Research paper cloud computing

cc0511.pptx

Home >Information Systems homework help >Research paper cloud computing

School of Computer & Information Sciences

ITS-532 Cloud Computing

Chapter 5 – Identity as a Service (IDaaS)

Content from:

Primary Textbook: Jamsa, K. A. (2013). Cloud computing: SaaS, PaaS, IaaS, virtualization, business models, mobile, security and more. Burlington, MA: Jones & Bartlett Learning.

Secondary Textbook: Erl, T., Mahmood, Z., & Puttini, R. (2014). Cloud computing: concepts, technology, & architecture. Upper Saddle River, NJ: Prentice Hall.

Learning Objectives

Describe challenges related to ID management.

Describe and discuss single sign-on (SSO) capabilities.

List the advantages of IDaaS solutions.

Discuss IDaaS solutions offered by various companies.

IDaaS Defined

Identity (or identification) as a service (IDaaS)—Cloud-based approaches to managing user identities, including usernames, passwords, and access. Also sometimes referred to as “identity management as a service.

Identity and Access Management (IAM)

Identity and Access Management includes the components and policies necessary to control user identify and access privileges.

Authentication

Username/Password, digital signatures, digital certificates, biometrics

Authorization

Granular controls for mapping identities and rights

User Management

Creation and administration of new user identities, groups, passwords, and policies

Credential Management

Establishes identities and access control rules for user accounts

(Erl, 2014)

Single Sign-On (SSO)

Single sign-on (SSO)—PA process that allows a user to log into a central authority and then access other sites and services for which he or she has credentials.

Advantages of SSO

Fewer username and password combinations for users to remember and manage

Less password fatigue caused by the stress of managing multiple passwords

Less user time consumed by having to log in to individual systems

Fewer calls to help desks for forgotten passwords

A centralized location for IT staff to manage password compliance and reporting

Disadvantages of SSO

The primary disadvantage of SSO systems is the potential for a single source of failure. If the authentication server fails, users will not be able to log in to other servers.

Thus, having a cloud-based authentication server with system redundancy reduces the risk of system unavailability.

How Single Sign On Works

The single sign on mechanism enables one cloud service consumer to be authenticated by a security broker. Once established, the security context is persistent when the consumer accesses other cloud based IT resources.

(Erl, 2014)

Figure 10.9 - A cloud consumer provides the security broker with login credentials (1). The security broker response with an authentication token (message with small lock symbol) upon successful authentication, which contains cloud service consumer identify information (2) that is used to automatically authenticate the cloud service consumer across Cloud Services A, B, and C (3).

Federated ID Management

FIDM describes the technologies and protocols that combine to enable a user to bring security credentials across different security domains (different servers running potentially different operating systems).

Security Assertion Markup Language (SAML)

Behind the scenes, many FIDM systems use the Security Assertion Markup Language (SAML) to package a user’s security credentials.

Account Provisioning

The process of creating a user account on a system is called account provisioning.

Because different employees may need different capabilities on each system, the provisioning process can be complex.

When an employee leaves the company, a deprovisioning process must occur to remove the user’s accounts.

Unfortunately, the IT staff is not always immediately informed that an employee no longer works for the company, or the IT staff misses a server account and the user may still have access to one or more systems.

4 A’s of Cloud Identity

Authentication: The process of validating a user for on-site and cloud-based solutions.

Authorization: The process of determining and specifying what a user is allowed to do on each server.

Account management: The process of synchronizing user accounts by provisioning and deprovisioning access.

Audit logging: The process of tracking which applications users access and when.

Real World: Ping Identity IDaaS

Ping Identity provides cloud-based ID management software that supports FIDM and user account provisioning.

Real World: PassworkBank IDaaS

PasswordBank provides an IDaaS solution that supports on-site and cloud-based system access. Its Federated ID Management (FIDM/FIM) service supports enterprise-wide SSO (E-SSO) and SSO for web-based applications (WebSSO).

The PasswordBank solutions perform the FIDM without the use of SAML.

Security Assertion Markup Language (SAML) is a standard for logging users into applications based on their sessions in another context. This single sign-on (SSO) login standard has significant advantages over logging in using a username/password:

No need to type in credentials

No need to remember and renew passwords

No weak passwords

PasswordBank solutions support a myriad of devices, including the iPhone.

PasswordBank's unique Identity-as-a-Service (IDaaS) Single Sign-On software securely automates all logons to corporate and cloud applications.

OpenID

OpenID allows users to use an existing account to log in to multiple websites. Today, more than 1 billion OpenID accounts exist and are accepted by thousands of websites.

Companies that support OpenID include Google, Yahoo!, Flickr, Myspace, WordPress.com, and more

OpenID was created in the summer of 2005 by an open source community trying to solve a problem that was not easily solved by other existing identity technologies.

OpenID was created in the summer of 2005 by an open source community trying to solve a problem that was not easily solved by other existing identity technologies. As such, OpenID is decentralized and not owned by anyone, nor should it be. Today, anyone can choose to use an OpenID or become an OpenID Provider for free without having to register or be approved by any organization.

Advantages of Using OpenID

Increased site conversion rates (rates at which customers choose to join websites) because users do not need to register

Access to greater user profile content

Fewer problems with lost passwords

Ease of content integration into social networking sites

Mobile ID Management

Threats to mobile devices include the following:

Identity theft if a device is lost or stolen

Eavesdropping on data communications

Surveillance of confidential screen content

Phishing of content from rogue sites

Man-in-the-middle attacks through intercepted signals

Inadequate device resources to provide a strong security implementation

Social attacks on unaware users that yield identity information

Cloud Based Security Groups

Cloud resource segmentation is a process of creating separate physical and virtual IT environments for different users and groups to increase security.

(Erl, 2014)

Figure 10.11 - Cloud-Based Security Group A encompasses Virtual Servers A and D and is assigned to Cloud Consumer A. Cloud-Based Security Group B is comprised of Virtual Servers B, C, and E and is assigned to Cloud Consumer B. If Cloud Service Consumer A’s credentials are compromised, the attacker would only be able to access and damage the virtual servers in Cloud-Based Security Group A, thereby protecting Virtual Servers B, C, and E.

Hardened Virtual Server Images

When creating a virtual server from a template, the hardening process removes unnecessary software from the system to limit vulnerabilities that could be exploited by hackers.

(Erl, 2014)

Figure 10.13 - A cloud provider applies its security policies to harden its standard virtual server images.

Key Terms

References

Primary:

Jamsa, K. A. (2013). Cloud computing: SaaS, PaaS, IaaS, virtualization, business models, mobile, security and more. Burlington, MA: Jones & Bartlett Learning.

Secondary:

Erl, T., Mahmood, Z., & Puttini, R. (2014). Cloud computing: concepts, technology, & architecture. Upper Saddle River, NJ: Prentice Hall.

Identity management

Identity Management as a service (IDAAS)

A Case example using ms azure

Contents

Definitions

Security – A Shared Responsibility

Authentication and Authorization

Managed Identities (Azure)

Security Advantages

Organizations face many challenges with securing their datacenters, including recruiting and keeping security experts, using many security tools, and keeping pace with the volume and complexity of threats.

As computing environments move from customer-controlled datacenters to the cloud, the responsibility of security also shifts. Security of the operational environment is now a concern shared by both cloud providers and customers. By shifting these responsibilities to a cloud service like Azure, organizations can reduce focus on activities that aren't core business competencies. Depending on the specific technology choices, some security protections will be built into the particular service, while addressing others will remain the customer's responsibility. To ensure that the proper security controls are provided, a careful evaluation of the services and technology choices becomes necessary.

Security is a shared responsibility

Look in the slide notes below for topics to consider talking about

The first shift you'll make is from on-premises data centers to infrastructure as a service (IaaS). With IaaS, you are leveraging the lowest-level service and asking Azure to create virtual machines (VMs) and virtual networks. At this level, it's still your responsibility to patch and secure your operating systems and software, as well as configure your network to be secure. At Contoso Shipping, you are taking advantage of IaaS when you start using Azure VMs instead of your on-premises physical servers. In addition to the operational advantages, you receive the security advantage of having outsourced concern over protecting the physical parts of the network.

Moving to platform as a service (PaaS) outsources several security concerns. At this level, Azure is taking care of the operating system and of most foundational software like database management systems. Everything is updated with the latest security patches and can be integrated with Azure Active Directory for access controls. PaaS also comes with many operational advantages. Rather than building whole infrastructures and subnets for your environments by hand, you can "point and click" within the Azure portal or run automated scripts to bring complex, secured systems up and down, and scale them as needed. Contoso Shipping uses Azure Event Hubs for ingesting telemetry data from drones and trucks — as well as a web app with an Azure Cosmos DB back end with its mobile apps — which are all examples of PaaS.

With software as a service (SaaS), you outsource almost everything. SaaS is software that runs with an internet infrastructure. The code is controlled by the vendor but configured to be used by the customer. Like so many companies, Contoso Shipping uses Office 365, which is a great example of SaaS!

For all cloud deployment types, you own your data and identities. You are responsible for helping secure your data and identities, your on-premises resources, and the cloud components you control (which vary by service type).

Regardless of the deployment type, you always retain responsibility for the following items:

Data

Endpoints

Accounts

Access management

A Layered Approach

Data

In almost all cases, attackers are after data:

Stored in a database

Stored on disk inside virtual machines

Stored on a SaaS application such as Office 365

Stored in cloud storage

It's the responsibility of those storing and controlling access to data to ensure that it's properly secured. Often, there are regulatory requirements that dictate the controls and processes that must be in place to ensure the confidentiality, integrity, and availability of the data.

A Layered Approach

Application

Ensure applications are secure and free of vulnerabilities.

Store sensitive application secrets in a secure storage medium.

Make security a design requirement for all application development.

Integrating security into the application development life cycle will help reduce the number of vulnerabilities introduced in code. We encourage all development teams to ensure their applications are secure by default, and that they're making security requirements non-negotiable.

A Layered Approach

Compute

Secure access to virtual machines.

Implement endpoint protection and keep systems patched and current.

Malware, unpatched systems, and improperly secured systems open your environment to attacks. The focus in this layer is on making sure your compute resources are secure, and that you have the proper controls in place to minimize security issues

A Layered Approach

Networking

Limit communication between resources.

Deny by default.

Restrict inbound internet access and limit outbound, where appropriate.

Implement secure connectivity to on-premises networks.

At this layer, the focus is on limiting the network connectivity across all your resources to allow only what is required. By limiting this communication, you reduce the risk of lateral movement throughout your network.

A Layered Approach

Perimeter

Use distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for end users.

Use perimeter firewalls to identify and alert on malicious attacks against your network.

At the network perimeter, it's about protecting from network-based attacks against your resources. Identifying these attacks, eliminating their impact, and alerting you when they happen are important ways to keep your network secure.

A Layered Approach

Identity and access

Control access to infrastructure and change control.

Use single sign-on and multi-factor authentication.

Audit events and changes.

The identity and access layer is all about ensuring identities are secure, access granted is only what is needed, and changes are logged.

A Layered Approach

Physical security

Physical building security and controlling access to computing hardware within the data center is the first line of defense.

With physical security, the intent is to provide physical safeguards against access to assets. These safeguards ensure that other layers can't be bypassed, and loss or theft is handled appropriately.

Authentication and Authorization

Authentication & Authorization Defined

Authentication is the process of establishing the identity of a person or service looking to access a resource. It involves the act of challenging a party for legitimate credentials and provides the basis for creating a security principal for identity and access control use. It establishes if they are who they say they are.

Authorization is the process of establishing what level of access an authenticated person or service has. It specifies what data they're allowed to access and what they can do with it.

Active Directory (Microsoft Azure)

What is Azure Active Directory?

Azure AD is a cloud-based identity service. It has built in support for synchronizing with your existing on-premises Active Directory or can be used stand-alone.

This means that all your applications, whether on-premises, in the cloud (including Office 365), or even mobile can share the same credentials.

Administrators and developers can control access to internal and external data and applications using centralized rules and policies configured in Azure AD.

What is Azure Active Directory?

Azure AD is a cloud-based identity service. It has built in support for synchronizing with your existing on-premises Active Directory or can be used stand-alone.

This means that all your applications, whether on-premises, in the cloud (including Office 365), or even mobile can share the same credentials.

Administrators and developers can control access to internal and external data and applications using centralized rules and policies configured in Azure AD.

Azure Active Directory (AD)

Azure AD provides services such as:

Authentication.

Single-Sign-On (SSO).

Application management.

Business to business (B2B) identity services.

Business-to-Customer (B2C) identity services.

Device Management.

Azure AD provides services such as:

Authentication. This includes verifying identity to access applications and resources, and providing functionality such as self-service password reset, multi-factor authentication (MFA), a custom banned password list, and smart lockout services.

Single-Sign-On (SSO). SSO enables users to remember only one ID and one password to access multiple applications. A single identity is tied to a user, simplifying the security model. As users change roles or leave an organization, access modifications are tied to that identity, greatly reducing the effort needed to change or disable accounts.

Application management. You can manage your cloud and on-premises apps using Azure AD Application Proxy, SSO, the My apps portal (also referred to as Access panel), and SaaS apps.

Business to business (B2B) identity services. Manage your guest users and external partners while maintaining control over your own corporate data

Business-to-Customer (B2C) identity services. Customize and control how users sign up, sign in, and manage their profiles when using your apps with services.

Device Management. Manage how your cloud or on-premises devices access your corporate data.

Single Sign-On

SSO with Azure Active Directory

By leveraging Azure AD for SSO you'll also have the ability to combine multiple data sources into an intelligent security graph.

This security graph enables the ability to provide threat analysis and real-time identity protection to all accounts in Azure AD, including accounts that are synchronized from your on-premises AD.

By using a centralized identity provider, you'll have centralized the security controls, reporting, alerting, and administration of your identity infrastructure.

As Contoso Shipping integrates its existing Active Directory instance with Azure AD, you will make controlling access consistent across the organization.

Doing so will also greatly simplify the ability to sign into email and Office 365 documents without having to reauthenticate.

The more identities a user must manage, the greater the risk of a credential-related security incident. More identities mean more passwords to remember and change. Password policies can vary between applications and, as complexity requirements increase, it becomes increasingly difficult for users to remember them.

Now, consider the logistics of managing all those identities. Additional strain is placed on help desks as they deal with account lockouts and password reset requests. If a user leaves an organization, tracking down all those identities and ensuring they are disabled can be challenging. If an identity is overlooked, this could allow access when it should have been eliminated.

With single sign-on (SSO), users need to remember only one ID and one password. Access across applications is granted to a single identity tied to a user, simplifying the security model. As users change roles or leave an organization, access modifications are tied to the single identity, greatly reducing the effort needed to change or disable accounts. Using single sign-on for accounts will make it easier for users to manage their identities and will increase the security capabilities in your environment.

Multi-factor authentication

Multi-factor authentication (MFA) provides additional security for your identities by requiring two or more elements for full authentication. These elements fall into three categories:

Something you know

Something you possess

Something you are

Something you know would be a password or the answer to a security question. Something you possess could be a mobile app that receives a notification or a token-generating device. Something you are is typically some sort of biometric property, such as a fingerprint or face scan used on many mobile devices.

Using MFA increases security of your identity by limiting the impact of credential exposure. An attacker who has a user's password would also need to have possession of their phone or their face in order to fully authenticate. Authentication with only a single factor verified is insufficient, and the attacker would be unable to use only those credentials to authenticate. The benefits this brings to security are huge, and we can't emphasize enough the importance of enabling MFA wherever possible.

Azure AD has MFA capabilities built in and will integrate with other third-party MFA providers. MFA should be used for users in the Global Administrator role in Azure AD, because these are highly sensitive accounts. All other accounts can have MFA enabled.

For Contoso Shipping, you decide to enable MFA any time a user is signing in from a non-domain-connected computer — which includes the mobile apps your drivers use.

Providing identities to services

Multi-factor authentication (MFA) provides additional security for your identities by requiring two or more elements for full authentication. These elements fall into three categories:

Something you know

Something you possess

Something you are

It's usually valuable for services to have identities. Often, and against best practices, credential information is embedded in configuration files. With no security around these configuration files, anyone with access to the systems or repositories can access these credentials and risk exposure.

Azure AD addresses this problem through two methods: service principals and managed identities for Azure services.

Service principals

Multi-factor authentication (MFA) provides additional security for your identities by requiring two or more elements for full authentication. These elements fall into three categories:

Something you know

Something you possess

Something you are

Service principals

To understand service principals, it's useful to first understand the words identity and principal, because of how they are used in the identity management world.

An identity is just a thing that can be authenticated. Obviously, this includes users with a user name and password, but it can also include applications or other servers, which might authenticate with secret keys or certificates.

A principal is an identity acting with certain roles or claims. Usually, it is not useful to consider identity and principal separately, but think of using 'sudo' on a Bash prompt in Linux or on Windows using "run as Administrator." In both those cases, you are still logged in as the same identity as before, but you've changed the role under which you are executing. Groups are often also considered principals because they can have rights assigned.