CCSK Guide
23 Mar 2011

Identity & Access Management in the Cloud

Identity and access management is covered in Domain 12 of the Cloud Security Alliance (CSA) Guide to the CCSK examination. An organization's identity and access management (IAM) strategy may be a key factor during its move into the cloud.

There are four main IAM functions that are integral for operations management in the cloud:

  1. Identity provisioning/deprovisioning
  2. Authentication and federation
  3. Authorization and user profile management
  4. Compliance support

These four main functions are discussed in further detail below.

Identity Provisioning & Deprovisioning

What is it? Identity provisioning and deprovisioning can be thought of as the on-boarding and off-boarding processes for users in the cloud. These apply to various types of user accounts, for instance: end users, application administrators, IT administrators, supervisors, developers, etc. Cloud services often rely on a registry of users to support billing, authentication, authorization, federation and auditing processes.

Requirements

For SaaS (software as a service) models:

  • Multi-stage setup
  • Application setup workflow
  • Communications security

For PaaS (platform as a service) models:

  • Automated provisioning that supports an organization standard (e.g. SPML)
  • Provision accounts for end users
  • API support for provisioning users
  • Manual provisioning for SMBs

For IaaS (infrastructure as a service) models:

  • Automated provisioning that supports a standard (e.g. SPML)
  • Provisioning users with role-based privileges
  • API support for provisioning users

Challenges

  • Development of cloud services and provisioning features has outpaced the development of provisioning standards
  • SPML providers may not be available to individual consumers
  • Providing necessary provisioning capabilities to developers as APIs
  • Organizations must follow proprietary mechanisms for identity management within IaaS clouds

Authentication

What is it? Authentication refers to the validation or confirmation of a user's credentials. Whether the user is a person, another application or a service, all users should be required to authenticate. Authorization, or the granting of access to resources requested, is absolutely pointless unless a strong authentication method is in place.

Challenges

  • Password protection and secure communication
  • Impersonation
  • Brute force dictionary-based attacks
  • Password reset attacks
  • Phishing attacks
  • Defining and enforcing a password/credential policy
  • Developing user-centric authentication methods

Federation

What is it? Federated Identity Management enables organizations to authenticate the users of their cloud services. Federation of identity allows allied enterprises to authenticate, provide single or reduced sign-on, and exchange identity attributes between the Service Provider (SP) and the Identity Provider (IdP). An SP refers to an internally deployed application or cloud service, while an IdP refers to the service consumer, or a party external to it.

Federation questions for vendors or service providers may include:

  • What federation standards do you support?
  • If you support federation standards like SAML, do you provide a toolkit, documentation and support for integrating with an enterprise identity provider?
  • What processes and procedures do you have in place to protect digital certificates?
  • How does the provider manage session timeouts? Is it policy-based?
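The SP/IdP exchange described above, as an added example that is not part of the original post or of the CSA guide: the IdP issues a signed assertion carrying identity attributes for a named SP, and the SP verifies the issuer, audience, signature and validity window before opening a session whose lifetime is capped by its own policy (the policy-based timeout asked about in the vendor questions). The HMAC signature over a shared key stands in for the certificate-based XML signature SAML uses; the entity identifiers, key and user record are constructed.

```python
"""Federated sign-on between an Identity Provider (IdP) and a Service Provider (SP).

Added illustration, not code from the CSA guide. The assertion format, the HMAC
signature (standing in for the X.509 certificate signature SAML uses) and all
names are assumptions; the shared key and user record are constructed.
"""
import base64
import hashlib
import hmac
import json

# Constructed key shared between IdP and SP for this demo. In a real SAML
# deployment the IdP signs with a private key and the SP verifies with the
# IdP's certificate, which is why certificate handling matters to the SP.
SHARED_KEY = b"constructed-demo-key-not-for-production"

SP_ENTITY_ID = "https://sp.example.test/app"    # assumed SP identifier
IDP_ENTITY_ID = "https://idp.example.test/sso"  # assumed IdP identifier


def _sign(payload: bytes) -> str:
    return hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()


def idp_issue_assertion(user_id: str, attributes: dict, audience: str,
                        now: int, lifetime: int = 300) -> dict:
    """IdP side: after authenticating the user locally, issue a short-lived
    signed assertion carrying identity attributes for one specific SP."""
    claims = {
        "issuer": IDP_ENTITY_ID,
        "subject": user_id,
        "audience": audience,
        "issued_at": int(now),
        "expires_at": int(now) + lifetime,
        "attributes": attributes,
    }
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return {"payload": payload.decode(), "signature": _sign(payload)}


def sp_consume_assertion(assertion: dict, now: int,
                         max_session_seconds: int = 900) -> dict:
    """SP side: verify signature, issuer, audience and validity window, then
    open a session whose lifetime is decided by SP policy, not by the IdP."""
    payload = assertion["payload"].encode()
    if not hmac.compare_digest(_sign(payload), assertion["signature"]):
        raise PermissionError("assertion signature invalid")
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims["issuer"] != IDP_ENTITY_ID:
        raise PermissionError("untrusted issuer")
    if claims["audience"] != SP_ENTITY_ID:
        raise PermissionError("assertion was issued for a different SP")
    if not claims["issued_at"] <= now < claims["expires_at"]:
        raise PermissionError("assertion outside its validity window")
    return {
        "subject": claims["subject"],
        "roles": claims["attributes"].get("roles", []),
        "session_expires_at": int(now) + max_session_seconds,
    }


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock value
    a = idp_issue_assertion("alice", {"roles": ["analyst"]}, SP_ENTITY_ID, t0)
    print(sp_consume_assertion(a, t0 + 10))
```

The audience check is what stops an assertion obtained from one cloud service being replayed at another, and the validity window plus the SP-side session cap are the two knobs a provider's "policy-based timeout" answer should cover.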

Access Control & User Profile Management

What is it? Access control refers to the granting of access to specific resources. It depends on accurate user profile information in order to make the appropriate decisions. Access control is more complicated in the cloud, since the user profile data may be hosted somewhere other than where the cloud service needs it. It is then necessary to ensure trusted data sources and secure transmission mechanisms.

Challenges

  • Control access to cloud service features
  • Control access to each user's data in multi-tenant environments
  • Ensure that user profile information and access control policy are accurate
  • Provide notification of account creation/removal
  • Provide adequate audit logs
  • Provide solutions for determining liability

Compliance

What is it? Appropriate IAM strategies can enable compliance with internal and/or regulatory requirements. IAM strategies that are well-designed can bring together information about accounts, access grants and segregation of duty enforcement, thus meeting the requirements of an enterprise's audit and compliance reporting.
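An added example tying together the provisioning/deprovisioning, access control and compliance sections above (illustration only, not code from the CSA guide): a small tenant-scoped IAM store that on-boards accounts with role-based privileges, enforces tenant isolation on every access decision, refuses role combinations that break segregation of duties, and records each provisioning event and access decision in an audit log. The role names, permissions, conflicting-role rule and user records are assumptions constructed for the demo.

```python
"""Tenant-scoped IAM store: provisioning, deprovisioning, RBAC with tenant
isolation, segregation-of-duties enforcement and an audit log.

Added illustration for this post, not code from the CSA guide. Role names,
permissions and the SoD rule are assumptions; the user records are constructed.
"""
from dataclasses import dataclass, field
import time

# Assumed role -> permission mapping for an illustrative application.
ROLE_PERMISSIONS = {
    "end_user": {"read_own_data"},
    "app_admin": {"read_own_data", "manage_features"},
    "it_admin": {"read_own_data", "manage_features", "manage_users"},
    "requester": {"request_payment"},
    "approver": {"approve_payment"},
}

# Assumed segregation-of-duties rule: nobody may both request and approve.
CONFLICTING_ROLES = [("requester", "approver")]


@dataclass
class User:
    user_id: str
    tenant: str
    roles: set
    active: bool = True


@dataclass
class IamStore:
    users: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _audit(self, event: str, **detail) -> None:
        # Every provisioning event and access decision is recorded; this is
        # the raw material for the audit and compliance reporting the post
        # describes.
        self.audit_log.append({"ts": time.time(), "event": event, **detail})

    def provision(self, user_id: str, tenant: str, roles: set) -> User:
        """On-boarding: create an account with role-based privileges, refusing
        unknown roles and role pairs that violate segregation of duties."""
        unknown = set(roles) - set(ROLE_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        for a, b in CONFLICTING_ROLES:
            if a in roles and b in roles:
                raise ValueError(f"segregation of duties: {a} and {b} conflict")
        user = User(user_id, tenant, set(roles))
        self.users[(tenant, user_id)] = user
        self._audit("provision", user=user_id, tenant=tenant, roles=sorted(roles))
        return user

    def deprovision(self, user_id: str, tenant: str) -> None:
        """Off-boarding: disable the account and strip its roles, keeping the
        record so the audit trail and data ownership stay intact."""
        user = self.users[(tenant, user_id)]
        user.active = False
        user.roles.clear()
        self._audit("deprovision", user=user_id, tenant=tenant)

    def is_allowed(self, user_id: str, tenant: str, permission: str,
                   resource_tenant: str) -> bool:
        """Access decision: the account must exist, be active, belong to the
        tenant that owns the resource, and hold a role granting the permission."""
        user = self.users.get((tenant, user_id))
        granted = (
            user is not None
            and user.active
            and resource_tenant == user.tenant  # multi-tenant isolation
            and any(permission in ROLE_PERMISSIONS[r] for r in user.roles)
        )
        self._audit("access", user=user_id, tenant=tenant, permission=permission,
                    resource_tenant=resource_tenant, granted=granted)
        return granted


if __name__ == "__main__":
    store = IamStore()
    store.provision("alice", "tenant-a", {"end_user"})
    print(store.is_allowed("alice", "tenant-a", "read_own_data", "tenant-b"))
    store.deprovision("alice", "tenant-a")
    for entry in store.audit_log:
        print(entry)
```

Keying the user table by (tenant, user_id) and comparing the resource's tenant on every decision is the simplest way to make the "each user's data in multi-tenant environments" requirement a property of the code path rather than of each caller's discipline; the segregation-of-duties check runs at provisioning time so a conflicting grant never reaches the audit log as a successful event.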

Future Directions

For SaaS (software as a service) models:

According to the CSA, SaaS models still have a long way to go in the development of their IAM strategies. However, we can anticipate the following changes:

For PaaS (platform as a service) models:

  • Increased vendor awareness of customers' identity management requirements
  • Increased support for federation and externalization of policy and user profile management
  • Ability to import user profile information from external sources

For IaaS (infrastructure as a service) models:

  • More sophisticated requirements for compute platform and user provisioning
  • Importing users and authorizations
  • Development of delegated administration
  • Partitioning of access models within IaaS environments

Summary

Domain 12 of the Cloud Security Alliance (CSA) Guide to the CCSK examination is Identity and Access Management (IAM). The article looks at the requirements and challenges of the four main IAM functions that are integral for operations management in the cloud: 1) identity provisioning/deprovisioning; 2) authentication and federation; 3) authorization and user profile management; and 4) compliance support. Finally, the article looks at future developments within the field of IAM, in terms of the SaaS (software as a service), PaaS (platform as a service) and IaaS (infrastructure as a service) models.

CCSK Exam Preparation

In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:

  • Identity & Access Management (Domain 12)