Generally speaking, access control management is a broad function that
encompasses access requirements for your users and system administrators
(privileged users) who access network, system, and application resources.
The access control management functions should address the
following:
Who should have access to what resource? (Assignment of
entitlements to users)
Why should the user have access to the resource? (Assignment of
entitlements based on the user’s job functions and
responsibilities)
How should you access the resource? (What authentication method
and strength are required prior to granting access to the
resource)
Who has access to what resource? (Auditing and reporting to
verify entitlement assignments)
The aforementioned aspects of the access control domain should be
addressed by your organization’s access policies and standards and aligned
with the user’s roles and responsibilities, including end users and
privileged system administrators.
1. Access Control in the Cloud
In a cloud computing consumption model, where users are accessing cloud services from any
Internet-connected host, network access control will play a diminishing
role. The reason is that traditional network-based access controls are
focused on protecting resources from unauthorized access based on
host-based attributes, which in most cases is inadequate, is not unique
across users, and can cause inaccurate accounting. In the cloud, network
access control manifests as cloud firewall policies enforcing host-based
access control at the ingress and egress points of entry to the cloud
and logical grouping of instances within the cloud. This is usually
achieved with policies (rules) expressed in standard Transmission Control
Protocol/Internet Protocol (TCP/IP) parameters, including source IP, source port, destination
IP, and destination port.
In contrast to network-based access control, user access control
should be strongly emphasized in the cloud, since it can strongly bind a
user’s identity to the resources in the cloud and will help with fine-grained
access control, user accounting, support for compliance, and
data protection. User access management controls, including strong
authentication, single sign-on (SSO), privilege management, and logging and monitoring of
cloud resources, play a significant role in protecting the
confidentiality and integrity of your information in the cloud.
ISO/IEC 27002 has defined six access control objectives that cover end
user, privileged user, network, application, and information access
control. Readers are encouraged to assess cloud services and understand
the relevant ISO/IEC 27002 control objectives that mitigate the most
risk for the business. The following user access management control
statement from ISO 27002 is particularly relevant to cloud
services:
Objective: To ensure authorized user access and to prevent
unauthorized access to information systems. Formal procedures should
be in place to control the allocation of access rights to information
systems and services. The procedures should cover all stages in the
lifecycle of user access, from the initial registration of new users
to the final de-registration of users who no longer require access to
information systems and services. Special attention should be given,
where appropriate, to the need to control the allocation of privileged
access rights, which allow users to override system controls.
The following are the six control statements:
Control access to information.
Manage user access rights.
Encourage good access practices.
Control access to network services.
Control access to operating systems.
Control access to applications and systems.
Similar to ISO 27002, ITIL dictates an access management function that was added
as a new process to ITIL v3. The decision to include this dedicated
process was motivated by IT security reasons: from an IT security
perspective, granting access to IT services and applications only to
authorized users should be of high importance.
The objective of this function is to grant authorized users the
right to use a service, while preventing access to non-authorized users.
The access management processes essentially execute policies defined in
IT security management.
2. Access Control: SaaS
In the SaaS delivery model, the CSP is responsible for managing all
aspects of the network, server, and application infrastructure. In that
model, since the application is delivered as a service to end users,
usually via a web browser, network-based controls are becoming less
relevant and are augmented or superseded by user access controls, e.g.,
authentication using a one-time password. Hence, customers should focus
on user access controls (authentication, federation, privilege
management, deprovisioning, etc.) to protect the information hosted by
SaaS. Some SaaS services, such as Salesforce.com, add network access
control (e.g., source IP address/network-based control) on top of user access
control, in which case customers have the option to enforce access based
on both network and user policy parameters.
Support for user access control is not consistent across
providers, and capabilities may vary. A small set of CSPs (mostly large
SaaS providers, such as Salesforce.com, Google, and Microsoft) are
beginning to pay attention to enterprise IAM requirements, including
support for standards such as SAML that facilitate SSO using identity
federation techniques. However, given the early adoption cycle by large
enterprises, from an enterprise perspective the IAM capabilities are
primitive at best. Customers should continue to demand that their CSPs
provide IAM features, including SAML support, user provisioning using
SPML, and an open API to support various user and access automation
processes. Organizations should leverage their established identity
management practices, processes, and architecture (e.g., IdP) to support
user access management and federation.
3. Access Control: PaaS
In the PaaS delivery model, the CSP is responsible for managing access
control to the network, servers, and application platform
infrastructure. However, the customer is responsible for access control
to the applications deployed on a PaaS platform. Access control to
applications manifests as end user access management, which includes
provisioning and authentication of users.
Support for user access control is not consistent across
providers, and capabilities may vary. As of this writing, major PaaS
providers—with the exception of Force.com and Microsoft Azure (still in
beta)—offer rudimentary user access management support. Enterprises that
leverage their internal identity provider (IdP) will have to understand
PaaS capabilities, including support for federation. It is conceivable
for a PaaS CSP to offer a standard API such as OAuth to manage
authentication and access control to applications. For example, Google
supports a hybrid version of an OpenID and OAuth protocol that combines
the authorization and authentication flow in fewer steps to enhance
usability. You could also delegate authentication to your IdP if the CSP
supports federation standards, such as the Security Assertion Markup
Language (SAML).
4. Access Control: IaaS
IaaS customers are entirely responsible for managing all aspects of access control to
their resources in the cloud. Access to the virtual servers, virtual
network, virtual storage, and applications hosted on an IaaS platform
will have to be designed and managed by the customer. In an IaaS
delivery model, access control management falls into one of the
following two categories:
CSP infrastructure access control
Access control management to the host, network, and
management applications that are owned and managed by the
CSP
Customer virtual infrastructure access control
Access control management to your virtual server (virtual
machines or VMs), virtual storage, virtual networks, and
applications hosted on virtual servers
4.1. CSP infrastructure access control
The CSP is responsible for managing access control to the administrative network
that is used to perform administrator functions. This includes access
control to administrative processes, such as backups, host
(hypervisor) and network maintenance, router and firewall policy
management, and system monitoring and management. Access to
administrative functions should be protected using strong
authentication and role-based access control. Strong operational
procedures should be implemented to support the provisioning and
revocation of administrative privileges. Periodic access control
audits and administrative user certifications should be implemented to
validate least privileges and separation of duties. In this regard,
the aforementioned AWS security white paper states that:
Amazon.com’s Information Security Policies, followed by AWS,
are guided by the fundamental principle of least privilege. Least
privilege protects customer information assets by requiring that no
individual, program or system is granted more access privileges than
are necessary to perform the task. Any employee found to have
violated this policy may be subject to disciplinary action,
including termination.
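The periodic access audit described above (validating least privilege and separation of duties for privileged users, and answering the earlier question "who has access to what resource?") can be scripted against an export of current entitlements. The following is an added example, not code from the book or from any CSP; the role catalog, toxic-pair policy and user snapshot are constructed sample data:

```python
"""Periodic access review for cloud administrative entitlements.

Added example, not from the book: checks each user's assigned entitlements
against what their job roles justify (least privilege) and against pairs of
entitlements that must not be held together (separation of duties).
All role names, entitlements and users below are constructed sample data.
"""

# Role catalog: which entitlements each job function justifies (constructed).
ROLE_ENTITLEMENTS = {
    "network-admin": {"firewall:write", "vpc:read"},
    "host-admin":    {"instance:start", "instance:stop", "vpc:read"},
    "auditor":       {"firewall:read", "vpc:read", "audit-log:read"},
}

# Toxic combinations: one person must not hold both (constructed policy).
SOD_PAIRS = [
    ("firewall:write", "audit-log:write"),
    ("instance:start", "billing:approve"),
]


def review_access(users):
    """users: {name: {"roles": [...], "entitlements": {...}}}.
    Returns {name: {"excess": set, "sod": list}} for users with findings only."""
    findings = {}
    for name, rec in users.items():
        justified = set()
        for role in rec["roles"]:
            justified |= ROLE_ENTITLEMENTS.get(role, set())
        # Least privilege: anything not explained by the user's roles is excess.
        excess = rec["entitlements"] - justified
        # Separation of duties: flag every toxic pair the user holds in full.
        sod = [p for p in SOD_PAIRS if set(p) <= rec["entitlements"]]
        if excess or sod:
            findings[name] = {"excess": excess, "sod": sod}
    return findings


# Constructed snapshot of current assignments (e.g. exported from a CSP console).
SAMPLE_USERS = {
    "alice": {"roles": ["network-admin"], "entitlements": {"firewall:write", "vpc:read"}},
    "bob":   {"roles": ["host-admin"],
              "entitlements": {"instance:start", "instance:stop", "vpc:read", "billing:approve"}},
    "carol": {"roles": ["auditor"],
              "entitlements": {"firewall:read", "firewall:write", "audit-log:read", "audit-log:write"}},
}

if __name__ == "__main__":
    for user, f in review_access(SAMPLE_USERS).items():
        print(user, "excess:", sorted(f["excess"]), "sod:", f["sod"])
```

Running it reports bob's unjustified billing entitlement (which also forms a toxic pair with instance control) and carol's write rights, which neither her auditor role nor the separation-of-duties policy permits.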
4.2. Customer virtual infrastructure access control
To start with, IaaS customers must understand the virtual resources
(network, host, firewall, load balancers, management console, etc.)
and the available protection mechanisms to restrict access to
authorized users. It is not uncommon for CSPs to provide customers
with full root access and administrative control over rented virtual
servers. In addition, customers can be assigned privileges to manage
network access policies for both the ingress and egress of their
virtual network and virtual servers. Hence, the customer is
responsible for taking the necessary steps to protect access to
virtual resources.
Note:
It is a standard practice for IaaS CSPs to provide APIs (REST,
SOAP, or HTTP with XML/JavaScript Object Notation [JSON]) to perform
most management functions, such as access control from a remote
location. Some providers also offer a web-based console from which
access control features can be invoked. Organizations consuming IaaS
services should design and implement access management processes
with access request or approval and a gatekeeper, and maintain a
catalog of privileged users who have access to IaaS
resources.
Consider the following areas when managing access control of
your infrastructure in the cloud:
Network access control
Check with the provider on the default configuration of the
network access that is typically enforced by a firewall managed
by the CSP. It is customary for CSPs to deny all access to your
virtual servers by default (factory settings), so that every
inbound connection to your virtual servers is dropped unless a
rule permits it. This forces you to explicitly add new rules to allow
access to your virtual servers in the cloud—for example, allow
access to IP 10.0.0.1 from 192.168.0.1 to port 22 (Secure Shell
or SSH), where 10.0.0.1 is the IP address of the
virtual server and 192.168.0.1 is the trusted IP address from
which 10.0.0.1 can be accessed using SSH. Amazon EC2 offers
network group features that allow the creation of multiple
security groups to enforce different ingress policies as needed.
According to Amazon, a customer can control each security group
with a PEM-encoded X.509 certificate and restrict traffic to
each EC2 instance by protocol, service port, or source IP
address.
Virtual server access control
Virtual servers running your preferred OS (Linux, Solaris, or
Windows) should be protected with access controls, such as OS
authentication mechanisms. It is a standard practice to
configure Unix servers with SSH-based logins with strong
authentication. Strong authentication protects against several
security threats (e.g., IP spoofing, fake routes,
man-in-the-middle, and DNS spoofing). The authentication methods
include Rivest-Shamir-Adleman (RSA) encryption algorithm-based
host authentication, pure RSA authentication, one-time passwords with S/Key,
and authentication using Kerberos. When using RSA keys, it is recommended
that the keys are stored in a secure form of media and that they
are secured with a passphrase. These measures help to protect
your keys from unauthorized users.
Cloud management station
Management of your virtual resources on the cloud is usually
accomplished from a client system with applications that
manipulate remote resources using a CSP-proprietary API (REST,
SOAP, or HTTP with XML/JSON). A client management toolkit
(supplied by the CSP) is installed on the management station,
which interacts with the CSP management service via the
published API. Because the station contains sensitive
information, including host and user keys, and firewall
policies, the cloud management station should be viewed as a
command and control center for the cloud infrastructure. Hence,
access to the management station should be protected with strong
authentication and sound access provisioning procedures.
Web-based console
Some CSPs supplement the cloud management station with a
web-based console feature by which customers can manage access to
their virtual infrastructure in the cloud. The console offers an
alternative means to the cloud management station for managing
the cloud infrastructure. Similar to the management station, the
console offers access to sensitive information, including access
to your host keys and firewall policies with just a few mouse
clicks; it acts as a management station for your cloud
infrastructure. Because the web console is a powerful tool that
can control your virtual network and virtual server instances,
you should adequately protect console access. For example, the
web console should be accessed only with HTTPS protocol.
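The default-deny ingress model described under "Network access control" above, where nothing reaches a virtual server unless an explicit rule in one of its security groups allows it, can be modelled in a few lines. This is an added example, not code from the book or from any CSP's toolkit; it reuses the book's 192.168.0.1 trusted-host illustration, while the group names, the 203.0.113.7 untrusted address and the list of administrative ports are constructed. It also adds a lint check that flags rules opening an administrative port to the whole Internet, the kind of rule a periodic review of firewall policies should catch:

```python
"""Default-deny ingress evaluation for an IaaS security group.

Added example, not code from the book or any CSP: models 'deny all inbound
unless a rule allows it', with rules keyed by protocol, port range and
source network, plus a lint check for rules that expose administrative
ports to any source. Group contents and 203.0.113.7 are constructed.
"""
from ipaddress import ip_address, ip_network

# One ingress rule: (protocol, first_port, last_port, source CIDR).
# A security group is a list of rules; an instance may belong to several.
SSH_FROM_BASTION = [("tcp", 22, 22, "192.168.0.1/32")]   # the book's trusted host
WEB_PUBLIC = [("tcp", 443, 443, "0.0.0.0/0")]
RISKY = [("tcp", 22, 22, "0.0.0.0/0")]                    # what the lint should catch

ADMIN_PORTS = {22, 3389}   # SSH and RDP; constructed list for the lint check


def ingress_allowed(groups, proto, dst_port, src_ip):
    """Return True only if a rule in some attached group matches.
    There is no deny rule type: absence of a match is the implicit deny."""
    src = ip_address(src_ip)
    for group in groups:
        for rule_proto, lo, hi, cidr in group:
            if rule_proto == proto and lo <= dst_port <= hi and src in ip_network(cidr):
                return True
    return False


def overly_broad(groups):
    """Flag rules that expose an administrative port to any source (/0)."""
    hits = []
    for group in groups:
        for rule in group:
            _proto, lo, hi, cidr = rule
            if ip_network(cidr).prefixlen == 0 and any(lo <= p <= hi for p in ADMIN_PORTS):
                hits.append(rule)
    return hits


if __name__ == "__main__":
    attached = [SSH_FROM_BASTION, WEB_PUBLIC]
    print(ingress_allowed(attached, "tcp", 22, "192.168.0.1"))   # True: trusted host
    print(ingress_allowed(attached, "tcp", 22, "203.0.113.7"))   # False: implicit deny
    print(ingress_allowed(attached, "tcp", 443, "203.0.113.7"))  # True: public HTTPS
    print(overly_broad([SSH_FROM_BASTION, RISKY]))               # [('tcp', 22, 22, '0.0.0.0/0')]
```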
5. Access Control Summary
Access control is a critical security management function in the SPI (SaaS,
PaaS, and IaaS) cloud delivery model and across the standard deployment
models (public, private, and hybrid). Access management is critical to
protecting your information hosted in SPI clouds and may be the primary
means of security control in the absence of encryption and other data
controls. As of this writing, access management features in public
clouds are not consistent and are still evolving. In their current form,
access control capabilities offered by CSPs may not be adequate for
enterprise customers, for the following reasons:
Access control mechanisms, practices, and processes are not
standardized across CSPs. To effectively manage access control to their
virtual cloud infrastructure, customers have to make an extra effort
to understand the CSP-specific access control features and customize
them on a CSP basis.
The lack of a standard API across CSPs makes it very difficult to manage
access across multiple clouds. For example, SAML support is not
available from any of the major CSPs, including AWS.
User access controls to cloud resources are generally weak.
Access controls from CSPs typically support granular network-level
access management, but coarse user access management. User access
controls mostly address the authentication aspects and are
rudimentary at best for managing user authorization to the cloud
infrastructure. CSPs should offer granular privilege access based on
roles that support the principles of least privilege and separation
of duties (e.g., console manager, network access manager, zone
manager, host manager).
In summary, from an enterprise customer perspective, access
management is an essential security process to protect the
confidentiality, integrity, and availability (CIA) of information hosted in the cloud. A robust access
management program should include procedures for provisioning, timely
deprovisioning, flexible authentication, privilege management,
accounting, auditing, and support for compliance management. Cloud
customers should understand the CSP-specific access control features for
networks, systems, and applications, and appropriately manage access.