The Mounting Case for Cloud Access Brokers
#infosec #cloud #iam Addressing the need for flexible control of access to off-premise applications Unifying identity and access management has been a stretch goal for IT for nearly a decade. At first it was merely the need to have a single, authoritative source of corporate identity such that risks like orphaned or unauthorized accounts could be addressed within the enterprise. But with a growing number of applications - business applications - being deployed "in the cloud", it's practically a foregone conclusion that organizations are going to need similar capabilities for those applications, as well. It's not easy, there are myriad reasons why unifying identity and access control is a stretch goal and not something easily addressed by simply deploying a solution. Federation of identity and access control requires integration. It may require modification of applications. It may require architectural changes. All of these are disruptive and, ultimately, costly. But the costs of not addressing the issue are likely higher. Security a Rising Concern for Cloud-Based Application Usage With access to these applications taking place from a variety of locations including smartphones (80 percent),tablets (71 percent) and non-company computers (80 percent) and with a large percentage of organizations (73 percent) needing to grant temporary access to cloud apps, respondents cited concerns around identity management, governance and complexity. ... Nearly three-quarters (72 percent) of the respondents said they have the need to provide external users, such as consultants, with temporary access to the company’s cloud applications, while just under half (48 percent) of respondents said they are still not able to sign in to cloud applications with a single set of credentials. [emphasis mine] There is a significant loss of control - in terms of governance - that's occurring, where the organization no longer has the means by which they can control who has access to applications, from what device or location, and when. That's the downside of cloud, of distributed systems that are not architected with security in mind. Make no mistake, it's not just IT making a power grab for power's sake. This is a real, significant issue for the business side of the house, because it is their applications - and ultimately data - that is at risk by failing to properly address issues of access. THE CASE FOR CLOUD ACCESS BROKERS The least disruptive - and most efficient - means of addressing this disconnect is to insert into the data center architecture an access broker tier, a layer of dynamic access and identity management services designed to provide federation and unification of credentials across cloud and data center resources based on the organization's authoritative source of identity. The advantages of such a tier are that they are less disruptive, it respects the authoritative source of identity and it is highly flexible. The same cloud access broker that provides authentication and authorization to internal resources can do so for cloud-based resources. The downside is integration with a growing variety of SaaS and custom cloud-deployed applications used by the enterprise. A standards-based way of integrating off-premise applications with a cloud access broker is needed, and we find such a standard in SAML 2.0, an increasingly popular means of integrating identity and access management services across the cloudosphere. In addition to providing access control through such integration, a cloud access broker also provides the means for IT to address the issue of password security noted in "Security a Rising Concern for Cloud-Based Application Usage": The survey indicated unsafe password management continues to be a challenge, with 43 percent of respondents admitting that employees manage passwords in spreadsheets or on sticky notes and 34 percent share passwords with their co-workers for applications like FedEx, Twitter, Staples and LinkedIn. Twenty percent of respondents said they experienced an employee still being able to log in after leaving the company. By enabling federation and single-sign on capabilities, organizations can mitigate this problem by ensuring users have fewer passwords to recall and that they do not share them with off-premise applications like FedEx. Because IT controls the authoritative source of identity, it also governs policies for those credentials, such as password length, history, interval of change, and composition. FEDERATION MEANS HEIGHTENED (AND ENFORCEABLE) SECURITY Federation of identity and access management through a cloud access broker can alleviate the loss of control - and thus expanding security threats. By maintaining the authoritative source of identity on-premise, organizations can enforce security policies regarding password strength and length while improving the overall experience for end-users by reducing the number of credentials they must manage to conduct daily business operations. Issues such as orphaned or rogue accounts having access to critical business applications and data can be more easily - and quickly - addressed, and by using a flexible cloud access broker capable of transitioning security protocols, device incompatibility becomes a non-issue. As more and more organizations recognize the ramifications of unfettered use of cloud services it is inevitable that cloud access brokers will become a critical component in the data center.
새로운 모바일, 하이브리드 세상의 접근 관리
This post is adapted from Jay Kelley's original entry. 기업 환경에 완전히 새로운 세상이 출현함에 따라 ‘새로운 표준’들과 새로운 기회가 생겨나는 반면, 기업들은 조직 전체에 전광석화처럼 다가올 새로운 도전과제들과 마주하게 되었다. 오늘 날 그리고 미래의 근무환경은 계속해서 모바일 중심으로 나아갈 것이다. 모바일 근로자의 수만큼 모바일 디바이스가 두 세배로 증가하게 될 것이라는 전망은 말할 것도 없는 명백한 사실이다. IDC가 2015년 연말에 이르면 전 세계 노동력의 37%가 모바일 근로자가 될 것이라고 분석하였고 이는 전 세계적으로 13억 명의 모바일 근로자가 올해 안에 생긴다는 뜻이다. 오렌지 비즈니스 서비스(Orange Business Services)에 따르면, 2018년에 이르면 전 세계 IP 트래픽의 55%가 모바일 비즈니스 인터넷 트랙으로 인해 발생할 것이라고 한다. 즉, 모빌리티는 현재 진행되고 있으며 우리 생활의 일부가 되었음을 알 수 있다. IDC는 아시아 태평양 지역의 BYOD(Bring your own device) 디바이스 시장이 계속해서 활발한 성장세를 이어나갈 것으로 예상했다. 2014년 아태지역 내 BYOD 관련 디바이스의 숫자는 스마트폰 1억 5천 5백만개, 태블릿PC 4백만개 이상을 기록하였다. 이는 전년 대비 각각 40.4%, 62.7%씩 성장한 숫자이며 현재 급증하고 있는 웨어러블 디바이스는 포함되지 않은 수치라는 것을 감안했을 때 매우 큰 수치이다. 모바일 인력이 빠르게 증가하고 기업 내에서 사용하는 스마트폰, 태블릿PC, 웨어러블 기기들이 폭발적으로 증가함에 따라, 기업 내에서 사용하는 클라우드 및 SaaS 기반 애플리케이션의 증가 속도 또한 맹렬하게 치솟고 있다. 클라우드 애플리케이션 제공업체인 스카이하이 네트웍스(Skyhigh Networks)의 최근 조사에 따르면, 오늘 날 기업들이 사용하고 있는 클라우드 서비스는 759개에 달한다고 한다. 가장 당혹스러운 것은 현재 사용 중에 있는 클라우드 애플리케이션 및 서비스의 규모가 크다는 점이 아니다. 클라우드 보안 연맹(Cloud Security Alliance)의 연구에 따르면, 문제는 대부분 기업의 IT 부서는 그들이 사용 중인 클라우드 기반 애플리케이션이 50개 이하라고 생각한다는 것이다. 즉, 기업마다 평균 700개 이상의 클라우드 애플리케이션 및 서비스를 사용하고 있지만 아무도(사용자 또한) 애플리케이션 및 서비스에 대한 관리를 하고 있지 않으며 어떠한 기업 정보도 공유되지 않고 있다는 사실이다. 문제는 이렇게 알지 못하는 문제점에 대해서는 예방조차도 되지 못한다는 사실인 것이다. 결국, 기업들에게 있어 “새로운 표준”이라는 혼란스러운 퍼즐의 마지막 조각은 바로 호스티드 프라이빗, 공공 및 클라우드 인프라와 함께 데이터센터와 클라우드 기반 애플리케이션 및 데이터가 절묘하게 조합된 하이브리드 네트워크이다. 가트너는 “실제 하이브리드 클라우드 컴퓨팅의 구축 사례는 찾아보기 어렵고, 대기업들의 4분의 3은 2015년 이내에 하이브리드 클라우드를 구축하길 기대한다”고 분석했다. 모바일 인력이 인프라 변화를 가져오는 것을 감안할 때 더욱 다양한 디바이스 생태계의 문제 해결에 대한 필요성도 제기되고 있다. 모빌리티를 해결한 인프라는 팽창하고 있는 디바이스 생태계를 지원하기 위한 클라우드 기반의 애플리케이션 및 서비스에 대한 더 큰 규모의 투자를 필요로 한다. 그러므로, 당분간 가까운 미래 네트워크의 트렌드는 하이브리드 형태가 될 것이라는 것을 알 수 있다. 모빌리티, 클라우드 및 하이브리드 네트워크의 “새로운 표준”을 통해 네트워크, 애플리케이션 그리고 데이터 접근성을 어떻게 해결할 수 있을까? 모바일 디바이스이자 기업 통제 아래 있는 새로운 디바이스들은 넘쳐나고, 애플리케이션 및 데이터는 네트워크와 다양한 클라우드 및 SaaS 구축 기반에 흩어져 있는 상태에서 기업들은 어떻게 신속 적합하고 인증 및 승인된 접근을 확인할 수 있을까? 이렇게 다양한 변수들 속에서도 변함없는 한 가지는 바로, 개인정보이다. 사용자 그리고 그들의 개인정보는 현재 그리고 앞으로도 기업에게 있어 틀림없는 “새로운 경계선(방어선)”이 될 것이다. 기존 네트워크 경계가 사라지거나 대부분의 경우 여러 부분으로 흩어지면서 새로운 경계로 등장한 것이 바로 개인정보이다. 애플리케이션, 데이터 그리고 네트워크까지 클라우드로 빠르게 나아감에 따라, 사용자가 관리하고 BYOD가 주도하는 모바일 생태계는 기하급수적으로 팽창하고 있다. 또한 기업의 관리는 더욱 어려워지고 광범위해졌으며 외부에 더욱 의존하게 되었다. 문제는 이들 외부업체가 대부분 보안에 대한 충분한 지식이 없거나 무관한 업체라는 점이다. 그럼에도 사용자 개인정보 문제는 전혀 개선되지 않고 있다. AAA 기술(authentication, authorization 및 accounting)의 뒷받침으로 개인정보는 이제 안전한 기업 접속 방어의 최전선에 위치하고 있다. 그러나, 개인정보는 접근권의 새로운 매개변수를 관리하는 방법의 일부분이다. 사용자 접근 요청의 내용, 접근 요청 시의 환경은 개인정보에 버금가며, 논의할 것도 없이 개인정보처럼 적합한 접근을 보장하는 것과 관련된 것이다. 누가, 언제, 어디서, 무엇을 어떻게, 왜라는 육하원칙을 해결하는 능력이 네트워크, 클라우드, 애플리케이션, 데이터 등이 어디에 있고 어떻게 구성되어있던 간에 안전한 접근을 보장하고 강화하고 차별화한다. 사용자의 개인정보를 네트워크, 클라우드, 애플리케이션, 데이터 등 어디에서나 효율적이고 안전하게 공유될 수 있게 보장하는 것은 이제 필수적인 사항이 되었다. 그러나 여전히 개인정보 사일로(silo), 클라우드 기반 그리고 SaaS 기반 애플리케이션 및 데이터 등의 온프레미스 개인정보 그리고 여러 사용자 이름과 비밀번호로 사용자들을 피로하게 하는 암호 피로도와 같은 해결과제들이 남아있다. 바로 이 지점에서 개인정보 브릿지가 활용될 수 있다. 페더레이션은 SAML과 같은 업계 표준을 통해 네트워크, 클라우드, 애플리케이션 등의 양자간의 신뢰할 수 있는 사용자 개인정보 망을 구축해준다. 개인정보 디렉토리의 번거로운 중복과 삽입은 더 이상 불필요한 사항이 되었다. 개인정보와 접근은 기업과 클라우드 및 SaaS 제공업체들 사이의 인증을 통해 기업에 의해 관리되고 있다. 일시적인 사용자 인증과 만료는 한 곳으로 집중되어 기업이 관리할 수 있다. 아이덴티티 페더레이션은 접근 가시성과 관리 기능을 함께 제공해준다. 기업들에게 접근 관리를 위한 개인정보보호 활용과 개인정보보호 브릿지 설정은 이제 반드시 거쳐야 하는 단계가 되었다. 애플리케이션이 기업 도메인의 외부로 이동하고 내부 인력과 디바이스가 모바일화되어 기업 내부에 머무르지 않으면 기업 도메인 또한 이동했기 때문이다. 모빌리티, 클라우드 및 하이브리드 인프라. 기업들이 피해나갈 수 없는 이 “새로운 표준”을 위한 보다 적극적인 기업의 준비와 전략이 필요한 때이다.
Access Control in the New Mobile, Hybrid World
There is a brave new world dawning for the corporate world. There are many “new norms” – and a gold rush of new opportunities, but also new challenges with which they come – streaking like lightning throughout organizations. The workforce of today and into the future is, and will continue to be mobile. Consider that according to analyst IDC, 37 percent of the worldwide workforce will be mobile by the end of 2015. That’s about 1.3 billion mobile workers, worldwide – not to mention there will be two or more times as many mobile devices as mobile workers! – by the end of this calendar year! Then, consider this: According to Orange Business Services, 55 percent of worldwide business IP traffic will be mobile business Internet traffic by 2018. Mobility is here, and it’s here to stay. (In the Asia Pacific region, IDC anticipates the bring your own device (BYOD) market will continue its robust growth. There were an estimated 155 million smartphones and over 4 million tablets in use supporting BYOD initiatives across the region last year (2014), with year-on-year growth of 40.4 percent and 62.7 percent, respectively. And, that’s not even considering the burgeoning area of wearable devices, either.) As the mobile workforce accelerates like a rocket into the stratosphere, cascading torrents of smartphones, tablets, and wearables across organizations in its wake, the number of cloud- and SaaS-based applications used within organizations is also skyrocketing at a breakneck pace. According to a recent study sponsored by SkyHigh Networks, there are on average 759 cloud services in use by today’s organizations. The most puzzling piece isn’t the magnitude of in use cloud apps and services. Instead, its that, according to a Cloud Security Alliance study, most organization IT teams believe they have fewer than 50 cloud-based apps in use. That means that over 700 cloud apps and services on average are in use within enterprises – but no one (but the user) has control over those apps and services, and any corporate information shared with them! The problem is, you cannot defend what you don’t know about! Finally, the last piece of the “new norm” puzzle for organizations is the hybrid network, an eclectic mix of data center and cloud-based apps and data, with a stew of hosted private, public and cloud infrastructures. According to analyst Gartner, “while actual hybrid cloud computing deployments are rare, nearly three-fourths of large enterprises expect to have hybrid deployments by 2015.” Consider that a mobile workforce will drive infrastructure changes, needed to address a more diverse device ecosystem. Then consider that infrastructure addressing mobility requires greater investment in cloud-based apps and services to support that expanding device ecosystem. So, as you can see, the future of the network fabric for the foreseeable future will be hybrid. So, with a “new norm” of mobility, cloud, and hybrid networks, how can organizations address network, application, and data accessibility? With so many new devices that are mobile and are under limited corporate control, and applications and data scattered about the network and in various clouds and SaaS deployments, how can an enterprise be assured of fast, appropriate, authenticated and authorized access? With so many variables, there is one constant that remains: Identity. The user – and their identity – is, arguably, the “new perimeter” for the enterprise, today and onward. As the traditional network perimeter has been broken, fragmented, and in many instances shattered into many pieces, identity has become the new perimeter. As applications, data, and even networks move faster toward the cloud, and the user-controlled, BYOD-driven mobile ecosystem expands exponentially, corporate control has become more difficult, dispersed, and dependent on others – and many times, that’s the security uninformed and apathetic user. User identity, though, never changes. And, backed by authentication, authorization, and accounting (AAA), identity is now the first line of defense for secure corporate access. But, identity is just the tip of the spear for controlling the new parameters of access. The context of a user’s access request, and their environment at the time of access request, follow identity; inarguably, they have as much to do with securing appropriate access as identity. The ability to address the 5 w’s and 1 h (who, what, when, where, why, and how) assures, enhances, and differentiates secure access to networks, clouds, applications and data – wherever they may reside and however they are comprised. Insuring user identity is efficiently, securely shared between networks, clouds, applications, and data – wherever they live – is now a necessity. Yet, there are challenges: Identity silos, on-premise identity with cloud- and SaaS-based apps and data, and user password fatigue leading to weak user names and passwords – which are easily compromised. That’s where building an identity bridge comes in. Federation builds a trusted chain of user identity between two entities – networks, clouds, applications, etc. – through industry standards, such as SAML. The cumbersome duplication and insertion of identity directories becomes unnecessary. Identity and access is controlled by an enterprise, with authentication occurring between the enterprise, and cloud and SaaS providers. Instant user authentication and its termination is centralized and under enterprise control. Identity federation delivers access visibility and control together. Leveraging identity for access control, and building identity bridges are now imperative for organizations, as applications move outside the enterprise domain, the workforce and their devices are more mobile and leave the enterprises in droves, and the enterprise domain, too, has moved. It’s the “new norm”.Identity Gone Wild! Cloud Edition
#IAM #cloud #infosec Identity lifecycle management is out of control in the cloud Remember the Liberty Alliance? Microsoft Passport? How about the spate of employee provisioning vendors snatched up by big names like Oracle, IBM, and CA? That was nearly ten years ago. That’s when everyone was talking about “Making ID Management Manageable” and leveraging automation to broker identity on the Internets. And now, thanks to the rapid adoption of SaaS driven, so say analysts, by mobile and remote user connectivity, we’re talking about it again. “Approximately 48 percent of the respondents said remote/mobile user connectivity is driving the enterprises to deploy software as a service (SaaS). This is significant as there is a 92 percent increase over 2010.” -- Enterprise SaaS Adoption Almost Doubles in 2011: Yankee Group Survey So what’s the problem? Same as it ever was, turns out. The lack of infrastructure integration available with SaaS models means double trouble: two sets of credentials to manage, synchronize, and track. IDENTITY GONE WILD Unlike Web 2.0 and its heavily OAuth-based federated identity model, enterprise-class SaaS lacks these capabilities. Users who use Salesforce.com for sales force automation or customer relationship management services have a separate set of credentials they use to access those services, giving rise to perhaps one of the few shared frustrations across IT and users – Yet Another Password. Worse, there’s less control over the strength (and conversely the weakness) of those credentials, and there’s no way to prevent a user from simply duplicating their corporate credentials in the cloud (a kind of manual single-sign on strategy users adopt to manage their lengthy identity lists). That’s a potential attack vector and one that IT is interested in cutting off sooner rather than later. The lack of integration forces IT to adopt manual synchronization processes that lag behind reality. Synchronization of accounts often requires manual processes that extract, zip and share corporate identity with SaaS operations as a means to level access on a daily basis. Inefficient at best, dangerous as worst, this process can easily lead to orphaned accounts – even if only for a few weeks – that remain active for the end-user even as they’ve been removed from corporate identity stores. “Orphan accounts refer to active accounts belonging to a user who is no longer involved with that organization. From a compliance standpoint, orphan accounts are a major concern since orphan accounts mean that ex-employees and former contractors or suppliers still have legitimate credentials and access to internal systems.” -- TEST ACCOUNTS: ANOTHER COMPLIANCE RISK What users – and IT – want is a more integrated system. For IT it’s about control and management, for end-users it’s about reducing the impact of credential management on their daily workflows and eliminating the need to remember so many darn passwords. IDENTITY GOVERNANCE: CLOUD STYLE From a technical perspective what’s necessary is a better method of integration that puts IT back in control of identity and, ultimately, access to corporate resources wherever they may be. It’s less a federated governance model and more a hierarchical trust-based governance model. Users still exist in both systems – corporate and cloud – but corporate systems act as a mediator between end-users and cloud resources to ensure timely authentication and authorization. End-users get the benefit of a safer single-sign on like experience, and IT sleeps better at night knowing corporate passwords aren’t being duplicated in systems over which they have no control and for which quantifying risk is difficult. Much like the Liberty Alliance’s federated model, end-users authenticate to corporate identity management services and then a corporate identity bridging (or brokering) solution asserts to the cloud resource the rights and role of that user. The corporate system trusts the end-user by virtue of compliance with its own authentication standards (certificates, credentials, etc…) while the SaaS trusts the corporate system. The user still exists in both identity stores – corporate and cloud – but identity and access is managed by corporate IT, not cloud IT. This problem, by the way, is not specific to SaaS. The nature of cloud is such that almost all models impose the need for a separate set of credentials in the cloud from that of corporate IT. This means an identity governance problem is being created every time a new cloud-based service is provisioned, which increases risks and the costs associated with managing those assets as they often require manual processes to synchronize. Identity bridging (or brokering) is one method of addressing these risks. By putting control over access back in the hands of corporate IT, much of the risk of orphan accounts is mitigated. Compliance with corporate credential policies (strength and length of passwords, for example) can be restored because authentication occurs in the data center rather than in the cloud. And perhaps most importantly, if corporate IT is properly set up, there is no lag between an account being disabled in the corporate identity store and access to cloud resources being denied. The account may still exist, but because access is governed by corporate IT, the risk is diminished to nearly nothing; the user cannot gain access to that resource without the permission of corporate IT, which is immediately denied. This is one of the reasons why identity and access management go hand in hand today. The distributed nature of cloud requires that IT be able to govern both identity and access, and a unified set of services enables IT to do just that.The Infrastructure 2.0–Security Connection
#infosec #infra2 If you take one thing away from the ability to programmatically control infrastructure components take this: it’s imperative to maintaining a positive security posture You’ve heard it before, I’m sure. The biggest threat to organizational security is your own employees. Most of the time we associate that with end-users who may with purposeful intent to do harm carry corporate information offsite but just as frequently we cite employees who intended no harm – they simply wanted to work from home and then Murphy’s Law took over, resulting in the inadvertent loss of that sensitive (and often highly regulated) data. “The 2009 CSI Computer Crime survey, probably one of the most respected reports covering insider threats, says insiders are responsible for 43 percent of malicious attacks.” (The true extent of insider security threats, May 2010) And yet one of the few respected reports concerning the “insider threat” indicates that the danger comes not just from end-users but from administrators/operators as well. Consider a very recent case carried out by a disgruntled (former) administrator and its impact on both operations and the costs to the organization, which anecdotally backup the claim “insider breaches are more costly than outsider breaches” (Interesting Insider Threat Statistics, October 2010) made by 67% of respondents to a survey on security incidents. The Feb. 3 attack effectively froze Shionogi's operations for a number of days, leaving company employees unable to ship product, to cut checks, or even to communicate via e-mail," the U.S. Department of Justice said in court filings. Total cost to Shionogi: $800,000. Cornish had resigned from the company in July 2010 after getting into a dispute with management, but he had been kept on as a consultant for two more months. Then, in September 2010, the drug-maker laid off Cornish and other employees, but it did a bad job of revoking passwords to the network. (Fired techie created virtual chaos at pharma company, August 2011) Let us pause for a moment and reflect upon that statement: it did a bad job of revoking passwords to the network. Yeah. The network. See, a lot of folks picked up on the piece of this story that was directly related to virtualization because Mr. Malicious leveraged a virtualization management solution to more efficiently delete, one by one, critical operational systems. But what’s really important here is the abstraction of the root cause – failure to revoke access to the network – because it gets to the heart of a much deeper rooted and insidious security threat: the disconnected way in which we manage access to data center infrastructure. INFRASTRUCTURE IDENTITY MANAGEMENT Many years ago I spent an entire summer automating identity management from a security perspective using a variety of tools available at the time. These systems enabled IT to automate the process of both provisioning and revocation of access to just about any system in the data center – with the exception of the network. Now that wasn’t a failing on the part of the systems as much as it was the lack of the means to do so. Infrastructure 2.0 and its implied programmatic interfaces were just starting to pop up here and there throughout the industry so there were very few options for including infrastructure component access in the automated processes. For the most part these comprehensive identity management systems focused on end-user account management so that wasn’t as problematic as it might be today. But let’s consider not only where IT is headed but where we are today with virtualization and cloud computing and how access to resources are provisioned today and how they might be provisioned tomorrow. Are you getting the sense that we might need something akin to identity management systems to automate the processes to provision and revoke access to infrastructure components? I thought you might. The sheer volume of “services” that might be self-service provisioned and thus require management as well as eventual revocation are overwhelming * .Couple that with the increasing concentration of “power” in several strategic points of control throughout the network from which an organization’s operational posture may be compromised with relative ease and it becomes fairly clear that this is not a job for an individual but for a systematic process that is consistent and adaptable. What needs to happen when an employee leaves the organization – regardless of the circumstances – is their access footprint needs to be wiped away. For IT this can be highly problematic because it’s often the case that “shared” passwords are used to manage network components and thus all passwords must be changed at the same time. It’s also important to seek and destroy those accounts that were created “just in case” as backdoors that were not specifically authorized. These “orphan” accounts, as they are often referred to in the broader identity management paradigm, must be eradicated to ensure illegitimate access is not available to rogue or disgruntled operators and administrators. (And let’s not forget cloud computing and the challenges that introduces. Incorporating management of remote resources will become critical as organizations deploy more important applications and services in “the cloud.” ) None of these processes – revocation, mass password changes, and orphan account discovery – are particularly sought after tasks. They are tedious and fraught with peril, for the potential to miss one account can be disastrous to systems. A systematic, programmatic, automated process is the best option; one that is integrated and thus able to not only manage credentials across the infrastructure but recognize those credentials that were not authorized to be created. The bonus in implementing such a system is that it, in turn, can aid in the evolution of the data center toward a more dynamic, self-service oriented set of systems. THE INFRASTRUCTURE 2.0 CONNECTION Thus we arrive at the means of integration with these identity management systems: infrastructure 2.0. APIs, service-enabled SDKs, service-oriented infrastructure. Whatever you prefer to call these components it is the ability to integrate and programmatically control infrastructure components from a more holistic identity management system that enables the automation of processes designed to provision, manage, and ultimately revoke access to critical infrastructure components. Without the ability to integrate these systems, it becomes necessary to rely on more traditional, old-skool methods of management involving secure shell access and remote scripts that may or may not themselves be a source of potential compromise. The ability to manage identity and access rights to infrastructure components is critical to maintaining a positive security – and operational – posture. It’s not that we don’t have the means by which we can accomplish what is certainly a task of significant proportions given the currently entrenched almost laissez-faire methodology in data centers today toward access management, it’s that we haven’t stepped back and taken a clear picture of the ramifications of not undertaking such a gargantuan task. The existence of programmatic APIs means it is possible to incorporate into a larger automation the provisioning and revocation of credentials across the data center. What’s not perhaps so simple is implementation, which may require infrastructure developers or very development-oriented operators capable of programmatically integrating existing APIs or architecting new, organizational process-specific services that can be incorporated into the data center management framework. More difficult will be the integration of operational process automation for credential management into HR and corporate-wide systems to enable the triggering of revocation processes. For a while, at least, these may need to be manually initiated. The important piece, however, is that they are initiated in the first place. Infrastructure 2.0 makes it possible to architect and implement the systems necessary to automate infrastructure credential management, but it will take a concerted effort on the part of IT – and perhaps a highly collaborative one at that – to fully integrate those systems into the broader context of IT and, ultimately, the “business.” * This is one of the reasons I advocate a stateless infrastructure, but given the absence of mechanisms through which such an architecture could be implemented, well, it’s not productive to wish for rainbows and unicorns when what you have is clouds and goats. Insider Threats: Actual Attacks by Current and Former Software Engineers Interesting Insider Threat Statistics The true extent of insider security threats Verizon Business 2009 Data Breach Investigation Report Special Report: IT Automation – Identity Management The Cloud Configuration Management Conundrum This is Why We Can’t Have Nice Things IT as a Service: A Stateless Infrastructure Architecture ModelF5 Friday: Never Outsource Control
Extending identity management into the cloud The focus of several questions I was asked at Interop involved identity management and application access in a cloud computing environment. This makes sense; not all applications that will be deployed in a public cloud environment are going to be “customer” or “market” focused. Some will certainly be departmental or business unit applications designed to be used by employees and thus require a certain amount of access control and integration with existing identity management stores, like Active Directory. Interestingly F5 isn’t the only one that thinks identity and access management needs to be addressed for cloud computing initiatives to succeed. It's important to not reinvent the wheel when it comes to moving to the cloud, especially as it pertains to identity and access management. Brown [Timothy Brown, senior vice president and distinguished engineering of security management for CA] said that before moving to the cloud it's important that companies have a plan for managing identities, roles and relationships. Users should extend existing identity management systems. The cloud, however, brings together complex systems and opens to door for more collaboration, meaning more control is necessary. Brown said simple role systems don't always work, dynamic ones are required. [emphasis added] --“10 Things to Consider Before Moving to the Cloud”, CRN, 2010 Considering the emphasis on “control” and “security”, both of which identity management is closely tied, were the top two concerns of organizations in an InformationWeek Analytics Cloud Computing survey this is simply good advice. The problem is how do you do that? Replicate your Active Directory forest? Maybe just a branch or two? There are overarching systems that can handle that replication, of course, but do you really want your corporate directory residing in the cloud? Probably not. What you really want is to leverage your existing identity management systems where they reside – in the corporate data center – but use its authentication and authorization information to allow or deny access to cloud-based applications.
