Click here to close now.


Containers Expo Blog Authors: Liz McMillan, Derek Weeks, Mav Turner, Dana Gardner, Don MacVittie

Related Topics: @CloudExpo, Industrial IoT, Open Source Cloud, Containers Expo Blog, Agile Computing, Cloud Security

@CloudExpo: Article

Turning Identity-as-a-Service Inside Out

From the perspective of the user, the Cloud should empower us. IDaaS does the opposite.

Simple question with a surprisingly complex answer: who owns your identity? Our first instinct is to insist that we each own our own identities. After all, we are our identities, right?

Not so fast. There are myriad players who own a piece of your identity, from the credit bureaus to your bank to Facebook to your doctor to your employer. Every single one has some kind of identity management system that keeps track of information about you. In fact, this personally identifiable information (PII) is so powerful that when someone steals it, we call that crime identity theft - as though stealing your PII was the equivalent of stealing your very soul.

The reason PII has such power, of course, is because we give it power. Knowing a username and password gives you the power to access a system. Knowing your Social Security Number and birth date may give you the power to get bank account information from a call center rep. Add a bit more knowledge and you have the power to apply for a loan or a job or a security clearance. The old adage states that knowledge is power, but information only has power if we choose to empower it.

From the perspective of IT, managing user identities has long been in our wheelhouse. The Identity and Access Management (IAM) market matured years ago, and all enterprises have a broad set of robust IAM alternatives to choose from. But hey, it's almost 2013, right? Why buy some IAM product I have to install and maintain. Why don't I just get it in the Cloud?

The Problem with Identity-as-a-Service
No brainer, right? Sign up for Identity-as-a-Service (IDaaS), or perhaps call it Identity Management as a Service (IDMaaS) or IAM as a Service (IAMaaS) - the marketplace still hasn't settled on the term - and you can throw away your Active Directory or LDAP. If all your users want to do is access the Software-as-a-Service (SaaS) offerings you provide, then placing your user directory in the Cloud is an obvious choice. Even when you want to control access to on-premise applications, IDaaS might make sense. After all, your current IAM solution connects to the apps in question over the network as it is. What does it matter whether IAM is running in the Cloud or not? Just put your user directory in the Cloud, configure it to control access to all your apps, and call it a day.

The problem is, this "put all the users in a directory" approach to IAM is increasingly inadequate to cover the kinds of identity management scenarios that we're facing in our maddeningly complex, interconnected world. But this story isn't new, either; after all, federated identity standards and technologies have been around for a decade or more. With federated identity, two separate security domains (that is, different departments or organizations with their own IAM systems) can exchange identity information with each other securely. Think of one of the travel aggregators, like Orbitz or Travelocity. Log into the aggregator Web site and you can purchase tickets and hotel rooms and the like, without ever contacting the airline or hotel directly. Behind the scenes the aggregator and the service provider are exchanging secure tokens that contain a bit of your identity, along with the appropriate instructions.

Federated identity is an essential enabler of Cloud security as well, particularly when the enterprise isn't comfortable moving their IAM to the Cloud. In fact, federating on-premise identity to the Cloud is a central technique we discuss in our Cloud Computing for Architects course. But it's not the same as IDaaS, where an organization actually moves its user directory to the Cloud. And federated identity breaks down when there are too many participants in a complex interaction, like the types of interactions that are becoming increasingly common in the Cloud.

So far so good: IDaaS isn't right for every organization today, but it could easily belong somewhere on your Cloud roadmap. But even when you reach a level of maturity where you're comfortable moving your IAM to the Cloud, IDaaS still falls short, because it doesn't take into account how we as individuals would like to think about our identities. From the perspective of the user, IDaaS moves the control over our own identities even further away from the user - and that's not the way we consumers view the Cloud. From the perspective of the user, the Cloud should empower us. IDaaS does the opposite.

Identity as a Cloud Resource
The reason so many vendors fell into this trap with IDaaS is essentially the horseless carriage problem: we have IAM, we want to move to the Cloud, so let's put IAM in the Cloud - instead of rethinking the problem from the perspective of what the Cloud actually means. So, let's think about this problem in an entirely different way. Instead of beginning with the user directory at the heart of every IAM offering, let's begin with the user identity itself.

Essentially, we'd like to have some kind of avatar: a digital representation of our identity that the user controls for themselves. In other words, something like a digital wallet or key ring that manages PII on behalf of the user. Such technologies have been around for a few decades, of course; in fact, the whole idea of a digital wallet dates from the era in the 1990s. But such technologies didn't take off, for two reasons. First, big companies didn't like the idea of giving their customers control of their own identities. Second, we didn't have the Cloud.

Let's put off the discussion of control for a moment, because putting the Cloud piece into the puzzle will help us deal with the control issue. We need to consider the Cloud, however, because it changes everything. What the Cloud brings to the table is not just the ability to treat identity management as a service. It also enables us to treat identities themselves as Cloud resources.

As we discussed in an earlier ZapFlash, there are many different types of Cloud resources, including servers, storage, networks, queues, etc. Furthermore, the list isn't fixed. As Cloud Computing matures, we expect and encourage new types of resources. What makes them Cloud resources is that the user is able to dynamically provision and deprovision them with minimal management effort or service provider interaction.

So, let's take the notion of a user identity - or to be more precise, the user's avatar - and consider it to be a Cloud resource. The user, that is, we can provision such avatars as we see fit. And because they're in the Cloud, they're location independent. Facebook could use our avatar. Assign it privileges or other properties. Or our bank. Or our employer. But we control it.

Furthermore, we can choose how we control our Avatar. We may wish to log into its Web interface, but that's only one option. We could also use a hardware device like a flash drive or a USB dongle. We could add biometrics to the device, say via a fingerprint reader. Or we could install software on our computers that would enable us to control the avatar.

Treating identities as Cloud resources can also provide privacy boundaries. For example, I might instruct my avatar to provide my Social Security Number to my bank and the IRS, but not to Facebook. And of course, one of the primary benefits of this approach is that I can maintain my personal information in a single place. If I move, I notify my avatar, and everyone I've authorized to see my address automatically gets the update.

The ZapThink Take
In fact, treating identity as a provisionable Cloud resource - an avatar in the Cloud - makes so much sense that you might wonder why nobody has already made a billion dollars on this idea. The answer, of course, is control. Remember all the hullabaloo when Microsoft tried to position Passport as a general purpose identity store? Customers rebelled and Microsoft ended up in court - several times, in fact. Fundamentally, nobody wanted Microsoft to be in control of our identities.

Today we're going through a similar situation with Facebook, Twitter, and the like. Why bother creating yet another login with yet another password to forget, when we can simply log into that new site with our Facebook ID? Yes, we all go along, until we eventually realize we really don't want to give Facebook so much control over our online identity.

The Cloud, at least in theory, shifts this control to the user. The user should be responsible for provisioning Cloud resources. Yes, there needs to be software behind the scenes that makes provisionable avatars work and keeps them secure, but if they are truly Cloud resources, the Cloud service providers won't control them. Their customers will.

Image source: Sundaram Ramaswamy

More Stories By Jason Bloomberg

Jason Bloomberg is the leading expert on architecting agility for the enterprise. As president of Intellyx, Mr. Bloomberg brings his years of thought leadership in the areas of Cloud Computing, Enterprise Architecture, and Service-Oriented Architecture to a global clientele of business executives, architects, software vendors, and Cloud service providers looking to achieve technology-enabled business agility across their organizations and for their customers. His latest book, The Agile Architecture Revolution (John Wiley & Sons, 2013), sets the stage for Mr. Bloomberg’s groundbreaking Agile Architecture vision.

Mr. Bloomberg is perhaps best known for his twelve years at ZapThink, where he created and delivered the Licensed ZapThink Architect (LZA) SOA course and associated credential, certifying over 1,700 professionals worldwide. He is one of the original Managing Partners of ZapThink LLC, the leading SOA advisory and analysis firm, which was acquired by Dovel Technologies in 2011. He now runs the successor to the LZA program, the Bloomberg Agile Architecture Course, around the world.

Mr. Bloomberg is a frequent conference speaker and prolific writer. He has published over 500 articles, spoken at over 300 conferences, Webinars, and other events, and has been quoted in the press over 1,400 times as the leading expert on agile approaches to architecture in the enterprise.

Mr. Bloomberg’s previous book, Service Orient or Be Doomed! How Service Orientation Will Change Your Business (John Wiley & Sons, 2006, coauthored with Ron Schmelzer), is recognized as the leading business book on Service Orientation. He also co-authored the books XML and Web Services Unleashed (SAMS Publishing, 2002), and Web Page Scripting Techniques (Hayden Books, 1996).

Prior to ZapThink, Mr. Bloomberg built a diverse background in eBusiness technology management and industry analysis, including serving as a senior analyst in IDC’s eBusiness Advisory group, as well as holding eBusiness management positions at USWeb/CKS (later marchFIRST) and WaveBend Solutions (now Hitachi Consulting).

@ThingsExpo Stories
The Internet of Things (IoT) is growing rapidly by extending current technologies, products and networks. By 2020, Cisco estimates there will be 50 billion connected devices. Gartner has forecast revenues of over $300 billion, just to IoT suppliers. Now is the time to figure out how you’ll make money – not just create innovative products. With hundreds of new products and companies jumping into the IoT fray every month, there’s no shortage of innovation. Despite this, McKinsey/VisionMobile data shows "less than 10 percent of IoT developers are making enough to support a reasonably sized team....
Just over a week ago I received a long and loud sustained applause for a presentation I delivered at this year’s Cloud Expo in Santa Clara. I was extremely pleased with the turnout and had some very good conversations with many of the attendees. Over the next few days I had many more meaningful conversations and was not only happy with the results but also learned a few new things. Here is everything I learned in those three days distilled into three short points.
DevOps is about increasing efficiency, but nothing is more inefficient than building the same application twice. However, this is a routine occurrence with enterprise applications that need both a rich desktop web interface and strong mobile support. With recent technological advances from Isomorphic Software and others, rich desktop and tuned mobile experiences can now be created with a single codebase – without compromising functionality, performance or usability. In his session at DevOps Summit, Charles Kendrick, CTO and Chief Architect at Isomorphic Software, demonstrated examples of com...
As organizations realize the scope of the Internet of Things, gaining key insights from Big Data, through the use of advanced analytics, becomes crucial. However, IoT also creates the need for petabyte scale storage of data from millions of devices. A new type of Storage is required which seamlessly integrates robust data analytics with massive scale. These storage systems will act as “smart systems” provide in-place analytics that speed discovery and enable businesses to quickly derive meaningful and actionable insights. In his session at @ThingsExpo, Paul Turner, Chief Marketing Officer at...
In his keynote at @ThingsExpo, Chris Matthieu, Director of IoT Engineering at Citrix and co-founder and CTO of Octoblu, focused on building an IoT platform and company. He provided a behind-the-scenes look at Octoblu’s platform, business, and pivots along the way (including the Citrix acquisition of Octoblu).
In his General Session at 17th Cloud Expo, Bruce Swann, Senior Product Marketing Manager for Adobe Campaign, explored the key ingredients of cross-channel marketing in a digital world. Learn how the Adobe Marketing Cloud can help marketers embrace opportunities for personalized, relevant and real-time customer engagement across offline (direct mail, point of sale, call center) and digital (email, website, SMS, mobile apps, social networks, connected objects).
The Internet of Everything is re-shaping technology trends–moving away from “request/response” architecture to an “always-on” Streaming Web where data is in constant motion and secure, reliable communication is an absolute necessity. As more and more THINGS go online, the challenges that developers will need to address will only increase exponentially. In his session at @ThingsExpo, Todd Greene, Founder & CEO of PubNub, exploreed the current state of IoT connectivity and review key trends and technology requirements that will drive the Internet of Things from hype to reality.
Two weeks ago (November 3-5), I attended the Cloud Expo Silicon Valley as a speaker, where I presented on the security and privacy due diligence requirements for cloud solutions. Cloud security is a topical issue for every CIO, CISO, and technology buyer. Decision-makers are always looking for insights on how to mitigate the security risks of implementing and using cloud solutions. Based on the presentation topics covered at the conference, as well as the general discussions heard between sessions, I wanted to share some of my observations on emerging trends. As cyber security serves as a fou...
We all know that data growth is exploding and storage budgets are shrinking. Instead of showing you charts on about how much data there is, in his General Session at 17th Cloud Expo, Scott Cleland, Senior Director of Product Marketing at HGST, showed how to capture all of your data in one place. After you have your data under control, you can then analyze it in one place, saving time and resources.
With all the incredible momentum behind the Internet of Things (IoT) industry, it is easy to forget that not a single CEO wakes up and wonders if “my IoT is broken.” What they wonder is if they are making the right decisions to do all they can to increase revenue, decrease costs, and improve customer experience – effectively the same challenges they have always had in growing their business. The exciting thing about the IoT industry is now these decisions can be better, faster, and smarter. Now all corporate assets – people, objects, and spaces – can share information about themselves and thei...
The cloud. Like a comic book superhero, there seems to be no problem it can’t fix or cost it can’t slash. Yet making the transition is not always easy and production environments are still largely on premise. Taking some practical and sensible steps to reduce risk can also help provide a basis for a successful cloud transition. A plethora of surveys from the likes of IDG and Gartner show that more than 70 percent of enterprises have deployed at least one or more cloud application or workload. Yet a closer inspection at the data reveals less than half of these cloud projects involve production...
Continuous processes around the development and deployment of applications are both impacted by -- and a benefit to -- the Internet of Things trend. To help better understand the relationship between DevOps and a plethora of new end-devices and data please welcome Gary Gruver, consultant, author and a former IT executive who has led many large-scale IT transformation projects, and John Jeremiah, Technology Evangelist at Hewlett Packard Enterprise (HPE), on Twitter at @j_jeremiah. The discussion is moderated by me, Dana Gardner, Principal Analyst at Interarbor Solutions.
Discussions of cloud computing have evolved in recent years from a focus on specific types of cloud, to a world of hybrid cloud, and to a world dominated by the APIs that make today's multi-cloud environments and hybrid clouds possible. In this Power Panel at 17th Cloud Expo, moderated by Conference Chair Roger Strukhoff, panelists addressed the importance of customers being able to use the specific technologies they need, through environments and ecosystems that expose their APIs to make true change and transformation possible.
Too often with compelling new technologies market participants become overly enamored with that attractiveness of the technology and neglect underlying business drivers. This tendency, what some call the “newest shiny object syndrome” is understandable given that virtually all of us are heavily engaged in technology. But it is also mistaken. Without concrete business cases driving its deployment, IoT, like many other technologies before it, will fade into obscurity.
Microservices are a very exciting architectural approach that many organizations are looking to as a way to accelerate innovation. Microservices promise to allow teams to move away from monolithic "ball of mud" systems, but the reality is that, in the vast majority of organizations, different projects and technologies will continue to be developed at different speeds. How to handle the dependencies between these disparate systems with different iteration cycles? Consider the "canoncial problem" in this scenario: microservice A (releases daily) depends on a couple of additions to backend B (re...
The Internet of Things is clearly many things: data collection and analytics, wearables, Smart Grids and Smart Cities, the Industrial Internet, and more. Cool platforms like Arduino, Raspberry Pi, Intel's Galileo and Edison, and a diverse world of sensors are making the IoT a great toy box for developers in all these areas. In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists discussed what things are the most important, which will have the most profound effect on the world, and what should we expect to see over the next couple of years.
Container technology is shaping the future of DevOps and it’s also changing the way organizations think about application development. With the rise of mobile applications in the enterprise, businesses are abandoning year-long development cycles and embracing technologies that enable rapid development and continuous deployment of apps. In his session at DevOps Summit, Kurt Collins, Developer Evangelist at, examined how Docker has evolved into a highly effective tool for application delivery by allowing increasingly popular Mobile Backend-as-a-Service (mBaaS) platforms to quickly crea...
Growth hacking is common for startups to make unheard-of progress in building their business. Career Hacks can help Geek Girls and those who support them (yes, that's you too, Dad!) to excel in this typically male-dominated world. Get ready to learn the facts: Is there a bias against women in the tech / developer communities? Why are women 50% of the workforce, but hold only 24% of the STEM or IT positions? Some beginnings of what to do about it! In her Day 2 Keynote at 17th Cloud Expo, Sandy Carter, IBM General Manager Cloud Ecosystem and Developers, and a Social Business Evangelist, wil...
PubNub has announced the release of BLOCKS, a set of customizable microservices that give developers a simple way to add code and deploy features for realtime apps.PubNub BLOCKS executes business logic directly on the data streaming through PubNub’s network without splitting it off to an intermediary server controlled by the customer. This revolutionary approach streamlines app development, reduces endpoint-to-endpoint latency, and allows apps to better leverage the enormous scalability of PubNub’s Data Stream Network.
Apps and devices shouldn't stop working when there's limited or no network connectivity. Learn how to bring data stored in a cloud database to the edge of the network (and back again) whenever an Internet connection is available. In his session at 17th Cloud Expo, Ben Perlmutter, a Sales Engineer with IBM Cloudant, demonstrated techniques for replicating cloud databases with devices in order to build offline-first mobile or Internet of Things (IoT) apps that can provide a better, faster user experience, both offline and online. The focus of this talk was on IBM Cloudant, Apache CouchDB, and ...