Crafting an identity-based security strategy for cloud

Identity and access management tools play a critical role in enterprise cloud security. But remember to carefully consider your requirements before jumping in.

The rise of cloud computing has led to a rethinking of IT security, both in and out of the cloud. Considering the complex and distributed nature of cloud-based platforms, identity-based security models seem to be the best fit. This is a fundamental shift in thinking -- and in technology.

Identity and access management (IAM) strategies and tools are increasingly prevalent in cloud computing. Even so, moving to identity-based security methods is not always easy. There is much to learn, and more to change.

While it's not difficult to build new security approaches into new applications that reside on the cloud, the harder aspect of IAM is extending this security model into traditional IT. Security should be consistent and systematic, and in most traditional systems it is not. An IT team needs to address this problem before venturing deep into the cloud.

Exploring common IAM patterns

Before selecting and implementing an IAM procedure for cloud security management, consider your core requirements. While each problem domain is different, and requires a different security approach, there are some common patterns and technologies beginning to emerge:

  • Identity management services: These services refer to identity lifecycle management, access provisioning, centralized role management, and workflow design and implementation. The idea is to provide management services that allow you to define core identities for all resources/users, provide access for those resources, and provide a centralized and organization-wide mechanism for storing and reading those identities.
  • Access management services: These capabilities enable single sign-on services, federation services, role-based access and access to the platform. They work in conjunction with the identity management services, using identity information to grant access based on authorization.
  • Identity governance services: These refer to role engineering, compliance and identity assurance. The governance services place policies around how identities are managed: which roles they may hold, how identities are linked to compliance policies, and the points in the identity lifecycle at which governance controls should be enforced.
  • Authentication services: These refer to multifactor authentication, out-of-band authentication and managed authentication services.
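To make the first three service categories concrete, here is an added example (not code from the article or from any IAM vendor) that models them in a few dozen lines of Python: a central identity store handles the lifecycle (provision, disable), roles are defined once and mapped to permissions, access decisions are derived from the identity's roles, and a governance rule (separation of duties between conflicting roles) is enforced at assignment time rather than retrofitted later. The role names, resources and the user `alice` are constructed sample data.

```python
"""Toy model of IAM building blocks: identity lifecycle, centralized role
management, role-based access decisions and a separation-of-duties policy.
Hypothetical illustration only; not any vendor's product or API."""

from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    ACTIVE = "active"
    DISABLED = "disabled"


@dataclass
class Identity:
    user_id: str
    status: Status = Status.ACTIVE
    roles: set = field(default_factory=set)


class IdentityStore:
    """Single organization-wide source of identities, roles and policies."""

    def __init__(self):
        self._identities = {}        # user_id -> Identity
        self._role_permissions = {}  # role -> {(resource, action), ...}
        self._sod_conflicts = set()  # frozenset({role_a, role_b}) pairs

    # --- identity management services -------------------------------------
    def define_role(self, role, permissions):
        """Role engineering: roles are defined centrally, once."""
        self._role_permissions[role] = set(permissions)

    def provision(self, user_id):
        self._identities[user_id] = Identity(user_id)
        return self._identities[user_id]

    def deprovision(self, user_id):
        # Disable instead of delete so audit history for the identity survives.
        self._identities[user_id].status = Status.DISABLED

    # --- identity governance services -------------------------------------
    def add_sod_conflict(self, role_a, role_b):
        """Declare two roles that no single identity may hold together."""
        self._sod_conflicts.add(frozenset((role_a, role_b)))

    def assign_role(self, user_id, role):
        ident = self._identities[user_id]
        if role not in self._role_permissions:
            raise KeyError(f"unknown role {role!r}")
        for held in ident.roles:
            if frozenset((held, role)) in self._sod_conflicts:
                raise PermissionError(
                    f"{role} conflicts with {held} (separation of duties)")
        ident.roles.add(role)

    # --- access management services ---------------------------------------
    def is_allowed(self, user_id, resource, action):
        """Authorization derived purely from the central identity record."""
        ident = self._identities.get(user_id)
        if ident is None or ident.status is not Status.ACTIVE:
            return False  # unknown or disabled identities get nothing
        return any((resource, action) in self._role_permissions[r]
                   for r in ident.roles)


def demo():
    """Walk one identity through the lifecycle; returns the decisions made."""
    store = IdentityStore()
    store.define_role("billing-viewer", [("invoices", "read")])
    store.define_role("billing-requester", [("invoices", "create")])
    store.define_role("billing-approver",
                      [("invoices", "read"), ("invoices", "approve")])
    # Governance policy: whoever creates an invoice must not approve it.
    store.add_sod_conflict("billing-requester", "billing-approver")

    store.provision("alice")
    store.assign_role("alice", "billing-requester")
    results = {
        "alice_create": store.is_allowed("alice", "invoices", "create"),
        "alice_approve": store.is_allowed("alice", "invoices", "approve"),
    }
    try:
        store.assign_role("alice", "billing-approver")
        results["sod_blocked"] = False
    except PermissionError:
        results["sod_blocked"] = True
    store.deprovision("alice")
    results["after_deprovision"] = store.is_allowed("alice", "invoices", "create")
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the properties the list describes: the access decision changes only because the central identity record changes (a role is added, the identity is disabled), and the conflicting role assignment is rejected at the governance layer before any access is ever granted.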

To select the right security product, list your core IAM requirements and match them to the product components that each IAM vendor provides. This is more complicated than it might seem. For example, a Global 2000 company defines its core security requirements and sets out to find a common IAM process -- what security architects call a meta-architecture. However, if the company overlooks the needs of the smaller problem domains inside the business, it will oversimplify its security strategy, and the end result will be failure.

Building an identity-based security model for cloud

Pick an IAM product that's appropriate for your cloud security needs. In many cases, organizations that deploy cloud-based platforms may use two or three IAM technologies. One might manage identity, while another manages single sign-on.

Best practices are still emerging around the use of identity-based security for cloud, but certain approaches are worthy of attention. Think about the integration of cloud-based identity management tools with enterprise security from the outset. Many IT teams create security silos that use different technologies, but these silos can be counterproductive over time. You'll eventually need to consolidate around a single security model.

Don't be afraid to focus on the design and architecture of your identity-based security strategy before selecting the technology. The results will be more complex, but the architecture should endure through many changes in technology. Never let technology lead your requirements or design.

Once you select products, be sure of their capabilities. Splurge on testing, including "white hat" security tests, to identify any vulnerabilities.

In addition, make sure the design process accounts for performance. Most IAM systems won't slow things down, but they can. Performance issues are hard to fix after deployment, and could cause users to figure out ways around the security tool.

Consider your industry and its particular compliance regulations for cloud. Identity governance features within IAM systems typically manage these, and they need to be understood in the beginning. It's tough to retrofit these policies after implementation.
