IT Security Guru

Why relying on standards is best for secure Cloud Computing

by The Gurus
January 15, 2016
in This Week's Gurus
Martin Kuppinger, Kuppinger Cole
Who will have access to what? In a complex world where soon everyone and everything (people, things and services) will be connected everywhere and at any time through a global cloud, identity and access management (IAM) is one of the best means of protecting enterprise security, especially now that firewalls alone are no longer sufficient. To guard cloud computing, however, IAM technology must be developed further, and standards play a central role in that.
Merely defining roles for individual access permissions is no longer enough. IAM has to become more agile and fine-grained: it has to decide dynamically and in real time about the access of consumers, employees, partners and billions of things. Furthermore, many users have several identities (personas) and switch between them several times a day, often using different authentication mechanisms.
IAM has to recognize that these internal and external personas still belong to the same person. Failing at IAM in a transforming world means failing at business transformation. Yet complying with requirements such as minimal disclosure is not easy in the cloud, since many cloud services offer only rudimentary support for IAM.
Minimal requirements for Cloud IAM
A truly integrated IAM is ideally able to fulfil the same tasks as IAM solutions purely on premise. Minimal requirements are:

  • Lifecycle management of users and their accounts, with automatic creation, change and deletion of accounts whenever necessary
  • Allocating and withdrawing rights for these user accounts
  • Centralized role management
  • Analysis and recertification of existing permissions
  • Single Sign-On (SSO) for user access

IAM must allow easy management of users and their rights for every kind of service. In a perfect world, applications would hand authorization over to a central authorization system; cloud services would then ask that system at run time whether access may be granted. Although the necessary technology is available and the concepts are well proven, having been used in mainframe environments for decades, this is seldom realized even for internal applications.
Hard time for standards
There are two reasons for this. On the one hand, existing standards quickly reach their limits when it comes to the cloud. On the other hand, and more importantly, a vast number of cloud services support none of these standards: they allow connecting to the service only with user name and password, which is no longer really secure at all.
APIs that allow groups and roles to be created in cloud services are all too often missing as well. That is exactly the point: security is seldom developed in parallel with new products and services. Yet security and privacy must not be allowed to follow function, least of all with cloud services. For users looking for a new IAM solution, security as an afterthought should be a disqualifier.
Standard protocols securely link internal systems and the cloud
Standard protocols build the link between internal systems and the cloud. Apart from LDAP (Lightweight Directory Access Protocol), the most important ones for IAM-enabled cloud services are SAML 2.0, OAuth 2.0 (in combination with OpenID Connect 1.0 as a "simple identity layer") and SCIM 2.0. Each has its own benefits and shortfalls; short descriptions follow in the box below, and for further information I recommend the respective standards' websites. Again, most cloud services do not yet support these standards and their interfaces.
The current situation is definitely not satisfying. Core IAM requirements that are easily met within the enterprise are hard to attain for cloud services. Increasingly, the connectors of popular identity provisioning solutions help out for important services, using standards such as SCIM or the proprietary interfaces of cloud services for user provisioning. For the mass of cloud services, however, such solutions still do not exist, often because the services provide neither useful APIs nor support for open standards. Even the popular Cloud SSO solutions, based on SAML 2.0 and OAuth 2.0 or on forwarding credentials, do not help much further, since they solve neither lifecycle management for user accounts nor rights management.
Higher effort for cloud services necessary
These weaknesses do not mean that cloud services are unusable. Via proprietary interfaces or manual processes, the basic compliance requirements can more or less be addressed. It must therefore be thoroughly examined which services can be used for which purposes, and with which compensating controls in place. The effort for administration and access governance can be much higher for cloud services than for local applications with better interfaces.
The most important request goes to the cloud vendors: fully support SAML 2.0 and/or OAuth 2.0 in combination with OpenID Connect, plus SCIM 2.0. This is a minimal requirement for a well-realized cloud service, not merely a "nice to have".
The three most important standards for IAM based cloud services
SAML 2.0: the oldest and still the most popular standard, though closely followed by OAuth 2.0. SAML lets a cloud service act as the service provider (SP) while an internal system serves as the identity provider (IdP). The IdP sends the SP an assertion that a user has authenticated successfully; the SP then grants access and takes care of authorization. Because of the IdP, the user only has to authenticate once and can then be authorized for access to various cloud services. This central service also enables single sign-on.
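The SP side of the exchange just described, as an added example that is not part of the article: before a cloud service accepts the IdP's statement that a user has authenticated, it has to check that the assertion was issued by the trusted IdP, is meant for this SP (audience), is still within its validity window, and answers an AuthnRequest the SP actually sent. The assertion, issuer, entity IDs and URLs below are all constructed; the example assumes the XML signature over the response was already verified with an XML-DSig library, which the standard library cannot do.

```python
"""SP-side consistency checks on a SAML 2.0 assertion (added example, stdlib only)."""
import xml.etree.ElementTree as ET  # for untrusted XML prefer defusedxml in production
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values the SP would take from its own configuration and the IdP's metadata
# (all constructed for this example).
EXPECTED_ISSUER = "https://idp.example.internal/saml"
SP_ENTITY_ID = "https://cloudservice.example/saml/metadata"
SP_ACS_URL = "https://cloudservice.example/saml/acs"

# Constructed assertion as an IdP might send it after the user authenticated.
# The Signature element is omitted: this example assumes the signature was
# already verified before the assertion reaches check_assertion().
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2016-01-15T10:00:00Z">
  <saml:Issuer>https://idp.example.internal/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.internal</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42"
          Recipient="https://cloudservice.example/saml/acs"
          NotOnOrAfter="2016-01-15T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2016-01-15T09:59:00Z" NotOnOrAfter="2016-01-15T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://cloudservice.example/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_ts(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z; returns None if absent."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text, expected_request_id, now_iso):
    """Return (ok, reasons): every failed check is listed so logs explain a rejection."""
    now = parse_ts(now_iso)
    root = ET.fromstring(xml_text)
    reasons = []

    # 1. The assertion must come from the IdP this SP trusts.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != EXPECTED_ISSUER:
        reasons.append(f"issuer mismatch: {issuer!r}")

    # 2. Validity window and audience: an assertion issued for another SP is rejected.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        reasons.append("missing Conditions")
    else:
        not_before = parse_ts(cond.get("NotBefore"))
        not_on_or_after = parse_ts(cond.get("NotOnOrAfter"))
        if not_before is not None and now < not_before:
            reasons.append("assertion not yet valid")
        if not_on_or_after is None or now >= not_on_or_after:
            reasons.append("assertion expired or without NotOnOrAfter")
        audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            reasons.append(f"audience mismatch: {audiences}")

    # 3. Bearer confirmation: it must answer our request and be addressed to our ACS URL.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        reasons.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != SP_ACS_URL:
            reasons.append(f"recipient mismatch: {scd.get('Recipient')!r}")
        if scd.get("InResponseTo") != expected_request_id:
            reasons.append("InResponseTo does not match an outstanding AuthnRequest")
        scd_expiry = parse_ts(scd.get("NotOnOrAfter"))
        if scd_expiry is not None and now >= scd_expiry:
            reasons.append("subject confirmation expired")

    return (not reasons, reasons)


def subject_of(xml_text):
    """NameID the SP maps to a local account once the checks pass."""
    return ET.fromstring(xml_text).findtext("saml:Subject/saml:NameID", namespaces=NS)


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, "_req42", "2016-01-15T10:00:30Z"))
    print(subject_of(SAMPLE_ASSERTION))
```

The checks are deliberately collected rather than short-circuited: a rejected login that logs only "invalid assertion" is hard to debug, whereas a list of the failed conditions tells the operator whether clock skew, a misconfigured audience or a replayed response is the cause. Clock skew tolerance, assertion ID replay caching and the signature check itself are left to the SAML library in a real deployment.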
OAuth 2.0: a direct alternative to the aforementioned standard, aimed at giving developers an easy way to authorize access to web applications or to mobile devices via apps. Information about authenticated sessions and end users is gathered either proprietarily or, better, via OpenID Connect. In general, OAuth 2.0 is deployed only for very coarse-grained authorization, i.e. whether an app is allowed to access data on a phone and which data. Fine-grained authorization is possible as well. The problem is that there is currently no standard mechanism for exchanging information about dynamically changing scopes for different resources at an SP with the other party. This leaves room for further development of OAuth 2.0 and OpenID Connect.
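The two halves of this paragraph in code, as an added example that is not from the article or any OAuth library: OpenID Connect supplies the "who is this user" part as a signed ID token that the relying party must validate (signature, issuer, audience, expiry, nonce), while OAuth 2.0's coarse-grained authorization amounts to a resource server checking which scopes the access token carries. Issuer, client ID, key and claims are constructed; a shared HMAC key (HS256) is assumed only so that issuing and verifying run in one offline script, whereas a real IdP signs with an asymmetric key published at its JWKS endpoint. A `scope` claim inside a JWT access token is also an assumption (the RFC 9068 profile), since OAuth 2.0 itself leaves the access token format to the authorization server.

```python
"""ID token validation (OpenID Connect) plus scope check (OAuth 2.0); added example."""
import base64
import hashlib
import hmac
import json

# Constructed values for the example. Production: asymmetric IdP key fetched
# from the jwks_uri, not a shared secret.
SHARED_KEY = b"example-shared-secret-not-for-production"
ISSUER = "https://idp.example.internal"
CLIENT_ID = "cloud-app-123"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = SHARED_KEY) -> str:
    """IdP side: compact JWS, HS256 over header.payload."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token: str, expected_nonce: str, now: int, key: bytes = SHARED_KEY):
    """Relying-party side. Returns (claims, None) on success or (None, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm: the verifier decides which algorithm is acceptable,
    # never the token's own header.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return None, f"unexpected alg {header.get('alg')!r}"
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        return None, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        return None, "issuer mismatch"
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        return None, "audience mismatch"
    if now >= int(claims.get("exp", 0)):
        return None, "token expired"
    # The nonce binds the token to the login attempt that requested it.
    if claims.get("nonce") != expected_nonce:
        return None, "nonce mismatch (token does not belong to this login)"
    return claims, None


def is_authorized(access_claims: dict, required_scope: str) -> bool:
    """Resource-server side: coarse-grained OAuth 2.0 decision on the scope claim
    (space-separated string, as in the RFC 9068 JWT access token profile)."""
    granted = set(access_claims.get("scope", "").split())
    return required_scope in granted


if __name__ == "__main__":
    now = 1_452_852_000  # constructed epoch seconds
    tok = issue_token({"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID,
                       "exp": now + 300, "nonce": "n-1"})
    print(verify_id_token(tok, "n-1", now))
    print(is_authorized({"scope": "openid profile files:read"}, "files:write"))
```

The scope check illustrates the coarseness the paragraph complains about: `files:read` says nothing about which files, so any finer decision has to be made by the resource server from information that OAuth 2.0 itself does not carry.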
SCIM 2.0: "System for Cross-domain Identity Management", a reasonable standard for cloud provisioning that unfortunately has a low acceptance rate among cloud vendors, although most IAM vendors support SCIM. Cloud vendors that do support it mostly offer only version 1.1. SCIM 2.0 allows users and their attributes to be managed via a REST API.
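What the REST API mentioned here looks like from the cloud service's side, as an added example that is not from the article or any SCIM implementation. It covers the first two items of the "Minimal requirements for Cloud IAM" list above (lifecycle management and rights allocation) as SCIM 2.0 expresses them: the IAM system provisions an account with POST /Users, looks it up with a filter, changes attributes or deactivates it with PATCH, and deprovisions it with DELETE. The store is in-memory and the HTTP layer is left out; the methods take the decoded JSON bodies and return the status code and response body the server would send. The schema URNs are the real SCIM 2.0 ones; only a `replace` operation on `active` and `userName` is supported, which is a simplification of the full PatchOp grammar.

```python
"""SCIM 2.0 user lifecycle on the service-provider side; added example, in-memory only."""
import re
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


class ScimUserStore:
    """Handles the JSON bodies of POST/PATCH/DELETE/GET on /Users and returns
    (HTTP status, response body) as a SCIM service provider would."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _error(status, detail):
        return status, {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}

    def create(self, body):
        """POST /Users: provisioning. userName is required and unique (case-insensitive)."""
        if USER_SCHEMA not in body.get("schemas", []):
            return self._error(400, "missing core User schema")
        user_name = body.get("userName")
        if not user_name:
            return self._error(400, "userName is required")
        if self._find_by_name(user_name):
            return self._error(409, "userName already exists")
        uid = str(uuid.uuid4())  # server-assigned id; the client never chooses it
        user = {
            "schemas": [USER_SCHEMA],
            "id": uid,
            "userName": user_name,
            "active": bool(body.get("active", True)),
            "emails": body.get("emails", []),
            "meta": {"resourceType": "User", "location": f"/Users/{uid}"},
        }
        self._users[uid] = user
        return 201, user

    def patch(self, uid, body):
        """PATCH /Users/{id}: attribute change, e.g. deactivation via active=false."""
        user = self._users.get(uid)
        if user is None:
            return self._error(404, "User not found")
        if PATCH_SCHEMA not in body.get("schemas", []):
            return self._error(400, "missing PatchOp schema")
        for op in body.get("Operations", []):
            # Unsupported operations are rejected, not silently ignored, so the
            # provisioning system learns that a deprovisioning step did not happen.
            if op.get("op", "").lower() != "replace" or op.get("path") not in ("active", "userName"):
                return self._error(400, f"unsupported operation: {op}")
            if op["path"] == "userName" and self._find_by_name(op["value"], exclude=uid):
                return self._error(409, "userName already exists")
            user[op["path"]] = op["value"]
        return 200, user

    def delete(self, uid):
        """DELETE /Users/{id}: deprovisioning; SCIM answers 204 with no body."""
        if uid not in self._users:
            return self._error(404, "User not found")
        del self._users[uid]
        return 204, None

    def search(self, filter_expr):
        """GET /Users?filter=userName eq "x": how the IAM system finds an existing account."""
        match = re.fullmatch(r'userName eq "([^"]*)"', filter_expr.strip())
        if match is None:
            return self._error(400, 'only the filter userName eq "value" is supported here')
        hits = self._find_by_name(match.group(1))
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(hits),
                     "startIndex": 1, "itemsPerPage": len(hits), "Resources": hits}

    def _find_by_name(self, user_name, exclude=None):
        return [u for uid, u in self._users.items()
                if uid != exclude and u["userName"].lower() == user_name.lower()]
```

The 409 on a duplicate `userName` and the 400 on an unsupported PATCH are the parts worth noticing: a provisioning connector that gets an honest error can retry or alert, whereas a service that answers 200 to a deactivation it did not apply leaves a leaver's account active without anyone knowing.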
Martin Kuppinger is Founder of the independent analyst company KuppingerCole and, as Principal Analyst, responsible for KuppingerCole research. In his 25 years of IT experience he has written more than 50 IT-related books and is known as a widely read columnist and author of technical articles and reviews, as well as a well-established speaker and moderator at seminars and congresses. His interest in Identity Management dates back to the 80s, when he also gained considerable experience in software architecture development. Over the years he added several other fields of research, including virtualization, cloud computing and overall IT security. Having studied economics, he combines in-depth IT knowledge with a strong business perspective.

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic