Let us continue our discussion in the “Steps to cloud security” series and focus on managing people and their identities in the cloud infrastructure. Let us explore Identity, Entitlement, Access Management and understand how it works, best practices and the roles these play in securing our infrastructure.
But, to begin with, let us list down our 10 steps to cloud security as defined by Cloud Standards Customer Council.
Ensure effective governance, risk and compliance processes exist
Audit operational and business processes
Manage people, roles and identities
Ensure proper protection of data and information
Enforce privacy policies
Assess the security provisions for cloud applications
Ensure cloud networks and connections are secure
Evaluate security controls on physical infrastructure and facilities
Manage security terms in the cloud service agreement
Understand the security requirements of the exit process
We will be discussing step 3 – Manage people, roles and identity.
Let us begin with a definition of IAM by Gartner. They define IAM (Identity and Access Management) as “the security discipline that enables the right individuals to access the right resources at the right time”. And this definition is quite self-explanatory and it does not look a new thing either.
We have all been doing this for a long time in our traditional computing infrastructures as well. We are all familiar with Active Directory (Windows) and how it is used to manage our usernames and passwords at our work place. But how does it change when we move our infrastructure to the cloud?
To start with, one should have a clear understanding of the dynamics of cloud infrastructure and who all can possibly access the data. There could be employees of cloud service providers who can access your data and then of course, your own employees will have access to the data.
Therefore, when we talk about IAM in cloud, managing both parties (cloud service provider and the customer) are required to manage the IAM solution without compromising security. And this brings us back to the shared responsibility model that we have discussed so many times in my previous articles.
As we all know, in today’s world, there are hundreds of cloud service providers providing different type of services and if an organization wants to leverage the best use of cloud computing, it has to use the services of multiple CSPs and it is a common sight today that an organization has multiple cloud services subscribed from multiple CSPs. The real challenge, in this scenario is, how to manage identities for different services? Do you want to manage multiple identities for same user across multiple services? This is not at all feasible, especially if you have large number of cloud services. So, to address this challenge, we use “federation”. So, what is federation?
Federation is a tool used when we have to provision the same users or entities on hundreds of different providers. All the identities are stored at one place and it is called the " identity provider ". All other providers are called relying parties and they depend upon the identity provider to provider to verify identity and authenticate users. It is very much similar to Single Sign-on that we use in traditional computing. So, when you migrate your infrastructure to cloud, you can use your existing Active Directory as the Identity provider and create trust relationships with all the other cloud services and then use the same set of identities and credentials across your platform through standards-based technologies (we will discuss standards later in this article). I would like to add a note here: please make sure that you encrypt data when data is exchanged between identity provider and relying parties.
This all looks very complex in the beginning, but once designed and implemented properly, it could become a very strong security control.
I would recommend this to every organization. My personal experience is that organizations have been taking lot of measures in regard to IAM but lot of work is done in bits and pieces and patchwork. When you are migrating to the cloud, it gives you an excellent opportunity to update your IAM technologies and build new processes to do better identity management. Using Federation gives an excellent opportunity to centralise your identity management.
Okay, so now we understand how we can use federation for better IAM in cloud, let us understand the standards available for cloud. And to understand standards better, we need understand few terms first which play major role in IAM and are often confused with each other. Cloud Security Alliance in its security guidelines has defined them as follows:
Authentication: is a process of confirming an identity. When you login to a system (identifier) and password (an attribute we refer to as authentication factor).
Authorization: allowing an identity access to something (data or function)
Entitlement: It is mapping of identity (including roles, personas and attributes) to authorization. You maintain an entitlement matrix which maps user and what they are allowed to.
Now, let us understand what are standards available for IAM
SAML2.0: It is the most common standard used by cloud service providers. It supports both authentication and authorization. It uses XML to make assertions between identity provider and relying party.
OAuth: Another pouplar standard brought in by IETF and as the name suggest, it is used for authorization only. It is designed to work over HTTP. It is often used for delegating access controls / authorization between services
OpenID. This is used for federation authentication and is also based on HTTP.
There are two other standards as well – XACML and SCIM which can be used along with above standards for defining access policy and exchanging identity information respectively.
Now finally to summarize the federation and how it works, please see the image below from CSA security guidelines V4.0
To continue our discussion on IAM, we should understand that federation is not the ony way identity is managed in the cloud. Every CSP can have their own internal IAM system which can used in conjunction with customers internal active directory to create identity management system.
There are also several ways to manage identities and define trust between identity providers and relying parties like hub & spoke, free form etc (for details, please refer to CSA security guidelines v4.0)
Now, let us discuss Authentication. There are several methods to authenticate users, the simplest being username and password. But technically speaking this is only one-factor authentication, i.e., what you know. It is always advisable to use multi-factor authentication, where you should use - Biometrics, fingerprint or retina as an supplement to username and passwords. This is to provide extra level of security for use of identities. MFA can be used in several ways. For eg, if you are using local authentication, we can use hard token, soft tokens, bio metric or out of band access as the second factor.
Now, comes the most important bit and that is the entitlement process. This is where the decision is made: who is allowed to access and what they can access. We have the entitlement map which matches identity to authorization and any required attributes. So, we have a proper entitlement matrix which clearly defines how person X can access remote data Y and what time they can access.
Last bit of IAM which is very important to discuss here is privileged user management. And this is point where you can reduce lot of risk by managing privileged users. A privileged user is one who has more access power than a normal user and can bring whole infrastructure down if not managed properly. Their usage should be monitored and logged and their relevancy should be checked from time to time to remove un-used accounts.
Lastly, some of suggestions that I would like to give as best practices for IAM are:
Use multi-factor authentication
Auditing and logging as a part of identity management
Use Identity brokers when possible
Prefer using Attribute-based access control (ABAC) than role-based access control (RBAC). This will reduce authorization creep to some extent.
Finally, I would just like to say that the above post is just an introduction to how IAM should work in cloud infrastructure. IAM, in itself, is a very large topic and is continuously improving and innovating. So, there may be few point missing or some points may need more detailed discussion.