IBM Extends Cloud Identity-as-a-Service to Hybrid Cloud Environments

The new identity-as-a-service (IDaaS) platform aims to make it easier for organizations to connect identities both on-premises and in the cloud.

IBM Connect

IBM today announced the addition of new services to its identity management portfolio with an expansion of the IBM Cloud Identity platform to include the new Cloud Identity Connect software-as-a-service (SaaS) offering.

IBM's Cloud Identity portfolio also includes the Cloud Identity Service and MaaS360 Universal Endpoint Manager (UEM) offerings.

The Cloud Identity technologies have different roots, explained Ravi Srinivasan, vice president of Strategy and Offering Management at IBM. In 2014, IBM acquired cloud security services provider Lighthouse and used that as the basis for the Cloud Identity Service, which is a full identity and access management (IAM) technology that is hosted and managed by IBM. The Cloud Identity Service is different from the new Cloud Identity Connect offering.

"The Cloud Identity Connect platform is a new, born-in-the-cloud, microservices-based technology that is for customers that want a SaaS experience," Srinivasan said.

As part of the identity-as-a-service (IDaaS) launch, Srinivasan said IBM is aiming to infuse identity everywhere, including on-premises, cloud and mobile deployments. Maas360 is IBM's mobile and endpoint management technology and is now being enhanced with the cloud IDaaS capability, providing identity services for mobile users.

IBM is taking a federated approach with its Cloud Identity portfolio, with policies set up and managed in the cloud and the on-premises identity components acting as enforcement points for applications behind an enterprise firewall.

The new IBM Cloud Identity Connect IDaaS is built on IBM Cloud, though it is not using components from the open-source OpenStack platform. IBM is one of the leading supporters of OpenStack, which comprises multiple cloud infrastructure projects, including the Keystone identity store.

"[Cloud Identity Connect] is built on IBM Cloud, but it is leveraging cloud-platform agnostic and other IBM homegrown technologies to deliver the identity and access management capabilities available in the platform," Jason Keenaghan, director of Offering Management at IBM Security, told eWEEK. "Separately, IBM, as a part of its contributions to OpenStack, has also contributed code to Keystone; however, that is separate and distinct from the Cloud Identity Connect offering."

Among the many use cases for IDaaS is enabling single sign-on (SSO) capabilities for web and cloud applications. Keenaghan explained that Cloud Identity Connect delivers SSO capabilities through the implementation of two key protocols: SAML 2.0 and OpenID Connect. As the underlying IAM microservices of Cloud Identity Connect are exposed to developers, the OAuth token-based authentication system will be used by the consumers of those APIs as the de facto security mechanism, he added.

In addition to SSO, cloud identity typically plays a role in enabling access to cloud applications. Organizations looking to connect enterprise access to cloud applications will often turn to Cloud Access Broker (CASB) technologies to provide secure access. Keenaghan said Cloud Identity Connect is not intended to replace CASB technologies, but rather to complement their capabilities.  

"Once a client discovers cloud app usage via a SaaS or CASB tool—such as IBM Cloud App Analytics—they can leverage Cloud Identity Connect to bring these apps into the control and management of the rest of the IT organization," he said.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.