
Cloud Security

Chapter 5
Cloud Computing IAM
5 ArcTIC

Manel Medhioub
[email protected]

Esprit 2020-2021
Lesson plan

1- Introduction
2- Identity and Access Management
3- Identity Federation and SSO
5- IAM Standards for Cloud Computing
6- Benefits and Challenges
Introduction

• In years past, it was quite common to commit to a defensive strategy confined to internal environments.
• The traditional perimeter was secured using firewalls, network rules, endpoint detection, intrusion detection and prevention, and education of the user base.
• To support agility and security needs, the security architecture must shift its focus to the identity, device and application levels rather than the network level.
• Now, organizations need tools to extend user access and identity to everything, including Software as a Service (SaaS) apps and mobile devices.

3
Introduction

4
Introduction

Pain points by role:
• IT Admin: too many user stores and account admin requests; unsafe sync scripts.
• Developer: redundant code in each app; rework code too often.
• End User: too many passwords; long waits for access to apps and resources.
• Security/Compliance: too many orphaned accounts; limited auditing ability.
• Business Owner: too expensive to reach new partners and channels; need for control.

Source: Identity and Access Management: Overview, Rafal Lukawiecki - Strategic Consultant, Project Botticelli Ltd [email protected]

5
Introduction

6
Introduction

Evolution of IAM over time
7


Introduction

• Cloud-based platforms are capable of hosting different application services using the same physical resources.
• One approach to access control is to let each application service provider implement its own access control mechanism independently.

8
Introduction

• However, implementing independent access control for each service is quite complex and expensive, and it is not suitable for a multi-domain cloud-based platform.
• This means that there must be an efficient way to handle identity and access control mechanisms in a cloud-based system.

9
Introduction

• The provider's methods and procedures for managing user identities and their access to sensitive resources are among the most critical elements of any Cloud initiative.
• It can be difficult for a company to start using cloud Identity and Access Management solutions because it is hard for a company to cede control over infrastructure.

10
Introduction

• However, what makes using an IAM solution very valuable is the following:
 The ability to spend less on enterprise security by relying on a centralized trust model to deal with Identity Management across third-party and in-house applications.
 It enables your users to work from any location and any device.
 You can give them access to all your applications using just one set of credentials through Single Sign-On.
 You can protect your sensitive data and apps: add extra layers of security to your mission-critical apps using Multifactor Authentication.
 It helps maintain compliance of processes and procedures.
• A typical problem is that permissions are granted based on employees’ needs and tasks, and not revoked when they are no longer necessary, thus creating users with many unnecessary privileges.
11
Identity and Access Management

• The identity and access management (IAM) mechanism encompasses the components and policies necessary to control and track user identities and access privileges for IT resources, environments, and systems.
• IAM mechanisms exist as systems composed of four main components: Authentication, Authorization, User Management and Credential Management.
12
Identity and Access Management

• Authentication: Username and password combinations remain the most common form of user authentication credentials managed by the IAM system.
 It can also support digital signatures, digital certificates, biometric hardware (fingerprint readers), specialized software (such as voice analysis programs), and locking user accounts to registered IP or MAC addresses.
• Authorization: The authorization component defines the correct granularity for access controls and oversees the relationships between identities, access control rights, and IT resource availability.
– Provide granular permissions for admins, developers and operators, with different kinds of roles and access.

13
Identity and Access Management

• User Management: Related to the administrative capabilities of the system.
 The user management program is responsible for creating new user identities and access groups, resetting passwords, defining password policies, and managing privileges.
• Credential Management: The credential management system establishes identities and access control rules for defined user accounts, which mitigates the threat of lacking authorization.
14
Identity and Access Management

• IAM is a primary mechanism for controlling access to data in the cloud, preventing unauthorized use, maintaining user roles, and complying with regulations.
• It eliminates the need for sharing passwords and supports a variety of user profiles.

15
Identity and Access Management

• In fact, it:
 identifies the issue of cloud users needing to manage two separate authentication and authorization schemas: the proprietary one and the one offered by the cloud provider.
 proposes the use of Identity Federation as a potential solution.

16
Identity and Access Management

• The Cloud Security Alliance (CSA) identifies the following major IAM functions:
• Identity Provisioning/de-provisioning: secure and timely management of on-boarding and off-boarding users in the cloud
• Authentication: includes credential management, strong authentication, delegated authentication, and managing trust across all types of cloud services
• Federation: secure exchange of identity attributes between the service provider (SP) and Identity Provider (IdP)
17
Identity and Access Management

• Authorization and user profile management: includes establishing trusted user profile and policy information, and using it to control access within the cloud service.
• Compliance: how Identity Management can enable compliance with internal or regulatory requirements

18
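The slides list provisioning/de-provisioning and compliance as IAM functions and, earlier, name privilege creep (permissions granted for a task and never revoked) and orphaned accounts as the typical failure. The following audit is an added example, not part of the lecture: it cross-checks a cloud account inventory against an HR roster and a per-role permission baseline and reports orphaned accounts, permissions beyond the role baseline, and accounts with no recent login. The roster, baseline and inventory are constructed sample data.

```python
"""Illustrative de-provisioning and privilege-creep audit (added example, not
from the lecture). Cross-checks a cloud account inventory against an HR roster
and a per-role permission baseline. All data below is constructed."""
from datetime import date, timedelta

# Constructed HR roster: who is still employed and in which role.
HR_ROSTER = {
    "alice": {"status": "active", "role": "developer"},
    "bob": {"status": "terminated", "role": "finance"},
    "carol": {"status": "active", "role": "finance"},
}

# Constructed least-privilege baseline: the permissions each role needs.
ROLE_BASELINE = {
    "developer": {"repo.read", "repo.write"},
    "finance": {"billing.read"},
}

# Constructed cloud account inventory (what the IAM system actually holds).
ACCOUNTS = [
    {"user": "alice", "permissions": {"repo.read", "repo.write", "billing.admin"},
     "last_login": date(2021, 3, 1)},
    {"user": "bob", "permissions": {"billing.read"}, "last_login": date(2020, 11, 2)},
    {"user": "carol", "permissions": {"billing.read"}, "last_login": date(2020, 9, 15)},
    {"user": "svc-legacy", "permissions": {"storage.write"}, "last_login": date(2019, 6, 30)},
]

# Constructed "today" so the audit is reproducible.
AUDIT_DATE = date(2021, 3, 10)


def audit_accounts(accounts, roster, baseline, today, stale_days=90):
    """Return a list of (user, finding, detail) tuples.

    orphaned        : account with no active employee behind it -> deprovision
    excess-privilege: permissions beyond the role's baseline -> revoke
    stale           : no login for `stale_days` -> review or disable
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        hr = roster.get(user)
        if hr is None or hr["status"] != "active":
            findings.append((user, "orphaned", "no active HR record"))
            continue  # nothing else matters: the account should not exist
        excess = acct["permissions"] - baseline.get(hr["role"], set())
        if excess:
            findings.append((user, "excess-privilege", sorted(excess)))
        if today - acct["last_login"] > timedelta(days=stale_days):
            findings.append((user, "stale", f"last login {acct['last_login'].isoformat()}"))
    return findings


def summarize(findings):
    """Count findings per type, the figure a compliance report would carry."""
    counts = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_accounts(ACCOUNTS, HR_ROSTER, ROLE_BASELINE, AUDIT_DATE)
    for finding in results:
        print(finding)
    print(summarize(results))
```

In practice the roster comes from the HR system of record and the inventory from the cloud provider's IAM API; the baseline is the part organisations most often lack, and without it "excess privilege" cannot be computed at all.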
Identity and Access Management
Multifactor Authentication

• Multifactor Authentication (MFA) is a method of identifying users by presenting two or more separate authentication stages.
 2-Factor Authentication (2FA) is the most used type of MFA.
• Typically, Multifactor Authentication requires a combination of something the user knows, something the user has, and sometimes something the user is.
 Knowledge factors, such as passwords, PINs, or secret questions.
 Possession factors, such as an access card, phone, or hardware key.
 Inherence factors, which are biometric information, such as the user’s fingerprint, face, or voice.
19
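To make the knowledge-plus-possession combination concrete, here is an added example (not from the lecture) of a two-factor login check: the password is the knowledge factor, and an RFC 6238 time-based one-time code, as generated by an authenticator app or hardware key, is the possession factor. The TOTP secret is the RFC 4226/6238 test-vector secret so the codes can be checked against the RFC tables; the user record, salt and password are constructed.

```python
"""Two-factor login: a knowledge factor (password, PBKDF2-hashed) plus a
possession factor (RFC 6238 TOTP generated by the user's phone or hardware
key). Added example, not from the lecture; standard library only. The TOTP
secret is the RFC 4226/6238 test-vector secret; the user record is constructed."""
import hashlib
import hmac
import struct
import time

TEST_SECRET = b"12345678901234567890"   # RFC 4226 / RFC 6238 test secret
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = Unix time // 30 s."""
    return hotp(secret, at_time // STEP_SECONDS)


def verify_totp(secret: bytes, candidate: str, at_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps to tolerate
    clock skew; compare in constant time so a wrong digit does not leak timing."""
    counter = at_time // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, counter + d), candidate)
               for d in range(-window, window + 1))


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: one user with a hashed password and an enrolled TOTP secret.
_SALT = b"constructed-per-user-salt"
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": _hash_password("correct horse battery staple", _SALT),
        "totp_secret": TEST_SECRET,
    },
}


def login(username: str, password: str, otp: str, at_time=None) -> str:
    """Both factors must pass; the reason is returned for the audit log."""
    at_time = int(time.time()) if at_time is None else at_time
    user = USERS.get(username)
    if user is None:
        return "denied: unknown user"
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"]):
        return "denied: knowledge factor failed"
    if not verify_totp(user["totp_secret"], otp, at_time):
        return "denied: possession factor failed"
    return "granted"


if __name__ == "__main__":
    # At Unix time 59 the RFC 6238 SHA-1 test vector gives 94287082 (6 digits: 287082).
    print(totp(TEST_SECRET, 59))
    print(login("alice", "correct horse battery staple", totp(TEST_SECRET, 59), at_time=59))
```

The one-step tolerance window is the usual trade-off between user clock drift and replay exposure; a production verifier would additionally remember the last accepted counter per user so a code cannot be replayed within its validity window.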
Identity Federation and SSO

• A single enterprise business running in a cloud can provide more than one application to its end-users. All of the application services should authenticate clients before service transactions are executed.
• This means that as the number of applications grows, so does the number of security credentials (login URLs, usernames and passwords).
 Unfortunately, having many security credentials for authentication purposes is undesirable from a security, system coordination and management perspective.
 Propagating the authentication and authorization information across multiple cloud services can be a challenge, especially if numerous cloud services or cloud-based IT resources need to be invoked as part of the same overall runtime activity.

20
Identity Federation and SSO

• As cloud applications are adopted and grow at large scale, providing an SSO service to end-users becomes a major requirement.
• A security context that has been established is persisted while the cloud service consumer accesses other cloud services or cloud-based IT resources, and remains valid for the duration of a session.
 Otherwise, the cloud service consumer would need to re-authenticate itself with every subsequent request.
• The SSO mechanism essentially enables mutually independent cloud services and IT resources to generate and circulate runtime authentication and authorization credentials.
21
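The persisted security context described above can be shown in code. The following is an added example, not from the lecture: an identity provider authenticates the user once and issues a signed, time-limited context; two mutually independent services accept that context without re-authenticating, reject it once the session has expired, and reject any altered copy. As a simplification, an HMAC with a key shared between the IdP and the services stands in for the XML digital signature a SAML assertion carries; the key, issuer URL, user and roles are constructed.

```python
"""Single sign-on security context (added example, not from the lecture).
One authentication at the identity provider yields a signed, time-limited
context that several independent cloud services accept without re-authenticating
the user. Simplification: an HMAC with a key shared between IdP and services
stands in for the XML signature a SAML assertion would carry. All values are
constructed."""
import base64
import hashlib
import hmac
import json

IDP_KEY = b"constructed-idp-signing-key"   # hypothetical shared signing key
ISSUER = "https://idp.example.test"         # hypothetical IdP identifier


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_context(subject: str, attributes: dict, issued_at: int, ttl: int = 600) -> str:
    """IdP side: bind subject, attributes and validity window under a signature."""
    claims = {"iss": ISSUER, "sub": subject, "attrs": attributes,
              "iat": issued_at, "exp": issued_at + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    signature = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(signature)}"


def verify_context(token: str, now: int):
    """Service side: returns (True, claims) or (False, reason). The signature is
    checked before the body is parsed, so untrusted bytes never reach the JSON parser."""
    try:
        body, sig = token.split(".")
        provided = _unb64(sig)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return False, "malformed"
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(provided, expected):
        return False, "bad signature"
    claims = json.loads(_unb64(body))
    if claims.get("iss") != ISSUER:
        return False, "untrusted issuer"
    if now >= claims["exp"]:
        return False, "expired"
    return True, claims


class CloudService:
    """An independent service that trusts the IdP's context instead of running its own login."""

    def __init__(self, name: str, required_role: str):
        self.name, self.required_role = name, required_role

    def handle(self, token: str, now: int) -> str:
        ok, result = verify_context(token, now)
        if not ok:
            return f"{self.name}: re-authentication required ({result})"
        if self.required_role not in result["attrs"].get("roles", []):
            return f"{self.name}: forbidden for {result['sub']}"
        return f"{self.name}: ok for {result['sub']}"


# Two constructed, mutually independent services consuming the same context.
CRM = CloudService("crm", "crm-user")
STORAGE = CloudService("storage", "storage-admin")


if __name__ == "__main__":
    token = issue_context("alice", {"roles": ["crm-user"]}, issued_at=1_000_000)
    print(CRM.handle(token, 1_000_010))      # accepted, no second login
    print(STORAGE.handle(token, 1_000_020))  # authenticated but not authorised
    print(CRM.handle(token, 1_000_600))      # session over: re-authenticate
```

With a real SAML deployment the IdP signs with its private key and each service verifies with the IdP's certificate, so a compromised service cannot mint contexts for the others; the shared-key shortcut here loses that property and is only for illustration.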
Identity Federation and SSO

• Identity federation allows the organization and cloud provider to trust and share digital identities and attributes across both domains, and to provide a means for single sign-on.
• For federation to succeed, identity and access management transactions must be interpreted carefully and protected against attacks.
• Clear separation of the managed identities of the cloud consumer from those of the cloud provider must also be ensured, to protect the consumer’s resources from provider-authenticated entities and vice versa.
22
Identity Federation and SSO

[Figure: identity federation between an enterprise and several cloud providers. The enterprise (employees, business apps/services, internal cloud) runs its own user account provisioning/de-provisioning, authentication, authorization and audit services and holds identity & credentials. Cloud Provider #1 (CRM, office apps, storage service, printing, on-demand CPUs), Cloud Provider #2 (backup, ILM/information service) and further providers (Service 3, ...) each run their own user account provisioning/de-provisioning, authentication, authorization and audit services and hold data & confidential information. Identity & credentials are exchanged between the enterprise and each provider and between providers.]

Source: Marco Casassa Mont, HP Labs Systems Security Lab, Bristol, UK - EEMA e-Identity Conference, 2009
23
IAM Standards for Cloud Computing

Identity and Access Management Reference Architecture for Cloud Computing
24


IAM Standards for Cloud Computing

• A growing number of cloud providers support the SAML standard and use it to administer users and authenticate them before providing access to applications and data.
• SAML provides a means to exchange information between cooperating domains.
• SAML request and response messages are typically mapped over SOAP, which relies on XML for its format.
• SOAP messages are digitally signed.
 In a public cloud, for instance, once a user has established a public key certificate with the service, the private key can be used to sign SOAP requests.
25
IAM Standards for Cloud Computing

• For example, a SAML transaction can convey assertions that a user has been authenticated by an identity provider and also include information about the user’s privileges.
• Upon receipt of the transaction, the service provider then uses the information to grant the user an appropriate level of access, once the identity and credentials supplied for the user are successfully verified.
26
IAM Standards for Cloud Computing

• SAML alone is not sufficient to provide cloud-based identity and access management services.
• The capability to adapt cloud consumer privileges and maintain control over access to resources is also needed.
• As part of identity management, standards like XACML can be used by a cloud provider to control access to cloud resources.
• XACML is capable of controlling the proprietary service interfaces of most providers, and some cloud providers already have it in place.
27
IAM Standards for Cloud Computing

• Authentication: Hi, I prove who I say I am
 Focus: user’s identity and the proof of identity
 Standards: OpenID, OAuth, SAML…
• Authorization: Hi, can I transfer this amount?
 policy-driven
 Standard: XACML

28
IAM Standards for Cloud Computing

“The authorization function determines whether a particular entity is authorized to perform a given activity, typically inherited from authentication when logging on to an application or service.”

29
IAM Standards for Cloud Computing
Authorization is nearly always about

Who?

Identity + role (+ group)


Credits: all icons from the Noun Project | Invisible: Andrew Cameron
30
IAM Standards for Cloud Computing
Authorization is nearly always about

Who? What? When? Where? Why? How?

Credits: all icons from the Noun Project | Invisible: Andrew Cameron, | Box: Martin Karachorov | Wrench: John O'Shea | Clock: Brandon Hopkins
31
IAM Standards for Cloud Computing
XACML

• XACML
 eXtensible Access Control Markup Language
 Standard
 defines an XML-based language for stating policy and forming access control decisions.
 focuses on the mechanism for arriving at authorization decisions

32
IAM Standards for Cloud Computing
XACML

• The basic XACML usage model assumes that when a resource access is attempted, a Policy Enforcement Point (PEP), responsible for protecting access to resources in the cloud, sends a request to a Policy Decision Point (PDP).
• The request contains a description of the attempted access, for evaluation against the available policies and attributes.
• The PDP evaluates this request and returns an authorization decision for the PEP to enforce.
33
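The PEP/PDP exchange above, as an added example that is not from the lecture or from any XACML implementation: a PEP builds an attribute-based request (subject, action, resource, environment), a Policy Information Point adds subject attributes the PEP does not carry, and the PDP evaluates the applicable policies with XACML's deny-overrides combining algorithm, returning Permit, Deny or NotApplicable for the PEP to enforce. Python predicates stand in for XACML's XML policy syntax; the directory, policies and region rule are constructed.

```python
"""XACML-style externalized authorization (added example, not from the lecture
or the XACML spec): a PEP asks a PDP for a decision on an attribute-based
request; a PIP supplies subject attributes; deny-overrides combining. Policies
are plain Python predicates standing in for XACML XML. All data is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
Predicate = Callable[[dict], bool]


@dataclass
class Rule:
    rule_id: str
    effect: str            # PERMIT or DENY when the condition holds
    condition: Predicate   # evaluated against the enriched request


@dataclass
class Policy:
    policy_id: str
    target: Predicate      # does this policy apply to the request at all?
    rules: List[Rule]


def deny_overrides(decisions: List[str]) -> str:
    """XACML deny-overrides: any Deny wins, else any Permit, else NotApplicable."""
    if DENY in decisions:
        return DENY
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE


class PolicyInformationPoint:
    """Looks up subject attributes the PEP does not send (roles, department)."""

    def __init__(self, directory: Dict[str, dict]):
        self._directory = directory

    def enrich(self, request: dict) -> dict:
        attrs = self._directory.get(request["subject"]["id"], {})
        return {**request, "subject": {**request["subject"], **attrs}}


class PolicyDecisionPoint:
    def __init__(self, policies: List[Policy], pip: PolicyInformationPoint):
        self._policies, self._pip = policies, pip

    def evaluate(self, request: dict) -> str:
        request = self._pip.enrich(request)
        policy_results = []
        for policy in self._policies:
            if not policy.target(request):
                continue  # policy out of scope for this request
            rule_results = [r.effect if r.condition(request) else NOT_APPLICABLE
                            for r in policy.rules]
            policy_results.append(deny_overrides(rule_results))
        return deny_overrides(policy_results)


class PolicyEnforcementPoint:
    """Guards a resource: only an explicit Permit lets the call through."""

    def __init__(self, pdp: PolicyDecisionPoint):
        self._pdp = pdp

    def access(self, subject_id: str, action: str, resource: dict, env: dict) -> bool:
        request = {"subject": {"id": subject_id}, "action": action,
                   "resource": resource, "environment": env}
        return self._pdp.evaluate(request) == PERMIT


# Constructed directory (PIP data) and policies.
DIRECTORY = {
    "alice": {"roles": ["storage-admin"]},
    "bob": {"roles": ["finance"]},
}

POLICIES = [
    Policy("storage-policy",
           target=lambda r: r["resource"]["type"] == "storage",
           rules=[
               Rule("admins-may-manage", PERMIT,
                    lambda r: "storage-admin" in r["subject"].get("roles", [])),
               # A Deny rule beats the Permit above under deny-overrides.
               Rule("eu-only", DENY,
                    lambda r: r["environment"].get("region") != "EU"),
           ]),
    Policy("billing-policy",
           target=lambda r: r["resource"]["type"] == "billing",
           rules=[
               Rule("finance-may-read", PERMIT,
                    lambda r: r["action"] == "read"
                    and "finance" in r["subject"].get("roles", [])),
           ]),
]

PDP = PolicyDecisionPoint(POLICIES, PolicyInformationPoint(DIRECTORY))
PEP = PolicyEnforcementPoint(PDP)

if __name__ == "__main__":
    print(PEP.access("alice", "write", {"type": "storage"}, {"region": "EU"}))  # True
    print(PEP.access("alice", "write", {"type": "storage"}, {"region": "US"}))  # False
    print(PEP.access("bob", "write", {"type": "billing"}, {}))                 # False
```

Two points worth noticing: the PEP treats NotApplicable exactly like Deny (no policy covered the request, so nothing is granted), and the policies never mention which application they protect, which is what lets the same PDP serve several services as the lecture's "externalized authorization" requires.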
IAM Standards for Cloud Computing
XACML
Enforce: Policy Enforcement Point
Decide: Policy Decision Point
Support: Policy Information Point, Policy Retrieval Point
Manage: Policy Administration Point

34
Source: Fine-Grained Authorization for Cloud-based Services, David Brossard, Axiomatics
IAM Standards for Cloud Computing
XACML

• Three strategies for externalized authorization in the cloud:
 OP1: tell your provider to adopt XACML
• Let customers push their own XACML policies
» Not many SaaS vendors support XACML today
 OP2: Proxy your cloud connections
• All access to SaaS apps could be made to tunnel through a proxy
 OP3: Policy Provisioning based on XACML
• Loss of dynamic nature
• Convert from XACML to expected SaaS format
• Push via SaaS management APIs
35
IAM Standards for Cloud Computing
XACML (OP1)

1. SaaS Admin delegates rights to manage access control provided to customer A. The rights are restricted to only the applications and resources provided to this particular customer’s users.
2. Customer A’s admin can manage access for their staff on its own by providing XACML policies and attributes through the provider's XACML management API.
3. Customer A users use the SaaS applications (App#1, App#2, App#3) through the functional API.

[Figure: Central IT of Company A on the left; SaaS provider on the right exposing an XACML Mgmt API and a Functional API in front of App#1, App#2 and App#3.]
36
IAM Standards for Cloud Computing
XACML (OP2)

[Figure: all access from the customer to SaaS App #1, SaaS App #2 and SaaS App #3 is tunnelled through a VPN/proxy.]
37
IAM Standards for Cloud Computing
XACML (OP3)

• Convert XACML policies to the native format expected by the SaaS provider.
• Push the resulting authorization constraints / permissions, in the format expected by the SaaS provider, through its native API.
• Customer A users use the SaaS applications (App#1, App#2, App#3) through the functional API.

[Figure: Central IT of Company A on the left; SaaS provider on the right exposing a Native API and a Functional API in front of App#1, App#2 and App#3.]
38
IAM Standards for Cloud Computing
Standard or protocol name | Supporting companies | Open standard | Cloud provider requests
SAML | Oracle, IBM, Novell, Microsoft | YES | Allow customers to delegate authentication and choose authentication methods
XACML | Oracle, IBM, CISCO, Red Hat | YES | Allow authorization that may represent complex policies, required by enterprise-scale applications
OAuth | Google, Twitter, Facebook | YES | Allow users to access their data while protecting their account and credentials information, which is not sent.
OpenID | Google, IBM, Microsoft, Yahoo, Orange, PayPal | YES | Provides SSO for consumers
OATH | VeriSign, SanDisk, Gemalto, Entrust | YES | Unification across three widely used industrial standards.
39
Benefits and Challenges
Benefits today (Tactical):
• Save money and improve operational efficiency
• Improved time to deliver applications and service
• Enhance Security
• Regulatory Compliance and Audit

Benefits to take you forward (Strategic):
• New ways of working
• Improved time to market
• Closer Supplier, Customer, Partner and Employee relationships

40
Source: Identity and Access Management: Overview, Rafal Lukawiecki - Strategic Consultant
Benefits and Challenges

41
Benefits and Challenges

42
Benefits and Challenges

 Propagation of Identity and Personal Information across Multiple Clouds/Services
• Privacy issues (e.g. compliance with multiple legislations, importance of location, etc.)
• Exposure of business-sensitive information (employees’ identities, roles, organizational structures, enterprise apps/services, etc.)
• Security threats (Enterprise -> Cloud & Service Providers, Service Provider -> Service Provider, ...)
• Migration of services between Cloud and Service Providers (management of the data lifecycle)
43
Conclusion

• Identity & Access Management is a security requirement that cannot be overlooked.
• It requires careful planning and a strong understanding of the technologies involved.
• IAM, if correctly implemented, would not only help an organization meet compliance obligations but would also ensure optimum cost benefits of the cloud transition.
44
