Identity management is a complex topic that has been making its way into the cloud and enhancing the prospect for companies to federate and engage with previously unavailable identity services.
By embracing security services in the cloud, or security as a service (SECaaS), enterprises are able to streamline and take advantage of more flexible services that they might have been struggling to maintain on premises or for which they weren't staffed.
One of the more popular SECaaS applications is identity and access management. This service can either be fully maintained within a cloud platform or it can work with systems at a customer's site in a hybrid model.
Both identity management -- the ability to create, modify and delete an identity -- and access management -- the authorization of that identity for only the proper resources -- are extremely necessary in today's environment. Having the capability to create roles with the proper access to resources, while keeping security in mind, is of the utmost importance to an organization utilizing the cloud.
Cloud identity and access management (IAM) is growing, and it's likely that many organizations will start utilizing similar services in the future, if they haven't already started.
What to consider before using cloud IAM
There are a few items to be aware of when making a decision about which cloud identity and access management service to implement.
Before even starting the conversation about cloud IAM, there needs to be an understanding of how the system provisions and deprovisions user accounts. In a cloud service, this also means an organization has to have a secure manner of keeping the directory services the users will be sourcing from up to date.
The entire lifecycle of user account management will now involve the cloud, and will determine if the identity in question will be granted the requested access. These cloud IAM systems would also be responsible for the provisioning of a policy that the accounts will be subjected to when attempting to access a resource. What was normally done on premises would be built in the cloud, many times as a third party, and the same security of the directory needs to be maintained.
User accounts need to live in a directory, and the location of this directory is very important. Many times, we see a combination, or hybrid, implementation of services, where an on-premises Lightweight Directory Access Protocol (LDAP) directory is used to store the unique identities, but they're being authenticated, or even authorized, by a cloud service. These repositories of users can be either in the cloud completely or, as mentioned, within an on-premises LDAP implementation already configured at the user's site. A good IAM service offers options to include multifactor authentication into the process of authenticating these user accounts.
When dealing with authentication from a cloud IAM perspective, it's highly recommended to use two-factor authentication, with the option for risk-based authentication for certain services. Access to a service living off of your network adds additional security concerns, but it also shouldn't decrease the authentication and access that an enterprise is used to when dealing with an on-premises IAM service.
Cloud IAM policies
Creating the policies within an identity and access management system to authorize a user account or service is the bread and butter of IAM. A policy decision point (PDP) will be used to create these rules and to determine if an entity or identity is authorized to fulfill the request that a particular user is demanding.
Normally, a policy enforcement point (PEP) will act as the gateway for these requests and send the attributes to the PDP to determine if they have the proper authorization to complete the request. The PEP software can be an agent within a web server or integrated directly into LDAP. The main point to understand is that the PEP enforces the policy that the PDP has configured, and these policies are enforced based on the rules on which it has been configured to act.
Reporting always plays a big part in IAM, whether an organization is implementing it in the cloud or on premises. Reporting on access failures, auditing user accounts and evaluating how accounts are provisioned and deprovisioned need to be reviewed during the implementation. Understanding all the changes and modifications to users' accounts and if there is unusual access will assist with operational issues that arise. Plus, it is mandatory in any regulated industry to show that logging and reporting are enabled and acted on accordingly.
When searching for a cloud IAM service, it's a good idea to review how the service would need to be architected and to validate that the vendor is using standard protocols within its technology. It's also a good idea to look for vendors that use protocols like Security Assertion Markup Language, for exchanging authentication and authorization data; System for Cross-domain Identity Management, to exchange user identities between systems; and Open Authorization, or OpenID, as additional methods to assist with authentication and authorization. If a vendor isn't using the most up-to-date protocols, or is not using standardized protocols at all, it's a sign to look elsewhere.
When systems follow standards like the protocols described above, it helps limit vendor lock-in within the cloud. If a vendor doesn't allow for standard protocols to be used, or the user directory is being stored in the cloud, where the identities can't be migrated, the client will be locked into this vendor for service.
Having the option for both interoperability and portability between vendors is highly recommended when moving to cloud-based IAM.
Get three expert perspectives on cloud identity and access management
Learn about updating an IAM policy to work with newer technologies
Find out what's new in IAM security and strategy