Any solution that claims security, but moves identities and credentials off premise is a security risk.
Why aren’t customers deploying federation for access to cloud services that support federation?
- Federation is complicated and we don’t have the expertise (or want to get the expertise) to manage it.
- We want “one throat to choke” if there’s a problem. “I don’t want to call the cloud provider to have him tell me it is Microsoft’s ADFS and call Microsoft to have them tell me it is the cloud provider or some other piece of my infrastructure.”
- Password synchronization is something we already do and are comfortable with. (A variation of #1)
I think Garret’s blog post gives a good overview of why #3 above is an issue. I’ll say it can be especially concerning if it is your Active Directory password that is being synced to multiple cloud properties.
Another bit of good advice:
An enterprise needs to retain the “keys to the kingdom” by (1) Retaining the identities (2) Conducting the authentication (3) Federating the identity and (4) Logging the Access for secure cloud usage.
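To make the four points concrete, here is an added illustration (not from this post or from Garret's) that models both deployment choices side by side. It is a constructed Python simulation: the password-synchronization model pushes a hash of the directory password to each cloud property, while the federation model keeps the identity store and the authentication step on premise, hands the cloud service only a short-lived signed assertion, and logs every access at the identity provider. The HMAC signature stands in for the asymmetric XML-DSig/JWS signatures a real SAML or OIDC deployment would use, so the per-service key, user names and password are all assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

def pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted password hash used by both models (constructed, stdlib only)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# ---------- Model 1: password synchronization ----------
# The directory copies the user's password hash to every cloud property,
# so each service's datastore now contains material derived from the AD password.
class SyncedCloudService:
    def __init__(self, name: str):
        self.name = name
        self.synced = {}  # user -> (salt, hash), pushed from on-prem

    def receive_sync(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.synced[user] = (salt, pbkdf2(password, salt))

    def login(self, user: str, password: str) -> bool:
        if user not in self.synced:
            return False
        salt, expected = self.synced[user]
        return hmac.compare_digest(pbkdf2(password, salt), expected)

    def secrets_at_rest(self) -> dict:
        # What a compromise of this service's datastore would expose.
        return {u: "AD password hash (offline-guessable, reused at every synced property)"
                for u in self.synced}

# ---------- Model 2: federation ----------
# Identities and authentication stay on premise; the cloud service gets only
# a signed, audience-bound, expiring assertion and holds a verification key.
def sign_assertion(key: bytes, claims: dict) -> str:
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

class OnPremIdP:
    def __init__(self):
        self._users = {}      # user -> (salt, hash); never leaves premises
        self._sp_keys = {}    # service name -> per-service signing key
        self.access_log = []  # (timestamp, user, service, outcome): point (4), logging

    def add_user(self, user: str, password: str) -> None:          # point (1), retain identities
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, pbkdf2(password, salt))

    def register_sp(self, sp_name: str) -> bytes:
        key = secrets.token_bytes(32)
        self._sp_keys[sp_name] = key
        return key

    def authenticate(self, user: str, password: str, sp_name: str, now=None):  # point (2)
        now = time.time() if now is None else now
        rec = self._users.get(user)
        ok = rec is not None and hmac.compare_digest(pbkdf2(password, rec[0]), rec[1])
        self.access_log.append((now, user, sp_name, "success" if ok else "failure"))
        if not ok:
            return None
        # point (3), federate: assertion bound to one audience, valid five minutes
        return sign_assertion(self._sp_keys[sp_name],
                              {"sub": user, "aud": sp_name, "exp": now + 300})

class FederatedCloudService:
    def __init__(self, name: str, verify_key: bytes):
        self.name = name
        self._key = verify_key  # only key material here, no user passwords

    def accept(self, assertion: str, now=None) -> bool:
        now = time.time() if now is None else now
        try:
            body, sig = assertion.split(".")
        except ValueError:
            return False
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return False  # forged or altered assertion
        claims = json.loads(base64.urlsafe_b64decode(body))
        # Reject assertions minted for another service or already expired.
        return claims["aud"] == self.name and claims["exp"] > now

    def secrets_at_rest(self) -> dict:
        return {"verify_key": "per-service key; revocable at the IdP, useless at other services"}
```

Run it with one user and two services: an assertion issued for one service is rejected by the other and after expiry, a wrong password produces no assertion at all, and every attempt lands in the IdP's own log. Comparing `secrets_at_rest()` on the two service types is the point of the exercise: the synced service holds a copy of the directory password hash, the federated one holds nothing that helps anyone outside that single service.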
Couldn’t agree more about giving away the keys to the kingdom! And I know many companies are behind here – especially when it comes to logging & auditing.