Ask a CIO what her top concerns are with cloud computing , and he's almost certainly going to list security as his #1 concern. Cloud Security is a very big issue. At least, it's a very big perceived issue. Though there are several aspects to Cloud security one key aspect is identity and access management. . In case of multiple clouds system administrators spend too much time to create cloud accounts for new users and may forget to terminate accounts for ex-users. User activity without oversight or authorization leads to risk of sensitive data loss and compliance violations. Systems with sensitive or regulated data may be vulnerable without additional layers of protection.
Federated Identity management is therefore becoming increasingly important as it allows companies to enforce access control policies across multiple applications in a consistent manner, which provides an overall reduced cost of implementation.
As enterprises shifted toward cloud-based services at the turn of the century and software-as-a-service (SaaS) applications became more prevalent, the domain-based identity and access management mechanisms began breaking. This shift created a new need for a secure connection to multiple applications outside of the enterprise perimeter and transformed the perception on identity management.
As enterprises continue to adopt cloud-based technologies outside of their network perimeter, the need for reliable identity management solutions becomes more vital. To address these new use cases, organisations planning to adopt cloud architecture must also create a roadmap to move to new ways handling identity and access with cloud.
A good starting point for building a cloud security architecture is the security architecture reference in TOGAF.
A TOGAF iteration should then be “Cloud Identity and Access”. The Enterprise Architecture team drives the programme and works collaboratively with both the business and the IT department.
For purpose of this blog we limit the scope to identity and access management issues of cloud security.
As enterprises continue to adopt cloud-based technologies outside of their network perimeter, the need for reliable identity management solutions becomes more vital. To address these new use cases, organisations planning to adopt cloud architecture must also create a roadmap to move to new ways handling identity and access with cloud.
A good starting point for building a cloud security architecture is the security architecture reference in TOGAF.
A TOGAF iteration should then be “Cloud Identity and Access”. The Enterprise Architecture team drives the programme and works collaboratively with both the business and the IT department.
For purpose of this blog we limit the scope to identity and access management issues of cloud security.
In the Preliminary Phase a cloud
security policy should be in place. A carefully crafted cloud security policy
document should answer these questions
- How well does
the cloud provider’s security policies and procedures align with the
organisation?
- For
applications in the cloud, who within the organisation is allowed to
modify settings on the cloud that affect performance?
- How
should administrative privileges to the cloud provider be managed?
- How user
consent must be taken care of for storing his data in cloud
- How interoperability of multiple identity providers can be managed?
- How to provide consistent experience across context?
- How user data should and access should be removed once the user is no longer a part of the organisation?
In Architecture Vision Phase define necessary security-related management sign-off milestones of this architecture development cycle. This must also include sign offs with cloud service providers and identity and access providers and determining trust boundaries
Determine and document applicable disaster recovery or business continuity plans/requirements
Any existing disaster recovery and business continuity plans must be understood and their relationship with the planned system defined and documented.Disaster recovery would involve replicating an entire site,
including the identity repositories, in addition to replacing
hardware or subcomponents.
Identify and document the anticipated physical/business/regulatory environment(s) in which the system(s) will be deployed. All regulations regarding storage of user information in cloud must be clearly understood
In Phase B:Business Architecture set up the businesses process for identity and access management
Identify roles and actors related to user and authorization management.
Determine access levels of users.
In Phase C: Data Architecture, Identity repositories, in particular may be an issue for cloud computing as it pushes information back into siloes, that IT may not have direct access to. It is also recommended to determine user data and privacy classification and to prioritise the risk criteria of what goes in the cloud and what stays on-premise.
During Phase E and F there is a need to focus on these key aspects of Identity and access management
Directory: Identify a central directory for linking user groups to SaaS.
Access: Integrate externalized access technology with your centralized directory.
User provisioning & de provisioning: The provisioning of new accounts and user profiles
Federation: A common set of policies, practices and protocols in place to manage the identity and trust into IT users and devices across organizations
Audit: Track user access and actions
A sound architecture will enable re usability of identity and access services for all use cases in public, private and hybrid cloud models. Federation architecture is the first step to identity management to evolve for the cloud to
become a trusted computing platform. Organizations thus must have clear roadmap for it before embarking into cloud computing.
