Editor's note: This article, focusing on a secure cloud computing infrastructure using single sign-on solutions, is part of a series offering expert advice on the complex cloud computing security and network control issues. Network engineers are charged with extending secure access to their approved users on an infrastructure outside the enterprise firewall, which is often outside their comfort zones. To make sure applications and data are secure enough to meet enterprise policy rules, check out how to balance cloud computing security risks with convenience, and how data encryption security offers essential cloud computing protection.
Many influential organizations are working on how best to build systems that will allow enterprises to move applications and data to the cloud.
Identity and Access Management (IAM) is the foundation of any security infrastructure, so for me, the key challenge lies in being able to manage and enforce access control for employees, customers and partners beyond the enterprise firewall. Cloud computing turns us all into remote workers, and cloud applications and data, by definition, are outside the enterprise, so you can no longer rely on multiple layers of authentication, firewalls and other perimeter defenses to do the job for you.
The argument for single sign-on (SSO) solutions
Extending IAM into the cloud means it becomes collectively operated by the enterprise, its partners and its providers. This means you have to start by having robust lifecycle management of your own users and an IAM strategy that makes full use of federated identity management.
Do not get sucked into adopting application authorization schemas proprietary to a cloud provider. This will cause provider portability problems, and you really need to provide identity in a consistent, reusable way.
Support for standards is crucial to achieving scalable federation; the main specifications are WS-Federation (developed by, among others, Microsoft, IBM and VeriSign), the Liberty Alliance Project federation specifications, the Liberty Alliance Project Identity-Federation Framework (Liberty ID-FF) and SAML (Security Assertion Markup Language), which is emerging as the leading standard for enabling SSO.
You should also be looking to ensure that your cloud computing infrastructure supports XACML (eXtensible Access Control Markup Language). While SAML defines how identity and access information is exchanged, XACML provides a standardized language and method of access control and policy enforcement, allowing you to define who can do what with the data and when.
These standards give you the ability to extend existing access and identity policies from inside the firewall out to the cloud while still enforcing the appropriate authentication strength mandated by your information protection and data classification policies. They also move application identity silos into a common enterprise layer, making identity an integral part of the business logic. Centralized policy management is also a lot easier because many of the management and replication challenges disappear.
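To make the division of labour between the two standards concrete, here is an added example (not code from the original article or any vendor) of the service-provider side of a federation: the cloud application consumes a SAML assertion from a trusted enterprise IdP, checks the issuer, validity window and audience before trusting its attributes, and then feeds those attributes into a small XACML-style policy that decides who may do what with which data and when. The assertion, the issuer and audience URLs, the policy rules and the hour-of-day condition are all constructed for illustration; signature verification is assumed to have been done by an XML-DSig library beforehand.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRUSTED_ISSUERS = {"https://idp.example.com"}  # IdPs this service provider federates with (constructed)
OUR_AUDIENCE = "https://crm.example.net"       # this service provider's own entity ID (constructed)
# Constructed sample assertion (unsigned); a real IdP signs it and the SP must verify that first.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2009-11-10T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2009-11-10T11:55:00Z" NotOnOrAfter="2009-11-10T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://crm.example.net</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>sales</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_time(s):  # SAML timestamps are UTC ISO-8601 with a trailing Z
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_assertion(xml_text, now, audience=OUR_AUDIENCE, trusted=TRUSTED_ISSUERS):
    """Check issuer, validity window and audience, then return the subject's attributes.
    Assumes the XML signature was already verified by an XML-DSig library (not shown)."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) not in trusted:
        raise ValueError("untrusted issuer")
    cond = root.find("saml:Conditions", NS)
    if not parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if audience not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion not intended for this audience")
    attrs = {"subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS)}
    for a in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = a.findtext("saml:AttributeValue", namespaces=NS)
    return attrs

# XACML-style rules (constructed): subject role, resource, permitted actions and an environment condition (UTC hour).
POLICY = [
    {"role": "sales", "resource": "customer-records", "actions": {"read"}, "hours": range(8, 18)},
    {"role": "admin", "resource": "customer-records", "actions": {"read", "write"}, "hours": range(24)},
]

def decide(attrs, resource, action, now):
    """Deny-by-default policy decision: the first matching rule permits."""
    for r in POLICY:
        if (r["role"] == attrs.get("role") and r["resource"] == resource
                and action in r["actions"] and now.hour in r["hours"]):
            return "Permit"
    return "Deny"
```

The same assertion that is accepted at 12:00 is rejected outright at 20:00 because its validity window has passed, and even a valid assertion only yields a Permit when the policy's action and time-of-day conditions are also met.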
Identity as a Service eases federated identity management transition
You may want to consider using a cloud-based "Identity as a Service" solution to make the move to federated identity management easier. You can outsource the integration issues to the service provider while maintaining consistent directory synchronization between your enterprise and identity service provider directory. For example, Symplified's SinglePoint Cloud Access Manager transforms Windows desktop sessions into Security Assertion Markup Language (SAML) and HTTP sessions for transparent and federated access to Software as a Service (SaaS) applications. Built-in connectors to collaboration apps such as Salesforce, Google, Box.net and Microsoft Business Office Online mean that identity services can easily be embedded during application development. A move to a cloud computing infrastructure could become a driver to introducing better and more centralized security practices.
About the author: Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.
This was first published in November 2009