Thursday, February 11, 2010

Identity and Access Management in Cloud Computing: Part 2

Cloud Computing Implementation Options and Challenges

Like any traditional IT project, a project leveraging cloud computing must first look to its requirements. Most IT projects have some requirement for identity whether it be that all accesses to the cloud or just administrative accesses require Authentication and Authorization. This second blog post in the series titled "Identity and Access Management in Cloud Computing" is focused on the implementation challenges of Identity and Access Control Architectures as they relate to cloud computing.

Identities for cloud computing can be broken down into the following categories:

  • Enterprise - Enterprise Users, and applications that will access cloud applications
  • Internet - Customers, Partners, and Unanticipated Users that will access cloud applications
  • Cloud - Cloud applications that will access cloud, enterprise, and partner applications

Whether we are talking about cloud usage, or cloud administration, identities can be binned into one of these three categories. The following paragraphs focus on the options and challenges in implementing an identity and access control architecture for cloud computing.

Identity Management - Identities may be associated with human resources hiring and firing, new or changing partner and contractor relationships, or new servers or applications being setup. Processes may include identity creation and role/group addition, credential issuance, audit and compliance, and on-going management and eventual deletion. Most companies leverage products which govern the creation of identities within their enterprise in accordance with their particular compliance regulations.

There are two approaches to identity management in cloud computing:

  • Leverage existing enterprise identity management system for cloud identities
  • Utilize a new cloud based identity management system and process for cloud identities
Identity Management in the cloud through either an integral cloud provided identity system or a cloud deployed identity management system fails in a number of ways. Below are the issues that come to mind:

User Experience

  • Separate systems increases user frustration

  • Users having more than a single credential can be problematic

  • Users have to deal with two separate processes for identity creation

  • Users may potentially become confused with enterprise vs. cloud issues and or policies

Manageability

  • Administration of identities requires double the amount of administration

  • User attributes are not automatically populated in cloud-based systems

Compliance and Risk

  • Cloud-based systems must adhere to regulatory requirements for identity provisioning

  • Cloud-based systems can easily be overlooked when changes are made to enterprise User's identities and privileges

  • Cloud-based systems may be susceptible to internet breach

Cost

  • Double the amount of work required to administer users
  • Purchasing and fielding identity products to the cloud may be costly
  • Separate Audit and Compliance may requires significant investments

Therefore, we must look to our existing enterprise identity management capabilities for managing identities for cloud usage, and administration.

Authentication Services - Principals are authenticated based on the principal making a claim regarding its identity, and then providing proof that the claim is true. For example, in computer systems, the username claims the principal's identity while the password which is a shared secret between the user and the system with which they are authenticating is the proof.

Authentication Services are responsible for authenticating principal's based on the principal making a claim regarding its identity, and validating that the claim is true. An Authentication Service provides a single logical component of a IT architecture where authentication may be accomplished. LDAP is a typical Authentication Service in that it provides a single point where users can be validated against their claims, whether their claim be in the form of a password, a certificate, or a stronger form of credential.

Identities and claims are managed and stored within the enterprise today and investments have already been made in this area. Authentication in the cloud requires user identities and claims to be available to the cloud applications. There are four approaches to this that will be discussed:

New cloud based solution
  • Many of the same issues encountered in moving identity management to the cloud are encountered with this approach.
  • Possible breach and release of identities to the internet
  • Administrative burden in managing two systems
Connectivity to the enterprise
  • For security reasons LDAP, and enterprise identity repositories are not accessible from the internet and thus would not be available to the cloud applications.
  • If they were available, latency of authentication queries may be a significant issue.
Identity replication from enterprise to cloud
  • All enterprise users information stored in the cloud poses a security and privacy problem should the cloud based identity repository be breached from the internet.
Federation of enterprise identity system
  • This approach carries the most opportunity for success as identity repositories can remain within the protected interior of enterprise. An externally available Secure Token Service (STS) could allow authentication and issuance of a federated authentication token to be utilized for authenticating to the cloud.

Federation of enterprise identity systems will be described in a future blog posting. This is the basis for allowing Identity Management Systems and Authentication Services to remain within the enterprise.

Authorization Services - Authorization is the means for ensuring that only properly authorized principals are able to access resources within a system. A Principal can either be a human, machine, or an application. In order to carry out authorization, the first step is to authenticate the principal, the second step is to obtain information about the principal and resource to which the principal is interacting and the final step is to allow or deny access to the principal based on the applicable policies for that resource.

An Authorization Service is responsible for evaluating an authorization query, collecting necessary information about the principal and the resource, potentially from an Attribute Service and/or identity directory, and evaluating a policy to determine if access should be granted or denied. There are three approaches where an authorization policy may be enforced in cloud computing.

Enterprise Authorization - The Cloud application asks the enterprise to make an authorization decision to grant or deny access.

  • Policies are created, managed, and stored within the enterprise
  • Authorization Services must be available to the internet which raises potential security issues of man in the middle and denial of service impacting cloud application usage
  • Latency may be an issue as cloud resources depend on network calls to enterprise for access

Stand Alone Cloud Authorization - Usage of cloud provided or custom authorization services to grant or deny access

  • Policies are created, managed, and stored in the cloud
  • Requires separate administration of cloud-based system
  • Course-grained capabilities of cloud-provided solutions may not suffice
  • Compliance and regulatory requirements may not be met by cloud provided systems

Cloud Authorization with Enterprise Governance- The cloud makes an authorization decision but policies are governed by the enterprise

  • Policies are created, managed, and stored in the enterprise but cached in the cloud
  • Allows policies to be created and managed in accordance with enterprise processes
  • Allows faster response times as authorization services are available local to the cloud applications

For these reasons, the most robust mechanism for cloud authorization is to deploy an authorization service in the cloud which can retrieve authorization policies from the enterprise. This will be a topic of a future blog posting. Specifically, standards will be discussed which make it possible for cloud-based authorization services to retrieve polices from the enterprise in a secure fashion.

Conclusions

Organizations must extend their existing Identity and Access Management Strategies into the Cloud. New solutions for the cloud simply will not scale rather the cloud must be seen as part of the "extended" enterprise, whereas existing privacy concerns, compliance issues, and processes and controls are dealt with within the cloud using strategies and solutions already built and utilized within the enterprise. In future blog postings, I plan to discuss ways that the enterprise can extend its existing solutions for Authentication and Authorization Services to the cloud.