Background: Cloud Computing and IAM
The term "cloud"
The term "cloud" is a metaphor for the Internet and originates with the cloud icons used to represent the telephone system and the Internet in early network architecture diagrams. The cloud is an abstraction of the underlying infrastructure of a network -- usually the Internet.
The idea is essentially one of ambiguity -- there are some services "out there," "in the cloud" which can be accessed over "some sort of network." The amorphous shape of a cloud makes it clear that there is ambiguity around the location of services and the connectivity to those services.
Cloud infrastructure is that of the typical data center, consisting of servers and network equipment. Services offered in a cloud can range from simple application web user interfaces to dynamically allocated virtual machines and databases. The key concept in cloud computing is to commoditize the infrastructure on which an application runs, so that network connectivity, computing capacity, operating systems and more are provisioned on demand, through a utility business model. The term utility is used here in the sense of an electricity grid or telephone service provider.
Overview of cloud computing
SaaS, PaaS, IaaS
There are broadly three kinds of services offered by cloud vendors:
- Cloud application services or Software as a Service (SaaS)
delivers application software over the Internet. This frees customers
from having to provision hardware to host their own copies of these
applications, from installing the applications and from maintaining
- Cloud platform services or Platform as a Service (PaaS)
delivers application development and runtime platforms as a service.
These may include programming languages, runtime abstractions,
database services and more.
- Cloud infrastructure services or Infrastructure as a Service (IaaS) delivers more complex computing infrastructure, on demand. In this scenario, customers can provision not only individual virtual or physical machines, but also the network topology that connects them as needed.
Private, community, public and hybrid clouds
There are a variety of implementations of the cloud concept:
- A public cloud (or external cloud) is the most common.
In this model, a cloud vendor offers solutions that are dynamically
provisioned on a fine-grained, self-service basis, accessible over
the Internet. Usually the services are billed using a fine-grained
utility computing model.
- A community cloud might be established when several
organizations have similar computing requirements and they wish to
share infrastructure costs in order to realize some of the benefits of
cloud computing. This approach may offer a higher level of privacy,
security or policy compliance than a public cloud. An example of
this approach is the Google "Gov Cloud".
- A private cloud typically refers to a set of servers that
run virtual machines inside an organization's perimeter, where
virtual servers can be activated and deactivated on demand.
This allows organizations to get some of the benefits of cloud
computing (i.e., rapid provisioning and deprovisioning) but without
relying on a third party. This eliminates both
benefits and risks associated with a public cloud.
- A hybrid cloud is an architecture that combines a private cloud with a public cloud. For example, an application might be configured to normally run on a private cloud, except in situations where there is short-lived high demand, in which case additional resources on a public cloud are also consumed. Alternately, some components of an application might run on a public cloud while others remain inside the corporate network perimeter.
Typically a cloud service provider (CSP) (or application service provider, cloud computing provider, or cloud vendor) delivers common business applications via a network. These applications are accessed either by other applications as web services or by users via their web browser. Application software and data reside on servers managed by the CSP. In other words, a CSP is a business that provides computing capacity, applications or data to customers over a network.
Examples of public cloud vendors
Following are some example CSPs, which illustrate the breadth of the cloud computing market:
| Company | PaaS offerings | SaaS offerings |
|---|---|---|
| Microsoft | Windows Azure Content Delivery Network and Azure AppFabric | Exchange Online, Office Live, SharePoint Online |
| Salesforce.com | Force.com | Sales cloud, Service Cloud, Chatter |
| ADP | n/a | Payroll, HR, Time/attendance, procurement, many others |
| Amazon | Elastic Compute Cloud (EC2) | Simple Pay, WebStore, etc. |
| Google | App Engine, Gov Cloud | Mail, Applications |
| Rackspace | cloudservers, cloudfiles, cloudsites | n/a |
| Hosting.com | Cloud VPS, Cloud Enterprise, Cloud Dedicated, Cloud Private | n/a |
Overview of identity and access management
Identity administration vs. runtime access control
The term "identity and access management" is quite broad and can be used in reference to a wide variety of services. IAM may refer to services designed to manage the definition of users, including their identity attributes and security entitlements. Alternately, IAM can refer to services designed to intercept attempts by users to access applications or data and to implement runtime security, including authentication, authorization and audit.
In other words, there are administrative IAM services and runtime access control services. These two types of services typically interact through a directory -- managed by the former and consumed by the latter to make runtime decisions.
Identity administration services
Administrative IAM systems manage the login accounts, security entitlements, identity attributes and authentication factors assigned to users.
- Password management is the ability of an IAM system
to manage user passwords on one or more systems or applications.
Functionally, this includes password synchronization,
self-service password reset or the management of other
authentication factors such as security questions or PINs on
smart cards and OTP tokens.
- User provisioning is the ability of an IAM system
to create, modify and delete login accounts for users on
systems and applications. This may be done as a consequence of
a variety of business processes, including auto-provisioning
and deactivation driven by a data feed from an authoritative
system of record (SoR), delegated administration of users and
entitlements by application owners, managers or other non-IT
staff, self-service requests for security entitlements or
profile updates, approvals workflow, periodic review of security
entitlements and more.
- Role Based Access Control (RBAC) is a strategy for user
provisioning where sets of entitlements are collected into roles
and roles are assigned to users. This reduces the need to
assign individual entitlements to users, which is advantageous
since individual entitlements are often very technical and
hard for business users to understand. Instead, roles with
business-friendly names are assigned to users, either by request
or using rules expressed in terms of identity attributes.
- Privileged access management (also known as privileged password management and privileged ID management) is used to secure the access of users to accounts that have elevated security rights, such as root on Unix, Administrator on Windows, etc. This is typically done by periodically changing the passwords of these accounts to random values, storing those password values in a secure vault, applying policy and workflow to control which user is allowed to connect to which account and injecting passwords from the vault into login sessions.
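The role based access control strategy described above, as an added example that is not part of the original paper: entitlements are grouped into business-friendly roles, roles reach users either by request or through rules over identity attributes, and a user's effective entitlements are derived from the resulting role set. Role names, entitlement strings, users and the attribute rules are constructed sample data; the functions `roles_for`, `entitlements_for` and `entitlement_changes` are this example's own, not an API of any product.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class User:
    login: str
    attributes: Dict[str, str]              # identity attributes from the system of record
    requested_roles: FrozenSet[str] = frozenset()  # roles granted by request/approval


# Roles: business-friendly name -> set of technical entitlements (constructed)
ROLES: Dict[str, Set[str]] = {
    "Staff": {"email:mailbox", "intranet:read"},
    "Finance Analyst": {"erp:gl:read", "erp:reports:run", "fileshare:finance:read"},
    "Finance Manager": {"erp:gl:approve", "fileshare:finance:write"},
}

# Rules expressed in terms of identity attributes: a role is granted
# automatically while its predicate holds and revoked when it stops holding
RULES: List[Tuple[str, Callable[[Dict[str, str]], bool]]] = [
    ("Staff", lambda a: a.get("status") == "active"),
    ("Finance Analyst", lambda a: a.get("department") == "Finance"),
    ("Finance Manager", lambda a: a.get("department") == "Finance"
                                  and a.get("title") == "Manager"),
]


def roles_for(user: User) -> Set[str]:
    """Roles assigned by rule plus roles granted by request."""
    # A deactivated identity (e.g. terminated in the SoR feed) keeps no roles
    if user.attributes.get("status") != "active":
        return set()
    by_rule = {role for role, predicate in RULES if predicate(user.attributes)}
    # Requested roles must exist in the catalogue; unknown names are ignored
    by_request = {role for role in user.requested_roles if role in ROLES}
    return by_rule | by_request


def entitlements_for(user: User) -> Set[str]:
    """Effective technical entitlements, derived only through roles."""
    granted: Set[str] = set()
    for role in roles_for(user):
        granted |= ROLES[role]
    return granted


def entitlement_changes(before: User, after: User) -> Tuple[Set[str], Set[str]]:
    """What a provisioning engine would add and remove when attributes change.
    Returns (to_grant, to_revoke)."""
    old, new = entitlements_for(before), entitlements_for(after)
    return new - old, old - new


if __name__ == "__main__":
    alice = User("alice", {"status": "active", "department": "Finance", "title": "Manager"})
    moved = User("alice", {"status": "active", "department": "Sales", "title": "Manager"})
    print("roles:", sorted(roles_for(alice)))
    print("grant/revoke on transfer:", entitlement_changes(alice, moved))
```

The point of `entitlement_changes` is that rule-driven roles cut both ways: a department transfer or a terminated status in the authoritative feed removes entitlements without anyone having to remember which technical permissions the user held.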
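The privileged access management cycle described in the last bullet, as an added example that is not part of the original paper and not the code of any PAM product: the vault rotates a privileged account's password to a random value, a policy decides which requester may check the account out, every decision is audited, and check-in rotates the password again so the disclosed value stops working. Account names, group memberships and the policy table are constructed; the in-memory dictionary stands in for what a real product keeps in an encrypted, HSM-backed vault.

```python
import secrets
import string
from datetime import datetime, timezone
from typing import Dict, List, Set

PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"
PASSWORD_LENGTH = 24

# Policy: which groups may connect to which privileged account (constructed)
ACCESS_POLICY: Dict[str, Set[str]] = {
    "root@db01.example.test": {"dba-team"},
    "Administrator@web01.example.test": {"web-ops"},
}

# Group membership of requesting users (constructed; normally read from a directory)
GROUP_MEMBERSHIP: Dict[str, Set[str]] = {
    "alice": {"dba-team"},
    "bob": {"web-ops"},
}


class PrivilegedAccountVault:
    """In-memory stand-in for the secure vault (hypothetical class for this example)."""

    def __init__(self) -> None:
        self._passwords: Dict[str, str] = {}
        self.audit: List[dict] = []          # append-only trail of every event

    def _log(self, event: str, account: str, actor: str, **extra: str) -> None:
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "event": event, "account": account, "actor": actor, **extra,
        })

    def rotate(self, account: str) -> str:
        """Set the account to a fresh random value. The value is returned only so
        the caller can push it to the target system; users never receive it here."""
        new_password = "".join(secrets.choice(PASSWORD_ALPHABET)
                               for _ in range(PASSWORD_LENGTH))
        self._passwords[account] = new_password
        self._log("rotate", account, actor="vault")
        return new_password

    def checkout(self, user: str, account: str, reason: str) -> str:
        """Release the current password (or inject it into a session) if policy allows."""
        permitted = ACCESS_POLICY.get(account, set()) & GROUP_MEMBERSHIP.get(user, set())
        if not permitted:
            self._log("checkout-denied", account, actor=user, reason=reason)
            raise PermissionError(f"{user} is not permitted to use {account}")
        if account not in self._passwords:
            raise KeyError(f"{account} is not enrolled in the vault")
        self._log("checkout", account, actor=user, reason=reason)
        return self._passwords[account]

    def checkin(self, user: str, account: str) -> str:
        """End of use: rotate immediately so the disclosed value is no longer valid."""
        self._log("checkin", account, actor=user)
        return self.rotate(account)


def events(vault: PrivilegedAccountVault, kind: str) -> List[dict]:
    """Filter the audit trail by event type."""
    return [e for e in vault.audit if e["event"] == kind]


if __name__ == "__main__":
    vault = PrivilegedAccountVault()
    vault.rotate("root@db01.example.test")
    vault.checkout("alice", "root@db01.example.test", reason="change ticket 42")
    vault.checkin("alice", "root@db01.example.test")
    for e in vault.audit:
        print(e["event"], e["account"], e["actor"])
```

The rotation-on-checkin step is what turns a shared, static root password into a short-lived credential; the audit trail is what lets an incident responder later answer who held a given account at a given time.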
Access control services
Another class of IAM functions is intended to secure the access of users to applications and data at runtime. Access control systems authenticate users into applications and make real-time decisions about what a user can and cannot do:
- Web access management / web single signon (WebAM)
authenticates users, tracks authentication state (normally using
cookies) and eliminates the need for users to sign into each
application separately. In some deployments, WebAM systems
also enforce authorization rules, typically at the granularity
of URLs. Users may still have login accounts and other
data, such as preferences and ACLs, on each application they
- Federation allows users
to authenticate in one domain and seamlessly access applications
in another domain. For example, a user might sign into a
corporate Active Directory and use a federation system to access
a SaaS CRM application without having to manually sign into the
SaaS application. Where federation is used, the application
users sign into may not have persistent records of users
(i.e., no login IDs, preferences, etc.). Instead, applications
can trust the federation infrastructure to make assertions
about who legitimate users are and what they can access.
- Claims based authentication and authorization systems are a form of federation, where assertions about the identity, authentication status and authorization of users may be made by multiple providers. For example, one system may make a claim about the user's name, another about the user's employer, another about the user's department, etc. The user's web browser may combine these claims when signing into an application, which then decides what access rights to grant the user based on the set of assertions the user's web browser can offer.
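The federation and claims based models of the last two bullets, as one added example that is not part of the original paper: several providers each sign assertions about a user, the user's browser presents the whole set, and the relying application keeps only the claims that verify under a key it trusts, come from an issuer it trusts for that claim type and refer to the expected subject, then decides access from the merged set. Issuer names, shared secrets and the trust policy are constructed; HMAC-SHA256 over a canonical JSON payload stands in for the XML or JSON signatures real federation protocols use, and `merge_claims`/`authorize` are this example's own names.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Signing secrets of the claim providers (constructed sample values)
ISSUER_KEYS: Dict[str, bytes] = {
    "idp.example.test": b"idp-signing-secret",
    "hr.example.test": b"hr-signing-secret",
}

# Which issuer the application trusts for which claim type: the HR system may
# vouch for employer and department, the identity provider for authentication
TRUST_POLICY: Dict[str, set] = {
    "authenticated": {"idp.example.test"},
    "name": {"idp.example.test"},
    "employer": {"hr.example.test"},
    "department": {"hr.example.test"},
}

PERMITTED_DEPARTMENTS = {"Finance", "Audit"}


def _canonical(payload: dict) -> bytes:
    """Deterministic serialisation so signer and verifier hash the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_claim(issuer: str, key: bytes, subject: str, claim: str, value) -> dict:
    """A provider signs one assertion about a subject."""
    payload = {"iss": issuer, "sub": subject, "claim": claim, "value": value}
    sig = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify_claim(token: dict) -> Optional[dict]:
    """Return the payload if its signature is valid under the named issuer's key."""
    payload = token["payload"]
    key = ISSUER_KEYS.get(payload.get("iss"))
    if key is None:
        return None                       # unknown issuer: nothing to verify against
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None                       # tampered or forged
    return payload


def merge_claims(tokens: List[dict], subject: str) -> Dict[str, object]:
    """Combine the claims a browser presents into one attribute set, discarding
    anything unverifiable, about another subject, or from an issuer not trusted
    for that claim type."""
    merged: Dict[str, object] = {}
    for token in tokens:
        payload = verify_claim(token)
        if payload is None or payload["sub"] != subject:
            continue
        if payload["iss"] not in TRUST_POLICY.get(payload["claim"], set()):
            continue
        merged[payload["claim"]] = payload["value"]
    return merged


def authorize(merged: Dict[str, object]) -> bool:
    """The application's own access rule over the merged claim set."""
    return (merged.get("authenticated") is True
            and merged.get("employer") == "Example Corp"
            and merged.get("department") in PERMITTED_DEPARTMENTS)


if __name__ == "__main__":
    idp, hr = "idp.example.test", "hr.example.test"
    presented = [
        issue_claim(idp, ISSUER_KEYS[idp], "alice", "authenticated", True),
        issue_claim(hr, ISSUER_KEYS[hr], "alice", "employer", "Example Corp"),
        issue_claim(hr, ISSUER_KEYS[hr], "alice", "department", "Finance"),
    ]
    claims = merge_claims(presented, "alice")
    print(claims, "->", "granted" if authorize(claims) else "denied")
```

The per-claim-type trust table is the part most worth copying: an identity provider that can authenticate a user is not thereby authoritative about that user's employer, so an application that accepts any claim from any trusted issuer lets one compromised or over-reaching provider escalate the user's access.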