Medium-size and large organizations usually have specific requirements
for authorization features for their cloud users (i.e., assignment of
privileges, or entitlements, to users based on their job functions). In
some cases, a business application may require role-based access control
(RBAC), in which case authorization is structured to suit the
organization’s functional role requirements. As of this writing, cloud
service authorization enforcement and management capabilities are weak,
and when they are available they are very coarse-grained. The services
available may not meet your enterprise requirements.
Most cloud services support at least two roles (privilege levels):
administrator and end user. It is normal practice among CSPs to provision
the administrator role with privileges that allow administrators to
provision and deprovision identities, manage basic attribute profiles,
and, in some cases, set access control policies such as password strength
and the trusted networks from which connections are accepted.
As we mentioned earlier, XACML is the preferred standard for expressing and enforcing
authorization and user authentication policies. As of this writing, we are
not aware of any cloud services supporting XACML to express authorization
policies for users.
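To make concrete what "expressing authorization policies in XACML" means, here is an added example (not code from the book or from any CSP product): a role-based rule written as an XACML 3.0 policy, plus a minimal policy decision point (PDP) that evaluates requests against it. The policy, the role and action values, and the request helper are constructed for this illustration; the XACML attribute identifiers, category URIs and combining algorithm are the standard ones, but the PDP implements only the subset the policy needs (AnyOf/AllOf/Match with string-equal, and deny-unless-permit).

```python
"""Added example: a role-based cloud IAM policy in XACML 3.0 and a minimal
PDP that evaluates it. Constructed for illustration; supports only the XACML
subset used by the policy below (string-equal Matches, deny-unless-permit).
"""
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ROLE_ATTR = "urn:oasis:names:tc:xacml:2.0:subject:role"      # XACML RBAC profile
ACTION_ATTR = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Constructed policy: only administrators may provision users; any role may
# read its own profile; everything else falls through to Deny.
POLICY_XML = f"""<Policy xmlns="{NS}" PolicyId="urn:example:cloud-iam:role-policy" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Target/>
  <Rule RuleId="admin-may-provision-users" Effect="Permit">
    <Target>
      <AnyOf><AllOf>
        <Match MatchId="{STRING_EQUAL}">
          <AttributeValue DataType="{XS_STRING}">administrator</AttributeValue>
          <AttributeDesignator Category="{SUBJECT}" AttributeId="{ROLE_ATTR}"
                               DataType="{XS_STRING}" MustBePresent="false"/>
        </Match>
      </AllOf></AnyOf>
      <AnyOf><AllOf>
        <Match MatchId="{STRING_EQUAL}">
          <AttributeValue DataType="{XS_STRING}">provision-user</AttributeValue>
          <AttributeDesignator Category="{ACTION}" AttributeId="{ACTION_ATTR}"
                               DataType="{XS_STRING}" MustBePresent="false"/>
        </Match>
      </AllOf></AnyOf>
    </Target>
  </Rule>
  <Rule RuleId="any-role-may-read-own-profile" Effect="Permit">
    <Target>
      <AnyOf><AllOf>
        <Match MatchId="{STRING_EQUAL}">
          <AttributeValue DataType="{XS_STRING}">read-own-profile</AttributeValue>
          <AttributeDesignator Category="{ACTION}" AttributeId="{ACTION_ATTR}"
                               DataType="{XS_STRING}" MustBePresent="false"/>
        </Match>
      </AllOf></AnyOf>
    </Target>
  </Rule>
</Policy>"""


def make_request(action, role=None):
    """Request context keyed by (category, attribute id); the role may be absent."""
    request = {(ACTION, ACTION_ATTR): action}
    if role is not None:
        request[(SUBJECT, ROLE_ATTR)] = role
    return request


def _tag(name):
    return f"{{{NS}}}{name}"


def _match_holds(match, request):
    """string-equal: the literal AttributeValue equals the request attribute
    named by the AttributeDesignator; an absent attribute simply does not match."""
    if match.get("MatchId") != STRING_EQUAL:
        raise ValueError(f"unsupported MatchId {match.get('MatchId')}")
    literal = match.find(_tag("AttributeValue")).text
    desig = match.find(_tag("AttributeDesignator"))
    actual = request.get((desig.get("Category"), desig.get("AttributeId")))
    return actual == literal


def _target_holds(target, request):
    """Target = AND over AnyOf; AnyOf = OR over AllOf; AllOf = AND over Match.
    An empty or missing Target matches every request."""
    if target is None:
        return True
    for any_of in target.findall(_tag("AnyOf")):
        if not any(all(_match_holds(m, request) for m in all_of.findall(_tag("Match")))
                   for all_of in any_of.findall(_tag("AllOf"))):
            return False
    return True


def evaluate(policy_xml, request):
    """Tiny PDP: NotApplicable if the policy Target fails, otherwise
    deny-unless-permit over the rules (Permit if any Permit rule applies)."""
    policy = ET.fromstring(policy_xml)
    if not _target_holds(policy.find(_tag("Target")), request):
        return "NotApplicable"
    for rule in policy.findall(_tag("Rule")):
        if rule.get("Effect") == "Permit" and _target_holds(rule.find(_tag("Target")), request):
            return "Permit"
    return "Deny"


if __name__ == "__main__":
    for role, action in [("administrator", "provision-user"), ("end-user", "provision-user"),
                         ("end-user", "read-own-profile"), (None, "provision-user")]:
        print(f"role={role!s:14} action={action:18} -> {evaluate(POLICY_XML, make_request(action, role))}")
```

The point of the example is the separation the standard gives you: the policy is data that a compliance reviewer can read and diff, while the PDP is generic, which is exactly the property a CSP-specific, coarse-grained admin/end-user switch lacks.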
IAM Support for Compliance Management
As much as cloud IAM architecture and practices impact the efficiency of
internal IT processes, they also play a major role in managing
compliance within the enterprise. Properly implemented IAM practices and
processes can help improve the effectiveness of the controls identified
by compliance frameworks. For example, by automating the timely
provisioning and deprovisioning of users and entitlements, organizations can reduce the risk of
unauthorized users accessing cloud services and meet their privacy and
compliance requirements. In addition, identity and attribute management
will be key areas of compliance focus for regulatory and privacy
issues—proper IAM governance processes should be instituted to address
these issues.
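One way to check that the deprovisioning and entitlement controls above are actually working is a periodic reconciliation of the cloud service's account list against the HR roster and a job-function entitlement matrix. The following is an added example (not the book's code and not a CSP's API); the roster, account list, entitlement names, job functions and the one-day grace period are all constructed for the illustration. It reports orphaned accounts, accounts still enabled after termination, entitlements beyond what the job function allows, and administrative entitlements held outside HR control.

```python
"""Added example: reconcile a cloud service's accounts against the HR roster
to surface deprovisioning gaps and excess entitlements. All data constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed entitlement matrix: what each job function may hold.
ENTITLEMENTS_BY_JOB = {
    "cloud-admin": {"provision-users", "set-password-policy", "read-reports"},
    "analyst": {"read-reports"},
    "sales": {"read-reports", "export-contacts"},
}
ADMIN_ENTITLEMENTS = {"provision-users", "set-password-policy"}


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    job: str
    active: bool
    terminated_on: Optional[date] = None


@dataclass(frozen=True)
class CloudAccount:
    user_id: str
    enabled: bool
    entitlements: frozenset


@dataclass(frozen=True)
class Finding:
    control: str      # which control the finding supports (constructed names)
    user_id: str
    detail: str


def reconcile(hr_records, accounts, today, grace_days=1):
    """Compare cloud accounts with HR; return a list of Findings.
    Users in HR with no cloud account are not a finding (they may not need access)."""
    hr_by_id = {r.user_id: r for r in hr_records}
    findings = []
    for acct in accounts:
        rec = hr_by_id.get(acct.user_id)
        if rec is None:
            findings.append(Finding("orphaned-account", acct.user_id, "no HR record"))
            if acct.entitlements & ADMIN_ENTITLEMENTS:
                findings.append(Finding("unmanaged-admin", acct.user_id,
                                        f"holds {sorted(acct.entitlements & ADMIN_ENTITLEMENTS)}"))
            continue
        if not rec.active:
            # Timely deprovisioning: still enabled past the grace period is a finding.
            if acct.enabled and (today - rec.terminated_on).days > grace_days:
                findings.append(Finding("overdue-deprovision", acct.user_id,
                                        f"terminated {rec.terminated_on.isoformat()}, still enabled"))
            continue
        excess = acct.entitlements - ENTITLEMENTS_BY_JOB.get(rec.job, set())
        if excess:
            findings.append(Finding("excess-entitlement", acct.user_id,
                                    f"{rec.job} holds {sorted(excess)}"))
    return findings


def controls_for(findings):
    """Group affected user ids by control, as an access-review report would."""
    report = {}
    for f in findings:
        report.setdefault(f.control, []).append(f.user_id)
    return {control: sorted(ids) for control, ids in report.items()}


# Constructed sample data for a review dated 2024-01-15.
HR_ROSTER = [
    HrRecord("alice", "cloud-admin", True),
    HrRecord("bob", "analyst", True),
    HrRecord("carol", "sales", False, date(2024, 1, 10)),   # left five days ago
    HrRecord("dave", "analyst", False, date(2024, 1, 15)),  # left today, inside grace
]
CLOUD_ACCOUNTS = [
    CloudAccount("alice", True, frozenset({"provision-users", "set-password-policy", "read-reports"})),
    CloudAccount("bob", True, frozenset({"read-reports", "provision-users"})),  # excess
    CloudAccount("carol", True, frozenset({"read-reports", "export-contacts"})),  # overdue
    CloudAccount("dave", True, frozenset({"read-reports"})),
    CloudAccount("svc-legacy", True, frozenset({"provision-users"})),  # nobody owns this
]


def run_sample():
    return controls_for(reconcile(HR_ROSTER, CLOUD_ACCOUNTS, date(2024, 1, 15)))


if __name__ == "__main__":
    for control, users in sorted(run_sample().items()):
        print(f"{control:20} {', '.join(users)}")
```

The report is deliberately keyed by control rather than by user, because that is the shape an auditor asks for: evidence that the termination control and the least-privilege control were tested, with the exceptions listed. The same loop works against any CSP that can export an account list, which is usually the most you can count on given the sparse SPML and XACML support noted in this chapter.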
IAM practices and processes offer a centralized view of business
operations and an automated process that can stop insider threats before
they occur. However, given the sparse support for IAM standards such as
SAML (federation), SPML (provisioning), and XACML (authorization) by the
CSP, you should assess the CSP capabilities on a case-by-case basis and
institute processes for managing compliance related to identity
(including attribute) and access management.