Identity and Access Management : Cloud Service Provider IAM Practice

Cloud Service Provider IAM Practice

From the CSP’s (SaaS, PaaS, or IaaS) perspective, IAM features should be included in the cloud service’s design criteria, with the goal of delegating user authentication and authorization to the customer using user management and federation standards. Support for IAM features has integration implications for both customers (e.g., single sign-on, user provisioning) and CSPs (e.g., billing, accounting resource utilization). For both the customer and CSP, IAM integration considerations at the early stage of service design will help avoid costly retrofits. Hence, cloud service architects and platform application developers should be embedding IAM features at various stages of the product life cycle—architecture, design, and implementation (e.g., externalize the authentication from the application using the federation feature).

From a cloud customer perspective, the application’s IAM capabilities (or lack thereof), such as identity federation, will impact the cloud service governance, integration, and user experience (e.g., barriers to adopt the cloud service). Hence, architects, designers, and developers of cloud applications should understand the IAM requirements of cloud applications and bake the features into the RFP or CSP evaluation criteria.

Enterprise IAM requirements include:

• Provisioning of cloud service accounts to users, including administrators.

• Provisioning of cloud services for service-to-service integration (e.g., private [internal] cloud integration with a public cloud).

• SSO support for users based on federation standards (e.g., SAML support).

• Support for internal- and regulatory-policy compliance requirements, including segregation of duties using RBAC, rules, or claims-based authentication methodology. RBAC features promote a least-privilege-based access model where a user is granted the right number of privileges required to perform the job. Claims-based methodology enables some important privacy use cases because it allows for only the user’s entitlements, not her actual identity, to flow with messages, which allows for fine-grained authorization without the requirement to actually embed the user’s identity into messages.

• User activity monitoring, logging, and reporting dictated by internal policies and regulatory compliance, such as SOX, PCI, and HIPAA.

1. SaaS

One of the primary concerns of IT and business decision makers regarding software-as-a-service applications is security management.

Although most SaaS vendors have been able to demonstrate that their cloud-based applications are secure from an operational point of view, there are still access control issues that organizations need to address to ensure that their corporate data is fully secure from a corporate policies and procedures standpoint.

It is becoming particularly important to address these issues because SaaS applications are gaining popularity due to their low barrier to adoption and their pay-as-you-go service model. In some cases, business units are sidestepping IT and directly engaging with SaaS vendors, which can lead to additional IT headaches. IT must manage risks that may come out of this loss of visibility and control, and be able to ensure that the right users have the right level of access to information hosted by SaaS vendors.

Organizations considering integrating into SaaS services should consider two major challenges for identity management:

• Is the organization ready to provision and manage the user life cycle by extending its established IAM practice to the SaaS service?

• Are the SaaS provider capabilities sufficient to automate user provisioning and life cycle management without implementing a custom solution for the SaaS service?

1.1. Customer responsibilities

In SaaS services, customers have limited responsibility and available controls to secure information. In general, SaaS solutions are multitenant and are delivered to the customer via a web browser. The only controls that are available to the customer are IAM controls such as identity provisioning, authentication policies (e.g., password strength), profile configuration, and basic authorization policies that manifest as user profiles. The following are the responsibilities of customers from an IAM perspective:

User provisioning

User provisioning methods are typically unique to the SaaS provider. Customers need to understand the preferred method, lag time to activate users, and user attributes that are supported by the SaaS service. Most often the provisioning process is manual and may involve uploading spreadsheets or documents in XML format. Almost all SaaS providers support bulk upload of user identities, as that’s the most common use case for provisioning users. Some SaaS providers may support just-in-time provisioning where user identities are created on the fly using a provisioning request (sometimes SPML-employed) that is usually triggered by user activity such as the user clicking on a hyperlink that is unique to the user identity.

Profile management

As part of the provisioning process, customers may have the ability to create user profiles that play a role in user authorization. User profiles such as user and manager are an approach to assigning entitlements to users within the SaaS application. Admittedly, these are not sophisticated features and will require customers to understand the flexibility and management of the profiles.

SaaS IAM capability evaluation

Customers are responsible for evaluating the support for IAM features such as SSO (using identity federation) by CSPs. SAML is the de facto standard for federating identities and is now supported by large SaaS providers (among them Google and Salesforce.com). However, not all providers are supporting SAML 2.0, and some may support only SAML 1.1. For example, Salesforce.com supports SAML 1.1 while Google Apps supports SAML 2.0. Hence, it is important to understand what federation protocols are supported by which providers and the integration requirements to federate and support SSO.

Investigation support

Logs and audit trails are also often needed to investigate incidents. For example, PCI DSS requires the provider to “provide for timely forensic investigation” if the service provider suffers a breach. Since the SaaS provider’s logs are internal and are not necessarily accessible externally or by customers, monitoring (let alone investigation) is difficult. Since access to logs is required for PCI compliance and may be requested by auditors and regulators, make sure to negotiate access to the provider’s logs as part of any service agreement.

Compliance management

Although the same security concerns companies already have within their own networks—securing the network, hardware, applications, and data—apply for companies outsourcing their data with SaaS, trust and transparency exacerbate the situation in cloud computing. When compliance with government regulations such as SOX, the Gramm-Leach-Bliley Act (GLBA), and HIPAA and with industry standards such as PCI DSS come into the scope of the data hosted in SaaS, it could be challenging to meet those demands. In general, customers of SaaS services are responsible for compliance management, although the provider hosts the data. Make an effort to understand the access control, logging, reporting, and auditing capabilities offered by SaaS providers and assess whether those controls are adequate to meet compliance management requirements.

1.2. CSP responsibilities

With regard to IAM, some responsibilities belong to the CSP and some belong to the customer. Here are CSP responsibilities:

Authentication services

Unless the SaaS provider supports delegated authentication via federation, it typically authenticates the SaaS users—usually via a web form delivered over HTTPS—using a user identifier and static password. Since users can be accessing the service from anywhere on the Internet, it is up to the SaaS provider to authenticate users based on the network trust level. For example, some CSPs can preregister the IP address or IP range of a user’s location (home, office, etc.) to protect data from hackers who are stealing the user’s identity and credentials using keystroke loggers (potentially installed on the user’s computer in a stealthy manner). Given that authentication activity is a precursor to the actual use of the SaaS service, it is critical for the CSP to deliver and maintain a continuously available authentication service.

Account management policies

CSPs should communicate the account management policies including account lock-outs (after many login failures), account provisioning methods, and privilege account management roles.

Federation

CSPs supporting identity federation using standards such as SAML should publish the information necessary for customers to take advantage of this feature and enable SSO for their users. Such information includes the version (SAML 1.1, SAML 2.0), a use case implementation example, and implementation details of the federation using the API (e.g., support for SAML using REST and SOAP).

2. PaaS

Organizations considering extending their established IAM practices to PaaS cloud providers have few options at their disposal. PaaS CSPs typically delegate authentication functions using federation to the PaaS provider’s IdP (e.g., the Google App Engine delegates authentication to Google’s authentication service). In some cases, such as Salesforce.com’s Force.com, there is limited support for delegated authentication and it is usually performed without the aid of SAML assertions (e.g., it is proprietary to each PaaS provider implementation). CSPs also supply software components that can be invoked using programming languages (usually PaaS-specific) to perform authentication and limited authorization.

Microsoft recently introduced the “Geneva” Claims-Based Access Platform that is SAML 2.0 compliant (and is still in beta as of this writing). The project’s goal is to help developers externalize authentication, authorization, and personalization from .NET applications, and help organizations federate users using Microsoft’s federation offering, Security Token Service (STS). Microsoft developers could potentially utilize STS deployed in an enterprise, and interoperate with applications that are deployed on an Azure platform. This solution is specifically targeted toward Microsoft customers who are interested in extending their Active Directory directory into a cloud by way of federation. Therefore, it is not apparent whether the Geneva Claims-Based Access Platform will interoperate with existing SaaS and PaaS providers who are SAML 2.0 compliant.

3. IaaS

As of this writing, enterprises considering extending their established IAM practices to IaaS cloud providers (computing and storage) have limited or no options. Because IaaS providers provide computing or storage-as-a-service, they do not have visibility to applications that are hosted on the IaaS platform. Almost all IaaS providers use Secure Shell (SSH) to log on and administer users and credentials; few providers, such as Amazon Web Services (AWS) EC2, offer a web console to provision users, manage user keys, and assign users to security groups that relate to the administrative functions of IaaS.

Some of the responsibilities and challenges in managing users in IaaS services are:

User provisioning

Provisioning of users (developers, administrators) on IaaS systems that are dynamic in nature. Given that hundreds of systems are provisioned for workload management, user provisioning will have to be automated at the time of image creation and should be policy-based. Ideally, systems should rely on corporate directories (LDAP, Active Directory) for user management to avoid duplication of identities on systems. However, the virtual network topology in cloud and network security policies may interfere with directory-based authentication schemes and should be assessed on a per-CSP basis.

Privileged user management

Managing private keys of system administrators and protecting the keys when system administrators leave the company (e.g., SSH host keys).

Customer key assignment

Assigning IDs and keys required to access the service. These keys are used for managing access to customer accounts for billing reasons, as well as for authenticating customers to their services. For example, Amazon assigns an Access Key ID, a Secret Access Key, an X.509 certificate, and a corresponding private key to every EC2 customer. You authenticate to an AWS request using either the Access Key ID and Secret Access Key or the X.509 certificate and private key. Hence, customers are responsible for provisioning and safeguarding these keys.

Developer user management

Provisioning of developers and testers to IaaS instances, and deprovisioning the same when access is no longer required.

End user management

Provisioning users who need access to applications hosted on IaaS.

Currently, there is no automated way to synchronize an organizational LDAP or Active Directory directory with IaaS providers to avoid a redundant user database at each of the IaaS clouds. Some third-party identity management service providers claim to have developed adapters for EC2 user provisioning and management, however.