There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy. – Hamlet, Hamlet to Horatio
At Las Vegas TechEd 2017, the topic of cloud computing was center stage. For the enterprise and the SAP landscape, there is a stream of new cloud products and services which have moved beyond the initial concepts of big data, Business to Business, and Relationship Management to Security and IT Governance. If there is one thing that I have encountered in my recent experiences with cloud technologies, it is that a pure cloud model doesn’t make sense yet. My belief is that most organizations will require that vendors and consultants include a hybrid strategy when presenting a cloud solution.
I believe there are a number of reasons that factor into the decision to implement a hybrid architecture where the cloud is involved.
- Latency – Some applications still rely on fast network communications or guaranteed connectivity. Keeping those operations under local control gives the enterprise more control over these factors.
- Flexibility – When cloud environments are involved, the enterprise can lose significant levels of control. Everything from Operating System / patching control to access levels for users comes under the Cloud Vendor’s control. Not to say that there aren’t good reasons for this, but it can hurt the enterprise’s ability to meet changing needs.
- Compliance – As mentioned above it is not always easy to get specific access and information in a cloud environment, particularly from some hosted back end or middleware systems that are not directly managed by the enterprise, but are required for operations.
- There are still on-premise applications – The reality is that not all essential applications are cloud based yet, and local tools work better with local applications, the Enterprise Directory, the Support System, and systems that have not been or will not be migrated to comparable cloud platforms.
- Control – I have observed when there is a significant incident affecting performance or availability, senior management prefers to have their people hands on looking into the issue rather than simply contacting the service provider to have them look into the problem. This is not to say that the service provider is not interested or motivated to solve your issue, but they are triaging incoming incidents and must consider factors such as a higher level support plan, number of affected users, or continuing issues. This can all get in the way of your organization’s support needs as the cloud vendor works according to its SLAs.
So, all of this being said, my belief is that we should consider implementing applications in a hybrid configuration. In this blog we will discuss how this could be done with SAP Identity Management (SAP IDM).
In my mind, there are two methods that we should consider:
- Direct connection from the on-premise SAP IDM system to the cloud. SAP IDM 8.0 offers the standard SCIM connector for provisioning to cloud sources. This connector, offered as an SAP IDM 8.0 package, provides full support for provisioning to the cloud. There appears to be some decent documentation here for setting up the connector and the mapping between IDM and a typical SCIM connection. However, the drawback here would seem to be that the connection is not specific to a cloud based system, and is generic in nature. This means more work might need to be done when considering implementation best practices, and additional customization could be necessary. Additionally, there would need to be a separate task for updating the cloud authoritative source system (e.g., SAP HANA, Microsoft Azure, etc.), which would not be well aligned with having a true hybrid system.
- The other way to do this would be to create a connection between SAP IDM and the SAP Cloud Platform Identity Provisioning service. In this model we have a clear demarcation between the two environments which allows like systems to work with like systems. Any transformations that need to occur when moving the on-prem account information to the cloud would be handled by SAP Cloud Identity. Integration between the two environments would be accomplished by using SCIM as noted above or SAP Virtual Directory to create a virtualized LDAP representation of IDM’s Identity Store for consumption by Cloud Identity. For IDM 8.0 and later implementations, SCIM is the best practice methodology for most use cases. If there is a need to integrate an IDM 7.2 implementation before upgrades can occur, SCIM is not supported and VDS will be your only option.
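Both options above rely on SCIM as the wire format between the on-premise identity store and the cloud side. The following is an added example (not SAP IDM's connector code, nor anything from the SAP Cloud Platform Identity Provisioning service) that shows what that mapping and the resulting provisioning requests look like: an on-prem account record is translated into a SCIM 2.0 User resource (RFC 7643), validated against the attributes a target will insist on, and wrapped in the HTTPS request a connector would send; deprovisioning is expressed as a PatchOp that sets `active` to false rather than deleting the account, so the audit trail survives. The `OnPremAccount` fields (`mskeyvalue`, `department`, and so on), the endpoint `https://scim.example.invalid`, and the `SCIM_TOKEN` environment variable are assumptions for the illustration.

```python
"""Map an on-premise identity record to a SCIM 2.0 User and build the
provisioning / deprovisioning requests a connector would send.
Added example; not SAP IDM's own code. On-prem attribute names are assumed;
SCIM attribute and schema names follow RFC 7643 / RFC 7644."""
import json
import os
import urllib.request
from dataclasses import dataclass

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


@dataclass
class OnPremAccount:
    """Constructed stand-in for an identity-store entry (attribute names assumed)."""
    mskeyvalue: str      # unique key of the entry in the on-prem store
    first_name: str
    last_name: str
    email: str
    department: str
    enabled: bool


def to_scim_user(acct: OnPremAccount) -> dict:
    """Translate the on-prem record into a SCIM User resource.
    externalId carries the on-prem key so later updates correlate on a stable
    identifier instead of on the (changeable) e-mail address."""
    email = acct.email.strip().lower()
    return {
        "schemas": [SCIM_USER, SCIM_ENTERPRISE],
        "externalId": acct.mskeyvalue,
        "userName": email,
        "name": {"givenName": acct.first_name, "familyName": acct.last_name},
        "emails": [{"value": email, "primary": True}],
        "active": acct.enabled,
        SCIM_ENTERPRISE: {"department": acct.department},
    }


def validate_scim_user(doc: dict) -> list:
    """Return the problems a SCIM target would reject the resource for;
    an empty list means the document is acceptable."""
    problems = []
    if SCIM_USER not in doc.get("schemas", []):
        problems.append("missing core User schema")
    if not doc.get("userName"):
        problems.append("userName is required")
    if not isinstance(doc.get("active"), bool):
        problems.append("active must be a boolean")
    return problems


def deactivate_patch() -> dict:
    """PatchOp that disables the cloud account (the account stays for audit)."""
    return {
        "schemas": [SCIM_PATCH],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }


def build_request(base_url: str, path: str, method: str, body: dict, token: str):
    """Assemble the HTTPS request the connector would send. The bearer token is
    supplied by the caller (read from a secret store, never hard-coded) and the
    endpoint is refused unless it is HTTPS."""
    if not base_url.startswith("https://"):
        raise ValueError("SCIM endpoint must be HTTPS")
    data = json.dumps(body).encode("utf-8")
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method)
    req.add_header("Content-Type", "application/scim+json")
    req.add_header("Accept", "application/scim+json")
    req.add_header("Authorization", "Bearer " + token)
    return req


if __name__ == "__main__":
    # Constructed sample record; nothing is sent over the network here.
    acct = OnPremAccount("MSKEY-1001", "Ada", "Lovelace",
                         "Ada.Lovelace@example.com", "Engineering", True)
    user = to_scim_user(acct)
    assert validate_scim_user(user) == []
    token = os.environ.get("SCIM_TOKEN", "placeholder-token")  # assumed variable
    create = build_request("https://scim.example.invalid", "/Users", "POST", user, token)
    disable = build_request("https://scim.example.invalid", "/Users/{id}", "PATCH",
                            deactivate_patch(), token)
    print(create.get_method(), create.full_url)
    print(disable.get_method(), disable.full_url)
    print(json.dumps(user, indent=2))
```

The same resource shape works whether the target is a generic SCIM endpoint (the first option) or the Identity Provisioning service (the second); what changes between the two is only where the transformation rules live, on the IDM side or in the cloud service.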
As with all architectural considerations for IT in general and IT Security in particular, there are many factors to be considered regarding on-premise vs. cloud options for your organization. The adoption of a hybrid architecture, where on-premise and cloud based systems mix, appears to be the best solution at present. Hybrid models can represent an intermediate step in pursuing an all-cloud infrastructure, or a solid compromise between on-premise and cloud based needs.
When considering Security and Identity Management solutions, this architecture helps to provide control, compliance, and compatibility with essential applications. How this will change over the next months and years will be anyone’s guess as new technologies and methodologies take hold in Information Technology and related security fields.
I would also like to thank the people who assisted in the research and editing of this document. You know who you are. =) Any errors remain my own.