Cloud computing security and privacy: identity and access management

This article is excerpted from the fifth chapter of the book "Cloud Security and privacy". This chapter describes the current state of identity and access Management (IAM) practices, and also describes the identity and access management support features that help users access cloud computing services for authentication, authorization, and auditing.

Trust boundaries and identity and access management

In a typical organization, applications are deployed within the framework of the Organization, and "trust boundaries" are under the monitoring control of the IT department and are almost static. In traditional mode, the trust boundary includes the network, the system, and the applications that are located in the private data center and managed by the IT department (and sometimes by third-party providers under it supervision). Secure access to networks, systems and applications through virtual private network (VPN), Intrusion detection System (IDS), intrusion Prevention system (IPS) and multifactor identity authentication.

With cloud computing services, the trust boundaries of institutions will become dynamic and migrate beyond the scope of it control. In cloud computing, the boundaries of institutions ' networks, systems, and applications extend to service providers (for most e-business, http://www.aliyun.com/zixun/aggregation/14310.html "> Supply Chain Management, This is already true for outsourcing and large companies that collaborate with partners and communities. This loss of control poses great challenges to existing trust management and control models, including trusted sources for employees and contractors, and, if not properly managed, hinders the use of cloud computing services by institutions.

To compensate for the loss of network control and enhance risk assurance, institutions will have to adopt higher levels of software control, such as application security and user access control. These controls represent strong authentication, role-based or declarative authorization, reliable sources of accurate attributes, identity syndication, single sign-on (SSO), user behavior monitoring, and auditing. In particular, organizations need to pay attention to the identity federation architecture and processes, as this strengthens control and trust between the agency and the Cloud computing service provider (CSP).

Identity Union is an industry best practice for dealing with polymorphic, dynamic, loosely coupled trust relationships, while trust is the characteristic of external and internal supply chain and collaboration patterns. Identity unions also enable systems and applications that are separated by institutional trust boundaries to interact, such as a salesperson interacting with Salesforce.com from a corporate network. Due to the combination of good identity and access management practices, identity Union can be achieved through centralized access control services using authorization, network single sign-on and rights management methods to achieve strong authentication, identity union for accelerating the adoption of cloud computing will play a central role.

In some cases, IAM practices within an organization may be affected by the lack of a centralized management and identity information architecture. Identity storage is often manually entered through multiple administrators, and the user's opening process is not well regulated. Not only is this inefficient, but it also follows the existing bad practices into cloud computing services. In such cases, the weak access mode will overrun the unauthorized user in cloud computing.

IAM is a two-way street. Cloud computing service providers need to support IAM standards (such as SAML) and practices, such as expanding their practices for users to use identities to maintain compliance with internal policies and standards. The support of IAM-enabled cloud computing services, such as identity syndication, accelerates the migration of traditional IT applications from trusted corporate networks to trusted cloud services patterns. For users, well implemented user IAM practices and processes will help protect the confidentiality, integrity, and regulatory compliance of information stored in cloud computing. Support for the IAM standard cloud computing services such as SAML can accelerate the adoption of new cloud computing services and drive the migration of IT applications from trusted corporate networks to trusted cloud computing service patterns.

(Responsible editor: Liu Fen)