Businesses of all sizes and types are increasingly using cloud computing services in production deployments for business-critical operations. Some of these organisations use cloud services to store and process their most sensitive business data. To gain the security advantages of simplicity and consistency, it is crucial to integrate the identity and access management (IAM) systems in use for cloud-based systems with the IAM protections used in-house. Let’s discuss critical considerations for that integration in this article.
Additionally, cloud technologies offer a promising platform for the deployment of IAM services themselves. When implemented well, cloud-based services for IAM can provide significant benefits, including:
- Shorter deployment cycles: Traditional on-premises IAM implementation can run as long as several years. This is because some do not offer returns on investment quickly enough. IAM programs can lose momentum and face cancellation. With the advent of cloud computing, this has begun to change. A cloud-based IAM service deployment can slash implementation time to a matter of months., allowing the programs to demonstrate their benefits faster and meet the shorter datelines companies may have for access risk remediation and system improvements.
- Elasticity and dynamic nature of services capacity: A cloud-based IAM service deployment enables an organisation to expand and contract services and right-size computing resources on demand, based on the organisation’s needs. For example, IAM processes such as “Access Review and Certification” can benefit from resource flexibility. There are typically only short periods of peak usage when organisations conduct their reviews and certification of individuals’ access. In a traditional on-premises IAM implementation, companies are forced to buy systems robust enough to handle that peak demand, even though they only need it for a short period. By comparison, cloud-based IAM services can dynamically adjust resources to accommodate these spikes.
- Lower total cost of ownership: In a cloud-based IAM deployment, ongoing service support maintenance is handled by a trusted service provider, allowing your organisation to focus your resources on initiatives that support your core business. Cloud licensing models will enable you to only pay for what you use; so, costs are based on your usage of the service. Additionally, the cloud-based model in a hosted arrangement may eliminate the need to procure hardware, facilities, and other core IT infrastructure that is often needed to support the solution.
When considering cloud for IAM services, the organisation should carefully determine cloud strategies that are aligned with business needs. These strategies typically involve the following:
- IAM cloud deployment models (on-premises/hosted, private, public, or hybrid)
- IAM service models (IaaS, PaaS, and SaaS)
- IAM cloud security and risk management.
IAM CLOUD DEPLOYMENT MODELS
Private cloud refers to a form of deployment in which a cloud environment is set up exclusively for a given entity or organisation. As shown in Figure 1.1, this cloud environment may be on premises, meaning that the private cloud deployed within the organisation or may be hosted off-premises at a cloud service provider (CSF) with a dedicated environment for the organisation (resources are not shared with any other entity). Private cloud deployment can fit a wide range of business models. They are an efficient solution when setting up a shared pool of IAM services for a large organisation with several separate business units. It allows a delegation of IAM provisioning and other tasks that are better performed closer to each business unit’s end users. Private clouds are ideal when you need to accelerate innovation and have some large compute requirements with strict control, security, and compliance needs.
In a public cloud deployment, applications, infrastructure, and platforms are shared across multiple organisations, and a public medium such as the internet is used to access the cloud service. Amazon EC2 would be an example of a public cloud service. It provides a virtual compute environment over the internet, enabling an organisation to use web service interfaces to launch instances with a variety of operating systems, load them with a custom application environment, manage network access permissions, and run the compute image using as many or few systems as the organisation requires.
Public cloud can all or some select layers of enterprise architecture, from storage to user interface. As shown above, in Figure 1-1, public cloud IAM deployments provide an IAM service shared across multiple tenants. A tenant is any application either inside or outside the organisation that requires its own exclusive virtual computing environment. In public clouds, multi-tenants are interactive applications with multiple enterprise end users.
The main benefit of public cloud IAM services is the cost savings. Resources are shared with many users, and the hardware the CSP provides is built on a system that makes the most efficient use of it. The organisation doesn’t have some upfront costs or time for IAM implementation for basic functionality as the traditional IAM deployment.
Hybrid cloud deployment model is composed of two or more clouds, public or private; or on-premises IAM solutions in combination with off-premises public or private clouds. In both scenarios, at least two unique entities are set up and connected (under common management) by standardised technology that provides data and application between the two.
One of the benefits of a hybrid cloud model is that for organisations that are sceptical about the move to the cloud, it offers a “safer” deployment environment to move IAM services to the private cloud. As the first step in combination with their on-premises IAM services and eventually scale to a public cloud for excellent IAM services once the organisation has a higher degree of confidence in the cloud model. This is especially true for IAM as service processes that involve sensitive identity and access data such as provisioning and certification. Use of a hybrid approach enables organisations to continue to use on-premises solutions while beginning to implement security in the cloud and have the flexibility to move to the cloud on their schedule, instead of adopting an “all or nothing” approach.
There is a common misconception that IAM cloud computing implies an “external” cloud, based on public cloud services. IAM cloud computing is a way of computing, not a physical destination. Most enterprises will benefit from IAM cloud computing within their own data centres, building “private clouds,” and getting there in an iterative process through their existing virtualisation initiatives. When considering cloud deployment models, organisations should choose after careful consideration of business needs and goals.
There are three common deployment models:
- Employ a public to offload time-consuming maintenance tasks
- Establish a private cloud to become an IAM service provider to your business units
- Move non-revenue generating functions out of your datacentres
Figure 1-2 depicts the select attributes of the deployment options to summarise the fundamental differences of the models. In the next section of this article, I describe the cloud services models that are typically used in conjunction with these deployments help organisations achieve their business goals.
IAM CLOUD SERVICE MODELS
Cloud-based IAM services can be categorised into three distinct types of cloud service models:
1. Software as a service (SaaS)
SaaS refers to a means of providing business functionality through applications typically running on an externally hosted environment in which the purchaser/consumer pays by usage fee or a monthly fee. These software services usually delivered through the web and require a web browser to access applications (g., web-based CRM). The purchaser does not manage or control the underlying cloud infrastructure, network, servers, operating systems, storage, or even individual application maintenance, with the possible exception of limited user-specific application configuration settings. Hosted IAM services are often provided through the SaaS model. For example, within the IAM process domain, “Enforcement” and “Review and Certification” domains provide additional benefits based on the predictable nature of resource usage. A cloud-based IAM solution for these process domains can provide resource flexibility by adjusting resources to accommodate anticipated peak usage demand (e.g., annual or quarterly review cycles).
2. Platform as a Service (PaaS)
According to the National Institute of Standards and Technology (NIST), PaaS is “the capability provided to the consumer to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage but has control over the deployed applications by possibly application hosting environment configurations. PaaS focuses on everything underneath the application layer, including the underlying platform and some components of infrastructure. IAM deployments in the PaaS model will seek to share resources at the software platform level will have more transparency and control in comparison to the SaaS model.
3. Infrastructure as a service (IaaS)
IaaS refers to a service model that provides a hosted environment wherein a buyer can purchase infrastructure capacity that can be rapidly provisioned and deployed according to need. This may be useful in IAM deployments where the organisation seeks more control and transparency over security and availability of capabilities.
A cloud-based IAM service model should be aligned with your organisation’s target state business scenario and IAM process, protected resources and type of targeted user population. Common business scenarios within these IAM process domains are the following:
- Employee access to external applications (both traditional hosted and cloud-based hosted business applications)
- Employee access to internal applications
- Business to business partner access
- Consumer access to internally hosted and externally hosted services.
As shown in Figure 1-4, for each of these scenarios, protected resources can include SaaS applications (Google Apps, Office 365, etc.), and traditional on-premises applications.
For example, an organisation may choose to implement a shared authentication service for its cloud-based applications and on-premises applications to provide its employees with a seamless user experience across applications. Another example would be that an organisation can provide an access review and certification process as a cloud-based IAM service and the results of the review and certification may feed into an internal access de-provisioning process.
IAM CLOUD SECURITY AND RISK MANAGEMENT
A primary inhibitor of widespread adoption of cloud-based IAM service models is a concern for the security of applications and sensitive data that may need to reside in the cloud. For cloud-based IAM services to become a vital part of the IT enterprise portfolio, providers need to implement adequate security controls for sensitive enterprise data and applications. Cloud-based IAM service providers have made significant strides in addressing these concerns through their internal controls and service provisioning strategies. The purchasing organisation’s internal controls must augment the service provider’s security and privacy protections and validated further by that organisation’s third-party risk management program.
The fundamentals of protecting the confidentiality, integrity, and availability of information are not different in cloud-based services. When using a cloud environment, organisations must understand the risks to their systems and data. Asking some fundamental questions to your organisation’s CSP is a good starting point.
Typical questions to ask:
- Where will the organisation’s data be located?
- Who will have access to the organisation’s assets and data? How will the organisation’s systems and data be secured?
- What is being monitored and logged?
- What evidentiary reporting will the CSP provide to enable compliance?
Regardless of the deployment and service model used, cloud computing creates new IAM challenges that must be addressed. Management of virtual machines within the cloud requires elevated rights that when compromised may give attackers the ability to gain control of the most valuable targets in the cloud. Such rights also provide the attackers with the ability to create sophisticated data intercept capabilities that may be difficult for cloud providers to detect promptly. The risk of undetected data loss, tampering, and resultant fraud can be magnified unless controls are in place.
CSPs should have documented processes for their IAM practices. This includes both physical and logical access environments. Traditional vendor risk management practices will apply for physical access to the hosting environments (background checks, employment status, hosting company location, roles and responsibilities, etc.) On the logical access side, the flexible and dynamic nature of virtual environments introduce new challenges as virtual machines can be moved, copied, or important configuration settings can be modified easily. For this reason, automated security controls at the hypervisor level are necessary. For example, CSPs must implement privileged access management (PAM) solution at the hypervisor level. Organisations should take steps required to understand the controls CSPs have implemented around each hypervisor administrator identity.
Organisations considering a cloud-based IAM service model should tailor security controls to the type of cloud deployment, service model, security requirements for IAM service, and confirm that CSP can meet these requirements. Can the cloud service provider security controls in compliance with the organisation’s security policies for on-premises solutions? Can the organisation still operate its IAM security process if one or more parts of the cloud-based IAM service become unavailable?
Both my research and experience working for large enterprise organisations indicate that organisations that turn IAM into an explicit business enabler rather than a cost centre will create competitive advantage. By offering cloud-based IAM services around the six IAM processes of request and approval, provisioning, enforcement, (authentication and authorisation), review and certification, reconciliation, and reporting and auditing, the IT security organisation become and IAM CSPM to the rest of the enterprise.