By Mandy Pang.
I just got back from MS Tech Ed in New Orleans. The hot topic was obvious: Microsoft’s new cloud platform, Windows Azure.
I attended multiple sessions (such as this one), and a central message was how easy Azure makes it for IT organizations to move their resources and applications to the cloud. One reason is the flexibility Azure provides to allow organizations to choose which applications to move to the cloud, versus which ones to keep on premise. You can design an approach that works best for you, or even make the transition in strategic increments.
Another key message was, if you settle on a hybrid cloud/premise solution, Azure allows you to keep your data access and authentication model simple. This is because Windows Azure Active Directory allows you to also move your Identity and Access Management (IAM) to the cloud, and manage access to both cloud and on-premise resources from just one Windows Azure AD. This enables single sign-on for cloud-hosted applications, as well as streamlines the users, groups, and roles IT must maintain.
Moving IAM to the cloud is a key feature of Windows Azure, and I can see why they wanted to emphasize this at TechEd, given a recognized reluctance among businesses to move sensitive data to the cloud. Strong authentication infrastructure and accurate authorization rules are clearly essential. Windows Azure AD counters the anxiety about cloud security with the comforting familiarity of IAM in AD. You do the same work you already do to manage access to on-premise resources: create Security Groups and apply Permissions.
However, this is where I am left with some questions. I get how authentication can be streamlined, with single sign-on authentication for all cloud-based and on-premise applications. But in terms of access control for data stored in these applications (the authorization piece), are we just moving our old overhead to the cloud?
We already know that container-based rules that rely on Security Groups can be difficult to maintain, especially when access control requirements grow very complex, and when there are many locations to protect. This manual process is famous for being error-prone and hard to troubleshoot. Plus, authorization rules created in AD will only apply to file servers. IT will still have to manage a separate set of permissions for all other applications, for example, in SharePoint.
The platform focus for moving data to the cloud, as well as the move to centralize the authentication infrastructure for cloud and premise-based systems, seems to suggest a logical next step: authorization management that is also platform-based (that is, data-level access controls that are cross-application and centrally managed). Is this what’s next?
Mandy Pang is the Product Manager for Rights Management and Data Protection at NextLabs. She works with the Solutions Management team to devise best practices for securing and controlling data in order to develop solutions for Global 5000 business around partner collaboration, export regulations, IP and Data security