Provided a business is satisfied with its data center IT security, the best way to address cloud security is to focus on the incremental risks that public clouds create. Are there things that worked in the data center that won’t work in the cloud and things the cloud adds that could create new risks? The answer to both questions is “Yes.”
Cloud security strategies in recent years have centered on identity and access management (IAM) tools. This approach and these tools represent a notable shift in how IT teams control user access.
In traditional networking, users were often grouped into subnetworks whose addresses identified the organizations in which they worked. Cloud applications, combined with the expanded use of mobile devices, tend to break this static model of user identification. A user accessing an application through a web front end probably looks much like any other user, which means that identity cannot be inferred from the user’s address.
A more complicated cloud security problem arises with the applications themselves. The cloud has a natural ability to support quick recovery from failure and to scale under load. This encourages developers to break applications into components to take advantage of these features. The sharing of components among applications, though, can create a kind of back door through which users might gain access to information they’re not entitled to see or change.
Cloud computing reveals what should have been obvious years ago: The identity of users and their rights to access applications and resources must be explicit. If not, an organization will not meet the requirements of cloud, mobility or even the internet of things.
This is where IAM tools come into play. IAM is a successor to the single sign-on strategies that have emerged over the last several decades to simplify ID and password processes and to reduce practices like writing down passwords or using the same one for everything.
IAM tools identify who’s who
All IAM tools have two pieces — one that associates users with identities and another that associates identities with access rights. The principle is that a real person, when identified, acquires a number of attributes or capabilities that then directly or indirectly determine what they’re allowed to do or see. The identities and policies are almost always stored in a repository, the security of which is tightly controlled to ensure that no one acquires rights they’re not entitled to.
Identity processes can be tied to traditional ID and password protocols, linked to a dongle or permission tool, or run through biometrics. ID and password strategies are often deprecated because users don’t choose rational combinations, protect them or change them regularly, but a centralized IAM process can reduce such misuse. This sort of system also makes it easy to force regular changes in passwords.
The dongle approach, using something like a USB stick, is most useful when access rights are associated with a role rather than an identity. Since a dongle can be lost or stolen, this strategy is used primarily in combination with other identity-specification mechanisms. Biometrics — meaning fingerprints, facial recognition or retinal scan — are the most reliable and are gaining acceptance as the best overall solution.
As for the access control part of IAM, that too can be managed in a number of ways.
First, an organization can provide users with tokens that allow access to applications and information based on identity. Since the token typically needs to be tested and validated by an application, it may be necessary to make changes to the application’s software.
A second approach is to hold applications in a secure zone of the network, with each application having its own security enclave. Users are admitted to an enclave based on identity. A system accomplishes this by altering firewall rules.
A third way is to add identity tokens to messages. These can be tested by firewall devices or applications at the boundary. This secures hosting zones in the cloud or the data center.
The latter two of these three approaches are preferred for the cloud because having individual cloud components test tokens can introduce performance issues.
Knowing your roles
The most modern models for IAM employ virtualization concepts to add flexibility. With these models, a real person is assigned a virtual property of identity. That property can directly translate into a set of policies or tokens that convey the right to access applications and information. Collaterally, the identity property can assign the user to one or more roles, and these roles are then the basis for conveying access rights.
The value of the role-intermediary approach is that, in most cases access, rights relate to a person’s job rather than who they are. Assigning access rights to a role makes it easier to maintain control of those rights as people move around through different job functions via transfer, promotion, etc.
It’s obvious that much of the progress in IAM has been focused on simplifying the mechanism for identification and control. IAM tools, however, cannot work if not properly maintained, meaning that all workers must have a reliable identity verification process and that all verified identities need to be linked correctly to access policies. Experience shows that problems with access security tend to arise because complex systems encourage practices that bypass security when they bypass complexity.
Role-intermediated IAM strategies are best for the cloud and, in particular, if they can be implemented in a PaaS cloud framework or by using cloud-provider web services that extend access control to all of the cloud elements. The IAM benefits of PaaS clouds such as Microsoft’s Azure accounts for the faster integration of PaaS into hybrid enterprise IT strategies, but IAM tools from Amazon and Google now facilitate IAM control of all the major public clouds. Major software vendors, including IBM, Microsoft and Oracle, and specialty vendors, such as Courion, RSA and SailPoint, offer IAM subsystems that can be used in the cloud and the data center alike.
The cloud is only one of several IT trends complicating identity and access management, and there is no question that delaying IAM adoption will eventually hurt or even cripple a company’s ability to protect its information and comply with regulatory guidelines on information security and privacy. The model for IAM is clear, and it’s time for companies to step up and modernize their view of application and information security.