Clouds are distributed systems with many moving parts that all work independently. There are resources, such as storage and compute systems, as well as more fine-grained services, such as APIs. Admins need to track user activity within these systems, including the use of all cloud-based resources, applications and databases. In addition, they need to be able to federate security information between cloud-based and on-premises systems. Federated identity and access management in cloud computing helps make this happen.
To understand identity and access management (IAM) best practices for cloud, it's helpful to walk through an example. The first step is to create an account on your cloud provider's platform. That account is yours, and other users will do the same. However, to provide the best integration, admins also need to authenticate other users in their company on their corporate network. Users' identities are federated between the user directories that exist on premises, and those that exist within the public cloud provider's platform.
The role of groups in cloud identity and access management systems
After setting up user identities, and federating those identities between cloud and on-premises directories, admins need to manage those identities to define what individual users, and groups of users, can do. Groups, in the world of an identity and access management system, are collections of IAM users.
With groups, admins can specify permissions for a collection of users. This structure allows them to deal with and manage entire groups at the same time, versus managing each individual user. Users can belong to many different groups, such as accounting or company leadership, and admins can grant permissions to two or more groups. Groups can't be nested within an identity and access management system -- meaning admins can't add groups within groups. And sometimes there are limits; at least, on Amazon Web Services (AWS), groups are limited to 100, and there can only be 10 groups per user.
Be sure to plan out groups correctly the first time. Some things seem like a good idea -- such as grouping users by geography -- but this could require admins to change the grouping in the future, which means migration, retesting and a lot of wasted time and money. Do thorough planning up front.
All major cloud providers, including AWS, Microsoft and Google, have some sort of IAM system within their cloud services. The basic patterns and federation capabilities are the same. However, the interfaces and how admins use them are not. You need to understand how each provider approaches an identity and access management system, including groups.
Choosing a directory service for your IAM system
It's important to use an on-premises directory service that can integrate with your cloud provider of choice. For this, you need to look for the use of standards, such as Security Assertion Markup Language (SAML)-compliant directories.
AWS, for instance, permits a federated user to access AWS cloud services. This allows admins to grant users permission to carry out any tasks in AWS that they've been granted permission to do on premises. Microsoft also integrates with SAML-compliant directories, including its own Active Directory, and Google supports SAML, as well.
Always test your on-premises and cloud-based systems using whatever IAM approaches you employ. Ensure both users and groups are properly managed, and that they are granted or not granted access as configured in the identity and access management system.
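The group model described above (flat groups carrying permissions, no nesting, the AWS quotas of 100 groups per account and 10 groups per user) and the access check recommended here, as an added example that is not from the article or any provider's SDK. It is a constructed in-memory model: the group names, actions and the explicit-deny-wins rule are assumptions for illustration, and `audit` reports where configured access differs from what you expect.

```python
from dataclasses import dataclass, field

# Quotas as cited in the article for AWS; this is a constructed model, not the AWS API.
MAX_GROUPS_PER_ACCOUNT = 100
MAX_GROUPS_PER_USER = 10


@dataclass
class Group:
    name: str
    allow: set = field(default_factory=set)  # actions such as "s3:GetObject"
    deny: set = field(default_factory=set)


class IamModel:
    """Flat group model: users join groups, groups carry the permissions."""

    def __init__(self):
        self.groups = {}       # group name -> Group
        self.memberships = {}  # user name -> set of group names

    def create_group(self, name, allow=(), deny=()):
        if name in self.groups:
            raise ValueError(f"group {name} already exists")
        if len(self.groups) >= MAX_GROUPS_PER_ACCOUNT:
            raise ValueError("account group quota reached")
        self.groups[name] = Group(name, set(allow), set(deny))

    def add_member(self, member, group):
        if member in self.groups:
            raise ValueError("groups cannot be nested inside groups")
        if group not in self.groups:
            raise KeyError(f"unknown group {group}")
        joined = self.memberships.setdefault(member, set())
        if group not in joined and len(joined) >= MAX_GROUPS_PER_USER:
            raise ValueError(f"{member} already belongs to {MAX_GROUPS_PER_USER} groups")
        joined.add(group)

    def is_allowed(self, user, action):
        """Default deny; an explicit deny in any group overrides any allow."""
        groups = [self.groups[g] for g in self.memberships.get(user, ())]
        if any(action in g.deny for g in groups):
            return False
        return any(action in g.allow for g in groups)


def audit(model, expectations):
    """Return the (user, action, expected) triples whose configured access differs."""
    return [(user, action, want) for user, action, want in expectations
            if model.is_allowed(user, action) != want]
```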