Analytics

10/25/2013
05:11 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Identity Management In The Cloud

Managing and securing user identities in the cloud is getting complicated.

As companies add more cloud services to their IT environments, the process of managing identities is getting more complex.

When companies use cloud services -- services they don't control themselves -- they still must develop sound policies around role-based access. They still must grant rights to users who need information to get work done. And they must be able to automatically take away those privileges when people leave a company or change roles. On top of it all, companies using cloud services are also bound by any compliance rules that govern their identity and access management (IAM) initiatives.

With the collection of cloud services now holding sensitive data, organizations have to contend with a smorgasbord of new login systems and proprietary connector APIs that often don't work well with internal IAM systems. "I bet that not many IT professionals thought they would look nostalgically at large, complex, on-premises deployments, but now many do," says Julian Lovelock, VP of product marketing for identity assurance at smart card manufacturer HID Global.

Managing cloud IAM means "using a complex set of one-off procedures," says Nishant Kaushik, chief architect for cloud IAM provider Identropy. This approach may lead to "chaos and an inability to audit any of the systems."

But sound identity management and governance is core to nearly all IT security functions. That's why security experts are advocating that companies improve how they manage identities in environments that mix cloud services and enterprise networks. "In this new world, you have to stitch the identities together," says Todd McKinnon, CEO of cloud IAM provider Okta.

Building Policies

Ask any enterprise IT administrator if his or her organization has a process for managing new software deployments, and the answer is invariably yes. You'll also likely get all hands raised if you ask about password management and user account management controls, says Greg Brown, VP and CTO of cloud and data center solutions for McAfee. But there aren't nearly as many raised hands when you ask how many have a procedure for someone to buy infrastructure-as-a-service, or for on-boarding users in a new software-as-a-service (SaaS) application, he says.

Two of the most fundamental policies of IT are which software can be used and how the credentials to use them should be administered, says Brown. These policies govern which applications, devices and people have access to which pools of sensitive information. Companies have these policies largely in place for on-premises systems, but they often do not know which users are leveraging SaaS -- and whether they're compliant with corporate and regulatory policies.

The need for security and compliance is driving some companies to find better ways to bridge enterprise IAM and cloud provider applications, often by provisioning user identity through cloud-capable, federated single sign-on (SSO). "In a bridge, the enterprise maintains control of its own identities and its own authentication," says Allan Foster, VP of technology and standards for ForgeRock, an open platform provider of IAM systems. "And since the service transaction is initiated by the enterprise, it can maintain auditing as to who accessed the service and when, although not about what was done."

same as caption

Many companies are achieving this bridge through Active Directory (AD) and Lightweight Directory Access Protocol connections, setting policies that can be enforced through group membership based on the users. Enterprises have been pressuring cloud providers to embrace standards including SAML, OAuth and OpenID for easier exchange of authentication information between the cloud provider and the enterprise.

An employee using a federated single sign-on system is given one set of credentials to access multiple cloud accounts. This user is only authorized to use those cloud accounts permitted by the group he or she belongs to. For example, if a user is in the sales group in Active Directory, he or she would be given secure access to Salesforce.com as well as the enterprise's in-house sales applications. This approach aids the rapid rollout of new cloud services to large groups of users. Even more importantly, using AD to aggregate identities in cloud environments speeds up the deprovisioning of cloud applications to employees when they leave the company or change roles.

"Enforcing the use of federated SSO -- and not using passwords with cloud apps -- means that users can only log in to cloud apps if they have an account in AD," says Patrick Harding, CTO of cloud IAM company Ping Identity. "Terminated users are usually immediately disabled in AD by IT and will not be able to access any cloud apps."

This type of single sign-on provides more control over the cloud sign-in process, but it's only at the first stage of maturity for efficiently getting people onto the system. This initial operational focus mirrors the maturation that happened with on-premises IAM years ago, says Kaushik. "Once the cloud operational things are solved, people realize they have governance problems and compliance problems," Kaushik says. "It isn't simply about being able to create accounts. It's also how to create an account, when to create an account and how to deprovision an account."

As companies get accustomed to cloud single sign-on, they often find that cloud identity services lack fine-tuning for authorizing and monitoring a user's access to cloud resources.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Previous
1 of 3
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] Assessing Cybersecurity Risk
[Strategic Security Report] Assessing Cybersecurity Risk
As cyber attackers become more sophisticated and enterprise defenses become more complex, many enterprises are faced with a complicated question: what is the risk of an IT security breach? This report delivers insight on how today's enterprises evaluate the risks they face. This report also offers a look at security professionals' concerns about a wide variety of threats, including cloud security, mobile security, and the Internet of Things.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.