
Evolve Your Identity to Encompass the Cloud

Connect to the Cloud with an On-Premise Virtual Identity Hub

The big story these days is the move to cloud-based applications that deliver specialized new services without the cost and hassle of developing or managing them yourself. But securing these applications is another story. While the Software-as-a-Service (SaaS) model is expanding enterprise capabilities, it’s also putting a strain on your existing identity infrastructure.

According to Gartner analyst Greg Kreizman in his paper on Options for Coping with New Identity Islands in the Cloud: “SaaS providers often fail to adequately address enterprise identity and access management (IAM) integration requirements, and customers face increased identity administrative burdens, reduced user convenience, and reduced audit and compliance insight.” In fact, as Kreizman points out, the majority of SaaS apps do not provide ways to leverage established enterprise IAM tools to manage identity and access for cloud applications.

The Logon Challenge without a Federated Identity

For most enterprises, the cloud only deepens an existing challenge: how to secure a complex heterogeneous environment with multiple identity sources and applications. As you can see, dealing with n (identity sources) and p (applications) leads to c (chaos):

[Figure: Cloud Applications]

The answer is to federate identities, creating a central identity hub to give your SaaS applications a single point of access for authentication and authorization.

[Figure: Cloud Applications]

You Need an Identity Hub—but Where Should it be Hosted?

No matter what the model, everyone agrees: a centralized identity hub is essential for federated identity. The difference is in where it’s hosted. If you’re starting from scratch with a greenfield deployment, it makes sense for identity to be hosted in the cloud—basically, you’re securing your SaaS applications using another cloud-based service that’s contracted out to a third-party vendor. If you’re a smaller organization looking to authenticate against your Active Directory employee base, then federating locally using ADFS (Active Directory Federation Services) might be the best choice—after all, it’s built right into the system, so it’s cheap and designed to work with your AD.

If you’re like most larger enterprises, however, you already have a complex infrastructure with identities spread across many heterogeneous sources—multiple AD domains and forests, other directories, databases, web services—along with a multitude of legacy applications that rely on those sources. For you, a move to cloud-based identity would be extremely disruptive—imagine cutting down the forest to make room for some seedlings; there’s all sorts of potential there, but meanwhile, you’re getting sunburned—while the use of ADFS would cover only one of the multitude of identity repositories you grapple with every day.

A Federated Identity Service For the Cloud—Not In the Cloud

What you need is a way to federate all your identities, delivering a single access point for all your applications, whether they’re in the enterprise, on the web, or in the cloud. Such an on-premise identity service allows you to authenticate as close to the authoritative sources as possible—and keeps your identity more secure, since identities don’t have to travel across the firewall every time you synchronize user accounts.

With RadiantOne virtualization, you don’t have to uproot your existing infrastructure. RadiantOne delivers a complete, federated identity service that allows your identity to evolve easily with changing requirements, whether that means adding new data sources or applications, expanding your user populations after a merger or acquisition, or extending your identity securely to take advantage of the cloud.
