
Cloud Access Security


Security Expert, Gunnar Peterson, on Understanding Cloud Security Standards, Part 1

A long-time information security friend with extensive experience in crypto products and projects said to me recently, “I just started getting involved in identity stuff, and I felt like I was back in the 1990s crypto days, so many standards, concepts, and acronyms!” No question about it, Identity standards are an alphabet soup: SAML, OAuth, OpenID, XACML, and the list goes on. Like most evolving technology, there is a lot to keep track of, but in this case it's necessary.

*Identity architecture matters.* Across the board, Identity plays a role. Identity is implicit in how all Cloud application integration occurs; Identity directly affects the user and the user experience (such as Single Sign-On); and of course it’s central to delivering security in Access Control systems.

Cloud Identity & Security Anti-Patterns

“A portion of the cost savings obtained by Cloud Computing services must be invested into increased scrutiny of the security capabilities of the provider, application of security controls, and ongoing detailed assessments and audits, to ensure requirements are continuously met” - Cloud Security Alliance Guidance

Enterprises have enterprise directories such as LDAP and Active Directory for managing users inside their own domains. Enterprise directories are mature technologies that offer a great deal of flexibility, manageability and security. But what happens to the Identity and Access Management equation when some of the enterprise users, data, and functionality move to the Cloud?

Several anti-patterns have emerged:

  • Low/no access control
  • Replicating user accounts
  • Copying credentials
  • “Trusted” proxy

Low/no access control - Cloud applications sometimes begin their production life with very little access control turned on. The rationale is often “we’ll see if it works and then turn on security later,” but as another former colleague of mine says, “there is nothing more permanent than a temporary solution.” If the initial Cloud deployment is successful from a business point of view, security will be looked at as an “extra” add-on cost and effort later. It's better to factor security in from the first Cloud deployment.

Replicating user accounts - copying your Enterprise directory, in full or as an extract, is another popular workaround for Cloud security, but it fails to solve the security problem and introduces new challenges. Replication means the users must log on again, and no user wants another username and password. Worse from a security point of view, the user accounts are now stored and managed in a separate location with different governance and operations; this introduces a host of compliance and policy challenges. It's inefficient to introduce a new Identity management location and lifecycle in the Cloud.

Copying credentials - sometimes Enterprises copy credentials to Cloud-based services, and thereby create a new pool of identity risk to manage. Credentials like passwords grant access to users, and in this scenario the Cloud opens up the possibility for an attacker to discover and take possession of critical credentials in order to impersonate users and spoof identity.

“Trusted” proxy - Question: how many legs does a three-legged dog have if you call a tail a leg? Answer: three. Just because you call a tail a leg doesn’t make it a leg. Trust is an overloaded term in information security. But trust must be earned; simply adding “air quotes” and calling a proxy “trusted” is not the same as deserving trust. Proxies and Gateways are vital tools for Cloud Security. The security of a proxy is determined by the protection and detection services that are added on.

From Anti-Patterns to Cloud Security Patterns

Moving away from the Anti-Patterns means identifying how security services like Gateways enable strong access control, limit user account and credential vulnerabilities through stronger identity standards, and deliver improved visibility into operational events at runtime.

The first step in dealing with Cloud Security Anti-Patterns is deploying a Policy Enforcement Point to give the Information Security team a place to implement controls that avoid the Anti-Patterns and enable a more robust security architecture.

A checklist for Mitigating the Anti-Patterns

  • Low/no access control - strong access control protocols for authentication and authorization
  • Replicating user accounts - retain enterprise provisioning on Cloud Consumer side
  • Copying credentials - implement federated identity
  • “Trusted” proxy - improved audit logging and monitoring on the Gateway
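The four checklist items can be seen together in a small Policy Enforcement Point sketch. This is an added example, not code from the original post or from any gateway product; the key, roles, actions and function names are hypothetical, and an HMAC-signed token stands in for a real federation assertion such as SAML, which would use asymmetric signatures.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key standing in for the IdP's signing key. Real federation
# (e.g. SAML) signs asymmetrically, so the verifier cannot mint assertions.
IDP_KEY = b"constructed-demo-key"
# Hypothetical authorization policy: role -> cloud actions allowed.
POLICY = {"sales": {"crm:read"}, "sales-admin": {"crm:read", "crm:export"}}
AUDIT_LOG = []  # stand-in for an append-only log or SIEM feed

def issue_assertion(user, role, ttl=300, now=None):
    """Enterprise side: the directory stays the source of truth; only a
    short-lived signed claim leaves the domain, never the password."""
    now = time.time() if now is None else now
    body = base64.urlsafe_b64encode(json.dumps(
        {"sub": user, "role": role, "exp": now + ttl}).encode())
    sig = hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + sig

def enforce(assertion, action, now=None):
    """Gateway PEP: authenticate the assertion, authorize the action, and
    audit every decision, denies included."""
    now = time.time() if now is None else now
    decision, reason, user = "deny", "malformed assertion", None
    try:
        body, sig = assertion.rsplit(".", 1)
        expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            reason = "bad signature"  # claims stay unread: they are untrusted
        else:
            claims = json.loads(base64.urlsafe_b64decode(body))
            user = claims["sub"]
            if claims["exp"] < now:
                reason = "expired"
            elif action not in POLICY.get(claims["role"], set()):
                reason = "action not permitted for role"
            else:
                decision, reason = "allow", "ok"
    except (ValueError, KeyError, TypeError, AttributeError):
        pass  # fail closed: anything unparsable is a deny
    AUDIT_LOG.append({"ts": now, "user": user, "action": action,
                      "decision": decision, "reason": reason})
    return decision == "allow"
```

The Cloud side holds no user table and no passwords, and the audit trail records why each request was allowed or denied, which is what lets a gateway earn trust rather than merely be called trusted.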

In the following posts we will explore each of these in detail and look at how open identity standards and Gateways like Cloud Access 360 can allow you to unlock the value of Cloud applications in a safe manner.


Gunnar Peterson is a Managing Principal at Arctec Group. He is focused on distributed systems security for large mission-critical financial, financial exchange, healthcare, manufacturing, and federal/government systems, as well as emerging startups. Mr. Peterson is an internationally recognized software security expert, frequently published, an Associate Editor for IEEE Security & Privacy Journal on Building Security In, an Associate Editor for Information Security Bulletin, a contributor to the SEI and DHS Build Security In portal on software security, and an in-demand speaker at security conferences. He blogs at http://1raindrop.typepad.com.
