I was at Microsoft in May for meetings on what the company calls its Cloud OS, the holistic combination of , System Center 2012, and Windows Azure. Central to the core of this service—or any modern and complex hybrid computing service—is an integrated identity system. But unlike the world of domains and Kerberos, cloud identity protocols and standards are still far from settled.
This is often highlighted (or instigated) by analysts specializing in identity. Last summer at the Cloud Identity Summit, Kuppinger Cole analyst Craig Burton declared, "SAML is dead." Security Assertion Markup Language (SAML) is a widely adopted identity standard, and it's the cornerstone of claims-based authentication. I wasn't able to attend that conference in Colorado, but I think I heard the reaction from my office in Texas. A few months later, Gartner analyst Ian Glazer started a thoughtful discussion with his "Killing IAM In Order to Save It" post, positing that some drastic changes must be made to move identity and access management (IAM) into the modern age.
The latest instance involved the eXtended Access Control Markup Language (XACML), an OASIS standard for authorization. If you aren't familiar with XACML, don't be too hard on yourself; it hasn’t been as widely adopted as its authors had hoped. Forrester analyst Andras Csere, in the role of Monty Python’s John Cleese in the group's famous Parrot Shop sketch, declared that the XACML parrot is dead. Csere’s death proclamation immediately triggered a number of rebuttals that XACML wasn’t dead—it was merely resting. (It’s worth noting that most of these responses were made by XACML committee members.)
I’m not going to enter the debate over XACML’s veracity as the predominant authorization protocol, or whether SAML has seen better days. My point is that, like so many aspects of cloud computing, the core identity protocols that are critical to the success of all other aspects of this computing transformation are still very much evolving. Outside the enterprise, it's an alphabet soup of cloud identity standards and common practices. These standards are each in various degrees of ratification, and versions, and adoption. Kerberos is solid, but from a previous generation, XACML is perhaps looking a bit lost, SCIM is growing healthily, and OAuth 2.0 and its little brother OpenID Connect are booming in popularity. And old-fashioned directory synchronization and the CSV text file aren’t going away any time soon.
If cloud computing services ever hope to earn the same trustworthy status as on-premises applications, the identity community must settle on an adoptable set of standards for all aspects of IAM that work equally well on premises and in the cloud. And all these standards must work to get rid of as many passwords as possible. It's exciting but exhausting to keep track of all this; in upcoming columns, I’m going to attempt to make sense of it from an IT pro’s perspective. The reality is, however, that the IT pro simply wants products that use standards to interoperate with one another and users as simply and securely as possible.
As IT pros, you yourself must help encourage your vendors to adopt these standards; you're the ones with the checkbooks that they pay attention to. And the end users? Well, they really don't care about identity management. They just want to get to their stuff—without having to remember all these stupid userids and passwords.