Seite 88 - Cloud Migration Version 2012 english

88 
resulted in ID services in the Cloud, which can be enterprise‐compliant as 
soon as the in‐house LDAP, for instance, is used as the ID provider.
40
Whether an enterprise uses a centralised access control service (which 
outsources the authentication function or performs it itself) or its own 
Cloud‐based or in‐house authentication centre, it will require either one or 
the other in order to achieve single sign‐on capability and thus a high degree 
of service usability. If the user is authenticated one time per session only, 
access control must contain this information and furnish it when prompted 
by an application, without the user being prompted to log in again (either as 
a user token or suitable prompting interface, which the application itself will 
still need to implement). 
Federation 
Today, Cloud services come complete with their own authentication and 
authorisation systems. Secure access to services has become something that 
everyone expects of their Cloud providers. Yet apart from single sign‐on, the 
transparent use of an enterprise's own employee data still has a long way to 
go. The magic words in this case are “directory services federation”. 
As federation generally requires open access (at least for outgoing 
connections) to its directory, an enterprise needs to have a lot of trust in the 
Cloud provider. 
This access can, however, be limited to dedicated, special‐purpose 
connections by setting up a proper service for secure access control; this will 
generally reduce the chances of the user data being compromised. Only 
time will tell which will win in the end: convenient reuse of carefully 
managed enterprise data or 'safety first' at the expense of easier access for 
users of enterprise Cloud services. 
40
Cf. Microsoft Windows Azure Access Control Service:
us/library/hh446535.aspx