Managing Datacenter Identities for Cloud
Among the top challenges for cloud, I discussed security as the top concern. I also detailed the top concerns with regard to securing the cloud in the subsequent post. Cloud computing tests the limits of security operations and infrastructure across the various security and privacy domains.
Cloud brings in a lot of additional considerations like multi-tenancy, data separation, virtualization, etc. In a cloud environment, access expands, responsibilities change, control shifts, and the speed of provisioning resources and applications increases, greatly affecting all aspects of IT security. We will discuss the different security aspects by classifying them against specific adoption patterns (see post here). The cloud-enabled data center pattern is the most predominant one, and it has infrastructure and identity management as its top concerns. Within cloud security, getting the design of the infrastructure security right is the important aspect; the details of that, and how it is done by different public clouds, we discussed in the previous post. Now, with regard to identity, let's discuss the top requirements and use cases and look at what solutions we can provide to make the cloud secure. Let's start with managing datacenter identities, which is the top concern.
Managing Datacenter Identities
Identity and access control needs to deliver a capability that provides role-based access to securely connect users to the cloud. The users include cloud service provider roles as well as consumer roles. Within each user group we need to support both User and Administrator roles. Identity and access management should cover the 4As: Authentication, Authorization, Auditing and Assurance.
- For a cloud consumer user, it is about making sure the user identity is verified and authenticated at the self-service portal and providing the right access to the resource pools.
- For the administrator, we need to provide role-based access to Service Lifecycle Management functions.
- We will need to integrate with the existing user directory infrastructure (AD/LDAP/NIS) to extend the user identity to the cloud environment as well.
- Once in the cloud environment, we need to automatically manage access to the cloud resources, through provisioning and de-provisioning of resource profiles and users against the resources in the cloud identity and access management systems. Manual processes to manage accounts for users on various virtual systems and applications are not going to scale in a cloud environment. The same is true of manual processes for working through the various audit logs to meet compliance and audit requirements.
- Massively parallel cloud-computing infrastructures also involve enormous pools of external users. We need to ensure a smooth user experience, so that users don't need to enter their credentials multiple times to access the various applications hosted within the enterprise, by business partners, or by cloud providers.
- Management of user identities and access rights across hosted, private and hybrid clouds for internal enterprise users is also a major challenge, which includes:
  - Centralized user access management for on- and off-premise applications and services
  - Federated single sign-on and identity mediation across different service providers
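To make the directory-integration and automated provisioning requirements above concrete, here is an added example (not code from the original post or from any IBM product) that derives the desired cloud role assignments from AD/LDAP group membership, diffs them against the accounts the cloud identity system currently holds, and emits an audit line per change. The group names, role names and directory snapshot are constructed sample data.

```python
"""Reconcile cloud IAM accounts against the enterprise directory
(added example; sample data is constructed)."""
from typing import Dict, List, Set, Tuple

Assignment = Tuple[str, str]  # (user, cloud role)

# Directory group -> cloud role. Consumer users get the self-service
# portal and resource pools; admins get service lifecycle management.
ROLE_MAP = {
    "cloud-consumers": "consumer-user",
    "cloud-consumer-admins": "consumer-admin",
    "cloud-ops": "provider-admin",
}

def desired_assignments(directory: Dict[str, Set[str]]) -> Set[Assignment]:
    """Derive (user, role) pairs from AD/LDAP group membership."""
    return {(user, ROLE_MAP[g]) for user, groups in directory.items()
            for g in groups if g in ROLE_MAP}

def reconcile(directory: Dict[str, Set[str]],
              cloud_accounts: Set[Assignment]) -> List[Tuple[str, str, str]]:
    """Return (op, user, role) actions that bring the cloud in line
    with the directory: provision what is missing, de-provision
    orphaned accounts that no directory group backs any more."""
    wanted = desired_assignments(directory)
    actions = [("provision", u, r) for u, r in sorted(wanted - cloud_accounts)]
    actions += [("deprovision", u, r) for u, r in sorted(cloud_accounts - wanted)]
    return actions

def audit_log(actions) -> List[str]:
    """One auditable line per change, for the compliance trail."""
    return [f"iam-reconcile op={op} user={u} role={r}" for op, u, r in actions]

# Constructed sample: dave left the cloud-ops group but still holds
# a provider-admin account; bob was added to the consumer-admin group.
DIRECTORY = {
    "alice": {"cloud-consumers"},
    "bob": {"cloud-consumers", "cloud-consumer-admins"},
    "carol": {"cloud-ops"},
}
CLOUD_ACCOUNTS = {("alice", "consumer-user"), ("bob", "consumer-user"),
                  ("dave", "provider-admin")}

if __name__ == "__main__":
    for line in audit_log(reconcile(DIRECTORY, CLOUD_ACCOUNTS)):
        print(line)
```

Running the reconciliation on a schedule, rather than by hand, is what removes the orphaned admin account for dave as soon as the directory no longer backs it.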
Let's look at some of the capabilities that we can leverage to address these requirements.
IBM Security Identity and Access Assurance provides the following capabilities, which enable clients to reduce costs, improve user productivity, strengthen access control, and support compliance initiatives.
- Automated and policy-based user management solution that helps effectively manage user accounts.
- Enterprise, Web, and federated single sign-on, inside, outside, and between organizations, including cloud deployments.
- Identity and access support for files, operating platforms, Web, social networks, and cloud-based applications.
- Integration with stronger forms of authentication (smart cards, tokens, one-time passwords, and so on).
- Automated monitoring, investigating, and reporting on user activity across the enterprise.
- IBM Tivoli Identity Manager complements its role management capabilities with role mining and lifecycle management, provided by the IBM Security Role and Policy Modeler component, which helps reduce time and effort to design an enterprise role and access structure, and automates the process to validate the access information and role structure with the business.
- IBM Security Access Manager for Enterprise Single Sign-On offers wide platform coverage, strong authentication enhancements, and simpler deployments. It introduces 64-bit operating system and application support, a virtual appliance for easier installation and configuration of the server, expanded support for smart cards, and simplified profiling.
- IBM Tivoli Federated Identity Manager offers additional Open Authorization (OAuth) authorization standards support (for business-to-consumer deployments and utilization of cloud-based applications and identities), enhanced security through Secure Hash Algorithm (SHA-2) support, usability enhancements, and new Business Gateway capabilities.