
Background: Cloud Computing and IAM

The term "cloud"

The term "cloud" is a metaphor for the Internet and originates with the cloud icons used to represent the telephone system and the Internet in early network architecture diagrams. The cloud is an abstraction of the underlying infrastructure of a network -- usually the Internet.

The idea is essentially one of ambiguity -- there are some services "out there," "in the cloud" which can be accessed over "some sort of network." The amorphous shape of a cloud makes it clear that there is ambiguity around the location of services and the connectivity to those services.

Cloud infrastructure is that of the typical data center, consisting of servers and network equipment. Services offered in a cloud can range from simple application web user interfaces to dynamically allocated virtual machines and databases. The key concept in cloud computing is to commoditize the infrastructure on which an application runs, so that network connectivity, computing capacity, operating systems and more are provisioned on demand, through a utility business model.

Note: the term utility is used here in the sense of an electricity grid or telephone service provider.

Overview of cloud computing

SaaS, PaaS, IaaS

There are broadly three kinds of services offered by cloud vendors:

  1. Cloud application services or Software as a Service (SaaS) delivers application software over the Internet. This frees customers from having to provision hardware to host their own copies of these applications, from installing the applications and from maintaining them.

  2. Cloud platform services or Platform as a Service (PaaS) delivers application development and runtime platforms as a service. These may include programming languages, runtime abstractions, database services and more.

  3. Cloud infrastructure services or Infrastructure as a Service (IaaS) delivers more complex computing infrastructure, on demand. In this scenario, customers can provision not only individual virtual or physical machines, but also the network topology that connects them as needed.

Private, community, public and hybrid clouds

There are a variety of implementations of the cloud concept:

  1. A public cloud (or external cloud) is the most common. In this model, a cloud vendor offers solutions that are dynamically provisioned on a fine-grained, self-service basis, accessible over the Internet. Usually the services are billed using a fine-grained utility computing model.

  2. A community cloud might be established when several organizations have similar computing requirements and they wish to share infrastructure costs in order to realize some of the benefits of cloud computing. This approach may offer a higher level of privacy, security or policy compliance than a public cloud. An example of this approach is the Google "Gov Cloud".

  3. A private cloud typically refers to a set of servers that run virtual machines inside an organization's perimeter, where virtual servers can be activated and deactivated on demand. This allows organizations to get some of the benefits of cloud computing (i.e., rapid provisioning and deprovisioning) but without relying on a third party. This eliminates both benefits and risks associated with a public cloud.

  4. A hybrid cloud is an architecture that combines a private cloud with a public cloud. For example, an application might be configured to normally run on a private cloud, except in situations where there is short-lived high demand, in which case additional resources on a public cloud are also consumed. Alternately, some components of an application might run on a public cloud while others remain inside the corporate network perimeter.

Cloud vendors

Typically a cloud service provider (CSP) (or application service provider, cloud computing provider, or cloud vendor) delivers common business applications via a network. These applications are accessed either by other applications as web services or by users via their web browser. Application software and data reside on servers managed by the CSP. In other words, a CSP is a business that provides computing capacity, applications or data to customers over a network.

Examples of public cloud vendors

Following are some example CSPs, which illustrate the breadth of the cloud computing market:

Company        | PaaS offerings                                              | SaaS offerings
---------------|-------------------------------------------------------------|------------------------------------------------------
Microsoft      | Windows Azure Content Delivery Network and Azure AppFabric | Exchange Online, Office Live, SharePoint Online
Salesforce.com | Force.com                                                   | Sales Cloud, Service Cloud, Chatter
ADP            | n/a                                                         | Payroll, HR, Time/attendance, procurement, many others
Amazon         | Elastic Compute Cloud (EC2)                                 | Simple Pay, WebStore, etc.
Google         | App Engine, Gov Cloud                                       | Mail, Applications
Rackspace      | cloudservers, cloudfiles, cloudsites                        | n/a
Hosting.com    | Cloud VPS, Cloud Enterprise, Cloud Dedicated, Cloud Private | n/a

Overview of identity and access management

Identity administration vs. runtime access control

The term "identity and access management" is quite broad and can be used in reference to a wide variety of services. IAM may refer to services designed to manage the definition of users, including their identity attributes and security entitlements. Alternately, IAM can refer to services designed to intercept attempts by users to access applications or data and to implement runtime security, including authentication, authorization and audit.

In other words, there are administrative IAM services and runtime access control services. These two types of services typically interact through a directory -- managed by the former and consumed by the latter to make runtime decisions.

Identity administration services

Administrative IAM systems manage the login accounts, security entitlements, identity attributes and authentication factors assigned to users.

  1. Password management is the ability of an IAM system to manage user passwords on one or more systems or applications. Functionally, this includes password synchronization, self-service password reset or the management of other authentication factors such as security questions or PINs on smart cards and OTP tokens.

  2. User provisioning is the ability of an IAM system to create, modify and delete login accounts for users on systems and applications. This may be done as a consequence of a variety of business processes, including auto-provisioning and deactivation driven by a data feed from an authoritative system of record (SoR), delegated administration of users and entitlements by application owners, managers or other non-IT staff, self-service requests for security entitlements or profile updates, approvals workflow, periodic review of security entitlements and more.

  3. Role Based Access Control (RBAC) is a strategy for user provisioning where sets of entitlements are collected into roles and roles are assigned to users. This reduces the need to assign individual entitlements to users, which is advantageous since individual entitlements are often very technical and hard for business users to understand. Instead, roles with business-friendly names are assigned to users, either by request or using rules expressed in terms of identity attributes.

  4. Privileged access management (also known as privileged password management and privileged ID management) is used to secure the access of users to accounts that have elevated security rights, such as root on Unix, Administrator on Windows, etc. This is typically done by periodically changing the passwords of these accounts to random values, storing those password values in a secure vault, applying policy and workflow to control which user is allowed to connect to which account and injecting passwords from the vault into login sessions.
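The provisioning and RBAC items above describe accounts being created and deactivated from an authoritative system of record, with entitlements reaching users only through roles that attribute rules assign. The following Python is an added illustration written for this page, not the product's or the author's code; the HR feed, account list, roles and rules are all constructed sample data.

```python
# Constructed sample data: an HR feed acting as the authoritative system of
# record (SoR), and the login accounts that currently exist on a target system.
SOR_FEED = [
    {"id": "u100", "dept": "finance", "title": "analyst", "status": "active"},
    {"id": "u101", "dept": "engineering", "title": "developer", "status": "active"},
    {"id": "u102", "dept": "finance", "title": "manager", "status": "terminated"},
]
EXISTING_ACCOUNTS = {"u101", "u102", "u900"}  # u900 has no SoR record (orphan)

# Roles collect technical entitlements under business-friendly names.
ROLES = {
    "base-user": {"email", "intranet"},
    "finance-staff": {"erp-ledger-read", "expense-tool"},
    "finance-manager": {"erp-ledger-write", "expense-approve"},
    "developer": {"git", "ci-server"},
}

# Role assignment rules expressed in terms of identity attributes (hypothetical).
ROLE_RULES = [
    ("base-user", lambda p: True),
    ("finance-staff", lambda p: p["dept"] == "finance"),
    ("finance-manager", lambda p: p["dept"] == "finance" and p["title"] == "manager"),
    ("developer", lambda p: p["dept"] == "engineering"),
]

def roles_for(person):
    """Roles a person holds by rule; request-based roles would be unioned in here."""
    return {role for role, rule in ROLE_RULES if rule(person)}

def entitlements_for(person):
    """Effective entitlements: the union of every held role's entitlement set."""
    ents = set()
    for role in roles_for(person):
        ents |= ROLES[role]
    return ents

def reconcile(feed, accounts):
    """Derive provisioning actions from the SoR feed: create accounts for new
    active people, update entitlements for existing ones, and deactivate both
    terminated people and orphan accounts that have no SoR record at all."""
    actions = {"create": {}, "update": {}, "deactivate": set()}
    seen = set()
    for p in feed:
        seen.add(p["id"])
        if p["status"] != "active":
            if p["id"] in accounts:
                actions["deactivate"].add(p["id"])
            continue
        bucket = "update" if p["id"] in accounts else "create"
        actions[bucket][p["id"]] = entitlements_for(p)
    actions["deactivate"] |= accounts - seen  # orphans are a classic audit finding
    return actions
```

The orphan-account rule goes slightly beyond the text: an account with no matching SoR record is treated as something to deactivate rather than ignore.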

Access control services

Another class of IAM functions is intended to secure the access of users to applications and data at runtime. Access control systems authenticate users into applications and make real-time decisions about what a user can and cannot do:

  1. Web access management / web single sign-on (WebAM) authenticates users, tracks authentication state (normally using cookies) and eliminates the need for users to sign into each application separately. In some deployments, WebAM systems also enforce authorization rules, typically at the granularity of URLs. Users may still have login accounts and other data, such as preferences and ACLs, on each application they sign into.

  2. Federation allows users to authenticate in one domain and seamlessly access applications in another domain. For example, a user might sign into a corporate Active Directory and use a federation system to access a SaaS CRM application without having to manually sign into the SaaS application. Where federation is used, the application users sign into may not have persistent records of users (i.e., no login IDs, preferences, etc.). Instead, applications can trust the federation infrastructure to make assertions about who legitimate users are and what they can access.

  3. Claims-based authentication and authorization systems are a form of federation, where assertions about the identity, authentication status and authorization of users may be made by multiple providers. For example, one system may make a claim about the user's name, another about the user's employer, another about the user's department, etc. The user's web browser may combine these claims when signing into an application, which then decides what access rights to grant the user based on the set of assertions the user's web browser can offer.
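The claims-based flow just described, with two providers each asserting part of the picture and the application deciding from the combined set, as an added Python illustration written for this page (not code from any product mentioned). The issuer names, shared HMAC secrets and policy are constructed; the HMAC token stands in for the signed SAML or JWT assertions a real federation deployment would verify.

```python
import hashlib, hmac, json, time

# Constructed trust store: each claims provider shares an HMAC secret with the
# application. Only assertions from these issuers count for anything.
TRUSTED_ISSUERS = {
    "idp.example": b"idp-secret",  # asserts who the user is and that they logged in
    "hr.example": b"hr-secret",    # asserts employer and department
}

def issue_claim(issuer, key, claims, ttl=300):
    """A provider produces a signed, short-lived claim set."""
    body = {"iss": issuer, "exp": int(time.time()) + ttl, "claims": claims}
    payload = json.dumps(body, sort_keys=True)
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

def verify_claim(token, now=None):
    """Return (issuer, claims) only for a trusted, untampered, unexpired token."""
    body = json.loads(token["payload"])
    key = TRUSTED_ISSUERS.get(body.get("iss"))
    if key is None:
        return None  # unknown provider: its assertions carry no weight
    expected = hmac.new(key, token["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None  # forged, or modified while in the browser's hands
    if body["exp"] < (now if now is not None else time.time()):
        return None  # stale assertion
    return body["iss"], body["claims"]

def combine_claims(tokens, now=None):
    """Merge the claims a browser presents, keyed by (claim, issuer) so one
    provider can never overwrite what another provider asserted."""
    merged = {}
    for token in tokens:
        verified = verify_claim(token, now)
        if verified:
            issuer, claims = verified
            for name, value in claims.items():
                merged[(name, issuer)] = value
    return merged

# Application policy: each resource lists which claim must hold which value,
# and which issuer must be the one asserting it (self-asserted claims fail).
POLICY = {
    "ledger": [("authenticated", True, "idp.example"),
               ("department", "finance", "hr.example")],
}

def authorize(merged, resource):
    return all(merged.get((name, issuer)) == value
               for name, value, issuer in POLICY[resource])
```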
