Best Practices to Secure the Cloud with Identity Management Arrow to Content

August 13, 2012 | 1 Comment

Authored by: Dan Dagnall, Director of Pre-Sales Engineering at Fischer International Identity

 

What is the “cloud identity?”   The “cloud identity” begins at the birth of the user’s “digital identity” and includes the attributes to define “who you are.”  “Cloud Identity” is not a new term to those in the industry, but one that has definitely taken hold as the way to define “you” in the cloud.  Much focus has been on how to “enable” a secure authentication event (through mechanisms like ADFS or Shibboleth), which is a key component of securing the transaction between Identity Providers (“IdP”) and Service Providers (“SP”). However, too little focus has been placed on the fundamental component required to “ensure” the integrity of the transaction; and by “integrity,” I mean that the person is right, the attributes are right, and the values are right  The integrity of a “cloud identity” transaction can only be secured by sound identity management practices, with a razor-sharp focus on attribute management and policy enforcement.

 

Competent attribute management is the foundation of securing the “cloud identity.”  It is the attribute and its corresponding value that ultimately determine the digital identity of an individual (or entity).  When you consider the level of accuracy required (if your true goal is the validity of the transaction) in a cloud-centric world, you will concede the importance of properly representing the user in the cloud.  When you consider attributes within this context, it becomes clear why identity management (IdM\) is the epicenter for securing the cloud identity.

 

Attribute management is much more than “just a middleware component;” it is identity management at a fundamental level.  This fundamental level must not be overlooked as our industry begins discussing the large scale initiatives to create a common “ecosystem” through which cloud identities will travel.

 

There are a few key components of the IdM stack that provide for the integrity I’m describing; automation and policy management/enforcement.

 

Best Practice #1: Automation

Sound identity management practices must include automation, which includes event detection and downstream provisioning (i.e. the system automatically detects when a user, along with data associated to the user, is added/modified within the system of record, followed by automatically provisioning the user and the required attributes to downstream systems). Detection of changes to key attributes specific to the user’s identity [ideally, in real time] ensures the validity of the attribute value, i.e. making sure the value is correct and placed in the proper location and that placement was/is authorized.

 

Manual modification of users (on downstream target systems) including manual entry of attribute/value pairs is not a secure approach unless identity management has authorized these actions and the user performing them.  Manual approaches can undermine data integrity and leave the user (whose identity and sensitive information will be floating around the cloud) at a major disadvantage and lead to improper representation of their identity in the cloud, not to mention the inherent risk for the user and the organization as a whole.  This represents a scary reality for some, unless of course IdM has been properly deployed to ensure that malicious events are either immediately detected or thwarted before-hand.

 

Automated event detection eliminates the need for manual interactions with the user’s attribute set, which as I’ve discussed is the single-most important aspect of securing one’s identity in the cloud.  Automated event detection when coupled with attribute management enables the proper enforcement of organizational policies put in place to protect the user.

 

Best Practice #2: Policy Management & Enforcement

Once automation is introduced, securing the remaining aspects of the cloud identity shifts to policy management and enforcement.  Policy management is the layer of IdM which defines who is authorized and what level of access will be granted to downstream target systems.  Whether bound by regulation (which is most often the case) or the requirement to comply with a set of standards and/or practices to participate in global federations (i.e. attribute management processes that meet a certain criteria), policy definition is the key to successfully securing the cloud identity.

 

Securing this layer cannot be accomplished by allowing unchecked “human” decisions to overrule the policy because it can have a direct effect on how that user is represented in the cloud.  As a user, I’d sleep much better knowing that automated policy enforcement is managing my cloud identity, and abiding by organizational or regulatory guidelines like CSA and others to keep my identity safe and properly represented in the cloud.

 

In conclusion, someone with direct access to my data (because there is no automation), who can manipulate my attribute values without authorization (because there is no policy definition and enforcement), could compromise the representation of my “cloud identity” and call into question the integrity of the entire transaction.

So before you consider cloud-based transactions, specifically those where identity data is required, it is in your best interest to solidify your IdM practices and introduce the components I’ve outlined.  Only then can you truly secure the cloud for your users and your organization.

Related CSA Resources Arrow to Content

Comments:

  1. Mikko Jakonen
    08.14.12

    Interesting article, one of the first one(s) to touch the base.

    I believe that referred cloud identity is representation of user with a certain role attached to managed identity, not a single sided entity which has an attribute set within. It allows managed multipresentation of identities depending on the role and attached agreement for utilizing information resources.

    The whole model current technologies provide should be turned upside down and shaked well, as they lack the actual support for cyberspace managed authorizations. I dont understand what is the identity transaction here is referred? If it means the possible transaction what is implemented while, for example provisioning happens, sure – integrity of information is everything.

    What comes to the attribute management, that is totally different story.
    Basically attribute management is non-existent and it is available everywhere within the cloud. What I mean by this is that each service in different identity domains may require own set of attributes managed. But, here is the catch – it
    should not be a management discipline to handle such array of attributes in variety of managed identity domains. Instead, the focus should be on interaction and data transformation between identity domains, or – variety of service agreements made between organizations. This, hoewever should happen in background. This is the reason it is not discipline for management but it is crucial part of the whole phenomenon.

    Securing cloud identities require a vast amount of other capabilities. I believe one crucial component is accredition of managed identities through a agreement mutually made between presented identity owner, or – say subscriber here to make this more interested. This basically means that both sides of the equation, subscriber and service provider (the organization whom delivers or provides the information resource, like yourcompany co.) should maintain the trust between each other and each side can be credited on.

    About the best practices – I sincerly believe that there exists best practices for current technologies to be managed efficiently. However, they lack a lots of cynberspace demanded capabilities.

    Automation CAN be included in, but it might not be necessity with all information resources. Most important thing is to be able to efficiently provide the data, even the information resource requirement evolve.

    Automated event detection is very tricky, and ofter requires tailoring on the far end(point), which in turn lowers the efficiency part of the cloud based solutions. Remember, cloud based solutions should deliver a multitenant capability,
    with lower costs than on premises solution.

Leave a Comment




Page Dividing Line