Another identity management option is to contract with an IaaS provider to host a copy of each Windows domain controller in the cloud. You would work with the IaaS provider to replicate the domain controllers to the identity provider’s datacenter. The replicated domain controllers are responsible for storing user accounts and authenticating users when they request applications and services hosted in the cloud.

One obvious issue is how to deal with the security implications of copying a Windows domain controller to the public cloud. You can address this by configuring the Windows domain controllers in the public cloud as read-only domain controllers (RODCs). No one other than your domain controller administrators would have rights to change the user information in the RODCs. Applications and services that follow secure programming guidelines should not experience security problems accessing Windows domain controllers hosted in the public cloud. If they do, you need to investigate the application code and the security infrastructure that enables it.
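One way to verify that the cloud-hosted copies really are read-only, as an added example that is not part of the original document set: the script assumes the ActiveDirectory PowerShell module and a hypothetical AD site named `Cloud-IaaS` that contains the hosted domain controllers. It goes one step beyond the text by also listing which account passwords each RODC is allowed to cache and which it has already cached, since those are the credentials that actually reside at the provider.

```powershell
# Added example: audit the domain controllers hosted at the IaaS provider.
# Assumption: they all live in one AD site; 'Cloud-IaaS' is a hypothetical name.
Import-Module ActiveDirectory

function Get-CloudDomainControllerAudit {
    param(
        [Parameter(Mandatory)][string]$SiteName
    )

    # Enumerate every DC, then keep only those in the cloud site.
    $cloudDcs = Get-ADDomainController -Filter * |
        Where-Object { $_.Site -eq $SiteName }

    foreach ($dc in $cloudDcs) {
        $allowed  = @()
        $revealed = @()

        if ($dc.IsReadOnly) {
            # Principals whose passwords this RODC is permitted to cache.
            $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy `
                -Identity $dc -Allowed)
            # Accounts whose passwords are already stored on this RODC.
            $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage `
                -Identity $dc -RevealedAccounts)
        }

        [pscustomobject]@{
            HostName         = $dc.HostName
            Site             = $dc.Site
            IsReadOnly       = $dc.IsReadOnly
            # A writable DC in the cloud site contradicts the RODC design.
            Finding          = if ($dc.IsReadOnly) { 'OK' } else { 'WRITABLE DC IN CLOUD SITE' }
            AllowedToCache   = ($allowed.SamAccountName  -join ', ')
            CachedOnThisRodc = ($revealed.SamAccountName -join ', ')
        }
    }
}

Get-CloudDomainControllerAudit -SiteName 'Cloud-IaaS' | Format-List
```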

Some of the questions you need to ask while investigating replicated identity providers include:

  • What procedures need to be in place to update the RODCs when user accounts need to be provisioned or deprovisioned?
  • How do the hosted RODCs communicate with the original Windows domain controllers through the corporate firewall?

The Microsoft Windows Azure Platform AppFabric Access Control Service is an example of a replicated enterprise identity provider based in the public cloud.

This document is part of a collection of documents that comprise the Reference Architecture for Private Cloud document set. The Reference Architecture for Private Cloud documentation is a community collaboration project.