Why relying on standards is best for secure Cloud Computing
Martin Kuppinger, Kuppinger Cole
Who will have access to what? In a complex world where soon everyone and everything – people, things and services – will be connected everywhere and anytime through a global cloud, IAM is one of the best means to protect enterprise security, especially when firewalls are not sufficient any more. However, to guard cloud computing, the IAM technology must be further developed. For this, standards play a central role.
The mere defining of roles for individual access permissions is no longer sufficient. IAM has to become more agile and fine grained. It has to allow for decisions about the access of consumers, employees, partners and billions of things dynamically and in real time. Furthermore, plenty of users use multiple identities (or personas) and flexibly switch between them several times per day, often by deploying different authentication mechanisms.
IAM has to make sure that these internal and external personas are still identified as being the same persons. Failing in IAM for the transforming world is failing in business transformation. However, to comply with requirements such as minimal disclosure in the cloud is not easy, since many cloud services offer only rudimentary support for IAM.
Minimal requirements for Cloud IAM
A truly integrated IAM is ideally able to fulfil the same tasks as IAM solutions purely on premise. Minimal requirements are:
- Lifecycle management of users and their accounts with automatic creation, change and deletion of accounts, whenever necessary
- Allocating and withdrawing of rights for these user accounts
- Centralized role management
- Analysis and Recertification of existing permissions
- Single Sign-On (SSO) for user access
IAM must allow for easy management of users and their rights with every kind of service. In a perfect world authorization would be transferred automatically by the applications to a central authoring system. Cloud services would then ask during run time if authorizations can be awarded. Although the needed technology is available and the concepts are well-proven, being used in mainframe environments already for decades, this is only seldom realized even for internal applications.
Hard time for standards
There are two reasons: On the one hand existing standards quickly reach their limits when it comes to the cloud. On the other hand, even more importantly, a vast amount of cloud services don’t support any of these standards. They enable connecting to services only with user name and password, which is not really secure at all anymore.
APIs, which allow creating groups and roles in cloud services, are all too often missing as well. That’s exactly the point: Security only seldom begins parallel to the development of new products and services. Yet Security and Privacy may not follow function, especially not with cloud services. For users looking for a new IAM solution security as an afterthought should be a disqualifier.
Standard protocols securely link internal systems and the cloud
Standard protocols build the link between internal systems and the cloud. The most important ones to enable IAM based cloud services, apart from LDAP (Lightweight Directory Access Protocol), are SAML 2.0, OAuth 2.0 (in combination with OpenID Connect 1.0 as “simple identity layer”) and SCIM 2.0. They all have their own benefits and shortfalls. You will find short descriptions in the box below. For further information, I recommend the respective websites. Again, most cloud services don’t yet support these standards and their interfaces.
The current situation is definitely not satisfying. Main IAM requirements that are easily solved within enterprises are hard to attain for cloud services. More and more the connectors of popular identity provisioning solutions help out for important services. Standards like SCIM or proprietary interfaces of cloud services are being deployed for user provisioning. For the mass of cloud services such solutions, however, still do not exist – often, because the services don’t provide useful APIs, nor support open standards. Even the popular solutions for Cloud SSO, based on SAML v2.0 and OAuth 2.0 or transmitting of credentials, don’t help very much further since they do not solve the problems of lifecycle management for user accounts and rights management.
Higher effort for cloud services necessary
These weaknesses don’t mean that cloud services are not usable. Via proprietary interfaces or manual processes, the basic compliance requirements can more or less be addressed. Therefore, it must be thoroughly examined which services can be used for which purposes and with which compensating controls in place. The effort for administration and access governance can rise much higher for cloud services than for local applications with more improved interfaces.
The most important request goes to the cloud vendors: Fully support SAML 2.0 and/or OAuth 2.0 in combination with OpenID Connect and SCIM 2.0. This is a minimal requirement for a well realized cloud service and not only a “nice to have”.
The three most important standards for IAM based cloud services
SAML 2.0: oldest and still most popular, however closely followed by OAuth 2.0; SAML enables a cloud service to act like a service provider (SP), while an internal application serves as identity provider (IdP). The IdP sends information to the SP that a user has successfully identified himself. The SP then grants access and takes care of the authorization. Because of the IdP the user has only to authenticate once and can then be authorized for access to various cloud services. This central service also allows for single sign-on.
OAuth 2.0: is a direct alternative to the before mentioned standard, following the aim to provide developers with an easy way for authorizing access to Web-Applications or to mobile devices via apps. Information about autenticated sessions and end users are either gathered proprietarily or, better, via OpenID Connect. In general, OAuth 2.0 is being deployed only for very coarse-grained authorization, i. e. whether an app is allowed to access data on a cellphone and which. It is, however, possible to fine-grain authorization as well. The problem is that currently there is no standard mechanism to exchange information about dynamically changing scopes for different resources at an SP also with the opposite party. This leaves space for further progressive development of OAuth 2.0 and OpenID Connect.
SCIM 2.0: „System for Cross-domain Identity Management “, reasonable standard for cloud provisioning with unfortunately a low acceptance rate among cloud vendors, although most IAM vendors support SCIM. If cloud vendors do, they mostly support only version 1.1. SCIM 2.0 allows the management of users and their attributes via a REST-API.
Martin Kuppinger is Founder of the independent Analyst Company KuppingerCole and as Principal Analyst responsible for the KuppingerCole research. In his 25 years of IT experience he has already written more than 50 IT-related books and is known as a widely-read columnist and author of technical articles as well as reviews and is also a well-established speaker and moderator at seminars and congresses. His interest in Identity Management dates back to the 80s, when he also gained considerable experience in software architecture development. Over the years, he added several other fields of research, including virtualization, cloud computing, overall IT security, and others. Having studied economies, he combines in-depth IT knowledge with a strong business perspective.
