Identity And Access Management In The Cloud

Transcription

White Paper
www.novell.com

Identity and Access Management in the Cloud
Cloud Security Alliance Research Paper
Sponsored by Novell

Foreword

At a time when companies are looking for ways to cut costs, cloud computing looks like an attractive alternative, one which you would think most cash-strapped IT departments would take a long look at. But a recent survey of mostly IT professionals conducted by Novell finds a strong mistrust of cloud computing in the workplace, while at the same time a surprisingly wide acceptance for personal use.

The survey was conducted using members of Novell's Cool Solutions Community from July to September 2009. 453 people responded, of which 81 percent identified themselves as IT professionals. The respondents were from a variety of geographic locations including the US, India, China, Australia, Canada, South Africa and western Europe. The company sizes varied from 25 or fewer employees to more than 5000, with 44.6 percent working for companies with more than 1000 employees.

When asked to list the top 5 things they feared or mistrusted about cloud computing in the workplace, security came out on top, with 34.6 percent listing it as their top choice. This is not surprising, as many other surveys have indicated the same mistrust and confusion among end-users of the cloud. So, what is the truth – is cloud more secure than the enterprise, or is it totally insecure? The answer is probably somewhere in the middle.

This paper is an in-depth look at the identity and access management issues in the cloud. It goes into the different aspects of managing identities, such as provisioning, federation and compliance, as well as newly emerging models of having identities in the cloud. It looks at these issues from the enterprise perspective and lists what enterprises need to ask cloud providers before they move to the cloud.

This research will also serve as the foundation for the Trusted Cloud Initiative, which was launched by CSA and Novell in March 2010 to research and outline certification criteria that all cloud providers can adhere to. This initiative takes a major step in providing transparency and a level of trust for end-customers who are concerned about security in the cloud. For more information on this initiative, please log on to http://www.trusted-cloud.com or

This paper is part of Domain 12 research on Identity and Access Management by the Cloud Security Alliance (CSA). The material in this document is a copyrighted work of the Cloud Security Alliance. The Cloud Security Alliance is a non-profit organization formed to promote the use of best practices for providing security assurance within cloud computing and to provide education on the uses of cloud computing to help secure all other forms of computing. For more information on the Cloud Security Alliance, visit www.cloudsecurityalliance.org.

Domain 12: Guidance for Identity & Access Management V2.1

Prepared by the Cloud Security Alliance
April 2010

Introduction

The permanent and official location for this Cloud Security Alliance Domain 12 Guidance for Identity & Access Management research saguide-dom12.pdf

This research is a component of the Trusted Cloud Initiative, sponsored by Novell, Inc.

© 2010 Cloud Security Alliance. All rights reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance "Domain 12 Guidance for Identity & Access Management" at uide-dom12v2.10.pdf subject to the following: (a) the Guidance may be used solely for your personal, informational, non-commercial use; (b) the Guidance may not be modified or altered in any way; (c) the Guidance may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Guidance as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance Domain 12 Guidance for Identity & Access Management research Version 2.1 (2010).

Copyright 2010 Cloud Security Alliance

Identity and Access Management

Contributors: Subra Kumaraswamy, Sitaraman Lakshminarayanan, Michael Reiter, Joseph Stein, Yvonne Wilson

Contents

Introduction ... 6
Identity Provisioning ... 7
  Identity Provisioning: Requirements ... 7
    Software as a Service ... 7
    Platform as a Service ... 8
    Infrastructure as a Service ... 9
  Identity Provisioning: Challenges ... 9
    Software as a Service ... 9
    Platform as a Service ... 10
    Infrastructure as a Service ... 10
  Identity Provisioning: Solutions and Recommendations ... 10
    Software as a Service / Platform as a Service ... 11
    Infrastructure as a Service ... 11
  Identity Provisioning: Questions for Your Provider and Assessment Checklist ... 11
    Software as a Service / Platform as a Service ... 11
    Infrastructure as a Service ... 12
  Identity Provisioning: Future Outlook ... 12
    Software as a Service / Platform as a Service ... 12
    Infrastructure as a Service ... 12
Authentication ... 13
  Authentication: Requirements and Challenges ... 13
  Authentication: Solutions and Recommendations ... 14
    SaaS and PaaS ... 14
    IaaS ... 15
    Private IaaS Clouds ... 16
    Strong Authentication ... 16
Federation ... 16
  Single Sign On ... 17
  Multiple Federation Standards ... 17
  SAML for Web SSO ... 18
  Identity Provider: Support for Multiple Standards ... 18

  Federation Gateways ... 18
  Single Sign-On Authentication Model and Authentication Strength ... 18
  Questions for Vendors / Cloud Providers ... 19
Access Control and User Profile Management ... 19
  Access Control: Cloud Challenges ... 20
    Software as a Service ... 21
    Platform as a Service ... 21
    Infrastructure as a Service ... 22
  Access Control: Solutions and Recommendations ... 22
    1. Access Control Model ... 23
    2. Authoritative Source ... 23
    3. Privacy Policy ... 24
    4. Access Control Policy Format ... 24
    5. Policy Transmission ... 24
    6. User Profile Transmission ... 25
    7. Policy Decision Request ... 26
    8. Policy Decision Enforcement ... 26
    9. Audit Logs ... 26
  Summary Table ... 28
    Software as a Service ... 29
    Platform as a Service ... 29
    Infrastructure as a Service ... 29
  Questions for Your Provider and Assessment Checklist ... 30
    General Questions ... 30
    Software as a Service ... 30
    Platform as a Service ... 31
    Infrastructure as a Service ... 31
  Future Outlook ... 32
    Software as a Service ... 32
    Platform as a Service ... 32
    Infrastructure as a Service ... 32
Cloud Identity as a Service (IDaaS) ... 33
  IDaaS: Security Challenges ... 33
    Issues and Challenges ... 33
    SaaS ... 33
    PaaS ... 35
    IaaS ... 35
  IDaaS: Solutions and Recommendations ... 36
    Identity as a Service should follow the same best practices that an internal IAM implementation does, with added considerations for privacy, integrity, and auditability ... 36
    SaaS ... 36

    PaaS ... 36
    IaaS ... 37
  IDaaS: Recommendations ... 37
  IDaaS: Questions for Your Provider and Assessment Checklist ... 37
  IDaaS: Future Outlook ... 38
References ... 38
  Authentication: User-Centric ... 38
  Attribute Exchange: User-Centric ... 39
  Authorization ... 39
  IDaaS ... 39

Introduction

Managing identities and access control for enterprise applications remains one of the greatest challenges facing IT today. While an enterprise may be able to leverage several cloud computing services without a good identity and access management strategy, in the long run extending an organization's identity services into the cloud is a necessary prerequisite for strategic use of on-demand computing services. Supporting today's aggressive adoption of an admittedly immature cloud ecosystem requires an honest assessment of an organization's readiness to conduct cloud-based Identity and Access Management (IAM), as well as an understanding of the capabilities of the organization's cloud computing providers.

We will discuss the following major IAM functions that are essential for successful and effective management of identities in the cloud:

- Identity provisioning/deprovisioning
- Authentication & federation
- Authorization & user profile management
- Support for compliance

The SPI (SaaS, PaaS, IaaS) cloud delivery models call for IT departments and the cloud service provider (CSP) to jointly extend the organization's IAM practices, processes, and procedures to cloud services in ways that are scalable, effective, and efficient for both the provider and its customers.

Identity Provisioning: One of the major challenges for organizations adopting cloud computing services is the secure and timely management of on-boarding (provisioning) and off-boarding (deprovisioning) of users in the cloud. Further, enterprises that have invested in user management processes within the enterprise will seek to extend those processes to cloud services.

Authentication: When organizations utilize cloud services, authenticating users in a trustworthy and manageable manner is a vital requirement. Organizations must address authentication-related challenges such as credential management, strong authentication, delegated authentication, and managing trust across all types of cloud services. It is very common for cloud services to rely on a registry of users, each representing either an individual or an organization, maintained by the cloud service provider (CSP) to support billing, authentication, authorization, federation, and auditing processes.
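The provisioning/deprovisioning gap described above becomes concrete once the CSP's user registry is compared against the enterprise directory: accounts that still exist in the cloud for people the enterprise has off-boarded are exactly what a timely deprovisioning process is meant to prevent. The script below is an added example, not code from the CSA paper or from any product it mentions; the directory export, the CSP registry, the user names and the `entitled` flag are all constructed assumptions standing in for a real directory and a real provider API.

```python
"""Reconcile an enterprise directory against a cloud provider's user registry.

Added illustration (not from the CSA/Novell paper). The two data sets are
constructed in-line; in practice they would come from a directory export
and from the cloud service provider's user-management API.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DirectoryUser:
    """An identity in the enterprise directory, the authoritative source."""
    email: str
    active: bool                       # False once the person is off-boarded
    entitled: bool                     # True if the person should hold a cloud account
    terminated: Optional[date] = None  # off-boarding date, if any


@dataclass(frozen=True)
class CloudAccount:
    """An entry in the cloud service provider's user registry."""
    email: str
    role: str


# Constructed sample data; every person below is hypothetical.
ENTERPRISE_DIRECTORY: List[DirectoryUser] = [
    DirectoryUser("alice@example.com", active=True, entitled=True),
    DirectoryUser("bob@example.com", active=False, entitled=True, terminated=date(2010, 4, 1)),
    DirectoryUser("carol@example.com", active=True, entitled=True),
    DirectoryUser("dave@example.com", active=False, entitled=True, terminated=date(2010, 4, 29)),
    DirectoryUser("erin@example.com", active=True, entitled=False),
]

CLOUD_REGISTRY: List[CloudAccount] = [
    CloudAccount("Alice@example.com", "admin"),  # case differs from the directory entry
    CloudAccount("bob@example.com", "user"),     # off-boarded a month ago, still present
    CloudAccount("dave@example.com", "user"),    # off-boarded yesterday, still present
    CloudAccount("zed@example.com", "user"),     # no directory identity at all
]


def reconcile(directory: List[DirectoryUser], registry: List[CloudAccount],
              today: date, grace_days: int = 1) -> Dict[str, List[str]]:
    """Classify mismatches between the directory and the cloud registry.

    orphaned: cloud account whose directory identity is no longer active
    overdue:  orphaned account older than grace_days past the termination date
    unknown:  cloud account with no directory identity at all
    missing:  active, entitled directory user without a cloud account
    """
    dir_by_email = {u.email.lower(): u for u in directory}
    cloud_by_email = {a.email.lower(): a for a in registry}
    findings: Dict[str, List[str]] = {"orphaned": [], "overdue": [], "unknown": [], "missing": []}

    for email in cloud_by_email:
        user = dir_by_email.get(email)
        if user is None:
            findings["unknown"].append(email)
            continue
        if not user.active:
            findings["orphaned"].append(email)
            if user.terminated is not None and (today - user.terminated).days > grace_days:
                findings["overdue"].append(email)

    for email, user in dir_by_email.items():
        if user.active and user.entitled and email not in cloud_by_email:
            findings["missing"].append(email)

    return {kind: sorted(emails) for kind, emails in findings.items()}


def run_sample() -> Dict[str, List[str]]:
    """Run the reconciliation over the constructed data as of a fixed date."""
    return reconcile(ENTERPRISE_DIRECTORY, CLOUD_REGISTRY, today=date(2010, 4, 30))


def main() -> None:
    for kind, emails in run_sample().items():
        print(f"{kind:>9}: {', '.join(emails) or '-'}")


if __name__ == "__main__":
    main()
```

The e-mail comparison is case-insensitive because directories and providers rarely agree on normalisation, and a case mismatch would otherwise mask an orphaned account as "unknown". The grace period distinguishes accounts that are merely lagging the off-boarding event from those that indicate the deprovisioning process has failed; the "unknown" category is the one to investigate first, since nothing in the authoritative source explains why that account exists.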