Identity Management Doesn't Make The Cloud Complex. It Makes it Real.
What does it take to wake me from my blogging slumber? I guess it takes someone bashing Identity Management as a security technology that is deployed just for the sake of it.
In an article today on InfoWorld entitled 'Killing the cloud with complexity', David Linthicum classifies Identity Management as a "trendy", "newer" and "more expensive" security model in cloud deployments for which "there really is no requirement". In his view, it just adds to the complexity of the deployment, helping to kill it. Makes your head spin, no? I wonder if he would be comfortable sharing medical reports with his doctor via Dropbox if all that was needed was just a URL for the file and you didn't need to log in (authentication). Does he regard Amazon adding User Management to AWS as a "me-too" or "cosmetic" feature to satisfy those difficult enterprise types? How exactly does he expect companies to 'Make Mashups Secure' without access controls and identity management? Or does he forget that he explicitly called out Identity Management as 1 of the 5 security strategies needed to protect mashups, and that the other 4 (Policy level security, Data-access level security, Service-access level security, Screen-access level security) are all predicated on some element of identity management (I mean, he talked about "user ID and password gatekeeping", of all things)? I guess now I really want to know what he means by "Address and plan for cloud security upfront -- aggressively" in his article '3 best practices for your cloud computing first-timers'.
Maybe it is as Dave Kearns points out in his response to David's article. Maybe we need to keep beating the drum and reiterating the message that Identity is Core to making cloud technologies viable and reliable options for users (consumer or enterprise). Maybe it's not enough that the Cloud Security Alliance has explicitly called out Identity Management as a key pillar in its Security Guidance for Critical Areas of Focus in Cloud Computing. I mean, the fact that Identity Management is foundational to Cloud Security is so well accepted that the widely adopted phrase "Identity is the new Perimeter" has even been elevated to conference tag line. That must make it true!
I find it difficult to reconcile what David wrote with what he has written in the past about cloud security. Maybe it's just a misstatement, and he really meant something else. But when someone widely regarded as a "luminary" dismisses the need for identity management, that's worrying. Because it affects how enterprises plan for and evaluate cloud solutions. Maybe David would like to come to the Cloud Identity Summit or Gartner Catalyst to understand our perspective and, if he wants to, debate the topic on a panel. Then we can flesh out where the disconnect is.
[Cross-posted from Talking Identity]