Cloud identity and access management is about the people, processes, and procedures used to create, manage, and destroy identities of all kinds.
Whether you are dealing with system administrators or plain users of cloud services, the creation and management of identities are key in maintaining secure operations.
- IAM systems consist of several components, as shown in the figure below.
- First and foremost, they are designed to verify (authenticate) users who want to gain access to resources.
- Once authenticated, the users are then authorized and given subsequent access to resources. The user is generally managed through a central user repository.
- This is often accomplished with role-based access, which allows for a broader and more consistent set of controls for users.
- Rather than the administrator having to create, modify, delete, and otherwise manage each user individually, role-based access allows the administrator to modify the role a user has, thereby affecting every user in that role at once.
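The role-based model described above, as an added example that is not from the original page: a small Python user repository in which permissions attach to roles rather than to users, so one change to a role affects every user assigned to it. Role, permission and user names are constructed samples.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    permissions: set = field(default_factory=set)

class RbacStore:
    """Central user repository: users -> roles, roles -> permissions."""
    def __init__(self):
        self.roles = {}        # role name -> Role
        self.user_roles = {}   # user id -> set of role names

    def define_role(self, name, permissions):
        self.roles[name] = Role(name, set(permissions))

    def assign(self, user, role):
        if role not in self.roles:
            raise KeyError(f"unknown role {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def grant_to_role(self, role, permission):
        # One edit here changes access for everyone holding the role.
        self.roles[role].permissions.add(permission)

    def revoke_from_role(self, role, permission):
        self.roles[role].permissions.discard(permission)

    def is_allowed(self, user, permission):
        # Deny by default: a user with no roles gets nothing.
        return any(permission in self.roles[r].permissions
                   for r in self.user_roles.get(user, ()))

def demo():
    store = RbacStore()
    store.define_role("analyst", {"reports:read"})
    for u in ("alice", "bob", "carol"):      # constructed sample users
        store.assign(u, "analyst")
    before = store.is_allowed("bob", "reports:export")
    store.grant_to_role("analyst", "reports:export")   # one change, three users affected
    after = store.is_allowed("bob", "reports:export")
    store.revoke_from_role("analyst", "reports:export")
    return before, after, store.is_allowed("carol", "reports:export")
```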
What are the Elements of Cloud identity and access management?
IAM functionality is divided into identity management and access management:
What does “Identity Management” mean in cloud?
- Identity management is the process whereby individuals are given access to system resources by associating user rights with a given identity.
- Provisioning is the first phase of identity management, where each subject is issued a unique identity assertion (something that serves as an identification, such as a user ID).
- During this process, the user is usually also issued a password for use in authenticating the identity assertion.
- The entity issuing the password and identity assertion will retain a record of each for use in recognizing the user later (when the user uses them to log in to resources).
- The generation, storage, and security controls of these passwords are known as password management.
- In a self-service identity management configuration (as opposed to a provider-managed configuration), the cloud customer is in charge of provisioning each user’s identity/identity assertion.
What does “Access Management” mean in cloud?
Access management is the part of the process that deals with controlling access to resources once identities have been granted.
Access management identifies who a user is and what they are allowed to access each time they attempt to access a resource. Its components are:
- Authentication establishes identity by asking who you are and determining whether you are a legitimate user (often by combining an identity assertion with an authentication factor; for example, a user ID and password).
- Authorization evaluates what you have access to after authentication occurs (in many cases, this means comparing the identity assertion against an access control list [ACL]).
- Policy serves as the enforcement arm of authentication and authorization and is established based on business needs and senior management decisions.
- Federation is an association of organizations that facilitates the appropriate exchange of information about users and access to resources, allowing them to share resources across disparate organizations.
- Directory services handle the administration of user accounts and their associated attributes.
- These components are stored in what is called an identity repository directory. Think of it as the Active Directory on steroids.
- The schema used is much more detailed and has many more uses, and it is a valuable crown jewel that must be protected at all costs. A breach of this component would be devastating to the organization.
- Besides identity repositories and their directory, other core facets of IAM include federated identity management, federation standards, federated identity providers, various types of single sign-on (SSO), multifactor authentication, and supplemental security devices.
What does “Identity Repositories and Directory Services” mean in cloud?
Identity repositories are the store of information or attributes of identities.
Directory services are how those identities and attributes are managed.
They allow the administrator to customize user roles, identities, and so on.
All of this becomes even more important when we deal with federation, as there must be a consistent means of accessing these identities and their associated attributes so that they work across disparate systems.
Here are some of the most widely used directory services in cloud identity and access management:
- X.500 and LDAP
- Microsoft Active Directory
- Novell eDirectory
- Metadata replication and synchronization
What does “Single Sign-On (SSO)” mean in cloud?
When an organization has a variety of resources that each require authentication, usage and utilization can become cumbersome for users, especially when they have to keep track of passwords and user IDs that have different requirements.
Single sign-on (SSO) is a way to address this and simplify the operational experience for the user.
While there are several ways to implement SSO, in general the term refers to a situation where the user signs in once, usually to an authentication server.
When the user then wants to access the organization’s resources (say, on different servers throughout the environment), each resource queries the authentication server to determine whether the user is logged in and properly authenticated.
The authentication server approves the request, and the resource server grants the user access.
All of this should be transparent to the user, streamlining their use of the resources on the network.
Theoretically, the user could log in just once per day, when they sit down at their desk to begin work, and never have to reenter any additional sign-on credentials.
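The exchange described above, as an added example that is not from the original page: the user signs in once at an authentication server, which issues an opaque session token, and each resource server answers access requests only by asking the authentication server whether that token belongs to a live, authenticated session. The user name, password and session lifetime are constructed samples.

```python
import hashlib, hmac, secrets, time

_SALT = b"constructed-salt"  # constructed sample; one fixed salt keeps the example short

def _hash(pw):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000)

class AuthServer:
    """Authenticates users once and answers resource servers' session queries."""
    def __init__(self, users, ttl=8 * 3600):
        self.users, self.ttl = users, ttl
        self.sessions = {}  # opaque token -> (user id, expiry timestamp)

    def login(self, user, password, now=None):
        stored = self.users.get(user)
        if stored is None or not hmac.compare_digest(stored, _hash(password)):
            return None  # unknown user or wrong password: no session is created
        token = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        self.sessions[token] = (user, now + self.ttl)
        return token

    def validate(self, token, now=None):
        """Called by resource servers; returns the user id or None."""
        rec = self.sessions.get(token)
        if rec is None:
            return None
        user, expiry = rec
        now = time.time() if now is None else now
        if now >= expiry:
            self.sessions.pop(token, None)  # expired sessions are dropped
            return None
        return user

class ResourceServer:  # holds no credentials; trusts only the auth server's answer
    def __init__(self, name, auth):
        self.name, self.auth = name, auth

    def access(self, token, now=None):
        user = self.auth.validate(token, now)
        return f"{self.name}: granted to {user}" if user else f"{self.name}: denied"

def demo(now=1_000_000):
    auth = AuthServer({"alice": _hash("correct horse")})
    mail, wiki = ResourceServer("mail", auth), ResourceServer("wiki", auth)
    token = auth.login("alice", "correct horse", now)
    one_login = (mail.access(token, now), wiki.access(token, now))
    expired = wiki.access(token, now + 9 * 3600)  # past the 8-hour session TTL
    return one_login, expired, auth.login("alice", "wrong", now)
```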
What does “Federated Identity Management” mean in cloud?
Federated identity management (or “federation,” in general) is much the same as normal identity management except that it is used to manage identities across disparate organizations.
You can think of it as a single sign-on (SSO) for multiple organizations.
Let’s look at an example. A group of research universities wants to share their research data.
They can create a federation so that a scientist signing in at their university, on their system, can then access all the research resources of the other universities in the federation, without having to present other, new identity and authentication credentials.
There are two general types of federation: the web-of-trust model and the use of a third-party identifier.
In the web of trust, each member of the federation (that is, each organization that wants to share resources and users) has to review and approve each other member for inclusion in the federation.
While it’s a good method to be sure that everyone else in the federation reaches your particular level of trust, this can become costly and unwieldy once the federation reaches a significant number of member organizations; it just doesn’t scale well.
By using a third-party identifier, on the other hand, the member organizations outsource their responsibility to review and approve each other to some external party, who takes on this responsibility on behalf of all the members.
This is a popular model in the cloud environment, where the identifier role can often be combined with other functions (for instance, crypto key management) and outsourced to a cloud access security broker (CASB).
When discussing federation, we use the terms identity provider and relying party.
The identity provider is the entity that provisions and authenticates identity assertions (validating users, provisioning user IDs and passwords, managing both, deprovisioning them, and so forth).
The relying party is any member of the federation that shares resources based on authenticated identities.
In the web-of-trust model, the identity provider is each member of the federation (provisioning identity assertions for each of their own users), and the members are also the relying parties (sharing resources based on those authenticated identities).
In the trusted third-party model of the federation, the identity provider is the trusted third party, and the relying parties are each member organization within the federation.
What does “Federation Standards” mean in cloud?
There are many federation standards, but the most widely used one is Security Assertion Markup Language (SAML).
The latest version of SAML is SAML 2.0.
It is XML-based and consists of a framework for communicating authentication, authorization, or entitlement information and attribute information across organizations.
In other words, it is a means for users from outside organizations to be verified and validated as authorized users inside or with another organization without the user having to create identities in both locations.
Some of the other standards that exist in Cloud identity and access management area are as follows:
- WS-Federation: This uses the term realms in explaining its capabilities, allowing organizations to trust each other’s identity information across organizational boundaries.
- OAuth: Often used for authorization with mobile apps, the OAuth framework gives third-party applications limited access to HTTP services.
- OpenID Connect: This is an interoperable authentication protocol based on the OAuth 2 specification. It allows developers to authenticate their users across websites and applications without having to manage usernames and passwords.