There's a thunderbolt of change coming in cloud-based identity management, with new possibilities for single sign-on (SSO) and provisioning through cloud-based services.

Symantec and VMware are separately working on their own approaches to cloud-based SSO and identity management, Symantec with its "Project Ozone" and VMware with "Project Horizon."

While discussed at VMworld recently, Project Horizon still seems to be exactly that, on the horizon. There's a little more light being shed on Symantec's Project Ozone, which now has officially been given the product name "O3."

Expected to debut next year, O3 will be a way that information technology managers can exert policy-based access control for employees whether they have mobile devices or traditional computers. The O3 service will grant the managers access to any authorized cloud-based service or network, while this access record is maintained for audit and compliance purposes. O3 will be the central point for provisioning and de-provisioning of user access privileges based on a wide range of authentication methods, from a simple password to stronger means, such as two-factor tokens.

With cloud-based SSO, Symantec will be following where others, in their own approaches, have gone before, including Hitachi, Symplified, Okta, IBM Tivoli, Courion and Ping Identity. It's still a nascent market, ripe with the expectation that IT managers will need cloud-based provisioning of users in a world of cloud-based applications.

"It's targeted as a security service," says Rob Koeten, senior technical director for O3, which he calls a "security layer" to encompass employee mobile devices or PCs. Essentially, O3 calls for funneling traffic through a proxy-like service and gateway associated with identity.
For enterprise use, O3 could exert granular control over exactly how a sales employee could use the Salesforce software as a service, for example, says Koeten. When it debuts next year, which is Symantec's goal, O3 will support the top 200 cloud-based services, he says.

Like Symantec, VMware has long been eyeing cloud-based identity management. With its Project Horizon ballyhooed for more than a year, VMware is nurturing its aspirations without tipping its hand too much. (Coincidentally, Symantec CEO Enrique Salem alluded to O3 during his keynote at this February's RSA Conference, on the same day RSA president Art Coviello was touting Project Horizon, in which he said RSA is working with VMware on compliance-based security for cloud-based services.)

Project Horizon is still largely a vision statement made in 2010 with no specific delivery date. But VMware CEO Paul Maritz highlighted the ongoing development in his recent VMworld keynote address, saying Project Horizon is "a set of technologies" that will offer "the ability to associate information to people, not devices."
Using cloud-based identity management, it will be possible to control user access to applications, including where they may be downloaded, such as to Android devices, something VMware demoed at the show.

"One of its services is authentication and directory federation" that's aimed at the SaaS-based environment, Maritz said about Project Horizon in a press briefing, noting VMware gained some foundational SSO and access management technology through its acquisition last year of TriCipher.

Today, it's mainly the smaller industry players, such as Okta, Ping Identity and Symplified, that are showing that enterprise customers will adopt new modes of cloud-based single sign-on for the cloud-based services they use.

Amag Pharmaceuticals, for example, which is using the Okta service for identity management, relies on it as the linchpin for provisioning and de-provisioning of a wide variety of SaaS applications.

"All the conduits sit at Okta," said Nathan McBride, executive director for IT at the Lexington, Mass.-based company. "The user authenticates to Okta." At the same time, McBride says he doesn't worry about lock-in since it would be easy to simply switch from one cloud-based SSO service to another, if need be. "If we left Okta tomorrow, I'd just cancel my service," he says.