Authentication and authorization are key to identity management and security in the cloud. Security is one of the most challenging roadblocks to cloud adoption.
There are plenty of potential problems that can keep an imaginative mind awake at night (e.g. what if the public cloud provider does not overwrite the data blocks that held my deleted data, could someone read that data?) but before we go there we will focus on more pedestrian concerns: controlling who has access to our application and data. Identity management is the set of practices we implement to authenticate users as well as define and enforce access controls. Fortunately, virtually all the practices we developed for enterprise systems running on-premise are applicable to cloud-based applications. We just need to adapt them to work within a cloud framework.
This is not a trivial task, but it can be done.
Identity management encompasses authentication and authorization.
Authentication is the means we use to prove a user is the person or application it purports to be. Usernames, passwords, digital certificates and multi-factor devices are all used to authenticate users of cloud-based services. Authorization rules define what we, or an application, can do once authenticated. Can the user save a file as an object to a storage bucket, update a database record, or shut down an instance of a virtual machine running in the cloud?
These are all decisions made by the authorization mechanism used by your application or system. When you are thinking about identity management in the cloud, consider what kinds of controls you will need and how you can leverage your existing authentication and authorization framework.
Let’s consider some use cases.
In a simple case, you run an application in the cloud using an IaaS provider. The application implements its own authorization system, so you do not need to integrate with an Active Directory or LDAP server. This kind of application is relatively self-contained and can run in the cloud much as it ran on-premise, without concern for integrating with a directory service.
In a more complex scenario, you may have an application that uses an internal Active Directory for authentication. This is good practice from a security and software development perspective: a person's role in the organization is defined and maintained in one place, and privileges are associated with that role in that same place. The key here, from a cloud perspective, is leveraging this internal directory in your cloud applications. Federated identity, supported by some cloud providers, is the key technology for reusing existing access controls in cloud applications.
A third scenario expands on the previous use cases to include the use of multiple cloud providers. In the previous scenario we faced the issue of establishing federated identities between your on-premise IT environment and a single cloud provider; in this scenario we have to do the same with multiple cloud providers.
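The federated flow sketched in the last two scenarios, as an added example (not code from the article or from any real provider): the on-premise directory signs an assertion carrying the user's role, and the cloud application verifies that assertion before checking the role against its own privilege policy. An HMAC over a JSON claims document stands in for a SAML or OIDC signature; the key, user names, roles and action names are all constructed for the example.

```python
# Added example, not the article's code: a minimal federated-identity flow.
# The directory (identity provider) signs an assertion carrying the user's
# role; the cloud application verifies the signature (authentication) and
# then checks the role against its own privilege policy (authorization).
import hashlib
import hmac
import json
import time

# Shared secret between directory and cloud app (constructed placeholder).
FEDERATION_KEY = b"constructed-shared-secret"
# Authorization policy kept by the cloud application: role -> allowed actions.
POLICY = {
    "storage-admin": {"bucket:put_object", "bucket:get_object"},
    "dba": {"db:update_record", "db:read_record"},
    "ops": {"vm:stop_instance", "vm:start_instance"},
}

def issue_assertion(user, role, ttl=300, now=None):
    """Directory side: sign a claims document that names the user's role."""
    now = time.time() if now is None else now
    claims = {"sub": user, "role": role, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(FEDERATION_KEY, body, hashlib.sha256).hexdigest()
    return body, sig

def authenticate(body, sig, now=None):
    """Cloud side: accept the assertion only if signature and expiry hold."""
    expected = hmac.new(FEDERATION_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time compare
        return None
    claims = json.loads(body)
    now = time.time() if now is None else now
    if claims["exp"] <= now:  # expired assertion
        return None
    return claims

def authorize(claims, action):
    """Cloud side: may this role perform the requested action?"""
    return action in POLICY.get(claims["role"], set())

def request(body, sig, action, now=None):
    """Full decision: first who are you (authn), then may you do this (authz)."""
    claims = authenticate(body, sig, now)
    if claims is None:
        return "denied: not authenticated"
    if not authorize(claims, action):
        return f"denied: role {claims['role']} may not {action}"
    return f"allowed: {claims['sub']} may {action}"
```

The role itself is never edited on the cloud side: changing the role in the claims without the directory's key invalidates the signature, so the directory remains the single place where roles are maintained.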
Dan Sullivan is an author, systems architect, and consultant with over 20 years of IT experience with engagements in systems architecture, enterprise security, advanced analytics and business intelligence. He has worked in a broad range of industries, including financial services, manufacturing, pharmaceuticals, software development, government, retail, gas and oil production, power generation, life sciences, and education. Dan has written 16 books and numerous articles and white papers about topics ranging from data warehousing, cloud computing and advanced analytics to security management, collaboration, and text mining.
See here for all of Dan's Tom's IT Pro articles.