At last month's GlueCon conference my buddy Nishant Kaushik (he's lead strategist for identity management at Oracle) delivered a very well-received presentation entitled "Federated Provisioning and the Cloud." He's posted the slides online, but -- more importantly -- he's written a series of blog posts explaining the session and going into much more detail.
Start at Part 1, where Nishant explains the rationale for the talk and shows the slides.
He begins by telling us why provisioning is still needed in the cloud: "…for many enterprises, moving to the cloud is all about taking existing applications that they have and moving them to the cloud without re-architecting or re-engineering them, so that they can start getting incremental benefits from the cloud movement. This means that there are going to be a ton of services in the cloud that have their own little identity silos that will need to be managed; in other words, provisioned."
But it isn't the same old provisioning, as he goes on to note: "…in order to leverage the cloud for these services, the user provisioning of these services has to mimic the dynamic, highly automated nature of the cloud. It has to be built on standards, be light-touch and loosely coupled, and it has to just work." Kaushik then posits two different types of "federated" provisioning:
1) Advance provisioning -- like classic "on-boarding" provisioning in that the provisioning is done before the user knows it.
2) Just-in-time provisioning -- unlike "on-boarding," this is do-it-yourself provisioning, accomplished when the user first accesses the application or service. It can be role-based, attribute-based or hinge on a number of different triggers, which determine if that particular user can gain access to that service.
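To make the just-in-time variant concrete, here is an added illustration (not code from Kaushik's talk or slides): a service provider that holds no local account until a user's first federated login, with a role-based trigger and an attribute-based trigger deciding whether that first access creates one. The issuer URL, attribute names and the shape of the assertions are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

def role_trigger(allowed_roles):
    """Role-based trigger: fires when the assertion carries an allowed role."""
    return lambda attrs: bool(set(attrs.get("roles", ())) & allowed_roles)
def attribute_trigger(name, value):
    """Attribute-based trigger: fires when a named attribute has the value."""
    return lambda attrs: attrs.get(name) == value

@dataclass
class JitServiceProvider:
    trusted_issuer: str
    triggers: list                                  # any firing trigger grants access
    accounts: dict = field(default_factory=dict)    # subject -> local account
    audit: list = field(default_factory=list)

    def on_federated_login(self, assertion):
        """Handle one federated login; return the local account, or None if denied."""
        subject = assertion["subject"]
        # Trust only the expected federation partner; otherwise any IdP could create accounts here.
        if assertion.get("issuer") != self.trusted_issuer:
            self.audit.append(("rejected-issuer", subject))
            return None
        if subject in self.accounts:                # not the first access: plain login
            self.audit.append(("login", subject))
            return self.accounts[subject]
        attrs = assertion.get("attributes", {})
        if not any(trigger(attrs) for trigger in self.triggers):
            self.audit.append(("denied", subject))
            return None
        # First access and a trigger fired: create the local account now. Nothing here
        # de-provisions it if the IdP later drops the user: the life-cycle gap the post raises.
        self.accounts[subject] = {"email": attrs.get("email"), "roles": set(attrs.get("roles", ()))}
        self.audit.append(("provisioned", subject))
        return self.accounts[subject]

def demo():
    idp = "https://idp.example.com"
    sp = JitServiceProvider(idp, [role_trigger({"contractor"}), attribute_trigger("department", "finance")])
    logins = [  # (issuer, subject, attributes), constructed for this example
        (idp, "alice", {"email": "alice@example.com", "roles": ["contractor"]}),
        (idp, "alice", {"email": "alice@example.com", "roles": ["contractor"]}),
        (idp, "bob", {"email": "bob@example.com", "department": "finance"}),
        (idp, "carol", {"email": "carol@example.com", "roles": ["guest"]}),
        ("https://rogue.example.net", "mallory", {"roles": ["contractor"]}),
    ]
    for issuer, subject, attrs in logins:
        sp.on_federated_login({"issuer": issuer, "subject": subject, "attributes": attrs})
    return sp.audit
```

Running `demo()` shows the first access provisioning alice, her second access being a plain login, bob admitted by the attribute trigger, carol denied, and mallory rejected before any trigger is consulted.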
In Part 2 Nishant takes a closer look at the first option, advance provisioning. He concludes that this can be problematic in the cloud world because of the integration work needed and the predefined business relationships (at an IT level) it requires. He notes that "a lot of the appeal in using and delivering cloud-based services is the ability to enable short-lived and limited-use business relationships."
So Part 3 elaborates on the just-in-time type of federated provisioning and the problems that might be encountered. Of course, he can solve these problems (else, why bring them up?) and does so in Part 4. Well, he doesn't answer all the questions, noting that "there are major life-cycle management issues still to be discussed and explored. How does one handle de-provisioning in a JIT Provisioning environment? How can SPs that want to know about profile updates find out outside of the user interaction? And how do all those workflow and policy based controls that are present in provisioning systems today fit into all of this?"
Still, it's a tour de force of provisioning and where it needs to go in our coming cloud-based universe. Highly recommended reading.
Upcoming events: Kaushik will be exploring this some more at next month's Catalyst conference, July 26-30 in San Diego.