Authorization for a Multi-Cloud System

This is a project design I am currently working on: it consumes the trust and identity bootstrapped by SPIFFE (Secure Production Identity Framework For Everyone) to provide authorization in a dynamically scaling, heterogeneous system. The work is inspired by Mr. Prabath Siriwardena of WSO2 and carried out under the supervision of Prof. Gihan Dias of the University of Moratuwa. An enterprise system running across multiple clouds, as in a hybrid cloud, is an obvious example of a system that would benefit from this. The objective is to let SPIFFE standard based systems co-exist with the rest of the systems with minimal effort and without compromising on security, while providing an authorization solution based on SPIFFE.
What is SPIFFE? In brief, it is a trust bootstrapping and identification framework, submitted as a standard and accepted by the CNCF (Cloud Native Computing Foundation)[1]. As of now, this standard has two main implementations, SPIRE and Istio[2], a platform that supports service mesh archit…
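
As an added example (not code from the project described above), the following Python sketches the deny-by-default authorization check such a design needs when each cloud runs its own SPIFFE trust domain: it validates a SPIFFE ID against the format rules of the SPIFFE ID specification and then evaluates a policy keyed by trust domain and workload path. The trust-domain names, workload paths and operation names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Character classes from the SPIFFE ID specification: trust domains are
# lowercase; path segments may also contain uppercase letters.
_TRUST_DOMAIN_RE = re.compile(r"^[a-z0-9._-]+$")
_SEGMENT_RE = re.compile(r"^[a-zA-Z0-9._-]+$")


def parse_spiffe_id(uri: str) -> "tuple[str, str]":
    """Validate a SPIFFE ID (spiffe://<trust-domain>/<path>) and return
    (trust_domain, path). Raises ValueError on anything non-conforming."""
    parts = urlsplit(uri)
    if parts.scheme != "spiffe":
        raise ValueError("scheme must be 'spiffe'")
    if parts.query or parts.fragment:
        raise ValueError("query and fragment are not allowed")
    trust_domain = parts.netloc  # urlsplit keeps the original case here
    if not _TRUST_DOMAIN_RE.match(trust_domain):
        raise ValueError("invalid trust domain")
    path = parts.path
    if path:
        # No empty segments (so no trailing slash) and no dot segments,
        # which would otherwise allow two spellings of one identity.
        for segment in path[1:].split("/"):
            if segment in ("", ".", "..") or not _SEGMENT_RE.match(segment):
                raise ValueError(f"invalid path segment {segment!r}")
    return trust_domain, path


# Constructed example policy for a two-cloud deployment. Each cloud runs its
# own SPIRE server and therefore its own trust domain; only federated trust
# domains are accepted, and each workload is listed with its permitted operations.
FEDERATED_TRUST_DOMAINS = {"cloud-a.example.internal", "cloud-b.example.internal"}
POLICY = {
    ("cloud-a.example.internal", "/ns/payments/sa/api"): {"orders:read", "orders:write"},
    ("cloud-b.example.internal", "/ns/analytics/sa/reporter"): {"orders:read"},
}


def authorize(spiffe_id: str, operation: str) -> bool:
    """Deny by default: malformed IDs, unknown trust domains and workloads
    absent from the policy are all rejected."""
    try:
        trust_domain, path = parse_spiffe_id(spiffe_id)
    except ValueError:
        return False
    if trust_domain not in FEDERATED_TRUST_DOMAINS:
        return False
    return operation in POLICY.get((trust_domain, path), set())
```

In an X.509-SVID the SPIFFE ID arrives as the URI SAN of the peer certificate, so `authorize` would be called with that value after mTLS verification against the SPIRE trust bundle.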

Future of Identity and Access Management (IAM)

When a business needs rapid growth or a new technology integrated, partnering and acquisition strategies are commonly put forward. WhatsApp being acquired by Facebook and Skype being acquired by Microsoft are popular acquisitions by the giants of the industry. According to the Wall Street Journal, 2015 was "the biggest year ever for mergers and acquisitions" globally[1]. Considered from the perspective of enterprise identity management, this means a rapid merge of external users into the current enterprise system. While this merge needs to happen rapidly in order to gain the competitive advantage, privacy and security aspects cannot be ignored. Quocirca, a primary research and analysis company, also confirms that "many businesses now have more external users than internal ones. Many organisations are putting in place advanced identity and access management tools to facilitate the administration and security issues raised by this."[2]

The impact of these mergers and acquisitions has been predicted by the reputed analyst firm Gartner: "By 2020, 60% of digital identities interacting with the enterprise will come from external identity providers through a competitive marketplace – up from less than 10% today."[3] Quocirca discusses this topic further in relation to the BYOID (bring your own identity) concept, where users present an identity issued by an external identity provider that the enterprise trusts. These external identity providers might use different protocols (legacy, proprietary or standards based) to deal with identities. Integrating them with existing systems is therefore a challenge, since a full replacement of the legacy systems is often difficult or even impossible, and this touches a particularly sensitive part of enterprise security. As a solution for this foreseen rising requirement in the enterprise IAM arena, the industry is investigating several options. While some have been evaluating the possibility of using an ESB itself for the purpose, a new concept, the EIB, has also emerged that focuses specifically on identity mediation.

Apart from enterprises growing through mergers and acquisitions, consider a new enterprise: most of the time, users had to register there by filling in a lengthy form. The BYOID concept, however, opens the door to easily attracting the whole user base of the social identity providers. For example, a website that allows login via Google or Facebook has a possible user base as large as Google users plus Facebook users, compared to a website that allows login only for its own registered users. In order to achieve this kind of external identity provider integration, there needs to be a mechanism to securely confirm the user's identity and submit the decision in a mutually understandable way. For this, a transformation needs to happen between the two parties, which can be identified as the main functionality of an EIB.

From the above facts it is evident that identity mediation is a requirement for enterprises in the coming days, due to the high rate of mergers and acquisitions and the possible competitive advantage of supporting login with a social identity. Also, with newly emerging technologies like IoT, many new protocols may be introduced to interact with identities, and current protocols might get new versions with several modifications. Time is a critical factor for the enterprise when adopting new technologies: the faster they move, the more the benefits. The requirement that arises in this situation is an identity mediation mechanism that can transform between identity protocols, similar to how ESBs transform messages between different transport protocols.

[1] - M. Farrell, "2015 Becomes the Biggest M&A Year Ever", WSJ, 2016. [Online]. Available: [Accessed: 24 Jan 2016].

[2] - "Identity, access management and the rise of bring your own identity", 2013. [Online]. Available: [Accessed: 24 Jan 2016].

[3] - D. Atkinson, "A Report From Inside the Gartner Identity and Access Management Summit", Top Identity & Access Management Software, Vendors, Products, Solutions, & Services, 2014. [Online]. Available: [Accessed: 24 Jan 2016].


  1. Absolutely Brilliant!! It's one of the best blogs I have read on identity and access management. It was an absolute pleasure reading this article. Thanks a ton mate for sharing this article with everyone.

