In August 2011, the Cloud Security Alliance (CSA) outlined the 10 primary disciplines that researchers felt should define the nascent Security-as-a-Service (SecaaS) paradigm. The categories included everything from data encryption and intrusion protection to email security and disaster recovery. This month, the professional organization rolled out its first of 10 accompanying implementation guides with a primer on identity and access management (IAM) in virtual environments.
"The cloud presents organizations with a whole new set of challenges when it comes to assuring proper identity controls and access to privileged resources," Ping Identity CTO Patrick Harding explained. "The SecaaS implementation guidance being led by the CSA will go a long way to providing critical definitions across the industry and we are proud to be a sponsor of this research."
Scope and audience
While the CSA report offers wisdom and guidance that could be of use to everyone from end users to IT architects, authors structured their recommendations with a distinct set of intended audiences in mind. Naturally, it is IT engineers that have the most to gain as the document addresses design, implementation and integration tips at length. However, executive decision makers also receive helpful hints as to what they should be looking for in an effective IAM offering, and compliance teams are provided with perspective on how these components fit into the overall enterprise security framework.
The report begins in earnest with a high-level discussion and definition of the factors involved in cloud-based IAM assessment and implementation – many of which carry over from on-premises environments. Readers were reminded that the principle of least privilege, or only affording employees access to the information needed to complete their specific job functions, must continue to guide all decisions and that multi-factor authentication will be as important as ever as organizations venture deeper into cloud computing initiatives.
Additionally, companies were advised to get their auditing and reporting policies and capabilities in line from the start. Considering the speed and frequency with which cloud applications can be continuously added to a company's portfolio, weak fundamentals in this area could quickly be exposed.
"Audit logs are a critical part of the IAM process," the report stated. "Logs of activity, including all authentication and access attempts (both successful and failed) should be kept by the application/solution."
But while some principles and priorities do translate from in-house to cloud computing environments, there are some unique challenges that may not be recognized upon first glance. The first major consideration companies should account for when partnering with an IAM SecaaS provider is an issue of control.
As the report suggested, the third-party host will often be the one holding onto all of the identity and policy data in these arrangements. This is a stark contrast to the direct control that companies with in-house installations may be used to. As such, the ability to import, export and continuously update this information between parties is a critical feature that should be offered by the cloud service provider.
Additionally, SecaaS strategies can introduce significant complexity into compliance and reporting tasks. According to CSA advisors, subscribers may have to negotiate new clauses in service level agreements to obtain the data visibility they need to review and audit activity logs in a timely manner. Geography also has a role to play, as companies could find themselves subject to new jurisdictional issues and expectations depending on where the cloud service provider's servers are actually stationed. For example, it is comparatively easier for law enforcement officials in the U.S. to request and gain access to public cloud infrastructure than it is for European investigators.
Whether it is an IT administrator wondering exactly how to provision new credentials or a compliance officer hoping to understand the bigger picture, a baseline knowledge of the authentication layers involved in IAM SecaaS offerings can be a valuable asset.
"In terms of this new [cloud] paradigm, IAM architecture spans across businesses, opening up a plethora of options to expand the portfolio of services that the business offers," the report stated. "This not only enhances the ability to provide services within the organization, but also the ability to collaborate with other businesses in more elegant and efficient ways."
At one end, there are the internal employees, applications and devices that travel to the cloud in search of access, identity, compliance and data services. According to the report, the features could include federated single sign-on (SSO), password syncing, audit trail creation and identity warehousing, among others. Companies pursue these strategies for reasons of scalability, technical superiority over in-house capabilities, or both.
On the other end, there are outside entities such as customers, suppliers, mobile workers and additional cloud services that interact with the central IAM platform as well. Once inside this layer, there can be lateral activity as well, as users shift between data and access services to enforce policy or leverage compliance monitoring abilities to track user provisioning.
Cloud Security News from SimplySecurity.com by Trend Micro