Replicated Identity Providers

Replicated Identity Providers

Another identity management option is to contract with an IaaS provider to host a copy of each Windows domain controller in the cloud. You would work with the IaaS provider to replicate the domain controllers to the identity provider’s datacenter. The replicated domain controllers are responsible for storing user accounts and authenticating users when they request applications and services hosted in the cloud.

One obvious issue is how do you deal with the security implications of copying a Windows domain controller to the Public Cloud. This can be dealt with by configuring the Windows domain controllors in the Public Cloud as read-only domain controllers (RODCs). No one outside of your domain controller administrators would have rights to change the user information in the RODCs. Applications and services that follow secure programming guidelines should not experience security problems accessing Windows domain controllers hosted in the Public Cloud. If they do, it would mean that you need to investigate application code and the security infrastructure that enables it.

Some of the questions you need to ask while investigating replicated identity providers included:

  • What procedures need to be in place to update the RODCs when user accounts need to be provisioned or deprovisioned?
  • How do the hosted RODCs communicate with the original Windows domain controllers through the corporate firewall?

The Microsoft Windows Azure Platform AppFabric Access Control Service is an example of a replicated enterprise identity provider based in the public cloud.

This document is part of a collection of documents that comprise the Reference Architecture for Private Cloud document set. The Reference Architecture for Private Cloud documentation is a community collaboration project. Please feel free to edit this document to improve its quality. If you would like to be recognized for your work on improving this article, please include your name and any contact information you wish to share at the bottom of this page.


If you edit this page and would like acknowledgement of your participation in the v1 version of this document set, please include your name below:
[Enter your name here and include any contact information you would like to share]

Return to Previous Page

Return to Cloud Computing Security Architecture

Return to Reference Architecture for Private Cloud

Leave a Comment
  • Please add 7 and 2 and type the answer here:
  • Post
Wiki - Revision Comment List(Revision Comment)
Sort by: Published Date | Most Recent | Most Useful
Page 1 of 1 (3 items)
Wikis - Comment List
Sort by: Published Date | Most Recent | Most Useful
Posting comments is temporarily disabled until 10:00am PST on Saturday, December 14th. Thank you for your patience.
Page 1 of 1 (3 items)