Confronting the Challenge of User and Access Management In the Cloud

cloud access management struggle

Addressing the Challenges of Authentication and Account Management For Cloud-Based Applications Is Easier Said Than Done

As the cloud continues to expand within the commercial world and cloud services such as Google Apps, GoToMeeting, and Office 365 being widely deployed, working with cloud applications have user and access management consequences that need to be addressed.

Controlling who has access to specific applications and the corresponding data is even more complicated with cloud applications than with a typical office intranet. Providers of cloud solutions give little priority to developing better management of user accounts and access rights in their applications; they are more occupied with developing new, business-oriented features.

Consequently, user and access management in cloud applications entails a number of challenges such as:

1. Single Authentication

Active Directory is the central link in the chain for user access to applications and systems. The traditional LAN-based applications often have specific integration, such as LDAP, with the central user account directory. Working with cloud applications means more authentication sources. In addition to the corporate Active Directory network log-in, users also need to remember their credentials for each cloud application utilized.

There are only a few possibilities for synchronizing user accounts between both authentication sources, (like AD Federation Services from Microsoft and the SAML standard). In this manner, end-users can log in transparently to the cloud applications. However, Federation is not a replacement for provisioning and basic user account management. Maintaining roles within a cloud application and linking accounts to central authentication remains an important task with which access to specific data is regulated.

A single-sign-on (SSO) solution for the cloud would help in this situation. Vendors that offer SSO for cloud base the credentials on those that already exist in Active Directory. This allows the user to log in to all of their cloud applications with just their AD credentials.

2. Manual Actions

Providers who do not support Federation, such as many providers of e-learning environments and HR systems, frequently offer a web-browser that managers can use to control access to the cloud application directly. However, there is no automatic provisioning and this necessitates a sequence of manual operations. This process is time consuming and error prone. Also, when it’s possible to import a basic CSV file into the cloud application, it still requires manual intervention by the application manager. This can result in a lot of unnecessary work.

For example, consider the procedure required when an employee leaves the organization. This procedure often occurs in phases: first the user log-in is removed, then the account is removed, data transferred to a different user, and, finally, an email notification is sent to the manager. All these phases require a separate manual operation for user management in the cloud application. In this case, an automated account management solution would assist in the process. A solution such as this would synchronize user accounts via the HR system, so that any changes made in HR, such as disabling a user would automatically be synchronized to all connected accounts in all applications.

3. Naming and Password Conventions

Conventions governing naming standards and passwords are often inconsistent between network and cloud applications. In the network, a user ID might be based on the log-in name, and in the cloud it might be the email address. This complicates exchanging user account details between the environments, and, in many cases, differences also apply to password conventions.

When extremely complex passwords are required in the corporate network, cloud applications might not be able to handle this type of password. The possibility also exists that the cloud application requires a different duration for password expiration than within the corporate network. Synchronizing passwords between the network and cloud applications can be exceedingly difficult.  In this case, automated solutions can be helpful as they can enforce a standard naming convention across all applications while allowing for uniqueness when more than one employee has the same name.

An enterprise SSO solution can mitigate the password complexity issues by “remembering” the user’s password and providing it automatically each time the user logs into the application. Further, an SSO application can also routinely reset the password in the background, or prompt the user to do so, when expiration occurs.

4. Organizational Structure

The reporting hierarchy structure within an organization is often utilized to assign authorizations to employees based on their role or position, commonly referred to as role-based access control (RBAC). Within the corporate network, this structure is contained in an HR system or within Active Directory.

Cloud applications normally cannot translate this organizational structure, and the web-based provisioning functionality they offer does not offer a robust method for incorporating this level of detail. Naturally, it is possible to transfer the entire organizational structure to the cloud application, but this requires an enormous volume of management activity when something in the hierarchy changes.

RBAC in an automated account management solution can assist with this issue. It allows access to various components of the cloud applications to be based on the end user’s organizational role. In this way access will be controlled on the basis of the department or title in the HR system.

5. Bulk actions

Performing bulk actions in cloud applications is occasionally rejected by the application. Consider, for example, schools that want to create a thousand user accounts for students in a cloud application, such as an e-learning system. Some cloud applications that impose restrictions on the number of actions that can be carried out in one pass or require that no management activities are undertaken during working hours to prevent overloads on their network.

A robust provisioning application can adhere to the processing rules imposed by cloud applications by breaking up the number of requests to be processed in one connection and/or limiting the execution to specific time-frames.


Working with cloud applications generally means that organizations no longer have user and access management in their own hands, and that the rules and service level agreements of the cloud applications apply. User and access management are of secondary importance to business requirements. If it is requisite for an organization to have control of user and access management, there are third-party developers that provide software solutions to ease the transition to cloud-based applications.

Image: iStockphoto

About The Author

Dean Wiech is managing director at Tools4ever. Tools4ever supplies a variety of software products and integrated consultancy services involving identity management, such as user provisioning, role-based access control, password management, single sign-on and access management, serving more than five million user accounts worldwide.