We're going to go on to section six and we're going to talk about the integration of third-part identity services. So managing user accounts with a cloud-based application and a directory solution, we have a couple of different examples that we're going to explore. It is possible to manage user access to cloud computing resources in house, but the architecture must take integration complexity and management costs into account. Most organizations find that these inconveniences outweigh the benefits. For many the same reasons including on-demand self-service, elasticity, broad network access, reduction in capital expenditures, and so on, companies adopt cloud computing services instead of in-house services. And they also leverage third-party cloud services to manage identity and access across the enterprise.

A practical example of the challenges faced by the security architect in this area can be illustrated by examining any of the cloud service directory providers that offer services to the enterprise. For example, Microsoft, Amazon, and Oracle. Now, the first thing we need is a basic working definition of what a directory service is and what it provides the capability to do. So we're going to look at three different examples of how this is done.

When it comes to cloud identity, users are created and managed in the Office 365 implementation and are stored in the Windows Azure Active Directory instance. Now, there is no connection to any other directory. And what this means is is that the cloud identity has no integration requirements and each user is created once in the cloud and the account exists only in the Windows Azure Active Directory.

A second example is the directory synchronization where users are created and managed in an on-premise identity provider's software and are synchronized to Windows Azure Active Directory where they can be used for login to Office 365. Now, this directory synchronization uses an existing on-premise directory and synchronizes it to the Windows Azure Active Directory instance. Synchronization, of course, means that the accounts are managed on-premise and properties cannot be edited through the Office 365 cloud interface.

A third form is federated identity. In addition to directory synchronization, login requests are handled by the on-premises identity provider. The federated identity is usually used to implement a single form of single sign-on. Now, the federation provides for a user to be signed in using the federated identity for the passwords check. Directory synchronization is also required as a prerequisite in order to populate the cloud-based directory.

Now the security token service providers that you see listed on this slide represent a great deal of the market for this kind of service. Because these represent vendors of products, vendors specifically will not be on the examination. But these represent the majority of those providing the service and it shows just how much interest there is in this particular service being offered in the cloud.

So let's take a look at the Amazon example. Looking at this, we have the Amazon Identity and Access Management service. The service supports Amazon, Facebook, and Google identity federation which allows these to grant temporary authorization to people using these services. All the server-side code is managed without long term credentials for the app. The service introduces a new AWS Security Token Service API that allows for temporary security credentials for customers who had been authenticated by amazon.com, Facebook, or Google. According to the AWS blog, the app can then be used to provide temporary security credentials to access AWS services such as Amazon Simple Storage service, or S3, DynamoDB Tables, or Amazon Simple Service Queues. This, of course, is simply one example of one vendor that offers this particular type of service.

Another example is a public service provided by the Australian government. Because of the nature of the island continent of Australia, it has a very widely dispersed population with a great deal of infrastructure on its coast, but not much through the center. This means that the government is out of direct touch with a great portion of its population on opposite sides of the island. So the Australian government has made investment into technology to make sure that the island's population is properly and continuously connected for both news and other kinds of programmatic information for the population. They're minimizing investment in new authentication infrastructure and maximizing ease of use by reducing the number of authentication credentials required to access these services for the population of their country.