Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

10/25/2013
05:11 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Identity Management In The Cloud

Managing and securing user identities in the cloud is getting complicated.

As companies add more cloud services to their IT environments, the process of managing identities is getting more complex.

When companies use cloud services -- services they don't control themselves -- they still must develop sound policies around role-based access. They still must grant rights to users who need information to get work done. And they must be able to automatically take away those privileges when people leave a company or change roles. On top of it all, companies using cloud services are also bound by any compliance rules that govern their identity and access management (IAM) initiatives.

With the collection of cloud services now holding sensitive data, organizations have to contend with a smorgasbord of new login systems and proprietary connector APIs that often don't work well with internal IAM systems. "I bet that not many IT professionals thought they would look nostalgically at large, complex, on-premises deployments, but now many do," says Julian Lovelock, VP of product marketing for identity assurance at smart card manufacturer HID Global.

Managing cloud IAM means "using a complex set of one-off procedures," says Nishant Kaushik, chief architect for cloud IAM provider Identropy. This approach may lead to "chaos and an inability to audit any of the systems."

But sound identity management and governance is core to nearly all IT security functions. That's why security experts are advocating that companies improve how they manage identities in environments that mix cloud services and enterprise networks. "In this new world, you have to stitch the identities together," says Todd McKinnon, CEO of cloud IAM provider Okta.

Building Policies

Ask any enterprise IT administrator if his or her organization has a process for managing new software deployments, and the answer is invariably yes. You'll also likely get all hands raised if you ask about password management and user account management controls, says Greg Brown, VP and CTO of cloud and data center solutions for McAfee. But there aren't nearly as many raised hands when you ask how many have a procedure for someone to buy infrastructure-as-a-service, or for on-boarding users in a new software-as-a-service (SaaS) application, he says.

Two of the most fundamental policies of IT are which software can be used and how the credentials to use them should be administered, says Brown. These policies govern which applications, devices and people have access to which pools of sensitive information. Companies have these policies largely in place for on-premises systems, but they often do not know which users are leveraging SaaS -- and whether they're compliant with corporate and regulatory policies.

The need for security and compliance is driving some companies to find better ways to bridge enterprise IAM and cloud provider applications, often by provisioning user identity through cloud-capable, federated single sign-on (SSO). "In a bridge, the enterprise maintains control of its own identities and its own authentication," says Allan Foster, VP of technology and standards for ForgeRock, an open platform provider of IAM systems. "And since the service transaction is initiated by the enterprise, it can maintain auditing as to who accessed the service and when, although not about what was done."

same as caption

Many companies are achieving this bridge through Active Directory (AD) and Lightweight Directory Access Protocol connections, setting policies that can be enforced through group membership based on the users. Enterprises have been pressuring cloud providers to embrace standards including SAML, OAuth and OpenID for easier exchange of authentication information between the cloud provider and the enterprise.

An employee using a federated single sign-on system is given one set of credentials to access multiple cloud accounts. This user is only authorized to use those cloud accounts permitted by the group he or she belongs to. For example, if a user is in the sales group in Active Directory, he or she would be given secure access to Salesforce.com as well as the enterprise's in-house sales applications. This approach aids the rapid rollout of new cloud services to large groups of users. Even more importantly, using AD to aggregate identities in cloud environments speeds up the deprovisioning of cloud applications to employees when they leave the company or change roles.

"Enforcing the use of federated SSO -- and not using passwords with cloud apps -- means that users can only log in to cloud apps if they have an account in AD," says Patrick Harding, CTO of cloud IAM company Ping Identity. "Terminated users are usually immediately disabled in AD by IT and will not be able to access any cloud apps."

This type of single sign-on provides more control over the cloud sign-in process, but it's only at the first stage of maturity for efficiently getting people onto the system. This initial operational focus mirrors the maturation that happened with on-premises IAM years ago, says Kaushik. "Once the cloud operational things are solved, people realize they have governance problems and compliance problems," Kaushik says. "It isn't simply about being able to create accounts. It's also how to create an account, when to create an account and how to deprovision an account."

As companies get accustomed to cloud single sign-on, they often find that cloud identity services lack fine-tuning for authorizing and monitoring a user's access to cloud resources.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Previous
1 of 3
Next
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Take me to your BISO 
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-20538
PUBLISHED: 2021-05-10
IBM Cloud Pak for Security (CP4S) 1.5.0.0 and 1.5.0.1 could allow a user to obtain sensitive information or perform actions they should not have access to due to incorrect authorization mechanisms. IBM X-Force ID: 198919.
CVE-2021-20559
PUBLISHED: 2021-05-10
IBM Control Desk 7.6.1.2 and 7.6.1.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 199228.
CVE-2021-20577
PUBLISHED: 2021-05-10
IBM Cloud Pak for Security (CP4S) 1.5.0.0 and 1.5.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force I...
CVE-2021-29501
PUBLISHED: 2021-05-10
Ticketer is a command based ticket system cog (plugin) for the red discord bot. A vulnerability allowing discord users to expose sensitive information has been found in the Ticketer cog. Please upgrade to version 1.0.1 as soon as possible. As a workaround users may unload the ticketer cog to disable...
CVE-2020-13529
PUBLISHED: 2021-05-10
An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server.