Enveloping the Cloud in Your IAM Cocoon
More and more organizations are adopting cloud computing due to economic pressures, increasingly mobile workforces that require data access from anywhere, and other well-known reasons. As AMD recently pointed out in their global study on the matter, the primary concern adopters have is security, as they depicted in a handy infographic. Security for the cloud has been the major critique since its inception. Due to the many successful uses of this new computing paradigm, even the skeptics are starting to change their tune.
As Richard Walters pointed out in his recent article on The Data Chain, "Extending security policy enforcement, access control and auditing is the best route to enabling BYOD and SaaS." I completely agree that organizations need to extend existing IAM procedures and infrastructure to encompass new cloud services in order to secure them. I presented on this very idea over a year ago for one of our partners, Ping Identity. As I said then, an important prerequisite to being able to expand entitlement management and audit solutions to the cloud is the extension of the other key components of identity management, namely authentication, federation, and provisioning. The combined use of all aspects of Identity and Access Management (IAM) helps address many of the security issues with cloud computing and mobile computing.
To see how this cocoon can be spun around the cloud, let me describe how existing IAM capabilities can be used within this new form of computing.
Organizations invariably store their employee and other user accounts in some sort of identity repository. This is often Active Directory (AD) but can also be some other type of LDAP directory, a database, or, increasingly, an Identity Management as a Service (IdMaaS) provider like Windows Azure Active Directory (WAAD) or Google Apps. Users identify themselves by authenticating with a credential that is compared with what's stored in that repository. This answers the first important question, who someone is, but it confirms the user's identity only in their primary security domain. Cloud providers are practically never in this same realm as their consumer, however, so the user identities need to be propagated to the security domain in the cloud. To do this, Web SSO to the partner can be used to securely extend the identity data to the sky. In some use cases it works to do this during SSO (just-in-time, from the attributes carried in the SSO assertion), but, other times, cloud consumers need to pre-provision the account with the provider.
By projecting identities into the cloud in these ways, organizations can reuse the answer to the initial question of who someone is when answering the more interesting one of what someone is allowed to do. To come up with this follow-on answer to the authorization question, as Walters and I previously explained, the centrally defined access control policies need to be enforced by the cloud service provider. Most SaaS vendors don't support this today, unfortunately. Instead they require administrators to log in to a back end and configure access rules which will apply to their users. This suboptimal situation is changing, however. With the advent of SCIM, the JSON profile for XACML, and other emerging protocols, cloud adopters will soon have a standards-based way to define user accounts, groups, and authorization rules in one place and provision them to various cloud providers.
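To make the provisioning half of this concrete, here is an added example (not code from this post or from Twobo) of the reconciliation step a SCIM-based connector performs: it compares the authoritative directory against the accounts the SaaS provider currently holds and emits the SCIM 2.0 requests that would create missing users and deactivate departed ones. The directory entries, provider records and attribute mapping are all constructed for the example; matching on a stable directory identifier rather than on e-mail is an assumption chosen so that renames do not produce duplicate cloud accounts.

```python
# Added example: derive SCIM 2.0 provisioning calls from the authoritative
# directory so that cloud accounts track on-prem joiners and leavers.
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample data: entries as they might be read from AD, keyed by
# objectGUID, which stays constant even when a user's mail address changes.
DIRECTORY = {
    "guid-alice": {"objectGUID": "guid-alice", "mail": "alice@example.com",
                   "givenName": "Alice", "sn": "Smith"},
    "guid-bob":   {"objectGUID": "guid-bob", "mail": "bob@example.com",
                   "givenName": "Bob", "sn": "Jones"},   # new hire, not yet in the cloud
}
# Constructed sample data: what the SaaS provider's /Users endpoint reports,
# keyed by the externalId we set at creation time.
PROVIDER_USERS = {
    "guid-alice": {"id": "p1", "externalId": "guid-alice", "active": True},
    "guid-carol": {"id": "p3", "externalId": "guid-carol", "active": True},   # left the company
    "guid-dave":  {"id": "p4", "externalId": "guid-dave", "active": False},  # already deactivated
}

def scim_user(account):
    """Map a directory entry to a SCIM 2.0 User resource (assumed attribute mapping)."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": account["mail"],
        "externalId": account["objectGUID"],
        "name": {"givenName": account["givenName"], "familyName": account["sn"]},
        "active": True,
    }

def reconcile(directory, provider_users):
    """Return (method, path, body) tuples: POST for joiners, PATCH active=false for leavers.
    Leavers are deactivated rather than deleted so their audit history is preserved."""
    ops = []
    for guid, acct in directory.items():
        if guid not in provider_users:
            ops.append(("POST", "/Users", scim_user(acct)))
    for ext_id, user in provider_users.items():
        if ext_id not in directory and user.get("active", True):
            ops.append(("PATCH", f"/Users/{user['id']}", {
                "schemas": [SCIM_PATCH_SCHEMA],
                "Operations": [{"op": "replace", "path": "active", "value": False}],
            }))
    return ops

if __name__ == "__main__":
    for method, path, body in reconcile(DIRECTORY, PROVIDER_USERS):
        print(method, path, body)
```

Run against the constructed data it yields two calls: a POST creating Bob and a PATCH deactivating Carol, while Alice and the already-inactive Dave are left untouched.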
By extending all IAM capabilities to include cloud services, organizations achieve a number of important benefits:
- Types of credentials (passwords, hardware tokens, etc.) are decided by the consumer of the cloud service not the provider.
- Existing credentials are reused with each new cloud service.
- Rules about authentication, such as how often passwords should be changed, how complex they should be, how they are reset, etc. are all under control of the enterprise.
- User accounts created in the authoritative identity repository are automatically provisioned and deprovisioned in all cloud services as well as on-prem systems.
- Entitlement management solutions can be used across all private, public and hybrid clouds.
- Audit logs can be captured and centrally correlated for forensic and regulatory reasons.
In my next post, I'll explain how Twobo is helping organizations turn these ideas into working systems. In the meantime, feel free to read about the IAM-related services we provide, post a comment here, or ping us on Twitter.