Single Sign-On for the Cloud

The New Cloud Stack

Jon Stokes of Ars Technica has an interesting interview out today with Ping Li of Accel Partners. An excerpt follows (JS = Jon Stokes, PL = Ping Li):

JS: When you say "the new cloud stack," give me some perspective on how you've seen the evolution of the stack in the past two years.

PL: The evolution of the stack starts with the mainframe, and everyone is always trying to recreate the mainframe by taking advantage of new technologies. So client-server was taking advantage of processing technology. Web services enabled applications to be networked more efficiently. A lot of cloud innovation has been at the data layer—a lot of the interesting things have been with data processing but also with data storage and data transaction. So there's all the movement between, say, the NoSQL crowd and the new cloud-type Oracle databases. So there's been a lot of innovation in that area of the stack.

But even going up the stack, you can see people wanting to recreate the functionalities of a mainframe but in a new world. So, security: what does "cloud security" mean? A lot of interesting companies are doing stuff around single sign-on. You have 15 cloud apps, so how do you manage that in the enterprise—who gets access to what and when? We've seen cloud logging companies—these are all different services that were part of the traditional stack that are now being decomponentized and rebuilt in a cloud framework.


He hits a key question: "You have 15 cloud apps, so how do you manage that in the enterprise—who gets access to what and when?" The problem is that the different cloud apps have different authentication models, which in turn differ from the models used by older enterprise systems. So the Single Sign-On problem for the Cloud is all about alleviating the situation where an organization has its own internal identity silos and infrastructure, such as SiteMinder and Active Directory / Kerberos, but wishes to connect to Cloud APIs. Local identity tokens such as Kerberos tickets and SiteMinder smsession tokens are no good for fine-grained authentication to Cloud APIs, which use OAuth and OpenID. What is needed is a kind of "Identity Router" which understands that "to connect to this Cloud API we need OAuth, but in this local domain we have a SiteMinder smsession token".

The broker here provides the "Identity Router" functionality. The dynamic mapping of identity tokens allows messages to traverse identity domains, just as a network router allows packets to traverse different networks. The key value of the broker is the breadth of identity infrastructure it supports: it is no good to support only OAuth and OpenID if you don't also support older technologies such as Kerberos and SiteMinder.
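To make the "Identity Router" idea concrete, here is a small Python model of a token-mapping broker. It is an added example, not code from the original post or from Vordel/Axway. Everything in it is constructed: the hostnames, the token-type names, the in-memory stand-ins for a SiteMinder session store and a Kerberos principal table, and the HMAC-signed JWT-shaped bearer token the broker mints (a real broker would use asymmetric keys and a published JWKS). The point it shows is the routing decision: validate the local credential first, then either forward it unchanged within its own domain or exchange it for a short-lived token bound to exactly one cloud API, and refuse anything it cannot validate or map.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed broker signing key (assumption: HMAC-signed, JWT-shaped bearer tokens).
BROKER_SIGNING_KEY = b"constructed-broker-signing-key-do-not-reuse"

# Routing table: which credential type each target domain accepts (constructed names).
ROUTES = {
    "crm.example.cloud": "oauth2_bearer",
    "storage.example.cloud": "oauth2_bearer",
    "intranet.example.local": "smsession",
}

# Constructed local identity stores standing in for the SiteMinder policy server and
# the Kerberos KDC; a real broker would perform live validation against both.
SMSESSION_STORE = {"SM-abc123": {"user": "alice", "groups": ["sales"]}}
KERBEROS_PRINCIPALS = {"bob@EXAMPLE.LOCAL": {"user": "bob", "groups": ["ops"]}}


def validate_local_token(kind, value):
    """Validate an inbound local credential; return the identity it proves, or None."""
    if kind == "smsession":
        return SMSESSION_STORE.get(value)
    if kind == "kerberos":
        return KERBEROS_PRINCIPALS.get(value)
    return None  # unknown local token type: never forwarded


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _b64json(obj):
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def mint_bearer(identity, audience, now, ttl_seconds=300):
    """Issue a short-lived bearer token bound to exactly one cloud API (aud claim)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "identity-router", "sub": identity["user"], "aud": audience,
              "groups": identity["groups"], "iat": now, "exp": now + ttl_seconds}
    signing_input = _b64json(header) + "." + _b64json(claims)
    sig = hmac.new(BROKER_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_bearer(token, expected_audience, now):
    """What the cloud API side does: check the signature, then audience and expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    signing_input = parts[0] + "." + parts[1]
    expected = hmac.new(BROKER_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            return None
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # malformed base64 or JSON
        return None
    if claims.get("aud") != expected_audience or claims.get("exp", 0) <= now:
        return None
    return claims


def route(request, now=None):
    """Map an inbound local credential onto what the target domain requires.

    request = {"target": <hostname>, "credential": (<kind>, <value>)}
    """
    now = int(time.time()) if now is None else now
    required = ROUTES.get(request["target"])
    if required is None:
        return {"ok": False, "reason": "unknown target domain"}
    kind, value = request["credential"]
    identity = validate_local_token(kind, value)
    if identity is None:
        return {"ok": False, "reason": "invalid or unsupported %s credential" % kind}
    if required == "oauth2_bearer":
        # Cross-domain hop: exchange the validated local token for a cloud token.
        token = mint_bearer(identity, request["target"], now)
        return {"ok": True, "identity": identity["user"], "credential": ("oauth2_bearer", token)}
    if required == kind:
        # Same domain: forward the original credential unchanged.
        return {"ok": True, "identity": identity["user"], "credential": (kind, value)}
    return {"ok": False, "reason": "no mapping from %s to %s" % (kind, required)}


if __name__ == "__main__":
    result = route({"target": "crm.example.cloud", "credential": ("smsession", "SM-abc123")})
    print(result["ok"], result["identity"], result["credential"][0])
```

Two design choices carry the security weight. The minted token names a single audience, so a token obtained for the CRM API is rejected by the storage API even though both trust the same broker, and it expires within minutes, so the long-lived local session is never exposed outside its domain. The broker also never acts as a pass-through for credentials it cannot validate: an unknown token type or an unrecognised session is dropped before any mapping is attempted.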



Mark O'Neill is VP Innovation at Axway - API and Identity. Previously he was CTO and co-founder at Vordel, which was acquired by Axway. A regular speaker at industry conferences and a contributor to SOA World Magazine and Cloud Computing Journal, Mark holds a degree in mathematics and psychology from Trinity College Dublin and graduate qualifications in neural network programming from Oxford University.
