Talkin’ ’bout AWS and Identity

By Mark Diodati | March 02, 2017

OpenID Connect, OAuth, IAM, Federation, Cloud, Authentication

Amazon Web Services is an amazing platform. It makes impossible computing challenges, well, possible. It is one of only two “up and right quadrant” providers in Gartner’s IaaS Magic Quadrant—and is farthest up by a country mile. Amazon broke out AWS’ revenue for the first time last year and it was a whopping $6B. This year, revenue is expected to double.

AWS’ growth can be attributed to two factors. First, organizations are accelerating the migration of workloads to the cloud, and AWS is experiencing the most success in riding the migration tsunami. Second, AWS has introduced services at a blistering pace. The current number of AWS services is over 90, and the number of services has grown over 400% since 2012.

AWS’ rapid service expansion has resulted in technical debt with regard to identity management. Instead of leveraging its core IAM for new services, AWS added new user types, along with new authentication and access methods, to bring these services to market more quickly. This type of expansion is analogous to building additional rooms onto a house, and then installing individual heating and plumbing systems for each room. The proliferation of user types, access methods and authentication methods is a major challenge because of the complexity it creates.

This illustration hints at the complexity within the AWS identity environment. There are eight different user types, each with different identity directories. Some of the identity directories aren’t available to AWS. And for the most part, these user types have different authentication, credentialing and management processes.

[Figure: AWS User Types]

Why care about IaaS identity management? Identity is becoming more important as more workloads migrate to IaaS. IaaS platforms are becoming the “go to” platform for attack, because they are loaded with services, data, applications—and privileged users. If you can’t get comfortable with the identity capabilities of the platform, how can you protect sensitive data and prevent denial of service attacks? And how can you confidently stand before your auditors, the compliance group—and the executive team?

A few days ago, we published new research on the intersection of AWS and identity (subscription required). At 48 pages, it covers a lot of ground—from Active Directory virtualization to OpenID Connect, to the latest exciting services like AWS Organizations and Cloud Directory. So far, the feedback from our clients and industry folks has been encouraging.

If you read the research, I’d be grateful for your feedback. Do you agree with the analysis? What type of AWS identity challenges is your organization experiencing?

Relevant Research

Implementing an Identity Strategy for Amazon Web Services
