The first and arguably most important component of your cloud identity system is the identity and attribute store. It forms the heart of any identity system, whether it be a cloud-based or on-premises application. So what should you look for in a cloud identity store? Here are 13 questions we think you should be asking:
1. What sort of data model does it support?
The data model defines the kinds of information you can store in the directory, the ways the data items can relate to each other, and the operations your applications can perform on them. It is the most critical aspect of the identity system. A simple identity data model might include only the notion of user. A sophisticated data model includes things like organizations, departments, roles, user types (such as customer, employee, or contractor) and various possible relationships between them. Many identity service providers a very simple model with little ability to customize it. An unchangeable, simplistic data model will require you to add parallel data structures to you application to support the data and features your cloud based application will require as it matures .
2. Does the cloud identity store have a flexible and extensible schema?
Related to the data model itself is the extensibility of the data model through a schema. Some systems, even though they have a sophisticated data model, don’t allow for any extensibility. If your application’s identity needs change over time, you don’t want the identity system’s lack of extensibility to hold you back.
3. What types of data does it support?
Beyond just supporting an extensible schema, the cloud directory needs to natively support different types of data. In addition to basic strings and numbers, the directory should support constraints on the data to ensure that the data being stored is consistent with what the application expects. It is much more efficient to ensure that the data stored is correct than it is for every application to check the data before it tries to process it.
4. Is it easily searched?
A frequently overlooked capability of cloud directories is the ability to search for identity information easily. The directory is not just a store for authentication; it is essentially a catalog of the users, applications, and devices that use it. Providing a way for people to easily and reliably find this information is really important.
5. Is the cloud identity system multi-tenanted?
Many cloud service providers require a multi-tenant identity system that allows for the creation of tenants that serve as containers for their identity information. The identity system must keep tenants isolated from each other, and provide each with separate administration and configuration. It is extremely difficult and error-prone to graft a multi-tenant model on an identity system designed for a single tenant.
6. What sort of APIs does it expose?
The SCIM (System for Cross-domain Identity Management) API is a relatively new standard for identity systems and is gaining traction for simple provisioning of users. OData (Open Data Protocol) is a comprehensive data access API suitable for almost any kind of data, including identity data. It has a rich relationship model and is completely extensible. Standard APIs such as SCIM and OData have extensive support libraries for different application platforms. Beyond that, most cloud directory services expose a custom, HTTP/S-based API of some sort.
7. Does it support replication and geo-redundancy?
Cloud applications usually have a 24-by-7 global access requirement that most on-premises don’t have. To support this, the cloud identity system must also be globally available, 24-by-7. The identity system must have built-in redundancy of components, as well as data replication to place identity data near where it is used.
8. How is access to directory data controlled?
It’s not enough to rely on web applications to determine who has access to what in the directory. Regulatory requirements, security and privacy policies, and user consent all require authorization policies that must be enforced regardless of the application. The directory has to provide its own layer of authorization policy over and above the policies implemented by the applications.
9. How is sensitive data secured on the cloud identity system?
Access to sensitive identity data (usually things like personally identifiable information, account numbers, and other personal details) needs extra layers of security. It’s no good authorization policies control access through the applications and attackers simply steal the directory data out from underneath the application. Sensitive directory data needs to be encrypted on disk as well.
10. Does it support publish/subscribe APIs?
Even though the directory is the most critical component of any identity system, it traditionally plays a completely passive role in the overall application architecture. Applications treat it as a database, and unless an application asks for information, the directory does nothing. Cloud identities are highly dynamic with new users signing-up, tenants coming and going, users creating new access control policies, enterprise administrators associating users with roles, and so on. Rather than relying on applications to somehow discover what has changed, a cloud directory needs to provide an easy way for applications to learn about changes in the directory that they are interested in, and this is what a publish/subscribe API provides.
11. Does it support human, organization, application, and device identities?
Cloud identity is not just about users; any entity that can access digital resources needs an identity, including applications, devices, and organizations. Further, the directory needs to be able to represent the relationships amongst these entities so that applications can apply the appropriate policies to resource access.
12. How well does it scale up to the number of identities you need to support?
Another characteristic of cloud identity systems is the large number of identities they have to support. 100K identities in an on-premises systems like Active Directory is a big number. Cloud identity systems frequently deal with tens or even hundreds of millions of entries. The directory has to be designed to accommodate these sorts of numbers while still providing fast authentication and lookup times.
13. How does it handle scale out for performance, redundancy, and geo-location?
Cloud identity systems need to scale out (and in!) to satisfy changing performance requirements. The directory has to support spinning up additional instances so that they can serve more authentication and authorization requests, and so that they can place service instances near the clients making the requests.