Two major identity management companies are forging ahead with products designed to satisfy what a cloud-computing consortium calls one of the trickiest problems preventing secure and automated connections between internal IT infrastructures and external service providers: identity and authentication.

Last week at The Burton Group's Catalyst Conference, Novell demonstrated a pre-release version of its Cloud Security Service, designed to synchronise login and authentication data between external clouds and internal systems without exposing internal security data.

At the same conference, CA demonstrated a product called Federation Manager, designed to provide single sign-on across several internal and external cloud or SaaS applications.

The problem the two are offering to solve is federated identity management-the need to connect and synchronise user data between external service providers and internal IT security measures.

Without external services managed by identity management specialists such as Novell, CA and others, use of cloud-computing services could get snarled in a web of manual updates and processes that are too much trouble to implement and present far too much potential for error, according to Rich Mogull, a former Gartner analyst who now runs the Securosis security consultancy.

"Managing user authentication internally is not that big a deal, and it's not a big problem services you log into over the web or FTP or whatever, because you're using a single user credential to sign in to something," Mogull says. "With SaaS and cloud environments you're extending your infrastructure, which essentially means you'd have to manually recreate all your users in that cloud and synchronise all the changes manually as well."

Both Microsoft and VMware have promised their own takes on identity management for cloud computing, but a host of third parties is also beginning to crowd the market.

Relative small fry such as Radiant Logic, for example, touts its RadiantOne Identity and Context Virtualization Platform as a two-part solution to identity management. Its Identity Correlation and Synchronization Server aggregates and synchronises identity data from end-user and cloud organisations, while its Virtual Directory Server provides authentication and access control.

Others, such as PingIdentity take a tighter focus, providing secure single sign-on to one or two SaaS applications at a time.

"People don't think of it that way, but SaaS is as much a cloud environment as other cloud services," Mogull says.

In addition to specific products, OASIS and other standards organisations have been working on security specifications such as the Security Assertion Markup Language (SAML), the Web Services Federation Language (WS-Federation), or earlier Liberty Identity Federation Framework (ID-FF).
Others, such as the Cloud Security Alliance (CSA) have also been working on the technology putting out white papers mapping out security best practices.

CSA calls the need for a robust and standardised federated-identity management structure, and services to take advantage of it "the key critical success factor to managing identities at cloud providers."

"The current state of granular application authorisation on the part of cloud providers is non-existent or proprietary," the CSA goes on to say. CSA also recommends that:

• End users require cloud providers provide stronger authentication between them and their customers than the cloud providers use internally;
• End users consider using third-party single-sign-on services to authenticate to the cloud;
• End users realize that the third parties to which they outsource some part of their identity management will become criticalinfrastructure providers, not just ways to link more conveniently with cloud services by federating identity and authentication mechanisms.

Most cloud or SaaS services have either proprietary identity mechanisms, or require customers to make the change both on an internal access list and on the cloud configuration list every time a new employee is hired, one is fired, or permissions are changed.

"There's a lot of effort involved in that if you're talking a couple of thousand users," Mogull says. "It's really easy to screw it up, and if it's not a standard way of doing it, there's no guarantee whatever you're doing will be compatible with what you'll do to manage identities in the future."

Forgetting to delete an email account or access to a particular application inevitably creates security and configuration headaches. Because cloud providers usually charge per user, an uncancelled account also keeps costs higher than they should be, for no benefit.

"If I were going to move something into the cloud, I would prefer to have a service I can sign on to that would synchronise all that identity data securely, consistently and non-manually. Otherwise, whether there are standards in place or not, you're going to be managing the software yourself," Mogull says. "Federated identity is the kind of thing end users should not be programming when they can avoid it."

Novell's approach is to hide internal security applications behind proxies, using "identity connectors" to provide a secure data transfer and authentication mechanism between internal networks and the cloud, adding user-access controls, reports and event tracking to give customers a clearer view and better control over who has access and to what.

The service will be available in 2010.

Extending identity controls such as its directory and security services is a logical extension for Novell, which also has the ability to scale its service to support a cloud computing environment, according to Jeff Kaplan managing director of consultancy Think Strategies.

CA's Federation Manager supports SAML, WS-Federation and other specifications to provide secure identity and authentication control between organisations, whether cloud-based or not, the company says. The product is part of CA's Secure Web Business Enablement suite, which is already available. It demonstrated federated-identity integrations with Salesforce, Google Apps, Cisco's WebEx and others at the Burton Group conference.