Welcome to the fourth blog in this series on Cloud computing. In this edition, the issues surrounding how to secure access to the cloud and how to secure data stored in the cloud will be discussed.
The starting point for information security in any organisation is ensuring that those who should be able to access the system, and the data it holds, can do so, and that nobody else can. This discipline is referred to as Identity and Access Management (IAM). IAM is the set of security processes that ensures the right individual can access the right resources at the right time for the right reasons.
Identity and Access Management (IAM)
Organisations use IAM for several reasons:
- To improve operational efficiency
- To ensure regulatory compliance
- To provide a mechanism to audit system access
IAM is formed of three distinct areas: authentication, authorisation, and auditing.
Authentication is used to verify the identity of the user or system attempting to gain access. Once the entity (user or system) has been authenticated, the IAM system moves on to authorisation. Authorisation is used to determine the privileges of the user or system.
Authorisation should be seen as the phase of an IAM process that enforces the organisation’s access policies.
Auditing in its purest form is a review of a process. Within IAM, auditing applies this principle to the review of the authentication and authorisation processes, with the objective of determining the adequacy of the system's IAM controls. Only through auditing can compliance with an organisation's established security policies and procedures be verified.
An IAM audit will look for a clear separation of duties between user levels. The review will also be used for the detection of security breaches, for example an unexplained escalation of privileges for a user.
The audit will recommend changes to the IAM process as countermeasures to security threats.
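As an added illustration of the two audit findings described above (not code from the original post), the following script replays a constructed privilege-change log and reports grants of privileged roles that carry no approval reference, and users whose effective roles violate a constructed separation-of-duties policy. The role names and ticket ids are placeholders.

```python
# Added example: an IAM audit check over a constructed privilege-change log.
# It flags an unexplained escalation (a privileged role granted with no approved
# change reference) and a separation-of-duties violation (one user holding roles
# the policy says must never be combined).
from dataclasses import dataclass
from itertools import combinations

PRIVILEGED_ROLES = {"admin", "payments_approver"}
# Role pairs that a single user may never hold at the same time (constructed policy).
CONFLICTING_PAIRS = {frozenset({"payments_requester", "payments_approver"}),
                     frozenset({"developer", "prod_deployer"})}

@dataclass
class RoleEvent:
    user: str
    role: str
    action: str        # "grant" or "revoke"
    approved_by: str   # change-ticket reference, "" when none was recorded

# Constructed sample log; the ticket ids are placeholders.
SAMPLE_LOG = [
    RoleEvent("alice", "developer", "grant", "CHG-0001"),
    RoleEvent("bob", "payments_requester", "grant", "CHG-0002"),
    RoleEvent("bob", "payments_approver", "grant", "CHG-0003"),
    RoleEvent("carol", "admin", "grant", ""),            # no approval recorded
    RoleEvent("alice", "developer", "revoke", "CHG-0004"),
]

def unexplained_escalations(log):
    """Privileged grants with no approval reference, as (user, role) pairs."""
    return [(e.user, e.role) for e in log
            if e.action == "grant" and e.role in PRIVILEGED_ROLES and not e.approved_by]

def current_roles(log):
    """Replay grants and revokes to get each user's effective role set."""
    roles = {}
    for e in log:
        held = roles.setdefault(e.user, set())
        if e.action == "grant":
            held.add(e.role)
        else:
            held.discard(e.role)
    return roles

def sod_violations(log):
    """Users whose effective roles include a conflicting pair."""
    found = []
    for user, held in current_roles(log).items():
        for pair in combinations(sorted(held), 2):
            if frozenset(pair) in CONFLICTING_PAIRS:
                found.append((user, pair))
    return found
```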
To understand the role IAM plays in cloud security it is prudent to explain how IAM works in a traditional network.
IAM in a traditional network
In a traditional network, IAM is applied at the perimeter of the network and creates a static “trust boundary” that is controlled and monitored by the organisation’s IT department. The “trust boundary” covers the whole network, systems and applications.
Access to the network is via network security controls, which can include one or more of the following: Virtual Private Network (VPN), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) and multifactor authentication (MFA).
IAM is usually based on a collection of technology components, processes and standard practices. This results in several layers of technology, services and processes.
At the core of the deployment architecture is a directory service (Lightweight Directory Access Protocol (LDAP) or Active Directory (AD)) that acts as a repository for the identity credentials and user attributes of the organisation's users.
The directory interacts with IAM technology components to support the standard IAM practice and processes within the organisation.
The IT department in the organisation will provide user management for the effective governance and management of identity lifecycles: for example, setting up new user accounts, resetting passwords, granting access rights and deleting users as necessary.
Another of the IT department's roles within IAM is authentication management. This involves the activities for effective governance and control of the process of determining that an entity is who or what it claims to be.
Authorisation management requires a policy for governing and managing access rights. The policy determines the entitlements and rights that decide what resources an entity is permitted to access, in accordance with the organisation's policies.
Access management is the enforcement of policies for access control in response to a request from a user or service (entity) wanting access to an IT resource within the organisation.
Data management and provisioning
This is the propagation of identity and authorisation data to IT resources, via an automated or manual process.
Monitoring and auditing
To establish the effectiveness of IAM policies, monitoring, auditing and reporting of users' compliance with regard to access to resources within the organisation is required on a regular basis. Should a security incident occur, an ad-hoc audit should also be conducted.
IAM for the Cloud
When an organisation with a traditional network decides to migrate to the Cloud, the first fundamental change occurs at the trust-boundary level of IAM. There may be multiple boundaries, or perimeters, to be monitored. In a Cloud computing environment these "trust boundaries" become dynamic and are beyond the control of the IT department.
In a Cloud environment the network, systems and application boundaries extend into the service provider’s domain.
This loss of control continues to challenge established trusted governance and control models deployed by organisations. This frequently extends to include the trusted source of information for employees and contractors.
Poor management of “trust boundaries” will significantly impede Cloud service adoption within an organisation.
When an organisation is planning to move to Cloud computing, it should prepare for essential user management functions such as:
- User account provisioning
- Ongoing user account management
- Timely de-provisioning of users when they no longer need access to the cloud service
Organisations who have previously invested in identity and access management practices should seek to leverage their existing infrastructure and system architecture to gain an advantage.
Organisations lacking the infrastructure described above can use cloud-based solutions from several vendors that offer identity management services. Symplified (https://www.crunchbase.com/organization/symplified), Ping Identity (https://www.pingidentity.com) and TriCipher (https://www.crunchbase.com/organization/tricipher) are examples of such service providers.
Identity federation, or federated identity as it is sometimes called, is industry best practice for dealing with the heterogeneous, dynamic nature of loosely coupled trust relationships. It allows end users to use the same set of credentials to access multiple resources. The process is typically based on a single credential store.
By providing Single Sign-On (SSO), identity federation lets end users access multiple resources after providing their details only once.
Identity federation can also help to mitigate risk: because it supports SSO, the end user does not need to remember Cloud-service-specific authentication information (ID and password) for each provider.
It is typically built on a centralised identity management architecture leveraging industry-standard protocols such as Security Assertion Markup Language (SAML), Web Services Federation (WS-Fed) and the Liberty Alliance specifications.
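The federated SSO exchange described above, as an added example that is not part of the original post: the identity provider issues an assertion about a user it has authenticated, and the service provider accepts it only after checking the signature, issuer, audience and validity window. The assertion here is JSON with an HMAC tag under a shared key; a real SAML deployment uses XML with an XML digital signature, but the checks the service provider must perform are the same. The issuer, audience and key values are placeholders.

```python
# Added example: a minimal federated single sign-on exchange with both sides.
# IdP side: issue_assertion() states who the user is, for which service, until when.
# SP side: verify_assertion() trusts the assertion only if every check passes.
import base64, hmac, hashlib, json, time

IDP_ISSUER = "https://idp.example.test"          # placeholder names
SP_AUDIENCE = "https://cloud-app.example.test"
SHARED_KEY = b"constructed-demo-key-not-for-real-use"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_assertion(subject, audience, key=SHARED_KEY, now=None, ttl=300):
    """IdP: after its own login step, assert the subject for one audience for ttl seconds."""
    now = time.time() if now is None else now
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def verify_assertion(token, key=SHARED_KEY, now=None):
    """SP: return (subject, "ok") or (None, reason). Signature is checked before parsing."""
    now = time.time() if now is None else now
    body, _, tag = token.partition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # tampered, or signed with another key
        return None, "bad signature"
    claims = json.loads(_unb64(body))
    if claims.get("iss") != IDP_ISSUER:          # only the federated IdP is trusted
        return None, "untrusted issuer"
    if claims.get("aud") != SP_AUDIENCE:         # assertion was meant for another service
        return None, "wrong audience"
    if not claims.get("iat", 0) <= now < claims.get("exp", 0):
        return None, "expired or not yet valid"
    return claims["sub"], "ok"
```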
In conclusion, when looking at the unique security issues that Cloud computing generates, it is evident that traditional approaches cannot simply be transferred to the Cloud environment. Whatever Cloud platform is used, the Cloud is not just a replica of the conventional network hosted off-site; it has an aura of its own that must be respected.
As data security legislation becomes more prevalent, it must be treated with the correct amount of due diligence. Therefore the transition to the Cloud should begin with data security and then widen to include IAM and the myriad of other considerations required for migration to Cloud computing.
Cloud security has many facets; so far only Identity and Access Management has been considered. In the next blog, there will be a further exploration of Cloud security.