Seeding the Clouds of Federation
Before we leave the topic of cloud applications that allow data to be shared among different systems, we should look at ways in which user information—user identity—can be shared in the same way. The concept is called identity federation, and it's one of the big ideas that cloud computing is bringing to reality a bit more quickly than might happen if clouds didn't exist. In simple terms, identity federation is a single authenticated user identity that is accepted as valid across a wide variety of systems. While the concept of having a particular type of user identification exist in two organizations might be easy to picture conceptually, the implementation has been fraught with heated arguments in the standards committees. Because the company that owns a customer's directory has a huge advantage in owning the rest of the organization's network infrastructure, vendors tend to want to feature their own solution to the exclusion of all others. With Sun Microsystems pushing LDAP, Novell pushing eDirectory, and Microsoft pushing Active Directory, the battle is a three-way slugfest among some of the biggest IT providers on the planet. Each bases identity management on a directory structure that vaguely resembles the work done in the X.500 standards committee but is tweaked to the individual company's benefit.
We'd like to point out that one of the huge roadblocks to federation has been the issue of government regulations. The medical industry's HIPAA rule set has certainly affected consumers by requiring a large number of new forms to sign acknowledging that their medical providers are compliant with HIPAA regulations and that they'll make every effort to protect your personal medical information. What hasn't been said is that HIPAA, Sarbanes-Oxley, and other federal legislation doesn't specify technology, only overall effects. The government doesn't say you must use AES256 encryption, but instead alludes to "secure communication pathways." This fact is creating a new era in the way medical providers share information and communicate with patients. A typical hospital doesn't own its laboratory, but rather provides space to a contractor to provide med tech services. When HIPAA first went into effect, many hospitals reverted to paper records to avoid having to answer privacy questions they really didn't know how to answer. However, as the scare faded and clearer thinking prevailed, medical providers realized that setting up a clearly defined procedure and risk management could provide just as much privacy as paper, perhaps even more. The Japanese have even gone as far as providing an even easier way for patients to identify themselves, so that they can start from a strong position of trust. Fujitsu Limited has produced a whole series of kiosks that scan the blood vessels in the palm, allowing for positive identification but without the resistance faced by other biometric identification systems. The Japanese figured out that if you start your information chain from a strong position of trust, much more can be done with less risk.
Let's clear the air a bit and say that each of the players in the debate about federation does seem to have the common goal of being able to interoperate. Each of the vendors agrees that creating a facility that would allow you to create special-purpose users on your system is a good thing only if it doesn't also expose your internal infrastructure to attack. That's it—we're all talking about literally how to implement that simple Venn diagram showing an overlap in authority between two organizations. The fight is really about how you determine trust so that you can more comfortably manage the risk for each transaction.
Suppose that Mary, an employee of Whapapalooza Widget Works, needs to place an order with Fergenschmeir Sprocket Works for 100 dozen size 20 sprockets. She and dozens of other defense contractors do this often enough that the folks at Fergenschmeir have been screaming for three more order-entry people. However, the enlightened IT staff at Whapapalooza and Fergenschmeir have discovered that their two internal IT infrastructures have an agreed-to standard for " federation." Each IT group has created a special user group that has privileges only in specific areas. Each has also assigned a group manager so that personnel changes in one company won't affect the other. InfoWorld magazine did a huge article on just this kind of thing way back in October 2005. The scenario mapped out a merger between two companies and followed the changes to a single employee. In this early comparative review, federation was only a buzzword, but the authors had long conversations with the vendors on just how federation would be implemented. Identity management, security event management, and federation all seem to be intertwined and no longer really exist as stand-alone subjects. All of these are being woven into the base operating system regardless of whether it was designed to be a monolithic system or virtualized. Considering the massive changes made to Windows Server 2008, the borders have certainly blurred.
However, the fight isn't over yet, and right now there just isn't a standard for federation in the world of identity management. However, there is a silver lining, and it's in the cloud. All Whapapalooza and Fergenschmeir really wanted to do was automate the ordering process so that neither company would have to encumber additional personnel to handle intercompany orders. A common area in which to place and acknowledge orders might be set up in any of the cloud services available. In Amazon it might be a virtual DMZ server, or maybe a shared storage area on Amazon S3 for named pipes, or a Python application in the Google App Engine. Like a Swiss Army knife, there are lots of ways to use the tools at hand.
Let's step back a few years and look at the early days of credit card validation. Although it was not the first, Verifone was founded on the idea of small simple devices that could read the magnetic stripe on the back of the credit card, call a credit bureau to validation the transaction, and then get back some acknowledgment by IC Verify for the transaction. This simple idea was applied to network applications in a simple DOS application that looked for files in a specific directory with a specific file extension. Upon finding those files, it would do something very similar to what Verifone did, but this time with a regular old computer modem. What made this different was how the system would keep the modem link up as long as it kept finding files in that directory. So, in many highuse cases these systems didn't drop the line all day. Credit card clearing houses now exist all over the world, but the concept is still the same. You've acknowledged a level of trust with the clearinghouse that in turn has a level of trust with the banks or credit card companies. Each in turn passes data along in a particular manner, but can't do anything beyond what is agreed on—thus dramatically limiting the potential for mischief. Key to this trust relationship is a third-party validation service called a Certificate Authority. In any typical browser today there exists a list of hosts that are considered trustworthy, and each of those servers takes part in a validation dance that utilizes dual-key encryption technology.
As a historical sidebar, modern encryption systems all spring from work originally done at MIT by mathematicians Ron Rivest, Adi Shamir, and Leonard Adleman ( RSA Corporation was named for their initials), who were the first to create a commercially viable encryption system that utilized one encryption key to "lock" the transaction and a completely separate encryption key to "unlock" it. This dual-key encryption became the basis for almost all secure Internet communications today. More important for this discussion is how this same mechanism can be used to authenticate information. The "private key" is used to create a numerical representation of the message. To validate this message, the recipient retrieves the "public key" from a trusted Certificate Authority (all a Certificate Authority does is hold onto public keys for servers). The original work that led to this advance was done in Honolulu, Hawaii, by Wesley Peterson, PhD, in 1964. His paper on the mathematical representation of data for error correction became the basis for all modern data transmission error checking and all modern encryption. Today, Peterson is acknowledged as the father of the cyclical redundancy check used in every data transmission.
Is federation happening now? You bet! Just look at how Amazon's massive Internet sales site can place orders with hundreds of companies all over the world. The sophistication of the federated identity varies widely from organization to organization, but the goal is the same: Provide more services between companies but not at the added expense of human resources. After all, the biggest cost in just about any organization is warm bodies.
Clouds Flight Path for Chapter 5
- Will government regulations prevent you from using the cloud? We all know that government regulations play a huge part in how various organizations do business, and clouds have to learn to play along. We've looked at some of the issues you might stumble across as you think about moving into the cloud. Considering that we've had some friends retrieve their files and discover that they came from Italy, it really pays to do your homework and make sure you buy the right options. While the big boys are all offering regulatory options, you must ask for them, and they might very well need to be part of your service-level agreement.
- To use clouds internally, you really need to examine the size of your Internet pipe. It doesn't pay to move your internal computing facilities into the cloud if your Internet pipe is tiny. It's all about balance, and about looking at every piece in the puzzle. Remember that some applications are very timing-sensitive and don't lend themselves nicely to being shoved into a cloud. Here is where taking it all for a test drive really makes sense. Don't take the word of the salesperson; test it yourself and make sure it's worth risking your reputation on the move.
- There are different types of load balancing, and a good load balancer can also provide auto provisioning. We looked at some big Web surges and how various organizations handle them. Load balancing is a way of life as your audience grows. We mentioned some key factors you should consider, and we discussed why load balancing is making even more sense today, especially because it can actually help you strike a balance between in-house infrastructure and the cloud.
- You can use a cloud as a DMZ between partners, just as good fences make good neighbors. Setting up some neutral ground makes a whole lot of sense and limits risk for everyone involved. We're only human, and there is always potential for mistakes. It's said that good fences make good neighbors, and that's certainly the case with business partners using the cloud as neutral territory for exchanging information.
- The seeds of federation are finally sprouting. That no man's land might very well finally give federation a chance to bear fruit. Will this be the beginning of the business world coming to some sort of agreement on just how to handle foreign trust relationships, and will clouds become the Switzerland of the computing world?
About the authors:
Brian J. S. Chee is a senior contributing editor at InfoWorld magazine. Chee currently does research for University of Hawaii School of Ocean and Earth Sciences and Technology and has a unique insight into networking trends and the emergence of new technology.
Curtis Franklin Jr. is a senior writer at NetWitness and been an information technology writer for more than 25 years.
Printed with permission from CRC Press. Copyright 2010. Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center by Brian J. S. Chee and Curtis Franklin Jr. For more information about this title and other similar books, please visit http://www.crcpress.com/.