
School of Computer & Information Sciences

ITS-532 Cloud Computing

Chapter 5 – Identity as a Service (IDaaS)

Content from:

Primary Textbook: Jamsa, K. A. (2013). Cloud computing: SaaS, PaaS, IaaS, virtualization, business models, mobile, security and more. Burlington, MA: Jones & Bartlett Learning.

Secondary Textbook: Erl, T., Mahmood, Z., & Puttini, R. (2014). Cloud computing: concepts, technology, & architecture. Upper Saddle River, NJ: Prentice Hall.


Learning Objectives

Describe challenges related to ID management.

Describe and discuss single sign-on (SSO) capabilities.

List the advantages of IDaaS solutions.

Discuss IDaaS solutions offered by various companies.

IDaaS Defined

Identity (or identification) as a service (IDaaS)—Cloud-based approaches to managing user identities, including usernames, passwords, and access. Also sometimes referred to as “identity management as a service.”

Identity and Access Management (IAM)

Identity and Access Management includes the components and policies necessary to control user identity and access privileges.

Authentication

Username/Password, digital signatures, digital certificates, biometrics

Authorization

Granular controls for mapping identities and rights

User Management

Creation and administration of new user identities, groups, passwords, and policies

Credential Management

Establishes identities and access control rules for user accounts


(Erl, 2014)

Single Sign-On (SSO)

Single sign-on (SSO)—A process that allows a user to log into a central authority and then access other sites and services for which he or she has credentials.

Advantages of SSO

Fewer username and password combinations for users to remember and manage

Less password fatigue caused by the stress of managing multiple passwords

Less user time consumed by having to log in to individual systems

Fewer calls to help desks for forgotten passwords

A centralized location for IT staff to manage password compliance and reporting

Disadvantages of SSO

The primary disadvantage of SSO systems is the potential for a single source of failure. If the authentication server fails, users will not be able to log in to other servers.

Thus, having a cloud-based authentication server with system redundancy reduces the risk of system unavailability.

How Single Sign On Works

The single sign-on mechanism enables one cloud service consumer to be authenticated by a security broker. Once established, the security context is persistent when the consumer accesses other cloud-based IT resources.


(Erl, 2014)

Figure 10.9 - A cloud consumer provides the security broker with login credentials (1). The security broker responds with an authentication token (message with small lock symbol) upon successful authentication, which contains cloud service consumer identity information (2) that is used to automatically authenticate the cloud service consumer across Cloud Services A, B, and C (3).
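The three numbered steps of Figure 10.9, as an added Python example that is not part of the slides or of the Erl textbook: the broker verifies the credentials once (1), issues a signed token carrying the consumer's identity (2), and each cloud service validates the token's signature, lifetime, and intended audience instead of seeing the password (3). The shared HMAC key, the PBKDF2 password storage, the 300-second lifetime and the user names are constructed assumptions for the demo; a real broker would typically issue SAML assertions or signed JWTs.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Constructed demo values (not from the slides). A deployed broker keeps its
# signing key in a secret store and rotates it.
BROKER_SECRET = b"constructed-demo-signing-key"
TOKEN_TTL_SECONDS = 300


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the broker never stores the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SecurityBroker:
    """The central authority: checks credentials (1) and issues a token (2)."""

    def __init__(self, secret: bytes, services: list):
        self.secret = secret
        self.services = services          # audience the token is valid for
        self.users = {}                   # username -> (salt, password hash)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, _hash_password(password, salt))

    def login(self, username: str, password: str, now: Optional[int] = None):
        record = self.users.get(username)
        if record is None:
            return None
        salt, stored = record
        # Constant-time comparison: a wrong guess leaks no timing information.
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            return None
        now = int(time.time()) if now is None else now
        payload = {"sub": username, "iat": now,
                   "exp": now + TOKEN_TTL_SECONDS, "aud": self.services}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        sig = _b64(hmac.new(self.secret, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"


class CloudService:
    """Service A, B or C: trusts the broker's signature, never sees a password (3)."""

    def __init__(self, name: str, broker_secret: bytes):
        self.name = name
        self.broker_secret = broker_secret

    def authenticate(self, token: str, now: Optional[int] = None):
        """Return the consumer identity carried by a valid token, else None."""
        try:
            body, sig = token.split(".")
            expected = hmac.new(self.broker_secret, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(sig)):
                return None               # forged or tampered token
            payload = json.loads(_unb64(body))
        except ValueError:                # malformed token or base64/JSON
            return None
        now = int(time.time()) if now is None else now
        if payload["exp"] <= now:
            return None                   # the persistent context has a bounded lifetime
        if self.name not in payload["aud"]:
            return None                   # token was not issued for this service
        return payload["sub"]


if __name__ == "__main__":
    broker = SecurityBroker(BROKER_SECRET, ["A", "B", "C"])
    broker.register("alice", "correct horse battery staple")
    token = broker.login("alice", "correct horse battery staple")
    for name in "ABC":
        print(name, CloudService(name, BROKER_SECRET).authenticate(token))
```

The single point of failure noted on the "Disadvantages of SSO" slide is visible here: every service depends on the broker's key and availability, which is why the key is shared only with trusted services and the token lifetime is kept short.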

Federated ID Management

FIDM describes the technologies and protocols that combine to enable a user to bring security credentials across different security domains (different servers running potentially different operating systems).

Security Assertion Markup Language (SAML)

Behind the scenes, many FIDM systems use the Security Assertion Markup Language (SAML) to package a user’s security credentials.

Account Provisioning

The process of creating a user account on a system is called account provisioning.

Because different employees may need different capabilities on each system, the provisioning process can be complex.

When an employee leaves the company, a deprovisioning process must occur to remove the user’s accounts.

Unfortunately, the IT staff is not always informed immediately that an employee no longer works for the company, or the IT staff misses a server account, and the user may still have access to one or more systems.
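The deprovisioning gap described above is usually caught by reconciling the HR roster against the accounts that actually exist on each system. The following Python example is added here and is not from the slides or the textbook; the roster, role-to-system entitlements and account lists are constructed sample data. It reports, per system, accounts that should be removed (terminated employees, accounts unknown to HR, and accounts a role does not entitle) and accounts that still need provisioning.

```python
# Constructed sample data (not from the slides).
# HR roster: username -> (employment status, role)
HR_ROSTER = {
    "alice": ("active", "sales"),
    "bob": ("terminated", "sales"),
    "carol": ("active", "engineering"),
    "erin": ("active", "engineering"),
}

# Which systems each role is entitled to.
ROLE_ACCESS = {
    "sales": {"mail", "crm"},
    "engineering": {"mail", "fileserver"},
}

# Accounts actually present on each system (e.g. exported from the servers).
SYSTEM_ACCOUNTS = {
    "mail": {"alice", "bob", "carol"},
    "crm": {"alice", "bob"},
    "fileserver": {"alice", "carol", "dave"},
}


def reason_to_remove(user, system, roster, role_access):
    """Explain why an existing account should not be there, or None if it should."""
    if user not in roster:
        return "unknown to HR"
    status, role = roster[user]
    if status != "active":
        return status                      # e.g. "terminated": deprovisioning was missed
    if system not in role_access.get(role, set()):
        return "not entitled by role"      # account outlived a role change
    return None


def reconcile(roster, role_access, systems):
    """Return (to_deprovision, to_provision).

    to_deprovision: system -> {user: reason}
    to_provision:   system -> sorted list of active users missing an account
    """
    to_deprovision, to_provision = {}, {}
    for system, accounts in systems.items():
        removals = {}
        for user in sorted(accounts):
            reason = reason_to_remove(user, system, roster, role_access)
            if reason:
                removals[user] = reason
        if removals:
            to_deprovision[system] = removals
        entitled = {u for u, (status, role) in roster.items()
                    if status == "active" and system in role_access.get(role, set())}
        missing = sorted(entitled - accounts)
        if missing:
            to_provision[system] = missing
    return to_deprovision, to_provision


if __name__ == "__main__":
    remove, add = reconcile(HR_ROSTER, ROLE_ACCESS, SYSTEM_ACCOUNTS)
    for system, users in remove.items():
        for user, why in users.items():
            print(f"DEPROVISION {user}@{system}: {why}")
    for system, users in add.items():
        print(f"PROVISION {users} on {system}")
```

Running this reconciliation on a schedule, rather than waiting for HR to notify IT, is what turns the "missed server account" problem into a detectable audit finding.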

4 A’s of Cloud Identity

Authentication: The process of validating a user for on-site and cloud-based solutions.

Authorization: The process of determining and specifying what a user is allowed to do on each server.

Account management: The process of synchronizing user accounts by provisioning and deprovisioning access.

Audit logging: The process of tracking which applications users access and when.

Real World: Ping Identity IDaaS

Ping Identity provides cloud-based ID management software that supports FIDM and user account provisioning.

Real World: PasswordBank IDaaS

PasswordBank provides an IDaaS solution that supports on-site and cloud-based system access. Its FIDM service supports enterprise-wide SSO (E-SSO) and SSO for web-based applications (WebSSO).

The PasswordBank solutions perform FIDM without the use of SAML.

PasswordBank solutions support a myriad of devices, including the iPhone.

OpenID

OpenID allows users to use an existing account to log in to multiple websites. Today, more than 1 billion OpenID accounts exist and are accepted by thousands of websites.

Companies that support OpenID include Google, Yahoo!, Flickr, Myspace, WordPress.com, and more.

Advantages of Using OpenID

Increased site conversion rates (rates at which customers choose to join websites) because users do not need to register

Access to greater user profile content

Fewer problems with lost passwords

Ease of content integration into social networking sites

Mobile ID Management

Threats to mobile devices include the following:

Identity theft if a device is lost or stolen

Eavesdropping on data communications

Surveillance of confidential screen content

Phishing of content from rogue sites

Man-in-the-middle attacks through intercepted signals

Inadequate device resources to provide a strong security implementation

Social attacks on unaware users that yield identity information

Cloud Based Security Groups

Cloud resource segmentation is a process of creating separate physical and virtual IT environments for different users and groups to increase security.


(Erl, 2014)

Figure 10.11 - Cloud-Based Security Group A encompasses Virtual Servers A and D and is assigned to Cloud Consumer A. Cloud-Based Security Group B comprises Virtual Servers B, C, and E and is assigned to Cloud Consumer B. If Cloud Service Consumer A’s credentials are compromised, the attacker would only be able to access and damage the virtual servers in Cloud-Based Security Group A, thereby protecting Virtual Servers B, C, and E.
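The segmentation in Figure 10.11, as an added Python example (not the slides' or the textbook's code) that models the two security groups, checks that the groups really partition the servers, evaluates access requests against the assignment, and computes the blast radius of one compromised consumer credential. The consumer names, the server identifiers and the sample access log are constructed for the demo.

```python
# Constructed model of Figure 10.11 (not from the slides).
SECURITY_GROUPS = {
    "A": {"VS-A", "VS-D"},
    "B": {"VS-B", "VS-C", "VS-E"},
}
CONSUMER_GROUP = {"consumer_a": "A", "consumer_b": "B"}


def validate_partition(groups):
    """Segmentation only isolates if no virtual server sits in two groups."""
    seen = {}
    for group, servers in groups.items():
        for server in servers:
            if server in seen:
                raise ValueError(f"{server} is in both group {seen[server]} and {group}")
            seen[server] = group
    return seen                           # server -> owning group


def can_access(consumer, server, groups=SECURITY_GROUPS, assignment=CONSUMER_GROUP):
    """Allow only requests from a consumer to a server in its own security group."""
    group = assignment.get(consumer)
    return group is not None and server in groups.get(group, set())


def blast_radius(consumer, groups=SECURITY_GROUPS, assignment=CONSUMER_GROUP):
    """Servers reachable if this consumer's credentials are compromised."""
    return sorted(groups.get(assignment.get(consumer), set()))


def denied_requests(log, groups=SECURITY_GROUPS, assignment=CONSUMER_GROUP):
    """Cross-group attempts from an access log: these are the events to alert on."""
    return [(who, target) for who, target in log if not can_access(who, target, groups, assignment)]


# Constructed access log: (consumer presenting the credential, server requested).
SAMPLE_LOG = [
    ("consumer_a", "VS-A"),
    ("consumer_a", "VS-D"),
    ("consumer_a", "VS-B"),     # attacker with Consumer A's credentials probing Group B
    ("consumer_b", "VS-E"),
    ("consumer_b", "VS-A"),
    ("unknown", "VS-C"),
]

if __name__ == "__main__":
    validate_partition(SECURITY_GROUPS)
    print("compromise of consumer_a reaches:", blast_radius("consumer_a"))
    for who, target in denied_requests(SAMPLE_LOG):
        print(f"DENY {who} -> {target}")
```

The denied list is the defender's signal: a credential that is suddenly used against servers outside its group is exactly the compromise scenario the figure describes.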

Hardened Virtual Server Images

When creating a virtual server from a template, the hardening process removes unnecessary software from the system to limit vulnerabilities that could be exploited by hackers.


(Erl, 2014)

Figure 10.13 - A cloud provider applies its security policies to harden its standard virtual server images.

Key Terms

References

Primary:

Jamsa, K. A. (2013). Cloud computing: SaaS, PaaS, IaaS, virtualization, business models, mobile, security and more. Burlington, MA: Jones & Bartlett Learning.

Secondary:

Erl, T., Mahmood, Z., & Puttini, R. (2014). Cloud computing: concepts, technology, & architecture. Upper Saddle River, NJ: Prentice Hall.
