Don’t Put All Your Eggs In One Cloud Identity Basket
I had the privilege of providing the keynote session at the inaugural Hybrid Cloud Identity Protection Conference (http://www.hipconf.com) in New York City last week, and it was gratifying to confer, converse, and otherwise hob-nob with my fellow hybrid cloud identity wizards. Many thanks to Mickey, Darren, Meytal, and the rest of team at Semperis (http://www.semperis.com) for hosting the event and inviting me to participate.
My talk was titled “Modernizing the Enterprise Identity Platform” and I discussed why Microsoft’s Active Directory has been so successful, and what we can learn from it (both pros and cons) to define a modern cloud-based enterprise identity platform. It was a bit of wish list, but also happens to be the outline that has guided us in the development of Cobalt, ViewDS’s cloud identity platform.
One of the core architectural features I described was the ability to run cooperating components of your cloud identity platform across multiple cloud environments, in your corporate data center running something like Microsoft’s Azure Stack, in a hosted or managed cloud environment running (for instance) OpenStack, as well as in the Amazon and Azure public cloud environments. The advantages to this approach are pretty clear: you avoid being locked-in to a particular cloud vendor for your identity services, you get better latency characteristics, and most importantly, you avoid having all your applications fail because one cloud environment suffers an outage.
Make no mistake, Amazon and Microsoft run very reliable IaaS services, but in practice it still only amounts to something like “three nines”, or roughly 8.5 hours of unscheduled downtime a year. It doesn’t seem like much, but that kind of outage can cause significant disruption to your business if it occurs at the wrong time. And wouldn’t you know it, the morning after my talk, Azure Active Directory became unavailable in the north central US region for about 90 minutes due to network reconfiguration making it impossible for other presenters to do their live demos. The outage nicely underscored my message that putting all your identity eggs in one cloud provider’s basket is not necessarily the best approach.