Managing Datacenter Identities for Cloud
challenges for cloud , I discussed Security as the top concern. I also
detailed the top concerns with regard to securing the cloud in the subsequent post.
Cloud computing tests the limits of security operations and infrastructure for
the various security and privacy domains
Cloud brings in lot of additional considerations like
multi-tenancy, data separation, virtualization etc. In a cloud environment,
access expands, responsibilities change, control shifts, and the speed of
provisioning resources and applications increases - greatly affecting all
aspects of IT security. We will discuss
the different security aspects classifying them against specific adoption
patterns (see post here).
The cloud enabled data center pattern is the more predominant one which has Infrastructure
and Identity management as the top concerns. Within cloud security doing the right design
for the infrastructure security is the important aspect – the details of which
and how it is done by different public clouds we discussed in the previous post.
Now with regard to Identity lets discuss the top requirements, use cases and
look at what solutions that we can provide to make the cloud secure. Lets start
with managing datacenter identities which is the top concern.
Managing Datacenter Identities
Identity and Access Control needs to deliver capability that
can be used to provide role based access to securely connect users to the cloud.
The users include the cloud service provider as well as consumer roles. Within
each user groups we need to support User as well as Administrator Roles. The
identity and access management should the 4As - Authentication, Authorization,
Auditing and Assurance.
For a cloud consumer user, it is
about making sure the user identity is verified and authenticated at the self
service portal and providing right access to the resource pools.
For the administrator, we need to
provide role based access to Service Lifecycle Management functions
We will need to integrate with
existing User Directory infrastructure (AD/LDAP/NIS) to extend the user
identity to the cloud environment as well.
Once in the cloud environment, we
need to automatically manage access to the cloud resources, through provisioning
and de-provision of resource profiles and users against the resources in the cloud
identity and access management systems. Manual processes to manage accounts for
users on various virtual systems and applications are not going to scale in a
cloud environment. The same is true with the manual processes to process
various audit logs to meet compliance and audit requirements
In massively parallel,
cloud-computing infrastructures involves enormous pools of external users as
well. We need to ensure smooth user experience for the users so that they don’t
need to enter their credentials multiple times to access various applications
hosted within the enterprise or by business partners and Cloud providers.
Management of user identities and
access rights across hosted, private and hybrid clouds for internal Enterpise
users is also a major challenge that includes
o Centralized user access management to on and off-premise applications
o Enables Federated Single Sign-on and Identity Mediation across
different service providers
Lets look at some of the capabilities that we can leverage
to solution these requiremnts.
IBM Security Identity and Access Assurance - provides
the following capabilities. These
capabilities enable clients to reduce costs, improve user productivity,
strengthen access control, and support compliance initiatives.
and policy-based user management solution that helps effectively manage
- Enterprise, Web, and
federated single sign on, inside, outside, and between organizations,
including cloud deployments.
and access support for files, operating platforms, Web, social networks,
and cloud-based applications.
with stronger forms of authentication (smart cards, tokens, one-time
passwords, and so on).
monitoring, investigating, and reporting on user activity across the
Tivoli Identity Manager complements its role management
capabilities with role mining and lifecycle management, provided by the
IBM Security Role and Policy Modeler component, which helps reduce time
and effort to design an enterprise role and access structure, and
automates the process to validate the access information and role
structure with the business.
Security Access Manager for Enterprise Single Sign-On offers wide
platform coverage, strong authentication enhancements, and simpler
deployments. It introduces 64-bit
operating system and application support, a virtual appliance for easier
installation and configuration of the server, expanded support for smart
cards, and simplified profiling.
Tivoli Federated Identity Manager offers additional Open Authorization
(OAuth) authorization standards support, (for business to consumer
deployments and utilization of cloud-based applications and identities),
enhanced security for Secure Hash Algorithm (SHA-2), usability
enhancements, and new Business Gateway capabilities.