
Four ideas to better secure identity management in the cloud

As corporations store increasingly large amounts of mission-critical data in the cloud, identity management needs to be more secure. Here are four ideas that could help.

It's mid-2011 and we see an increasing focus on moving things from our corporate locations to big bins of cloud capacity in the sky. We see botnets being taken down by the FBI and we see new social networks on the horizon. What do all of these events have in common? It is the need for accurate and secure identity management.

As these recent trends continue, what do IT departments need to be looking for in their identity software and from their identity vendors? Here are four ideas about what's new and what's to come in identity management.

1. Identity will be federated even more so than it is now. Key to the future is taking your identity with you: making sure it works not only for your network's internal services, but also for extranets and cloud-based applications. As the cloud steals workloads and jobs from on-premises servers, having a portable sense of who you are becomes increasingly important.

How do you synchronize an Active Directory identity with an Office 365 identity? How do you synchronize your HR identity with your organization's social media presences? How do you ensure that your customers' identities in your e-commerce systems are portable to your online forums, your customer support system, your billing, and your marketing or promotion fulfillment systems? Synchronization and federation will be the key subjects in the coming years.
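To make the federation idea concrete, here is an added example (not code from the article, and not how AD FS or Federated Identity Manager actually encode tokens, which use SAML and WS-Federation). One identity provider (here a hypothetical "corp-ad") issues a signed claims token, and a separate relying party (a hypothetical "forum" application) accepts it only if the signature checks out against a key it trusts for that issuer, the token is addressed to it, and it has not expired. The token format, issuer and audience names, and claim names are all constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the token is safe in query strings."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, issuer: str, audience: str, subject: str,
                claims: dict, now: float = None, ttl: int = 600) -> str:
    """Identity-provider side: sign a set of claims for a specific audience.

    The user carries this token to another service instead of re-registering there.
    """
    now = time.time() if now is None else now
    payload = {
        "iss": issuer,          # who vouches for this identity
        "aud": audience,        # which service the token is meant for
        "sub": subject,         # the user
        "iat": int(now),
        "exp": int(now) + ttl,  # short lifetime limits replay
        **claims,               # e.g. department, roles
    }
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def accept_token(token: str, trusted_keys: dict, expected_audience: str,
                 now: float = None):
    """Relying-party side: return the claims if the token is trustworthy, else None.

    trusted_keys maps issuer name -> shared key; only issuers listed here are trusted.
    """
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        payload = json.loads(_unb64(body))
        sig_bytes = _unb64(sig)
    except ValueError:          # malformed token, bad base64 or bad JSON
        return None
    key = trusted_keys.get(payload.get("iss"))
    if key is None:             # unknown or untrusted issuer
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return None             # tampered payload or forged signature
    if payload.get("aud") != expected_audience:
        return None             # token issued for some other service
    if now >= payload.get("exp", 0):
        return None             # expired
    return payload


if __name__ == "__main__":
    # Constructed keys and names for the demonstration.
    keys = {"corp-ad": b"shared-secret-between-ad-and-forum"}
    tok = issue_token(keys["corp-ad"], "corp-ad", "forum", "jdoe",
                      {"dept": "IT"}, now=1_000_000)
    print(accept_token(tok, keys, "forum", now=1_000_100))
```

The relying party never sees a password; it only needs the issuer's key and the discipline to check issuer, signature, audience and expiry in that order. Swapping the shared HMAC key for the issuer's public signing key turns this into the same trust model the real federation protocols use.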

2. Smart cards and other "possessive tokens" will spread. In more advanced companies, there are already requirements for users to log on to Windows with a smart card. This will spread. Identity should be more than a username and a password on an enterprise desktop: it should be something you carry with you, something bound to an object on a person, not just two bits of information someone else gives you.

Workstations and even standard-issue enterprise client computers are now so powerful that even complex passwords and passphrases can be cracked in a reasonable amount of time, and it doesn't help that many users refuse to give up their easy-to-remember passwords. Requiring tokens or physical objects adds a layer of obstruction for ne'er-do-wells attempting to gain access to your systems, and has the added benefit of storing claims information that can be federated to other systems as well. A future in which you pick yourself up by removing your smart card and move to a different environment by plugging it in again is not far off.

3. Two-factor authentication will be mandatory in many more situations. In Europe, for instance, almost all banks require both a password and a hardware token for logging into online banking portals. In the US, such two-factor authentication, another great proof of identity, is generally limited to big businesses and individuals with high net worth and private banking access. Two-factor authentication for consumers in any other context is almost unheard of.

This will change, because as smartphones become ubiquitous and mobile applications can function as hardware tokens, the cost to implement two-factor authentication will drop precipitously. Imagine your users logging into Windows with a username, their password or PIN, and a one-time passcode sent to their mobile phone via SMS straight from your datacenter. That's loads more secure.
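The server side of the SMS one-time-passcode step described above, as an added example that is not part of the original article. It shows what the datacenter has to get right for the extra factor to be worth anything: the code is random, single-use, short-lived and guess-limited, the server stores only a keyed hash of it, and the comparison is constant-time. The class and parameter names are constructed for this illustration; delivering the code to the phone is left to whatever SMS gateway you use.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6            # length of the passcode sent by SMS
OTP_TTL_SECONDS = 300     # how long a code stays valid
MAX_ATTEMPTS = 5          # wrong guesses before the code is discarded


class SmsOtpServer:
    """Issues and verifies one-time passcodes for a second authentication factor.

    Only a keyed hash of each outstanding code is kept, so a dump of this
    state does not hand an attacker usable codes.
    """

    def __init__(self, secret_key: bytes, now=time.time):
        self._key = secret_key
        self._now = now                  # injectable clock, handy for testing
        self._pending = {}               # username -> (digest, expires_at, attempts)

    def _digest(self, username: str, code: str) -> bytes:
        msg = f"{username}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, username: str) -> str:
        """Generate a fresh code for the user; the caller hands it to the SMS gateway."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[username] = (
            self._digest(username, code),
            self._now() + OTP_TTL_SECONDS,
            0,
        )
        return code                      # never log this value

    def verify(self, username: str, submitted: str) -> bool:
        """Return True once for the correct code; consume it on success or exhaustion."""
        entry = self._pending.get(username)
        if entry is None:
            return False                 # nothing outstanding for this user
        digest, expires_at, attempts = entry
        if self._now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[username]  # expired or brute-forced: force a re-issue
            return False
        if hmac.compare_digest(digest, self._digest(username, submitted)):
            del self._pending[username]  # single use
            return True
        self._pending[username] = (digest, expires_at, attempts + 1)
        return False


if __name__ == "__main__":
    server = SmsOtpServer(secrets.token_bytes(32))
    code = server.issue("jdoe")          # would be sent via SMS
    print("wrong code accepted:", server.verify("jdoe", "000000" if code != "000000" else "000001"))
    print("right code accepted:", server.verify("jdoe", code))
    print("replay accepted:", server.verify("jdoe", code))
```

Note that the password or PIN check remains a separate step; the OTP only confirms possession of the phone, and only for the five minutes and five guesses the policy above allows.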

4. Information control, and anonymity control, will become paramount. This is a broader point, but one that deserves to be made. Witness the uproar around Google deleting accounts from its new Google+ service that weren't set up using people's real names. When your identity becomes easily portable, it also becomes easy to track: and most people develop a deep and lasting resistance to companies piecing together their movements and whereabouts without their knowledge or consent.

Identity platforms and identity management services need to develop frameworks for giving users, and in some cases their administrators, control over the information about a user that is both presented and retained by other networks and services. The Internet should remain a place where people can choose to remain anonymous. Likewise for corporate users who should not be forced to choose between easily federated identities and the protection and comfort of anonymity for basic services.

In short, through tools like Active Directory Federation Services, Federated Identity Manager 2010, and some of the deeper security tools in Windows Server 2008 R2 (like authentication mechanism assurance and Certificate Services), identities over the coming few years will break free of their corporate silos. Your users will use one identity for their corporate desktop, your company's associated cloud services, and perhaps even their leisure services. No more split personalities: users become whole in the new era of identity.

Jonathan Hassell
is president of The Sun Valley Group Inc. He's an author, consultant and speaker in Charlotte, N.C. Hassell's books include RADIUS, Learning Windows Server 2003, Hardening Windows and, most recently, Windows Vista: Beyond the Manual. Contact him at
