Cloud computing identity management presents unique challenges

The cloud is not known for being security-friendly, and when cloud-based apps such as Google Docs are used for corporate purposes, they present particular identity and access management (IAM) challenges.

Identity and access management (IAM) is already a tough task for many organisations. Ensuring that employees only have access to what they need is a complex challenge, and when employees leave, closing down all their accounts can prove equally difficult.

But when employees also have access to cloud-based services such as Google Docs, de-provisioning them swiftly is open to error and omission. Ex-employees may be cut off from the corporate network, yet they can retain web access to some of those other services because the accounts there were never disabled.

With its new Identity Manager 4 product, due for release over the next few weeks, Novell Inc. says it can solve that and many other problems associated with cloud computing identity management, allowing companies to synchronise identities across multiple environments in real time, and, importantly, automate the process of provisioning and de-provisioning.

The company is directing the product at sectors such as health care and financial services, where regulatory compliance is strict and where organisations may have to prove which user had access to information at any time.

Identity Manager 4 operates as a metadirectory with a series of connectors into various systems: applications, operating systems and databases. The connectors provide links to other directories, such as Microsoft's Active Directory, as well as to cloud services and to Service Provisioning Markup Language (SPML), the OASIS standard for exchanging provisioning requests between identity systems and target applications.

According to Mark Oldroyd, a senior technology specialist in identity and security at Waltham, Mass.-based Novell, the metadirectory sits at the hub and contains all the policy definitions, including rules about entitlement and role-based structures within the organisation.

It means that whenever a policy is changed, or an employee changes jobs, the changes can be automatically propagated throughout the organisation on all affected systems.
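To make the hub-and-connector model concrete, and to show the failure mode described earlier (a departed employee blocked from the network but still enabled on a cloud service), the following is an added example written for this page. It is not Novell code and does not use Identity Manager's APIs: the `MetaDirectory` and `Connector` classes, the role-to-entitlement table and the sample accounts are all hypothetical and constructed inline. The hub holds the identity store and the role policy, computes the desired state for every target, flags orphaned accounts that no active identity justifies, and pushes provisioning and de-provisioning actions through each connector whenever a role changes or a person leaves.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Hypothetical role-to-entitlement policy held at the hub (constructed sample data).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "analyst": {"ad", "docs"},
    "engineer": {"ad", "docs", "crm"},
}


@dataclass
class Identity:
    uid: str
    role: str
    active: bool  # False once HR marks the person as departed


class Connector:
    """Stand-in for one connector: tracks which accounts are enabled on its target."""

    def __init__(self, name: str, accounts: Dict[str, bool]):
        self.name = name
        self.accounts = dict(accounts)  # uid -> enabled on the target

    def enabled(self) -> Set[str]:
        return {uid for uid, on in self.accounts.items() if on}

    def provision(self, uid: str) -> None:
        self.accounts[uid] = True

    def deprovision(self, uid: str) -> None:
        # Disable rather than delete so the audit trail keeps the account record.
        self.accounts[uid] = False


class MetaDirectory:
    """Hub: authoritative identity store plus policy, pushed to every connected system."""

    def __init__(self, identities: Iterable[Identity], connectors: Iterable[Connector]):
        self.identities = {i.uid: i for i in identities}
        self.connectors = list(connectors)

    def desired(self) -> Dict[str, Set[str]]:
        """uid -> targets on which the person should hold an enabled account."""
        return {uid: (ROLE_ENTITLEMENTS.get(i.role, set()) if i.active else set())
                for uid, i in self.identities.items()}

    def orphaned(self) -> Set[Tuple[str, str]]:
        """(target, uid) pairs enabled on a target but not justified by the hub:
        departed users, and accounts with no identity behind them at all."""
        desired = self.desired()
        return {(c.name, uid) for c in self.connectors for uid in c.enabled()
                if c.name not in desired.get(uid, set())}

    def reconcile(self) -> List[Tuple[str, str, str]]:
        """Push desired state to every connector; return the (action, target, uid) performed."""
        actions: List[Tuple[str, str, str]] = []
        desired = self.desired()
        for c in self.connectors:
            want = {uid for uid, targets in desired.items() if c.name in targets}
            have = c.enabled()
            for uid in sorted(have - want):
                c.deprovision(uid)
                actions.append(("deprovision", c.name, uid))
            for uid in sorted(want - have):
                c.provision(uid)
                actions.append(("provision", c.name, uid))
        return sorted(actions)

    def change_role(self, uid: str, role: str) -> List[Tuple[str, str, str]]:
        self.identities[uid].role = role
        return self.reconcile()

    def deactivate(self, uid: str) -> List[Tuple[str, str, str]]:
        self.identities[uid].active = False
        return self.reconcile()


def build_scenario() -> MetaDirectory:
    """Constructed state: bob has left (AD already disabled) but his Docs account is
    still enabled; an account 'mallory' exists on the CRM with no identity behind it."""
    identities = [Identity("alice", "analyst", True),
                  Identity("bob", "analyst", False),
                  Identity("carol", "analyst", True)]
    connectors = [Connector("ad", {"alice": True, "bob": False, "carol": True}),
                  Connector("docs", {"alice": True, "bob": True, "carol": True}),
                  Connector("crm", {"mallory": True})]
    return MetaDirectory(identities, connectors)


if __name__ == "__main__":
    hub = build_scenario()
    print("orphaned before reconcile:", sorted(hub.orphaned()))
    print("reconcile:", hub.reconcile())
    print("carol promoted to engineer:", hub.change_role("carol", "engineer"))
    print("orphaned after:", sorted(hub.orphaned()))
```

The `orphaned()` check is the audit view a compliance team would want: it answers which accounts are live on a target without a current entitlement behind them, which is exactly the gap left when network access is revoked but a cloud account is forgotten. Running `reconcile()` closes that gap, and the same routine handles the job-change case, so one policy table drives both provisioning and de-provisioning across every connector.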

"Organisations can now manage physical, virtual and cloud applications, using the same security policies, provisioning rules and audit constraints for all their environments, inside and outside the firewall," Oldroyd said. "It means we can automate all provisioning and de-provisioning, and ongoing user management."

In addition, he said it will help companies manage software licensing, and avoid paying for more users than they need at any time. "You are improving security, controlling things like licensing and costs, and minimising the potential wastage of paying for extra accounts," he said.

Andy Kellett, a senior analyst for London-based Ovum Ltd., said: "Identity management is very complex, difficult, time-consuming and expensive, so anything that can make it easier is to be welcomed."

Kellett said that other companies were also trying to tackle the problem but that Novell's offering is well integrated because most of it has been written in-house as a coherent single architecture. He also praised the built-in workflow capabilities to help manage processes, and the extended reporting facilities of the advanced version of Identity Manager 4, which provides the organisation with detailed reporting of system usage by users. "The reporting features also allow companies to monitor what privileged users are doing, which is a big worry for many organisations," he said.

Although the system is targeted at medium to large enterprises, Kellett said it would most likely appeal to large organisations running a mixed environment.
