January 30, 2023

Getting Started with Multi-Cloud Identity Management

The first post in a series on using Workspace One Access for identity management and single sign-on in a multi-cloud world.

One of the biggest challenges that I see as I look at the multi-cloud future is identity management.

How do you keep track of your users in the cloud? How do you ensure that you’ve delegated the proper rights and permissions in each cloud that you’re using?  Most importantly, how are you ensuring that those rights get removed when your users no longer need them?

SaaS and Cloud adoption bring identity and privilege management challenges with them. In the past, IT departments have solved these challenges by integrating applications into Active Directory.  But this isn’t something we can do securely, and at scale, in a SaaS and Multi-Cloud world.

Why Identity Management is Important for Multi-Cloud

There was a time when every on-premises application handled authentication on its own. Applications didn’t delegate to enterprise IT’s source of truth(usually Active Directory) and passwords were managed on a per-application basis.  Managing users and roles meant working directly with each application individually.

Organizations faced three management challenges:

  • Providing a Consistent User Experience
  • Managing Identity Sprawl
  • Ensuring Compliance

We face these same management challenges in our multi-cloud future, not just inside of the enterprise network, but at scale, extended to third-party service providers. Leveraging multiple clouds creates a user experience issue since each cloud handles authentication differently and provides its own login experience. Identity sprawl is another challenge resulting from each new SaaS and cloud service requiring another username, password, and user roles to provision, manage, and deprovision.  Additionally, compliance issues may arise as there is no way to enforce security or access policy requirements like MFA and no central security dashboard to provide visibility into user activity.

Solving Multi-Cloud Identity Management Challenges with VMware Workspace One

Workspace One Access serves an integral part of any organization’s modern endpoint management solution by allowing organizations to manage cloud and SaaS application identities and single sign-on.

Workspace One Access is only available as part of the Workspace One suite.  The suite also Includes:

  • Workspace One UEM for device management
  • Workspace One Assist for remote assistance
  • Workspace One Intelligence for data-driven Insights and automation of managed users and devices
  • VMware Horizon for virtual desktops and published applications
  • Managed mobile productivity applications

Workspace One Access is a comprehensive identity management solution that provides a single integration point to bring together traditional identity sources like Active Directory, on-premises or SaaS-based multi-factor authentication solutions, and cloud-based services using identity federation protocols like SAML and OAUTH.

By bringing all these together, you manage users in SaaS and cloud services the same way that you would manage them for on-premises applications.  You can put them into Active Directory groups, and Workspace One will handle entitlement to federated applications based on that group membership. A user who launches that application will be signed in through SSO after any security or compliance requirements, like multi-factor authentication or connecting from specific networks, are met. When that user changes roles or leaves the organization, you can disable their access by removing them from the Active Directory group or deactivating the user account. 

Our managed applications are then presented to any entitled users through Intelligent Hub, which acts as an application catalog that consolidates all the entitled applications into a single portal. 

We can also take advantage of the full Workspace One suite to enhance security and compliance around SaaS and multi-cloud.  Managed devices can have compliance policies attached through Workspace One UEM, and application access can be denied if devices are not meeting the requirements of those policies. Workspace One Intelligence can be used to aggregate data from multiple sources and create risk scores based on user behavior, and those risk scores can be used to control access to applications.

You’re probably asking what this means for a cloud admin or developer. These types of users typically have access to multiple developer-focused SaaS services and cloud management planes, which means they have multiple accounts to maintain, URLs to keep track of, and MFA tokens to manage. 

Our cloud admin and developer experience improves when we consolidate all our services in Workspace One.  They would log into Workspace One Intelligent Hub, where they would see their entitled apps and services. They would launch the cloud portal or service by clicking on a tile, where they would gain access to the service through single sign-on. We could block access or require additional authentication, such as entering a code from their MFA token, if they were accessing this service from an untrusted device or outside of the corporate network. 

And finally, IT gets ease of management. If my developer changes to a new project, their access rights can be changed easily by changing their group memberships in Active Directory. And if IT Security has any concerns about the user’s activity, they can easily see what services that user has been accessing from a single report.

Identity Management in a Multi-Cloud World

So now that I’ve talked about the benefits of using Workspace One Access for multi-cloud Identity Management, let’s talk about what comes next. Over the next couple of months, I will dive deeper into this topic and show how we can use Workspace One to provide Identity Management for different cloud providers.

I’ll be providing some how-to guides for the following clouds:

  • Oracle Cloud
  • Google Cloud
  • Amazon Web Services
  • VMware Cloud Services Portal

While it is not listed, I didn’t forget about Azure.  Azure and Office 365 both use Azure Active Directory, and my colleagues who cover Anywhere Workspace have put together some great content on using Workspace One Access with Azure AD on the Digital Workspaces Techzone Site, and I will be pointing out their Azure Active Directory content along with some Identity management fundamentals content in a future post.

Filter Tags

Operations and Management Security VMware Multi-Cloud Services Blog Overview Design

Sean Massey

Read More from the Author

Sean Massey is a Staff Multi-Cloud Architect on the VMware Multi-Cloud Strategy and Architecture team.