Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management //

Cloud

6/26/2018
08:05 AM
Alan
 Zeichick
Alan Zeichick
Alan Zeichick
50%
50%

Cloud-Based Identity Management Systems: What to Look For

Most of the big cloud players, including Google, Microsoft and AWS, all offer some form of identity and access management. There are plenty of other cloud-based, on-premises IAM systems as well. Here's what you need to look for.

On the Internet, famously, nobody knows that you're a dog. Fine, you're a dog. But whose dog are you? Are you authorized to use the doggy door? Eat from the food bowl? Sleep in the dog bed? Bark at intruders? Ultimately, are you a good dog?

With a real-life dog, you can check the ID tag on the pet collar. What about authorized people or applications to use enterprise applications and networks? Traditionally, that's the realm of server-based identity and access management (IAM) systems such as Microsoft's Active Directory or a Linux-based Lightweight Directory Access Protocol(LDAP) server.

In the cloud era, there are new cloud-native IAM packages that work more efficiently.

Before we dive into some of the choices, let's look at the features and functions of an IAM system. An IAM package -- on-premises systems such as Active Directory or LDAP server -- does more than say "access permitted" or "access denied."

There are ranges of protection and of access control, governing everything from permission to use a WiFi network to being able to use a single sign-on (SSO) package to gain access to cloud servers, to being granted (or denied) administrative privileges, to being granted (or denied) access to some data fields or functions within applications.

For example, take a human-resources database: Most workers might be given limited access, such as to look up contact information for other employees -- but only HR staff might be able to access payroll data. Even there, data access could be constrained on a need-to-know basis. An IAM system should be able to handle broad access -- like to the WiFi or to SSO -- as well as being able to reach deep into applications to govern fine-grained access controls.

From cloud to multicloud
A small company might be able to work fine with an IAM system that works across a single cloud service -- Amazon Web Services, for example.

However, an enterprise-grade IAM should be able to work across multiple network domains, including multiple clouds -- Google Cloud Platform, Microsoft Azure, AWS -- on-premises data center applications, and even hosted software-as-a-service, like Salesforce.

Being able to scale to multiple domains is where the concept of federation comes in. Federation can integrate and synchronize several IAM systems together across disparate networks, operating systems, and application platforms. Even simpler, however, are IAM platforms that run natively on multiple clouds and in the data center, so that there's only a single identity platform to install, manage, update and debug.

Hard-core Microsoft shops have one key advantage when it comes to IAM, in that on-premise Active Directory and Microsoft's online services are tightly integrated. That includes Microsoft's Identity Manager, Azure Multi-Factor Authentication, and Azure Active Directory. Federating on-premise and cloud-based IAM is probably easier than with any other cloud provider's platform.

So, if you're a Microsoft shop, you can stop reading.

It's not so easy elsewhere. AWS offers a strong Identity and Access Management system, included at no extra cost with AWS accounts. The AWS system includes federation functions using the Security Assertion Markup Language 2.0 (SAML) standard, as well as tools such as Amazon Cognito to provide IAM options for web and mobile users. For those using Active Directory on-site, but wanting to use AWS in the cloud, Amazon also offers a non-SAML integration tool, called Amazon Directory Service for Microsoft Active Directory.

The tools are there, but it's up to you -- or your consultants -- to do the heavy lifting and make sure that everything is working properly.


Boost your understanding of new cyber security approaches at Light Reading's Automating Seamless Security in Carrier & Enterprise Networks event on October 17 in Chicago! Service providers and enterprises receive FREE passes. All others can save 20% off passes using the code LR20 today!

IAM solutions for Google Cloud Platform are offered in two tiers: free and paid.

The Cloud Identity Free Edition provides basic identity and end-point security services. The paid version adds enterprise security, application management, and mobile device management.

Frankly, I find Google's implementation of IAM more limited than either AWS or Azure; it's more focused on devices and users, and less on fine-grained access controls than other IAM platforms. Federation with other IAM platforms is through a separate cloud product -- Google Firebase -- but it's really geared around federation with social media SSO platforms, like Twitter and Facebook, as well as mobile platforms like Android and iOS.

In other words: Google's IAM isn't out-of-the-box designed to be integrated with other cloud players or enterprise systems. You can do it, but it's a lot of work.

Another option for a complete IAM cloud solution is to choose a dedicated third-party provider. The benefit here is that you're not locked into a specific cloud vendor's solution. The drawbacks: You're locked into the IAM vendor's solution, and of course, there's going to be an extra cost. Don't dismiss the aftermarket out-of-hand, however; it's worth looking into the wide range of vendors in this space, from Auth0 to IAM Cloud to IBM to JumpCloud to Oracle Identity Management to Ping Identity.

You never know, they might have just the features -- and the doggy-door integrations -- that you're looking for.

Related posts:

Alan Zeichick is principal analyst at Camden Associates, a technology consultancy in Phoenix, Arizona, specializing in enterprise networking, cybersecurity, and software development. Follow him @zeichick.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Average Cost of a Data Breach: $3.86 Million
Jai Vijayan, Contributing Writer,  7/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-18112
PUBLISHED: 2020-08-05
Affected versions of Atlassian Fisheye allow remote attackers to view the HTTP password of a repository via an Information Disclosure vulnerability in the logging feature. The affected versions are before version 4.8.3.
CVE-2020-15109
PUBLISHED: 2020-08-04
In solidus before versions 2.8.6, 2.9.6, and 2.10.2, there is an bility to change order address without triggering address validations. This vulnerability allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the shipm...
CVE-2020-16847
PUBLISHED: 2020-08-04
Extreme Analytics in Extreme Management Center before 8.5.0.169 allows unauthenticated reflected XSS via a parameter in a GET request, aka CFD-4887.
CVE-2020-15135
PUBLISHED: 2020-08-04
save-server (npm package) before version 1.05 is affected by a CSRF vulnerability, as there is no CSRF mitigation (Tokens etc.). The fix introduced in version version 1.05 unintentionally breaks uploading so version v1.0.7 is the fixed version. This is patched by implementing Double submit. The CSRF...
CVE-2020-13522
PUBLISHED: 2020-08-04
An exploitable arbitrary file delete vulnerability exists in SoftPerfect RAM Disk 4.1 spvve.sys driver. A specially crafted I/O request packet (IRP) can allow an unprivileged user to delete any file on the filesystem. An attacker can send a malicious IRP to trigger this vulnerability.