Among the top challenges for cloud, I discussed security as the top concern. I also detailed the top concerns with regard to securing the cloud in the subsequent post. Cloud computing tests the limits of security operations and infrastructure across the various security and privacy domains.
Managing Datacenter Identities
Identity and Access Control needs to deliver role-based access that securely connects users to the cloud. The users include the cloud service provider's staff as well as consumers, and within each user group we need to support both User and Administrator roles. Identity and access management should cover the 4As: Authentication, Authorization, Auditing and Assurance.
- For a cloud consumer, it is about verifying and authenticating the user's identity at the self-service portal and granting the right access to the resource pools.
- For the administrator, we need to provide role-based access to the Service Lifecycle Management functions.
- We need to integrate with the existing user directory infrastructure (AD/LDAP/NIS) so that enterprise identities extend into the cloud environment.
- Once in the cloud environment, access to cloud resources must be managed automatically, by provisioning and de-provisioning resource profiles and users against those resources in the cloud identity and access management system. Manual processes for managing accounts on many virtual systems and applications do not scale in a cloud environment, and neither does manual review of audit logs to meet compliance and audit requirements.
- Massively parallel cloud-computing infrastructures also involve enormous pools of external users. We need a smooth experience so that users do not have to enter their credentials repeatedly to reach applications hosted within the enterprise, by business partners, or by cloud providers.
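The automated provisioning and de-provisioning point above is the one most often left to scripts and tickets. The following is an added example (not code from the original post, and not an IBM product API) showing the core of a policy-driven reconciliation loop: directory group membership is mapped through a constructed role policy to the cloud accounts that should exist, compared with a constructed snapshot of what does exist, and the difference becomes provisioning and de-provisioning actions plus audit records. The group names, pools and users are all made up for the example.

```python
from dataclasses import dataclass

# Constructed policy: directory group -> (cloud role, resource pools it may reach).
# A group that is not listed grants nothing, so unknown groups are deny-by-default.
ROLE_POLICY = {
    "cloud-consumers": ("user", {"dev-pool"}),
    "cloud-admins": ("admin", {"dev-pool", "prod-pool"}),
}
ROLE_RANK = {"user": 1, "admin": 2}  # when groups overlap, the higher rank wins


@dataclass(frozen=True, order=True)
class Account:
    """One cloud IAM account: a user's role on one resource pool."""
    user: str
    pool: str
    role: str


def desired_accounts(directory: dict) -> set:
    """Map directory membership (user -> set of groups) to the accounts that
    should exist. Exactly one account per (user, pool); highest role wins."""
    best = {}
    for user, groups in directory.items():
        for group in groups:
            if group not in ROLE_POLICY:
                continue
            role, pools = ROLE_POLICY[group]
            for pool in pools:
                key = (user, pool)
                if key not in best or ROLE_RANK[role] > ROLE_RANK[best[key]]:
                    best[key] = role
    return {Account(user, pool, role) for (user, pool), role in best.items()}


def reconcile(directory: dict, existing: set):
    """Return (to_create, to_remove, audit) for one reconciliation pass.

    A role change shows up as a removal plus a creation, so the old
    entitlement is never left behind alongside the new one."""
    wanted = desired_accounts(directory)
    to_create = sorted(wanted - existing)
    to_remove = sorted(existing - wanted)
    audit = [f"PROVISION user={a.user} role={a.role} pool={a.pool}" for a in to_create]
    audit += [f"DEPROVISION user={a.user} role={a.role} pool={a.pool}" for a in to_remove]
    return to_create, to_remove, audit


# Constructed AD/LDAP export: user -> groups.
DIRECTORY = {
    "alice": {"cloud-admins", "cloud-consumers"},
    "bob": {"cloud-consumers"},
    "carol": {"finance"},  # no cloud entitlement at all
}

# Constructed snapshot of the cloud IAM system before reconciliation.
EXISTING = {
    Account("alice", "dev-pool", "user"),   # alice is now an admin: role upgrade
    Account("bob", "dev-pool", "user"),     # already correct
    Account("dave", "prod-pool", "admin"),  # dave has left the directory: stale
}

if __name__ == "__main__":
    create, remove, audit = reconcile(DIRECTORY, EXISTING)
    print("\n".join(audit))
```

Run repeatedly (for example on every directory change event), the same pass also catches accounts created by hand outside the policy, since anything not derivable from the directory lands in the de-provisioning set. The audit lines are what a compliance reviewer would ask for instead of per-system log trawling.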
Managing user identities and access rights across hosted, private and hybrid clouds for internal enterprise users is also a major challenge. It requires:
- Centralized user access management for on-premise and off-premise applications and services.
- Federated single sign-on and identity mediation across different service providers.
Let's look at some of the capabilities we can leverage to address these requirements.
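Federated single sign-on, mentioned both here and in the external-user point above, comes down to one exchange: the identity provider authenticates the user once and issues a signed assertion, and each service provider checks that assertion rather than asking for credentials again. The following is an added example (not code from the original post and not a SAML or OAuth library) that plays both sides of that exchange with the Python standard library. It uses an HMAC shared secret so it runs offline; the issuer and audience names, the claim layout and the fixed clock are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as compact token formats use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Mints a signed assertion after the user has authenticated once."""

    def __init__(self, issuer: str, key: bytes, ttl: int = 300):
        self.issuer, self.key, self.ttl = issuer, key, ttl
        self._serial = 0  # source of unique assertion ids (jti)

    def issue(self, subject: str, audience: str, now: int) -> str:
        self._serial += 1
        claims = {
            "iss": self.issuer, "sub": subject, "aud": audience,
            "iat": now, "exp": now + self.ttl, "jti": f"{self.issuer}#{self._serial}",
        }
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"


class ServiceProvider:
    """Accepts assertions from one trusted issuer, for its own audience only."""

    def __init__(self, audience: str, trusted_issuer: str, key: bytes):
        self.audience, self.trusted_issuer, self.key = audience, trusted_issuer, key
        self._seen = set()  # accepted jti values, so an assertion cannot be replayed

    def verify(self, token: str, now: int) -> str:
        body, _, sig = token.partition(".")
        expected = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        # Check the signature before trusting anything inside the payload.
        if not hmac.compare_digest(expected, sig):
            raise ValueError("bad signature")
        claims = json.loads(_unb64(body))
        if claims.get("iss") != self.trusted_issuer:
            raise ValueError("untrusted issuer")
        if claims.get("aud") != self.audience:
            raise ValueError("wrong audience")
        if not claims["iat"] <= now < claims["exp"]:
            raise ValueError("expired or not yet valid")
        if claims["jti"] in self._seen:
            raise ValueError("replayed assertion")
        self._seen.add(claims["jti"])
        return claims["sub"]


def demo() -> dict:
    """One login at the IdP, access to two providers, and the failure cases."""
    key = b"constructed-shared-secret"   # constructed; see the note on asymmetric keys
    now = 1_700_000_000                  # fixed clock so the run is reproducible
    idp = IdentityProvider("https://idp.corp.example", key)
    hr = ServiceProvider("hr-app", "https://idp.corp.example", key)
    crm = ServiceProvider("crm.partner.example", "https://idp.corp.example", key)

    t_hr = idp.issue("alice", "hr-app", now)
    t_crm = idp.issue("alice", "crm.partner.example", now)
    results = {"hr": hr.verify(t_hr, now), "crm": crm.verify(t_crm, now)}

    tampered = t_hr[:-1] + ("A" if t_hr[-1] != "A" else "B")
    for name, sp, token, when in [
        ("crm_with_hr_token", crm, t_hr, now),   # assertion meant for another SP
        ("hr_replay", hr, t_hr, now),            # same assertion presented twice
        ("hr_expired", hr, t_hr, now + 3600),    # presented after exp
        ("tampered", hr, tampered, now),         # signature no longer matches
    ]:
        try:
            sp.verify(token, when)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The audience check is what keeps a partner's service from accepting an assertion that was minted for an internal application, and the jti cache is what stops a captured assertion from being reused within its lifetime. A real federation deployment signs with the identity provider's private key rather than an HMAC secret, because with a shared secret any one service provider could mint assertions for all the others.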
IBM Security Identity and Access Assurance provides the following capabilities, which enable clients to reduce costs, improve user productivity, strengthen access control, and support compliance initiatives.
- Automated and policy-based user management solution that helps effectively manage user accounts.
- Enterprise, Web, and federated single sign on, inside, outside, and between organizations, including cloud deployments.
- Identity and access support for files, operating platforms, Web, social networks, and cloud-based applications.
- Integration with stronger forms of authentication (smart cards, tokens, one-time passwords, and so on).
- Automated monitoring, investigating, and reporting on user activity across the enterprise.
- IBM Tivoli Identity Manager complements its role management capabilities with role mining and lifecycle management, provided by the IBM Security Role and Policy Modeler component. This reduces the time and effort needed to design an enterprise role and access structure, and automates validation of the access information and role structure with the business.
- IBM Security Access Manager for Enterprise Single Sign-On offers wide platform coverage, strong authentication enhancements, and simpler deployments. It introduces 64-bit operating system and application support, a virtual appliance for easier installation and configuration of the server, expanded support for smart cards, and simplified profiling.
- IBM Tivoli Federated Identity Manager adds support for the Open Authorization (OAuth) standard (for business-to-consumer deployments and for using cloud-based applications and identities), support for the SHA-2 family of hash algorithms, usability enhancements, and new Business Gateway capabilities.