6/26/2018 08:05 AM
Alan Zeichick

Cloud-Based Identity Management Systems: What to Look For

Most of the big cloud players, including Google, Microsoft and AWS, offer some form of identity and access management. There are plenty of other cloud-based and on-premises IAM systems as well. Here's what you need to look for.

On the Internet, famously, nobody knows that you're a dog. Fine, you're a dog. But whose dog are you? Are you authorized to use the doggy door? Eat from the food bowl? Sleep in the dog bed? Bark at intruders? Ultimately, are you a good dog?

With a real-life dog, you can check the ID tag on the pet collar. What about authorizing people or applications to use enterprise applications and networks? Traditionally, that's the realm of server-based identity and access management (IAM) systems such as Microsoft's Active Directory or a Linux-based Lightweight Directory Access Protocol (LDAP) server.

In the cloud era, there are new cloud-native IAM packages that work more efficiently.

Before we dive into some of the choices, let's look at the features and functions of an IAM system. An IAM package -- on-premises systems such as Active Directory or an LDAP server -- does more than say "access permitted" or "access denied."

There are ranges of protection and of access control, governing everything from permission to use a WiFi network to being able to use a single sign-on (SSO) package to gain access to cloud servers, to being granted (or denied) administrative privileges, to being granted (or denied) access to some data fields or functions within applications.

For example, take a human-resources database: Most workers might be given limited access, such as to look up contact information for other employees -- but only HR staff might be able to access payroll data. Even there, data access could be constrained on a need-to-know basis. An IAM system should be able to handle broad access -- like to the WiFi or to SSO -- as well as being able to reach deep into applications to govern fine-grained access controls.
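
The HR scenario above can be expressed as a small default-deny, field-level policy. This is an added illustration, not part of the original article; the role names, field names and the "HR user assigned to a business unit" need-to-know rule are assumptions, and the record is constructed sample data.

```python
from dataclasses import dataclass

# Fields any employee may read (directory lookup).
DIRECTORY_FIELDS = {"name", "email", "phone"}
# Fields restricted to HR staff, and then only on a need-to-know basis.
PAYROLL_FIELDS = {"salary", "bank_account"}


@dataclass(frozen=True)
class Principal:
    user: str
    roles: frozenset                    # e.g. {"employee"} or {"employee", "hr"}
    hr_units: frozenset = frozenset()   # business units this HR user handles


def decide(principal, record, field):
    """Return (allowed, reason) for one field read; unmatched requests are denied."""
    if field in DIRECTORY_FIELDS and "employee" in principal.roles:
        return True, "directory field, employee role"
    if field in PAYROLL_FIELDS and "hr" in principal.roles:
        # The HR role alone is not enough: the record must belong to a unit
        # the HR user is assigned to (assumed need-to-know rule).
        if record["unit"] in principal.hr_units:
            return True, "payroll field, HR assigned to unit"
        return False, "HR role but no need-to-know for unit"
    return False, "default deny"


def read_record(principal, record):
    """Project a record down to the fields the principal may read."""
    return {f: v for f, v in record.items() if decide(principal, record, f)[0]}


# Constructed sample record. "unit" appears in no allow list, so it is never returned.
RECORD = {"name": "Dana Lee", "email": "dana@example.com", "phone": "x4412",
          "unit": "engineering", "salary": 98000, "bank_account": "****1234"}

if __name__ == "__main__":
    worker = Principal("sam", frozenset({"employee"}))
    hr_eng = Principal("pat", frozenset({"employee", "hr"}), frozenset({"engineering"}))
    hr_sales = Principal("kim", frozenset({"employee", "hr"}), frozenset({"sales"}))
    for p in (worker, hr_eng, hr_sales):
        print(p.user, sorted(read_record(p, RECORD)))
    print(decide(hr_sales, RECORD, "salary"))
```

The reason string returned by `decide` is what you would write to an audit log, so a denied payroll lookup by an HR user outside their unit is distinguishable from an ordinary default deny.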

From cloud to multicloud
A small company might be able to work fine with an IAM system that works across a single cloud service -- Amazon Web Services, for example.

However, an enterprise-grade IAM should be able to work across multiple network domains, including multiple clouds -- Google Cloud Platform, Microsoft Azure, AWS -- on-premises data center applications, and even hosted software-as-a-service, like Salesforce.

Being able to scale to multiple domains is where the concept of federation comes in. Federation can integrate and synchronize several IAM systems together across disparate networks, operating systems, and application platforms. Even simpler, however, are IAM platforms that run natively on multiple clouds and in the data center, so that there's only a single identity platform to install, manage, update and debug.

Hard-core Microsoft shops have one key advantage when it comes to IAM, in that on-premises Active Directory and Microsoft's online services are tightly integrated. That includes Microsoft's Identity Manager, Azure Multi-Factor Authentication, and Azure Active Directory. Federating on-premises and cloud-based IAM is probably easier than with any other cloud provider's platform.

So, if you're a Microsoft shop, you can stop reading.

It's not so easy elsewhere. AWS offers a strong Identity and Access Management system, included at no extra cost with AWS accounts. The AWS system includes federation functions using the Security Assertion Markup Language 2.0 (SAML) standard, as well as tools such as Amazon Cognito to provide IAM options for web and mobile users. For those using Active Directory on-site, but wanting to use AWS in the cloud, Amazon also offers a non-SAML integration tool, called Amazon Directory Service for Microsoft Active Directory.

The tools are there, but it's up to you -- or your consultants -- to do the heavy lifting and make sure that everything is working properly.


IAM solutions for Google Cloud Platform are offered in two tiers: free and paid.

The Cloud Identity Free Edition provides basic identity and end-point security services. The paid version adds enterprise security, application management, and mobile device management.

Frankly, I find Google's implementation of IAM more limited than either AWS or Azure; it's more focused on devices and users, and less on fine-grained access controls than other IAM platforms. Federation with other IAM platforms is through a separate cloud product -- Google Firebase -- but it's really geared around federation with social media SSO platforms, like Twitter and Facebook, as well as mobile platforms like Android and iOS.

In other words: Google's IAM isn't out-of-the-box designed to be integrated with other cloud players or enterprise systems. You can do it, but it's a lot of work.

Another option for a complete IAM cloud solution is to choose a dedicated third-party provider. The benefit here is that you're not locked into a specific cloud vendor's solution. The drawbacks: You're locked into the IAM vendor's solution, and of course, there's going to be an extra cost. Don't dismiss the aftermarket out-of-hand, however; it's worth looking into the wide range of vendors in this space, from Auth0 to IAM Cloud to IBM to JumpCloud to Oracle Identity Management to Ping Identity.

You never know, they might have just the features -- and the doggy-door integrations -- that you're looking for.

Alan Zeichick is principal analyst at Camden Associates, a technology consultancy in Phoenix, Arizona, specializing in enterprise networking, cybersecurity, and software development. Follow him @zeichick.
