Ken Huang

Up in the air: The future of cloud identity management

In early December, I was invited to speak at the second annual UP 2011 Cloud Computing Conference. As more organizations turn to cloud computing, one of the pressing needs that must be addressed is the development of identity access management standards. In my presentation, I discussed the work that’s underway to develop standards and some of the issues each standards organization must resolve.

Identity access management is a key component of each of the three cloud service models—Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). Both the client and cloud service provider need to know who has access to which cloud service. And, in large organizations, with multiple cloud models and multiple cloud services within each model, identity access management can become highly complex.

Identity access management in the cloud is only in its beginning stages, but the development of new standards is underway. Four major organizations are currently focused on this critical endeavor:

  • OASIS: evaluating the application of current identity management standards within the cloud and identifying gaps.
  • InCommon: coordinating the development of common definitions and guidelines for security, privacy and data interchange among identity and cloud providers.
  • Trusted Cloud Initiative (TCI): focused on advancing the certification of secure and interoperable cloud identity standards.
  • Jericho Forum: developing a cloud architecture that uses identity management across all levels of the cloud (infrastructure, platform, software and process) in a design it calls collaboration-oriented architecture (COA).

Key issues these standards organizations must address in developing new cloud identity standards include the following:

  • Provisioning: For user provisioning and de-provisioning within a cloud environment, SPML, the open standard developed by OASIS, has not received adequate traction due to its complexity. A new standard is required.
  • Identity data synchronization: It’s important that any new standards provide direction on identity data synchronization between a cloud provider and the enterprise directory.
  • Authentication and authorization: Authentication and authorization are key components of identity security in the cloud, and SAML and OpenID standards are widely used today for each. Both should be incorporated into the new standards.
  • Access control: Both externalized and fine-grained access control should be considered to maximize the business value of cloud identity.
  • Regulatory mandates: Various regulations, including HIPAA/HITECH, SOX, FISMA, PCI DSS, and FedRAMP, must be considered and followed.

By addressing these issues and working closely together, we’re confident these standards organizations will be able to develop clear and comprehensive standards for cloud identity, while eliminating duplication, increasing interoperability and enhancing security. The future of cloud identity depends on their success.