods are useful when a program needs access to an AWS service without logging in interactively the way a person would, and a key or certificate is considerably stronger than a simple password.
IAM has multi-factor authentication capabilities that any IAM user can enable. Plus, IAM has software (virtual) and hardware MFA options. Virtual MFAs include the Google Authenticator app available on iOS, Blackberry and Android devices; an authenticator app for Windows Phone; and AWS Virtual MFA for Android. Hardware MFA tokens can be purchased from Gemalto; these key fob-like devices generate the six-digit access codes without the need for an app. IAM's MFA service, unlike Microsoft Azure's, is not metered and can be used without additional cost.