
@CloudExpo: Blog Feed Post

A High-Level IDaaS Metric: If and When Moving ID in the Cloud

Before moving any IdM to the Cloud, organizations should balance costs and risks

Building a metric to decide whether and how to move to IDaaS means considering which variables and which strategy have to be taken into account when an organization subscribes to an identity-as-a-service contract. Before moving any IdM to the Cloud, organizations should balance costs and risks. Accordingly, the metric adopted should be flexible enough to be applied both by a company that is developing an IdM system and by a company that already has an IAM in operation but is considering moving its ID to the Cloud. The metric introduced below is part of a forthcoming IDaaS Best Practices document that helps companies understand, evaluate and then decide if and how to move ID to the Cloud.

IDaaS: Measure Maturity

The IDaaS metric definition starts from on-premise IdM/IAM acquisition and implementation costs. Take the following parameters into consideration:

  • COSTS – IdM/IAM costs are mainly based upon infrastructure, personnel, administration (access, help desk, education/courses, ...), attestation and compliance (including personnel certification and upgrading), and business agility expenditures;
  • RISKS – risks are based upon the expenditures needed to cover, in order:
    - Implementation risks (the risk that a proposed investment in technology may diverge from the original or expected requirements);
    - Impact risks (the risk that the business or technology needs of the organization may not be met by the investment in the IAM solution, resulting in lower overall total benefits);
    - System protection (perimeter defence, audit and surveillance).

The risk/confidence the company is dealing with depends mainly upon the combination of:

  • IAM maturity, in terms of implementation, maintenance and evolution capacity;
  • SOA maturity, i.e. the ability to express policies through the processes actually applied (privileges by user role, accreditations, de-accreditations, ...) and to act on them dynamically within the organization;
  • Adherence to the criteria that measure service provider(s) compliance with the identity ecosystem framework.

http://cloudbestpractices.files.wordpress.com/2013/07/idaas-maturity2.png

Figure 1 – IDaaS Maturity Framework to IDaaS Best Practices

Accordingly, the metric should be based upon the organization's maturity grade. The gauge proposed is kept as simple as possible and designed to be flexible: if necessary, it can be enriched and applied to more complex systems (more parameters per maturity level, more maturity levels according to the company's policy). The metric measures the confidence/risk when an organization moves to IDaaS by adopting one of the following models:

1. ID On-premise – ID is outsourced but the infrastructure is kept inside the company. In this case the company's ID personnel manage tools and infrastructure, but the expertise comes from the outsourcer;
2. ID Provider Hosted – a private Cloud for IDaaS is managed, and the personnel managing the private Cloud (tools) are shared with the service provider. In this case administration, tools and infrastructure are in the private Cloud and ID management is shared;

http://cloudbestpractices.files.wordpress.com/2013/07/flux-idaas-schema2.png

Figure 2 – IDaaS properties and possible path to the Cloud

3. ID Hybrid – IDaaS is in the Cloud, although sensitive information is still managed internally. ID Hybrid means subscribing to private, community and/or public Cloud services. Tools and infrastructure are shared through the Cloud; ID administration is managed in the Cloud.
4. ID in the Cloud – the ID is entirely in the Cloud. Only the personnel managing the contract and service conditions (all aspects: policy, framework, SLA, ...) are kept internally.

These aspects matter on the one hand for the risk (and countermeasures) taken when moving the ID to the Cloud, and on the other hand for the gains that can be expected in terms of cost savings. Companies have to balance the real business value of the risks, based upon on-premise ID maturity, against the eventual cost reduction, model by model. In the following picture, an example shows how three companies with three different levels of maturity for IdM, SOA and Ecosystem adherence meet three scenarios in terms of Cost/Saving and Confidence/Risk when they decide to move to IDaaS.

http://cloudbestpractices.files.wordpress.com/2013/07/cost-risk-graph2.png

Figure 3 – IDaaS: three cases of companies with different levels of maturity and risk

Company A – Company A runs advanced projects to implement and maintain high levels of maturity for IdM and SOA. Attention is also paid to the Cloud identity ecosystem: the company applies specific criteria to assess service provisioning in the Cloud. By applying IDaaS Best Practices based on maturity levels, Company A can moderate the risks if it decides to move ID to the Cloud. Its criteria for adopting Cloud services are stable enough to manage on-demand and full-provisioning IDaaS. Cost saving is another aspect to take into consideration: by externalizing IDaaS, the expected savings might be impressive (about 70% of the CapEx invested) and, in this case, moving to the Cloud can be balanced with a path that further moderates the risk.

Company B – Company B has an intermediate maturity, with IdM and SOA implementation projects still in progress. Knowledge of the ecosystem interface is also increasing, although it is not yet disciplined. Confidence in moving ID to the Cloud is lower than for Company A, and the risk grows along the IDaaS models listed above. Considering the CapEx to implement internal IAM and BPM procedures, the IDaaS cost saving is lower (about 30% of the CapEx invested) than for Company A. Company B should mitigate the risk by moving to the appropriate IDaaS model: the right path to subscribing IDaaS is to start from the most suitable IDaaS model and progressively increase the levels of maturity.

Company C – Company C faces a different challenge from Companies A and B. Company C is not organized to set defined levels of maturity for IdM and SOA. Moreover, there is not enough interest or experience to classify the requirements and accountability mechanisms typical of an identity Cloud ecosystem. Identity and SOA cultures exist but they are jeopardized. In this case, with no CapEx to recover, saving soon by moving to IDaaS seems highly attractive. However, cost saving alone is not, generally speaking, a sound reason to move to the Cloud, nor to subscribe to IDaaS contracts. The risk of moving ID to the Cloud is really high. Company C should ask:

  • how IDs are provisioned, authenticated and managed (IdM, IAM);
  • who retains control over ID policies and assets (SOA);
  • how stringent the peer-to-peer security standards are (ID ecosystem);
  • how and where data encryption and tokenization are employed (ID ecosystem);
  • how and where federated identity policies are employed (for example: check whether they are consistently backed by strong and protected authentication practices) (SOA);
  • what is offered in terms of availability, identity data protection and trust in third parties (ID ecosystem);
  • how transparency into cloud operations is provided to ensure multi-tenancy and data isolation (IdM and ID ecosystem).

Could Company C provide the above answers before moving the ID to the Cloud? This essential information should be an asset for any company that decides to migrate to the Cloud. The prerequisites above are only a part of the full set of requirements subscribers should assert before acquiring Cloud ID services. No company can improvise a move to IDaaS; consequently, the possible choices for Company C are the following:

  • starting from the low-risk ID On-premise model;
  • moving ID to the Cloud in any case, aware of the risk, and trying to balance the IDaaS cost-saving (OpEx) benefit against Cloud environments that introduce transient chains of custody for sensitive enterprise data and applications.

Defining the Metric

The metric that best describes the above scenarios is based on products of exponential functions of the parameters that set the organization's maturity levels. In practice, the general mathematical relationship is the following:

http://cloudbestpractices.files.wordpress.com/2013/07/risk-formula2.png

Here is the meaning of the variables and indexes:
R is the Risk/Confidence value that qualifies the maturity ranges with respect to the IDaaS models described above;
Pc is the percentage of completion of each maturity range;
V is the variable corresponding to the magnitudes chosen to measure the maturity of the specified range. To calculate the level of IdM, SOA and Ecosystem maturity, two variables have been chosen: the project cost (Cm is the current cost and CM the estimated budget cost) and the project completion time (Tm is the current project time and TM the estimated project completion time);
N is the number of maturity ranges considered (IdM, SOA, Ecosystem, ...).
Constraints: the exponential function is a pragmatic risk estimation based upon the concept of probability density. No averaging technique is used to compute the risk/confidence: the maximum of the series of calculated risks has been preferred to statistical averaging models. The metric above requires the following constraint: at least three maturity ranges should be considered to estimate the best IDaaS model, namely IdM, SOA and Ecosystem Framework. Further, the metric is extensible and flexible enough to consider more maturity ranges and, inside each one, more variables in addition to project costs and times. Finally, R (risk/confidence) is computed as the maximum value among the maturity series' risks. In practice, consider the following test rates:

IdM Maturity: Percent of completion 30%, Cm = 25.000,00 $, CM = 75.000,00 $, Tm = 6 months and TM = 24 months
SOA Maturity: Percent of completion 40%, Cm = 55.000,00 $, CM = 90.000,00 $, Tm = 8 months and TM = 24 months
Ecosystem Framework Maturity: Percent of completion 15%, Cm = 10.000,00 $, CM = 30.000,00 $, Tm = 2 months and TM = 6 months

The risk/confidence outcomes based upon the above values, and their maximum, are the following:

http://cloudbestpractices.files.wordpress.com/2013/07/risk-formula-outcome2.png

Could the company accept a risk of 98% in moving its ID system to the Cloud? What is the main pain point when looking at the maturity ranges and the risk rates? Which IDaaS model could moderate the risk and reduce the costs? The solution in the figure below might be a measured way to gain confidence and awareness before subscribing to an IDaaS contract.
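As an added example (not the post's own code), here is a skeleton of the metric's structure as the text describes it: one record per maturity range carrying Pc, Cm, CM, Tm and TM; the "at least three ranges" constraint; and R taken as the maximum of the per-range risks rather than an average, which also identifies the range that is the main pain point. The post's actual exponential formula is only available as an image, so the per-range function `range_risk` below is an assumed stand-in (risk grows with how far cost or time consumption runs ahead of completion); it does not reproduce the post's 98% figure and should be replaced with the real formula. The names `MaturityRange`, `range_risk`, `meets_constraint` and `idaas_risk` are this example's own. The sample values are the post's test rates.

```python
# Added example (not the post's own code): structure of the IDaaS
# risk/confidence metric. The per-range risk function is an ASSUMED stand-in;
# the post's formula is only shown as an image and is not reproduced here.
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class MaturityRange:
    name: str
    completion: float     # Pc: fraction of the range completed, 0..1
    cost_current: float   # Cm: cost spent so far
    cost_budget: float    # CM: estimated total budget
    time_current: float   # Tm: elapsed project time (months)
    time_total: float     # TM: estimated completion time (months)

    def __post_init__(self) -> None:
        if not 0.0 <= self.completion <= 1.0:
            raise ValueError(f"{self.name}: completion must be in [0, 1]")
        if self.cost_budget <= 0 or self.time_total <= 0:
            raise ValueError(f"{self.name}: budget and total time must be > 0")
        if self.cost_current < 0 or self.time_current < 0:
            raise ValueError(f"{self.name}: current cost/time must be >= 0")

    def cost_ratio(self) -> float:
        """Cm / CM: share of the budget already consumed."""
        return self.cost_current / self.cost_budget

    def time_ratio(self) -> float:
        """Tm / TM: share of the planned time already elapsed."""
        return self.time_current / self.time_total


MIN_RANGES = 3  # the post requires at least IdM, SOA and Ecosystem Framework


def range_risk(r: MaturityRange, k: float = 1.0) -> float:
    """ASSUMED stand-in for the post's per-range exponential.

    pressure = (largest consumed share) / (completed share): a value above 1
    means cost or time is running ahead of delivered maturity.
    Risk = 1 - exp(-k * pressure) lies in [0, 1) and rises with pressure.
    """
    consumed = max(r.cost_ratio(), r.time_ratio())
    pressure = consumed / max(r.completion, 1e-9)  # guard against Pc == 0
    return 1.0 - math.exp(-k * pressure)


def meets_constraint(ranges) -> bool:
    """True when at least MIN_RANGES distinct maturity ranges are supplied."""
    names = {r.name for r in ranges}
    return len(ranges) >= MIN_RANGES and len(names) == len(ranges)


def idaas_risk(ranges, k: float = 1.0):
    """Return (R, worst_range_name, per_range_risks).

    R is the maximum of the per-range risks, as the post prescribes (no
    averaging); the worst range is the main pain point to address first.
    """
    if not meets_constraint(ranges):
        raise ValueError(f"need at least {MIN_RANGES} distinct maturity ranges")
    per_range = {r.name: range_risk(r, k) for r in ranges}
    worst = max(per_range, key=per_range.get)
    return per_range[worst], worst, per_range


# The post's own test rates: completion, Cm, CM, Tm, TM.
SAMPLE_RANGES = (
    MaturityRange("IdM", 0.30, 25_000.0, 75_000.0, 6.0, 24.0),
    MaturityRange("SOA", 0.40, 55_000.0, 90_000.0, 8.0, 24.0),
    MaturityRange("Ecosystem Framework", 0.15, 10_000.0, 30_000.0, 2.0, 6.0),
)

if __name__ == "__main__":
    R, worst, per_range = idaas_risk(SAMPLE_RANGES)
    for name, risk in per_range.items():
        print(f"{name:22s} risk = {risk:.1%}")
    print(f"R = max = {R:.1%} (driven by {worst})")
```

With the stand-in function the Ecosystem Framework range, the least complete of the three, comes out as the maximum and therefore as R, which matches the post's qualitative reading that the ecosystem criteria are where Company C has the most to build; substituting the post's formula for `range_risk` keeps the constraint check and the max aggregation unchanged.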

http://cloudbestpractices.files.wordpress.com/2013/07/ballot-cost-risk-graph2.png

Figure 4 – Snapshot based upon the above maturity rates and risk/confidence values

Conclusion

Companies could apply a systematic approach by adopting the gauge described above. The metric can help in deciding whether the balance of risks and OpEx advantages justifies subscribing to an IDaaS contract, in terms of both security and business benefits. Looking at the cost saving for Company C, the cutbacks could be modest (about 20% or less with respect to the actual CapEx), although the ROI would be faster. It depends upon the IDaaS strategy the company decides to implement.


Disclaimer – This document is provided AS-IS for your informational purposes only. In no event will the contents of "A high-level IDaaS metric: if and when moving ID in the Cloud" be liable to any party for direct, indirect, special, incidental, economical (including lost business profits, business interruption, loss or damage of data, and the like) or consequential damages, without limitations, arising out of the use or inability to use this documentation, regardless of the form of action, whether in contract, tort (including negligence), breach of warranty, or otherwise, even if advised of the possibility of such damages. Specifically, any warranties are disclaimed, including, but not limited to, the express or implied warranties of merchantability, fitness for a particular purpose and non-infringement, regarding this document's use or performance. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies/offices.


More Stories By Cloud Best Practices Network

The Cloud Best Practices Network is an expert community of leading Cloud pioneers. Follow our best practice blogs at http://CloudBestPractices.net
