The new United States Federal Chief Information Officer (CIO), Vivek Kundra, is serious about embracing cloud computing as a vehicle for rationalizing government IT assets, costs, and budgets. Aneesh Chopra, the Federal CTO, follows suit and has gone on the record to say that the federal government should be exploring greater use of cloud computing where appropriate. Cloud-based government storefronts that provide cloud applications, such as Apps.gov, are being stood up in support of this goal. As Vivek Kundra has stated, the major challenge they face in making cloud computing a reality is security and privacy.
With this and an influx of government customers approaching Layer 7 for advice on dealing with their cloud computing security and privacy challenges, I have been reading any cloud computing literature I can get my hands on. Although there is some good information coming out of the Cloud Security Alliance, NIST, and industry sources, there is still a lack of sufficient detail on the topic of security and privacy to allow government customers to move forward smartly with cloud computing.
The fundamental shift from traditional IT to cloud-based IT is that enterprises are moving away from a model where they control all aspects of application delivery to a model where a large portion of the governance associated with an application's deployment and the run-time characteristics of a service is controlled by the cloud provider. This is a significant move for the government, which traditionally kept its IT close and its data even closer. One of the biggest questions is "How do I do Identity and Access Control and Management in the cloud?" and that is a very good question.
There are a number of challenges associated with cloud computing and identity, access control, and management, none of which have simple solutions. Provisioning identities for the cloud, storing identities so that the cloud has access, and enforcing fine-grained or even coarse-grained access control in the cloud are all issues that have been resolved in the enterprise but require a new way of thinking to address in cloud computing.
In the coming weeks, I will write a series of blog posts to flesh out the concept of identity and access management in cloud computing, beginning next week with a description of cloud computing integration patterns.