The second system does not require any roles for authorisation
management; instead it couples the system's users directly with its
permissions schema.
IAM products built on LDAP can cope with such system integration
requirements and offer consolidated, clearly structured storage of the
relevant information. Defining such a scheme for a specific enterprise
would, in this case, require a technical integration project. One could
also go into the individual needs of the enterprise's IT, but given the
high degree of standardisation that Cloud services claim, it can be assumed
that the systems destined for integration should align themselves to an
IDaaS (or at any rate to an IdM-aaS delivered with a Private Cloud
approach, which would offer a few more options).
Passwords and certificates
The aforementioned core schema also makes it possible to store passwords
and user certificates.
While storing a password is essential for the functions discussed below,
the need for certificate storage depends on the requirements of the
surrounding systems. If your enterprise uses email signatures and email
encryption, you cannot do without a PKI (Public Key Infrastructure). In
that case the private keys for the asymmetric encryption algorithms could
form part of the user data held in the LDAP directory, provided they are
protected far more strictly than ordinary directory attributes.
For the remaining considerations on IAM in Cloud services, we can
fortunately make do with password storage in conjunction with the
centralised management of identities.
Secure authentication
The reason this aspect of IAM is so important in Cloud services is that
the more open access (especially to Public Cloud services) calls for a more
secure method of protecting data.
'Authentication' means nothing more and nothing less than checking
whether a given username actually belongs to the person who has just
entered it at the computer (in the application's user interface). The
means of choice for performing this check has always been the password,
which is assumed to be known only to that person.
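The two points above, password storage in the LDAP core schema and the authentication check itself, as an added example that is not from the book or any product it describes. It assumes an inetOrgPerson entry in LDIF form whose userPassword uses OpenLDAP's {SSHA} scheme and whose certificate value is a constructed placeholder; the entry, uid and password are invented sample data.

```python
import base64
import hashlib
import hmac
import os

def make_ssha(password, salt=None):
    """OpenLDAP's {SSHA} form: base64(sha1(password + salt) + salt). SHA-1 is the
    legacy scheme; new deployments should prefer a slow hash such as slapd's pw-argon2."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def check_ssha(stored, candidate):
    """Verify a candidate password against a stored {SSHA} userPassword value."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("unsupported userPassword scheme")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the salt follows it
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)  # constant-time comparison

def parse_ldif_entry(text):
    """One LDIF record -> {attribute: [values]}; '::' marks base64 (binary) values."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        is_b64 = ":: " in line
        name, _, value = line.partition(":: " if is_b64 else ": ")
        attrs.setdefault(name, []).append(base64.b64decode(value) if is_b64 else value)
    return attrs

def authenticate(entry_ldif, uid, password):
    """The check the text describes (what an LDAP simple bind does): does the
    entered username belong to the person who knows its password?"""
    entry = parse_ldif_entry(entry_ldif)
    if entry.get("uid") != [uid]:
        return False
    return any(check_ssha(v, password) for v in entry.get("userPassword", []))

# Constructed sample inetOrgPerson entry (not from the book). Fixed salt keeps the
# record reproducible; the certificate value is a placeholder, not real DER.
SAMPLE_SALT = bytes(range(8))
SAMPLE_ENTRY = "\n".join([
    "dn: uid=jdoe,ou=people,dc=example,dc=com",
    "objectClass: inetOrgPerson",
    "uid: jdoe",
    "userPassword: " + make_ssha("correct horse battery", SAMPLE_SALT),
    "userCertificate;binary:: " + base64.b64encode(b"PLACEHOLDER-NOT-A-CERT").decode(),
])
```

A real directory performs this comparison server-side during the bind, so the client never sees the stored hash; the functions here only make the stored format and the check visible.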