Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management //

Cloud

6/26/2018
08:05 AM
Alan
 Zeichick
Alan Zeichick
Alan Zeichick
50%
50%

Cloud-Based Identity Management Systems: What to Look For

Most of the big cloud players, including Google, Microsoft and AWS, all offer some form of identity and access management. There are plenty of other cloud-based, on-premises IAM systems as well. Here's what you need to look for.

On the Internet, famously, nobody knows that you're a dog. Fine, you're a dog. But whose dog are you? Are you authorized to use the doggy door? Eat from the food bowl? Sleep in the dog bed? Bark at intruders? Ultimately, are you a good dog?

With a real-life dog, you can check the ID tag on the pet collar. What about authorized people or applications to use enterprise applications and networks? Traditionally, that's the realm of server-based identity and access management (IAM) systems such as Microsoft's Active Directory or a Linux-based Lightweight Directory Access Protocol(LDAP) server.

In the cloud era, there are new cloud-native IAM packages that work more efficiently.

Before we dive into some of the choices, let's look at the features and functions of an IAM system. An IAM package -- on-premises systems such as Active Directory or LDAP server -- does more than say "access permitted" or "access denied."

(Source: iStock)
(Source: iStock)

There are ranges of protection and of access control, governing everything from permission to use a WiFi network to being able to use a single sign-on (SSO) package to gain access to cloud servers, to being granted (or denied) administrative privileges, to being granted (or denied) access to some data fields or functions within applications.

For example, take a human-resources database: Most workers might be given limited access, such as to look up contact information for other employees -- but only HR staff might be able to access payroll data. Even there, data access could be constrained on a need-to-know basis. An IAM system should be able to handle broad access -- like to the WiFi or to SSO -- as well as being able to reach deep into applications to govern fine-grained access controls.

From cloud to multicloud
A small company might be able to work fine with an IAM system that works across a single cloud service -- Amazon Web Services, for example.

However, an enterprise-grade IAM should be able to work across multiple network domains, including multiple clouds -- Google Cloud Platform, Microsoft Azure, AWS -- on-premises data center applications, and even hosted software-as-a-service, like Salesforce.

Being able to scale to multiple domains is where the concept of federation comes in. Federation can integrate and synchronize several IAM systems together across disparate networks, operating systems, and application platforms. Even simpler, however, are IAM platforms that run natively on multiple clouds and in the data center, so that there's only a single identity platform to install, manage, update and debug.

Hard-core Microsoft shops have one key advantage when it comes to IAM, in that on-premise Active Directory and Microsoft's online services are tightly integrated. That includes Microsoft's Identity Manager, Azure Multi-Factor Authentication, and Azure Active Directory. Federating on-premise and cloud-based IAM is probably easier than with any other cloud provider's platform.

So, if you're a Microsoft shop, you can stop reading.

It's not so easy elsewhere. AWS offers a strong Identity and Access Management system, included at no extra cost with AWS accounts. The AWS system includes federation functions using the Security Assertion Markup Language 2.0 (SAML) standard, as well as tools such as Amazon Cognito to provide IAM options for web and mobile users. For those using Active Directory on-site, but wanting to use AWS in the cloud, Amazon also offers a non-SAML integration tool, called Amazon Directory Service for Microsoft Active Directory.

The tools are there, but it's up to you -- or your consultants -- to do the heavy lifting and make sure that everything is working properly.


Boost your understanding of new cyber security approaches at Light Reading's Automating Seamless Security in Carrier & Enterprise Networks event on October 17 in Chicago! Service providers and enterprises receive FREE passes. All others can save 20% off passes using the code LR20 today!

IAM solutions for Google Cloud Platform are offered in two tiers: free and paid.

The Cloud Identity Free Edition provides basic identity and end-point security services. The paid version adds enterprise security, application management, and mobile device management.

Frankly, I find Google's implementation of IAM more limited than either AWS or Azure; it's more focused on devices and users, and less on fine-grained access controls than other IAM platforms. Federation with other IAM platforms is through a separate cloud product -- Google Firebase -- but it's really geared around federation with social media SSO platforms, like Twitter and Facebook, as well as mobile platforms like Android and iOS.

In other words: Google's IAM isn't out-of-the-box designed to be integrated with other cloud players or enterprise systems. You can do it, but it's a lot of work.

Another option for a complete IAM cloud solution is to choose a dedicated third-party provider. The benefit here is that you're not locked into a specific cloud vendor's solution. The drawbacks: You're locked into the IAM vendor's solution, and of course, there's going to be an extra cost. Don't dismiss the aftermarket out-of-hand, however; it's worth looking into the wide range of vendors in this space, from Auth0 to IAM Cloud to IBM to JumpCloud to Oracle Identity Management to Ping Identity.

You never know, they might have just the features -- and the doggy-door integrations -- that you're looking for.

Related posts:

Alan Zeichick is principal analyst at Camden Associates, a technology consultancy in Phoenix, Arizona, specializing in enterprise networking, cybersecurity, and software development. Follow him @zeichick.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-41154
PUBLISHED: 2021-10-18
Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In affected versions an attacker with read access to a "SVN core" repository could execute arbitrary SQL queries. The following versions contain the fix: Tuleap Community Edition 11.1...
CVE-2021-41155
PUBLISHED: 2021-10-18
Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In affected versions Tuleap does not sanitize properly user inputs when constructing the SQL query to browse and search revisions in the CVS repositories. The following versions contain the fix...
CVE-2021-41152
PUBLISHED: 2021-10-18
OpenOlat is a web-based e-learning platform for teaching, learning, assessment and communication, an LMS, a learning management system. In affected versions by manipulating the HTTP request an attacker can modify the path of a requested file download in the folder component to point to anywhere on t...
CVE-2021-41153
PUBLISHED: 2021-10-18
The evm crate is a pure Rust implementation of Ethereum Virtual Machine. In `evm` crate `< 0.31.0`, `JUMPI` opcode's condition is checked after the destination validity check. However, according to Geth and OpenEthereum, the condition check should happen before the destination validity check. Thi...
CVE-2021-41156
PUBLISHED: 2021-10-18
anuko/timetracker is an, open source time tracking system. In affected versions Time Tracker uses browser_today hidden control on a few pages to collect the today's date from user browsers. Because of not checking this parameter for sanity in versions prior to 1.19.30.5601, it was possible to craft ...