Security need not be the downfall of cloud computing.
At a time when companies are looking for ways to cut costs, cloud computing looks like an attractive alternative, one which you would think most cash-strapped IT departments would take a long look at. But a recent survey of mostly IT professionals conducted by Novell finds strong mistrust of cloud computing in the workplace and, at the same time, surprisingly wide acceptance of it for personal use.
The survey was conducted using members of Novell’s Cool Solutions Community; 453 people responded, of whom 81% identified themselves as IT professionals. The respondents were from a variety of geographic locations including the US, India, China, Australia, Canada, South Africa and western Europe. The company sizes varied from 25 or fewer to more than 5000, with 44,6% working for companies with more than 1000 employees.
When asked to list the top five things they feared or mistrusted about cloud computing in the workplace, security came in on top, with 34,6% listing it as their top choice. This is not surprising as many other surveys have indicated the same mistrust and confusion among end-users of the cloud. So, what is the truth – is cloud more secure than the enterprise or is it totally insecure? The answer is probably somewhere in the middle.
This paper is an in-depth look at the identity and access management issues in the cloud. It goes into the different aspects of managing identities such as provisioning, federation and compliance, as well as newly emerging models of having identities in the cloud. It looks at these issues from the enterprise perspective and lists what enterprises need to ask cloud providers before they move to the cloud.
This research will also serve as the foundation for the Trusted Cloud Initiative.
Managing identities and access control for enterprise applications remains one of the greatest challenges facing IT today. While an enterprise may be able to leverage several cloud computing services without a good identity and access management strategy, in the long run extending an organisation’s identity services into the cloud is a necessary prerequisite for strategic use of on-demand computing services. Supporting today’s aggressive adoption of an admittedly immature cloud ecosystem requires an honest assessment of an organisation’s readiness to conduct cloud-based identity and access management (IAM), as well as understanding the capabilities of the organisation’s cloud computing providers.
We will discuss the following major IAM functions that are essential for successful and effective management of identities in the cloud:
* Identity provisioning/deprovisioning.
* Authentication and federation.
* Authorisation and user profile management.
* Support for compliance.
Compliance: For customers who rely on cloud services, it is important to understand how identity management can enable compliance with internal or regulatory requirements. Well-designed identity management can ensure that information about accounts, access grants, and segregation of duty enforcement at cloud providers can all be pulled together to satisfy an enterprise’s audit and compliance reporting requirements.
For each of these IAM functions, we will discuss the challenges, solutions, and future outlook, and present a provider checklist and set of questions to help you get ready for cloud adoption.
One of the major challenges for organisations adopting cloud computing services is the secure and timely management of on-boarding (provisioning) and off-boarding (deprovisioning) of users in the cloud. Further, enterprises that have invested in user management processes within an enterprise will seek to extend those processes to cloud services.
Identity provisioning practice within an organisation deals with the provisioning and de-provisioning of various types of user accounts (eg, end-user, application administrator, IT administrator, supervisor, developer, billing administrator) to cloud services. It is very common for cloud services to rely on a registry of users, each representing either an individual or an organisation, maintained by the cloud service provider (CSP) to support billing, authentication, authorisation, federation, and auditing processes.
Solutions and recommendations
While user provisioning remains a major challenge and barrier for cloud service adoption, the capabilities offered by CSPs are not currently sufficient to meet enterprise requirements. To avoid one-off custom solutions that exacerbate management complexity, customers should avoid proprietary solutions such as creating custom connectors unique to CSPs.
Customers should leverage standard connectors provided by CSPs to the extent practical, preferably built on SPML schema. Since SPML has been recognised as the industry standard specification for user access provisioning for multiple types of applications, any custom solution should leverage SPML so that it can be repurposed to suit a standard CSP supported solution. Cloud customers should modify or extend their authoritative repository of identity data to encompass applications and processes in the cloud.
In SPI (SaaS, PaaS, IaaS) cases where CSPs do not support provisioning management using SPML, customers should ask their CSPs to offer SPML-based provisioning web services.
With the rapid adoption of cloud services, customers must find ways to automate the provisioning and deprovisioning of users using industry standard specifications such as SPML and web APIs. The cloud environment offers an opportunity to move away from custom connectors and proprietary APIs and towards standards such as SPML and web APIs. SPML gateways can automate user provisioning and eliminate laborious manual processes that may involve custom scripts to set up user accounts with cloud services.
When organisations utilise cloud services, authenticating users in a trustworthy and manageable manner is a vital requirement. Organisations must address authentication-related challenges such as credential management, strong authentication, delegated authentication, and managing trust across all types of cloud services.
Authentication is the process of validating or confirming that access credentials provided by a user (for instance, a user ID and password) are valid. A user in this case could be a person, another application, or a service; all should be required to authenticate.
Many enterprise applications require that users authenticate before allowing access. Authorisation, the process of granting access to requested resources, is pointless without suitable authentication. When organisations begin to utilise applications in the cloud, authenticating users in a trustworthy and manageable manner becomes an additional challenge. Organisations must address authentication-related challenges such as credential management, strong authentication, delegated authentication, and trust across all types of cloud delivery models (SPI).
Solutions and recommendations
Both the cloud provider and the enterprise must consider the challenges associated with credential management and strong authentication, and implement cost-effective solutions that reduce the risk appropriately.
‘Strong authentication’ typically refers to multifactor authentication or authentication protected by cryptographic means. Strong authentication methods such as Kerberos, and token or smartcard systems are common within enterprise networks, and the enterprise should consider leveraging this technology for use in the IaaS cloud, especially for privileged access management or shell access using Secure Shell (SSH).
In order to enable strong authentication (regardless of technology), cloud applications should support the capability to delegate authentication to the enterprise that is consuming the services. In that case, the enterprise can enforce strong authentication using existing infrastructure and authenticate with open standards such as SAML with the cloud provider/application.
Cloud providers should externalise authentications and consider supporting various strong authentication options such as one time passwords, biometrics, digital certificates, and Kerberos. This will provide a pluggable authentication architecture and enable enterprises to leverage their existing infrastructure.
In the cloud computing environment, Federated Identity Management plays a vital role in enabling organisations to authenticate their users of cloud services using the organisation’s chosen identity provider (IdP). In that context, exchanging identity attributes between the service provider (SP) and the IdP securely is also a requirement. Organisations considering federated identity management in the cloud should understand the various challenges and possible solutions to address those challenges with respect to identity lifecycle management and available authentication methods to protect confidentiality and integrity, while supporting non-repudiation.
In the cloud-computing environment, federation of identity plays a key role in enabling allied enterprises to authenticate, provide single or reduced sign-on, and exchange identity attributes between the Service Provider (SP) and the Identity Provider (IdP). Organisations considering federated identity management in the cloud should understand the various challenges and possible solutions to address those challenges with respect to identity lifecycle management, authentication methods, token formats, and non-repudiation. Non-repudiation is a major potential benefit of federation, as it provides a mechanism to trust or verify that the identity assertions came from the trusted IdP rather than an impostor.
In discussing federation, we consider two primary roles:
1. Service Provider (SP): An internally deployed application or cloud service.
2. Identity Provider (IdP): An authoritative source of identity data for users, which provides the primary authentication of the user. The Identity Provider can be the service consumer itself, or external to it.
As organisations start to use various cloud services, it becomes more important to provide SSO not just to applications within the enterprise, but also to applications in clouds the organisation hosts or subscribes to.
Individual Consumers: The choices for users accessing public cloud applications include supplying a user name and password from a provider such as Yahoo or Google; or a more sophisticated authentication using OpenID, Microsoft Live ID, or another service that offers delegated authentication without providing the actual password to the cloud application itself.
The OpenID protocol is a popular user-centric SSO protocol.
If user-centric solutions are not appropriate (for instance, for an enterprise), then local authentication (with appropriate identity validation) or use of a trusted third-party service will be required to establish reliable identity information for users, and is essential for supporting access control.
Enterprises have the following two federated SSO options:
1. Federated Public SSO: Based on standards such as SAML or WS-Federation, enterprises can provide SSO to various cloud applications that support federation.
2. Federated Private SSO: Organisations using a private cloud can leverage their existing SSO architecture over a VPN tunnel or secured private connection to provide SSO to applications in the cloud.
Enterprises looking for a cloud provider should verify that the provider supports at least one of the prominent standards (SAML or WS-Federation). SAML is emerging as a widely supported federation standard and is supported by major SaaS and PaaS CSPs. Support for multiple standards will enable greater flexibility.
Access control and user profile management
The requirements for user profiles and access control policy vary, depending on whether the user is acting on their own behalf (such as a consumer) or as a member of an organisation (such as an employer, university, hospital, or other enterprise). The access control requirements in SPI environments include establishing trusted user profile and policy information, using it to control access within the cloud service, and doing this in an auditable way.
A user profile is a set of user attributes used by a cloud service to customise the service and possibly restrict access to portions of the service. Access control is the granting of access to particular resources, and the auditable enforcement of that policy. Access control depends on accurate user profile information in order to make appropriate policy decisions.
The requirements for user profiles and access control policy vary depending on whether the user is acting on their own behalf or as a member of an organisation such as an employer, university, hospital, or other agency. When a user acts on their own behalf they are the sole source of profile information about themselves, and policy is set by the cloud provider. When a user acts on behalf of an organisation, however, that organisation may be the authoritative source for some of the user’s profile attributes, as well as an access control policy which applies to the user. This section on access control uses the term ‘consumer user’ for someone acting on their own behalf and ‘corporate user’ for someone acting on behalf of an organisation, such as their employer.
In a cloud computing environment, therefore, user profile and access control management are more challenging because the information for these functions may come from different sources; using different processes, naming conventions, and technology; and may need to be transmitted securely between organisations over a hostile Internet. The sections below further describe access control and user profile requirements for each category of cloud computing.
Access control and user profile management are more challenging with cloud services because the information sources may be hosted somewhere other than the cloud service that needs them. Customers need to identify trusted sources for this information and secure mechanisms for transmitting the information from the trusted source to the cloud service. It is also important to periodically reconcile the information between the cloud service and the source.
Customers need to confirm that cloud providers can support their needs for adequate access control of cloud resources by checking to ensure that the cloud will:
1. Control access to the cloud service’s features based on policy specified by the customer, as well as the level of service purchased by either the individual user or the organisation to which the user belongs.
2. Control access to each user’s data to protect it from other cloud service customers in multi-tenant environments. Adequately control access to both regular user functions and privileged administrative functions. Allow collection of user profile information, and possibly access control policy, from a remote service chosen by the customer.
3. Keep user profile information and access control policy accurate.
4. Provide optional notification of account creation/removal and access grants to the customer, to prevent cloud employees from setting up rogue accounts or otherwise modifying access entitlements.
5. Provide adequate audit logs of activity within each customer’s environment, including identity management and access activity, as well as use of any resource for which quotas are enforced.
6. Provide solutions for determining liability for various problems which may occur.
In short, customer requirements for a cloud environment are similar to internal services, but there are several important differences. First, customers will want cloud services to solve the above requirements in a way that provides adequate protection in shared, multi-tenant environments. Second, the solutions must accommodate user profile and policy information from remote sources and a need for periodic reconciliation against those remote sources. Third, cloud services need to acknowledge that the right identity management solution(s) for a service depend on whether a user is acting on their own behalf or on behalf of some organisation, and whether single sign-on is a requirement.
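The periodic reconciliation described above, sketched as an added example (it is not from the CSA guidance or any provider's API). It assumes the enterprise's authoritative source lists only users entitled to this service and that both sides can be exported as user ID, status and roles; the `Identity` type, the finding names and the sample records are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    user_id: str
    active: bool
    roles: frozenset


def reconcile(source, cloud):
    """Compare the authoritative source with the cloud service's registry.

    Both arguments map user_id -> Identity. Findings are sorted by
    user_id so that successive reports can be diffed.
    """
    findings = {"rogue": [], "orphaned": [], "missing": [], "role_drift": []}
    for uid in sorted(cloud):
        acct, auth = cloud[uid], source.get(uid)
        if auth is None:
            # Exists only at the provider: no enterprise record approved it.
            findings["rogue"].append(uid)
        elif not acct.active:
            continue  # disabled at the provider; checked in the second pass
        elif not auth.active:
            # Deprovisioning never reached the cloud service.
            findings["orphaned"].append(uid)
        elif acct.roles != auth.roles:
            extra = sorted(acct.roles - auth.roles)
            lacking = sorted(auth.roles - acct.roles)
            findings["role_drift"].append((uid, extra, lacking))
    for uid in sorted(source):
        auth, acct = source[uid], cloud.get(uid)
        if auth.active and (acct is None or not acct.active):
            findings["missing"].append(uid)  # provisioning gap
    return findings


# Constructed sample exports (not real data).
SOURCE = {i.user_id: i for i in [
    Identity("alice", True, frozenset({"sales"})),
    Identity("bob", False, frozenset()),            # left the company
    Identity("carol", True, frozenset({"sales", "admin"})),
    Identity("dave", True, frozenset({"support"})),
]}
CLOUD = {i.user_id: i for i in [
    Identity("alice", True, frozenset({"sales", "admin"})),
    Identity("bob", True, frozenset({"sales"})),
    Identity("carol", True, frozenset({"sales", "admin"})),
    Identity("svc-temp", True, frozenset({"admin"})),
]}

if __name__ == "__main__":
    for kind, items in reconcile(SOURCE, CLOUD).items():
        print(f"{kind}: {items}")
```
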
This article has been shortened. The full version is downloadable at: https://cloudsecurityalliance.org/guidance/csaguide-dom12-v2.10.pdf
CA Southern Africa’s MD, Security Business Unit, Ugan Naidoo, comments on cloud security and hypervisor hardening
Organisations today must adopt a three-pronged approach to security when dealing with the cloud.
The first is to be capable of extending existing security infrastructure, which in turn enables the provision and de-provision of users for cloud applications like Salesforce.com or Google Apps. This is important, as generally organisations are focused on de-provisioning users to internal applications. However, the bigger risk is cloud applications like Salesforce.com, where users can still access client records from anywhere, anytime.
The second is to be able to provide security for cloud applications and here we are talking about putting the right controls in place to be able to approve what cloud system administrators and hypervisor administrators can do with virtual servers and consequently with the data that resides on these servers.
Additionally, it is important that appropriate monitoring takes place, as well as the deployment of the correct strength of authentication, as the data is not visible to everyone who has an Internet connection.
Thirdly, companies consuming security services from the cloud must ensure that the service being consumed does not compromise the internal security controls of the organisation. An example is where a cloud password reset service may inherently introduce risks that were previously not prevalent.
The bottom line is that organisations must carefully consider how they are using the cloud and the security implications thereof.
© Technews Publishing (Pty) Ltd | All Rights Reserved