Building a secure cloud computing infrastructure: The case for single sign-on

Building a secure cloud computing infrastructure is challenging because the applications and data are outside the security of the enterprise firewall. Network engineers should look to single sign-on solutions using existing standards and processes to manage and enforce access control for employees, customers and partners.

Editor's note: This article focusing on secure cloud computing infrastructure using single sign-on solutions is

part of a series offering expert advice on the complex cloud computing security and network control issues. Network engineers are charged with extending secure access to their approved users on an infrastructure outside the enterprise firewall, which is often outside their comfort zones. To make sure applications and data are secure enough to meet enterprise policy rules, check out how to balance cloud computing security risks with convenience, and data encryption security offers essential cloud computing protection.<

Many influential organizations are working on how best to build systems that will allow enterprises to move applications and data to the cloud.

Do not get sucked into adopting application authorization schemas proprietary to a cloud provider.
Michael Cobb
Founder and Managing DirectorCobweb Applications Ltd.
For example, the Jericho Forum has set out a framework called Collaboration Oriented Architectures (COA), which defines how systems outside of your control could work together without jeopardizing cloud computing security. But many elements required for COA are not readily available, and network engineers are under pressure to build secure cloud-based infrastructures now.

Identity and Access Management (IAM) is the foundation of any security infrastructure, so for me, the key challenge lies in being able to manage and enforce access control for employees, customers and partners beyond the enterprise firewall. Cloud computing turns us all into remote workers, and cloud applications and data, by definition, are outside the enterprise, so you can no longer rely on multiple layers of authentication, firewalls and other perimeter defenses to do the job for you.

The argument for single sign-on (SSO) solutions

Extending IAM into the cloud leads to its becoming collectively operated by the enterprise, its partners and providers. This means you have to start by having robust lifecycle management of your own users and an IAM strategy that makes full use of federated identity management.

More on single sign-on solutions

How to enable federated single sign-on

A CIO's advice for implementing single sign-on solutions

Does single sign-on improve security?

(The aim of federated identity is to enable users to securely access data or systems across autonomous security domains.) I recommend that you start enabling single sign-on (SSO) within your own enterprise applications and leveraging this architecture to simplify cloud provider engagements and implementation.

Do not get sucked into adopting application authorization schemas proprietary to a cloud provider. This will cause provider portability problems, and you really need to provide identity in a consistent, reusable way.

Standards support for achieving scalable federation is crucial, primarily including these specifications: WS-Federation (developed by, among others, Microsoft, IBM and VeriSign), the Liberty Alliance Project federation, the Liberty Alliance Project Identity-Federation Framework (Liberty ID-FF) and SAML (Security Assertion Markup Language), which is emerging as the leading standard for enabling SSO.

You should also be looking to ensure that your cloud computing infrastructure supports XACML (eXtensible Access Control Markup Language). While SAML defines how identity and access information is exchanged, XACML provides a standardized language and method of access control and policy enforcement, allowing you to define who can do what with the data and when.

These standards give you the ability to extend existing access and identity policies from inside the firewall out to the cloud while still enforcing the appropriate authentication strength mandated by your information protection and data classification policies. They also moves application identity silos into a common enterprise layer, making identity an integral part of the business logic. Centralized policy management is also a lot easier because many of the management and replication challenges disappear.

Identity as a Service eases federated identity management transition

You may want to consider using a cloud-based "Identity as a Service" solution to make the move to federated identity management easier. You can outsource the integration issues to the service provider while maintaining consistent directory synchronization between your enterprise and identity service provider directory. For example, Symplified's SinglePoint Cloud Access Manager transforms Windows desktop sessions into Security Assertion Markup Language (SAML) and HTTP sessions for transparent and federated access to Software as a Service (SaaS) applications. Built-in connectors to collaboration apps such as Salesforce, Google, Box.net and Microsoft Business Office Online mean that identity services can easily be embedded during application development. A move to a cloud computing infrastructure could become a driver to introducing better and more centralized security practices.

About the author: Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.


This was first published in November 2009

Dig deeper on Internet and application security

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchNetworking

SearchUnifiedCommunications

SearchTelecom

SearchSDN

Close