How is the cloud different? Depends on service scope/intent – Concur (auth only) versus Box...

Upload: pamela-gordon

Post on 05-Jan-2016

How is the cloud different?
• Depends on service scope/intent
  – Concur (auth only) versus Box (collaboration/storage)
• Existing Identity Management compromises persist
  – Limited independent leverage
• Consumer-centric
  – Enterprise administrative controls can lag behind

Identity In the Cloud?
• Goal:
  – Campus-hosted system of record for entitled/active services
  – End-user self-provisioning for all services
• Requires:
  – Vendor-provided user-management APIs
  – Disabling cloud-based identity management tools
    • Password change, account name change, etc.
  – Institution/cloud reconciliation
  – Automated de-provisioning of cloud accounts
• Results in:
  – Institution is not dependent on cloud providers to know which services affiliates are provisioned for
  – Attestation capability
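
The institution/cloud reconciliation and automated de-provisioning steps above, as an added sketch that is not part of the original slides. The record layouts, the "external_id" link field and all sample values are constructed assumptions; a real vendor API will differ.

```python
# Constructed sample data. The keys ("u1001", ...) are hypothetical stable
# campus identifiers assigned by the institution; they are not email addresses.
CAMPUS = {  # campus-hosted system of record (authoritative)
    "u1001": {"active": True,  "services": {"box", "concur"}},
    "u1002": {"active": True,  "services": {"box"}},
    "u1003": {"active": False, "services": set()},  # affiliate who has left
}

# Constructed stand-in for what a vendor user-management API might return.
CLOUD_BOX = [
    {"external_id": "u1001", "login": "alice@example.edu", "status": "active"},
    {"external_id": "u1003", "login": "carol@alumni.example.edu", "status": "active"},
    {"external_id": None, "login": "dave@example.edu", "status": "active"},
]


def entitled(campus, campus_id, service):
    """True only if the system of record says this person may use the service."""
    person = campus.get(campus_id)
    return bool(person and person["active"] and service in person["services"])


def reconcile(service, campus, cloud_accounts):
    """Compare one service's cloud accounts against the campus record."""
    plan = {"ok": [], "provision": [], "deprovision": [], "unmatched": []}
    linked = set()
    for acct in cloud_accounts:
        if acct["status"] != "active":
            continue  # already disabled on the vendor side
        cid = acct["external_id"]
        if cid not in campus:
            # No link to a campus identity: report it for clean-up rather
            # than guessing an owner from the login or email address.
            plan["unmatched"].append(acct["login"])
        elif entitled(campus, cid, service):
            plan["ok"].append(cid)
            linked.add(cid)
        else:
            plan["deprovision"].append(cid)  # cloud access outlived entitlement
    for cid in campus:
        if entitled(campus, cid, service) and cid not in linked:
            plan["provision"].append(cid)  # entitled but no cloud account yet
    return {action: sorted(ids) for action, ids in plan.items()}


if __name__ == "__main__":
    for action, ids in reconcile("box", CAMPUS, CLOUD_BOX).items():
        print(f"{action:12} {ids}")
```

The "ok" list is what the institution can attest to from its own records; "deprovision" and "unmatched" are the accounts the vendor still holds open without a matching campus entitlement.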

How Can You Help?
• Spread the message:
  – Federated authentication
    • Institutions should manage credentials – not cloud providers
    • Continue to push vendors in this direction
  – Account Name does not equal Email Address
    • All our users have multiple institutional email addresses
  – We need role-based security
    • User-centric controls are insufficient for a managed service

Biggest Challenges
• Identity Management compromises in favor of end-user features
  – Vendor maturity
  – Revoking campus credentials may not revoke access
• Identity clean up for consumer-centric services
• Affinities
  – No elegant solution for groups
• Define the horizon