Replicated Identity Providers

Another identity management option is to contract with an IaaS provider to host a copy of each Windows domain controller in the cloud. You would work with the IaaS provider to replicate your on-premises domain controllers to the provider's datacenter. The replicated domain controllers hold the user accounts and authenticate users when they request applications and services hosted in the cloud, so those applications do not have to reach back into the corporate network for every logon.

One obvious issue is how to deal with the security implications of copying a Windows domain controller to the Public Cloud. This can be addressed by configuring the domain controllers in the Public Cloud as read-only domain controllers (RODCs). An RODC holds a read-only copy of the directory: it accepts no writes at all, and any write attempt (including a password change) is referred to a writable domain controller on-premises, so nobody who controls the cloud-hosted server can alter user information through it. Replication is one-way and is initiated by the RODC, so the on-premises directory never pulls data from the cloud copy. Equally important, an RODC only caches the password secrets of accounts that its Password Replication Policy allows it to cache; by default no account secrets are replicated to it, privileged groups such as Domain Admins are denied, and each RODC has its own krbtgt account, so compromising the cloud-hosted server exposes at most the credentials you chose to cache there and does not yield domain-wide ticket forgery. Administration of the RODC itself can be delegated to a local administrator group so the hosting provider's operators never need domain-level rights. Applications and services that use the directory in the supported way (LDAP reads, Kerberos or NTLM authentication) work unchanged against an RODC; an application that fails against a cloud-hosted RODC is usually one that writes to the directory or is pinned to a specific writable domain controller, which means you need to investigate the application code and the security infrastructure that enables it.

Some of the questions you need to ask while investigating replicated identity providers include:

  • What procedures need to be in place when user accounts are provisioned or deprovisioned? Accounts are created and disabled on the writable domain controllers and replicate to the RODCs automatically, but the Password Replication Policy groups that decide which accounts the cloud-hosted RODCs may cache have to be maintained alongside them.
  • How do the hosted RODCs communicate with the original Windows domain controllers through the corporate firewall? The RODC initiates replication, so the firewall must allow the RODC to reach the writable domain controllers on the RPC endpoint mapper and the directory service's RPC port, plus Kerberos, LDAP and DNS, and those ports should be scoped to the specific replication partners rather than opened broadly.
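The following PowerShell is an added worked example, not code from the original article or from Microsoft's documentation. It promotes a cloud-hosted server as an RODC with a deny-by-default Password Replication Policy, pins the RPC port the RODC needs to reach the writable partner through the firewall, and then audits which account secrets the RODC has actually cached. The domain name corp.example, the server, site and group names, the replication partner DC01, the port number 50000 and the credential account names are all placeholders chosen for the example.

```powershell
# Added example (not from the original article). All names are placeholders.
# Run the promotion on the cloud VM; run the policy/audit commands from any
# machine with the ActiveDirectory RSAT module and rights over the RODC object.

Import-Module ADDSDeployment      # Install-ADDSDomainController
Import-Module ActiveDirectory     # *-ADDomainControllerPasswordReplicationPolicy*

$domain = 'corp.example'          # placeholder domain
$rodc   = 'RODC-CLOUD01'          # placeholder name of the cloud-hosted RODC
$site   = 'CloudSite'             # AD site created for the provider's datacenter
$srcDC  = "DC01.$domain"          # placeholder writable DC the RODC replicates from

# 1. Promote the cloud VM as a read-only replica.
#    - AllowPasswordReplicationAccountName: only the group of users who sign in
#      to cloud-hosted applications may have secrets cached on this RODC.
#    - DenyPasswordReplicationAccountName: privileged and Tier-0 service accounts
#      are never cached, so a compromised cloud server cannot yield them.
#    - DelegatedAdministratorAccountName: the provider's operators get local
#      admin on the RODC without holding any domain-level rights.
#    - ReplicationSourceDC pins the partner so the firewall rule can be scoped.
Install-ADDSDomainController `
    -DomainName $domain `
    -ReadOnlyReplica `
    -SiteName $site `
    -ReplicationSourceDC $srcDC `
    -InstallDns `
    -DelegatedAdministratorAccountName "$domain\RODC-Cloud-Admins" `
    -AllowPasswordReplicationAccountName @("$domain\Cloud-App-Users") `
    -DenyPasswordReplicationAccountName @(
        "$domain\Domain Admins",
        "$domain\Enterprise Admins",
        "$domain\Tier0-Service-Accounts") `
    -Credential (Get-Credential "$domain\rodc-promote") `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')

# 2. On each writable DC the RODC replicates from (here DC01), pin the NTDS
#    RPC port so the corporate firewall can allow TCP 135 plus one static port
#    from the RODC's address instead of the whole dynamic RPC range.
#    Requires a reboot of DC01; SYSVOL replication via DFSR has its own static
#    port setting (dfsrdiag StaticRPC) that would be pinned the same way.
Invoke-Command -ComputerName $srcDC -ScriptBlock {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                     -Name 'TCP/IP Port' -Value 50000 -Type DWord   # 50000 is a placeholder
}

# 3. Day-to-day policy maintenance without re-promoting: when a new service
#    account is provisioned, deny it explicitly rather than relying on defaults.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc `
    -DeniedList "$domain\svc-backup"                                  # placeholder account

# 4. Review the effective policy and, more importantly, what the RODC has
#    actually cached. Any privileged account in the RevealedAccounts list means
#    its secret has been exposed to the cloud copy and should be reset.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object SamAccountName, DistinguishedName
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object SamAccountName, DistinguishedName
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object SamAccountName, DistinguishedName
```

The cmdlets used (Install-ADDSDomainController, Add-/Get-ADDomainControllerPasswordReplicationPolicy, Get-ADDomainControllerPasswordReplicationPolicyUsage) are the standard ones from the ADDSDeployment and ActiveDirectory modules; the group names, the chosen port and the partner DC are assumptions you would replace with your own. Scheduling step 4 as a recurring check is the practical answer to the provisioning question above: the directory replicates new and disabled accounts on its own, but only this audit tells you whether the cloud-hosted RODC has cached something it should not have.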

The Microsoft Windows Azure Platform AppFabric Access Control Service is often mentioned alongside this option, but it is a cloud-hosted claims-based token service that federates with an enterprise identity provider such as AD FS rather than holding a replicated copy of your domain controllers; it therefore belongs with the federated identity options, not with replicated identity providers.


Note:
This document is part of a collection of documents that comprise the Reference Architecture for Private Cloud document set. The Reference Architecture for Private Cloud documentation is a community collaboration project. Please feel free to edit this document to improve its quality. If you would like to be recognized for your work on improving this article, please include your name and any contact information you wish to share at the bottom of this page.


