The concept of identity management and access control in cloud computing covers most areas of technology. Access control is merging and aligning with other combined activities: some of these are automated using single sign-on capabilities, while others operate in a standalone, segregated fashion.
The combination of access control and effective management of those technologies, processes, and controls has given rise to identity and access management (IAM). In a nutshell, IAM includes the people, processes, and systems that manage access to enterprise resources.
This is achieved by ensuring that the identity of an entity is verified (who are they, and can they prove who they are) and then granting the correct level of access based on the assets, services, and protected resources being accessed.
IAM typically looks to use a minimum of two, preferably three or more, factors of authentication. Within cloud environments, services should include strong authentication mechanisms for validating users' identities and credentials.
In line with best practice, one-time passwords should be used as a risk reduction and mitigation technique.
The key phrases that form the foundation for IAM in the enterprise include the following:
- Provisioning and de-provisioning
- Centralized directory services
- Privileged user management
- Authorization and access management
Each is discussed in the following sections.
1. Provisioning and Deprovisioning
Provisioning and de-provisioning are critical aspects of identity and access management in cloud computing. Think of setting up and removing users.
Just as you would set up an account for a user entering your organization who requires access to resources, provisioning is the process of creating accounts that allow users to access the appropriate systems and resources within the cloud environment.
The ultimate goal of user provisioning is to standardize, streamline, and create an efficient account creation process while creating a consistent, measurable, traceable, and auditable framework for providing access to end-users.
Deprovisioning is the process whereby a user account is disabled when the user no longer requires access to the cloud-based services and resources.
This is not just limited to a user leaving the organization but may also be due to a user changing a role, function, or department.
Deprovisioning is a risk-mitigation technique to ensure that authorization creep or additional and historical privileges are not retained, thus granting access to data, assets, and resources that are not necessary to fulfill the job role.
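The joiner/mover/leaver lifecycle described above, written out as an added example (not code from the original text): a correct role change revokes the old role's entitlements before granting the new ones, and an audit function surfaces the authorization creep that the incorrect version leaves behind. Role names and entitlements are constructed sample data.

```python
# Added example (not from the original text): role-change deprovisioning check.
# Entitlements granted for a previous role must be revoked on a role change,
# or 'authorization creep' leaves the user with access the new role does not need.
from dataclasses import dataclass, field

# Constructed sample baseline: the entitlements each job role may hold.
ROLE_BASELINE = {
    "finance-analyst": {"erp:read", "reports:read"},
    "payroll-admin": {"erp:read", "erp:write", "payroll:approve"},
    "contractor": {"reports:read"},
}

@dataclass
class Account:
    user: str
    role: str
    enabled: bool = True
    entitlements: set = field(default_factory=set)

def provision(user: str, role: str) -> Account:
    """Joiner: create an account holding exactly the baseline for its role."""
    return Account(user=user, role=role, entitlements=set(ROLE_BASELINE[role]))

def change_role_without_deprovisioning(acct: Account, new_role: str) -> Account:
    """The anti-pattern: new entitlements are added, old ones never revoked."""
    acct.role = new_role
    acct.entitlements |= ROLE_BASELINE[new_role]
    return acct

def change_role(acct: Account, new_role: str) -> Account:
    """Mover: revoke everything, then grant only the new role's baseline."""
    acct.role = new_role
    acct.entitlements = set(ROLE_BASELINE[new_role])
    return acct

def deprovision(acct: Account) -> Account:
    """Leaver: disable the account and strip all entitlements."""
    acct.enabled = False
    acct.entitlements.clear()
    return acct

def authorization_creep(acct: Account) -> set:
    """Entitlements held beyond the role baseline; a non-empty set means creep."""
    return acct.entitlements - ROLE_BASELINE[acct.role]

def audit(accounts) -> dict:
    """Report every enabled account whose entitlements exceed its role baseline."""
    return {a.user: sorted(authorization_creep(a)) for a in accounts
            if a.enabled and authorization_creep(a)}
```

Running `audit` periodically against the role baseline is the measurable, auditable check the text calls for; a non-empty result for an account means its last role change was never fully deprovisioned.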
2. Centralized Directory Services
As when building a house or large structure, the foundation is key. In the world of IAM, the directory service forms the foundation for IAM and security both in an enterprise environment and within a cloud deployment.
A directory service stores, processes, and provides a structured repository of information, coupled with unique identifiers and locations.
The primary protocol for centralized directory services is the Lightweight Directory Access Protocol (LDAP), built on and focused on the X.500 standard. LDAP works as an application protocol for querying and modifying items in directory service providers such as Active Directory.
Active Directory is a database-based system that offers authentication, directory, policy, and other services to a network. Essentially, LDAP acts as a communication protocol to interact with Active Directory.
LDAP directory servers store their data hierarchically (similar to domain name system [DNS] trees and UNIX file structures), with a directory record's distinguished name (DN) read from the individual entry back through the tree, up to the top level.
Each entry in an LDAP directory server is identified through a DN. Access to directory services should be part of the IAM solution and should be as robust as the core authentication modes used.
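The DN structure just described, as an added example (not code from the original text): splitting a DN into its RDNs while honouring RFC 4514 backslash escapes, reading it back up the tree to the top level, and checking whether an entry sits under a given base DN. The DNs are constructed sample values; multi-valued RDNs (joined with `+`) and attribute-specific matching rules are left out for brevity.

```python
# Added example (not from the original text): walking an LDAP distinguished name
# back through the directory tree. Assumes RFC 4514 string form; values are kept
# in their escaped form and compared case-insensitively (a simplification).

def split_rdns(dn: str) -> list:
    """Split a DN into RDN strings, honouring backslash escapes (RFC 4514)."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped char: keep both, skip next
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":                           # an unescaped comma ends an RDN
            rdns.append("".join(current).lstrip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).lstrip())
    return rdns

def parse_dn(dn: str) -> list:
    """Return [(attribute_type, value), ...] with attribute types lower-cased."""
    pairs = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value))
    return pairs

def ancestors(dn: str) -> list:
    """Read the entry back up the tree: the DN of each parent up to the top level."""
    rdns = split_rdns(dn)
    return [",".join(rdns[i:]) for i in range(1, len(rdns))]

def is_under(dn: str, base_dn: str) -> bool:
    """True if dn lies strictly below base_dn in the tree (used for scoping access)."""
    entry = [(a, v.lower()) for a, v in parse_dn(dn)]
    base = [(a, v.lower()) for a, v in parse_dn(base_dn)]
    return len(entry) > len(base) and entry[-len(base):] == base
```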
The use of privileged identity management (PIM) features is strongly encouraged for managing access of the administrators of the directory.
If these are hosted locally rather than in the cloud, the IAM service requires connectivity to the local LDAP servers, in addition to any applications and services for which it is managing access.
Within cloud environments, directory services are heavily utilized and depended upon as the go-to trusted source by the IAM framework as a secure repository of identity and access information.
The same can be said for federated environments.
Again, trust and confidence in the accuracy and integrity of the directory services are must-haves.
3. Privileged User Management
As the name implies, privileged user management focuses on the process and ongoing requirements to manage the lifecycle of user accounts with the highest privileges in a system.
Privileged accounts typically carry the highest risk and impact because compromised privileged user accounts can lead to significant permissions and access rights being obtained, thus allowing the user or attacker to access resources and assets that may negatively affect the organization.
The key components of privileged user management from a security perspective should, at a minimum, include the ability to track usage, authentication successes and failures, and authorization times and dates; to log successful and failed events; to enforce password management; and to provide sufficient auditing and reporting on privileged user accounts.
Many organizations monitor this level of information for standard or general users, which is beneficial and useful in the event of an investigation. Privileged accounts, however, should capture this level of detail by default, because attackers often target and compromise a general or standard user with a view to escalating privileges to a more privileged or admin account.
Although a number of these components are technical by nature, the overall requirements used to manage them should be driven by organizational policies and procedures.
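The monitoring the two paragraphs above ask for, as an added example (not code from the original text): an audit trail of every success and failure against privileged accounts, an alert on bursts of failed logons to them, and an alert when a standard user successfully escalates into a privileged account. The log format, account names, threshold and log lines are constructed for illustration.

```python
# Added example (not from the original text): baseline monitoring of privileged
# accounts over constructed log lines. Format, names and thresholds are assumptions.
from datetime import datetime, timedelta

PRIVILEGED = {"root", "domain-admin"}                 # assumed privileged accounts
FAIL_THRESHOLD, WINDOW = 3, timedelta(minutes=5)      # assumed alert tuning

SAMPLE_LOG = """\
2024-05-01T09:00:01Z user=jdoe event=auth result=success src=10.0.0.5
2024-05-01T09:00:09Z user=domain-admin event=auth result=fail src=203.0.113.7
2024-05-01T09:00:15Z user=domain-admin event=auth result=fail src=203.0.113.7
2024-05-01T09:00:21Z user=domain-admin event=auth result=fail src=203.0.113.7
2024-05-01T09:01:02Z user=jdoe event=escalate target=root result=success src=10.0.0.5
2024-05-01T09:30:00Z user=root event=auth result=fail src=10.0.0.9
"""  # constructed sample, not a real log

def parse_event(line: str) -> dict:
    """Parse one 'timestamp key=value ...' line; 'ts' becomes a datetime."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return ev

def privileged_trail(events: list) -> dict:
    """Per privileged account: every success and failure, with time, as an audit trail."""
    trail = {acct: [] for acct in PRIVILEGED}
    for ev in events:
        acct = ev.get("target") if ev["event"] == "escalate" else ev["user"]
        if acct in PRIVILEGED:
            trail[acct].append((ev["ts"].isoformat(), ev["event"], ev["result"]))
    return trail

def failed_auth_bursts(events: list) -> list:
    """Privileged accounts with FAIL_THRESHOLD or more failed logons inside one WINDOW."""
    alerts = []
    for acct in sorted(PRIVILEGED):
        fails = [e["ts"] for e in events
                 if e["user"] == acct and e["event"] == "auth" and e["result"] == "fail"]
        for i in range(len(fails) - FAIL_THRESHOLD + 1):
            if fails[i + FAIL_THRESHOLD - 1] - fails[i] <= WINDOW:
                alerts.append(acct)
                break
    return alerts

def escalations(events: list) -> list:
    """Standard users who successfully escalated into a privileged account."""
    return [(e["user"], e["target"]) for e in events
            if e["event"] == "escalate" and e["result"] == "success"
            and e["user"] not in PRIVILEGED and e.get("target") in PRIVILEGED]
```

On the sample, the burst of failures against `domain-admin` and the `jdoe` to `root` escalation are the two events an investigator would want captured by default; the single failed `root` logon stays in the trail but does not alert.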
Note that segregation of duties can form an extremely effective mitigation and risk reduction technique around privileged users and their ability to effect major changes.
4. Authorization and Access Management
Access to devices, systems, and resources is a key driver for the use of cloud services (broad network access); without it, the overall benefits the service may provide to the enterprise are reduced, and legitimate business or organizational users are isolated from their resources and assets.
In the same way that users require authorization and access management to be operating and functioning so they can reach the required resources, security requires these service components to be functional, operational, and trusted in order to enforce security within cloud environments. In its simplest form, authorization determines the user's right to access a certain resource.
(Think of boarding a plane with your reserved seat, or visiting an official residence or government agency to see a specified person.) Access management is focused on the manner in which users can access relevant resources, based on their credentials and the characteristics of their identity.
Think of a bank or highly secure venue where only certain employees or personnel can access the main safe or highly sensitive areas.
Note that both authorization and access management are point-in-time activities that rely on the accuracy and ongoing availability of resources and functioning processes, segregation of duties, privileged user management, password management, and so on, to operate and provide the desired levels of security.
If one of the mentioned activities is not carried out regularly as part of an ongoing managed process, it can weaken the overall security posture.