By adopting cloud-based security services, or security as a service (SECaaS), organizations can streamline operations and take advantage of more flexible services that would otherwise be harder to operate locally, or for which the required staff would be lacking.
One of the most popular SECaaS applications is Identity and Access Management (IAM). This service can be hosted entirely on a cloud platform, or it can work in combination with internal systems, following a hybrid model.
Identity management (the ability to create, modify, and delete an identity) and access management (authorizing an identity to reach only the appropriate resources) are essential in today's environments. Being able to define roles with the appropriate access to resources, while keeping security in mind, is of utmost importance for an organization using cloud services.
Adoption of cloud-based IAM is progressing, and it is likely that many more organizations will move it into the cloud in the future, if they have not already begun.
Before switching to IAM in Cloud mode
There are a few things to consider when deciding which IAM service to implement.
Before you even begin discussing IAM in cloud mode, you need to understand how the system provisions and deprovisions user accounts. For a cloud service, this also means that the organization must have a secure way to maintain the directory services from which users will be managed.
The entire user account management lifecycle will now involve the cloud, which will determine whether the identity in question receives the requested access. These cloud-based IAM systems will also be responsible for provisioning the policies against which accounts are evaluated when they attempt to access a resource. What was normally done internally will now be built in the cloud, and the same level of directory security must be maintained.
User accounts must live in a directory, and the location of this directory is very important. Often there is a combined, or hybrid, implementation of services, where an LDAP directory is used to store unique identities but authentication is delegated to a cloud-based service. These user repositories can also be moved to the cloud entirely. A good IAM service offers options to include multi-factor authentication in the user account authentication procedure.
For authentication against a cloud-based IAM, it is strongly recommended that you use two-factor authentication, or even adjust the authentication requirements based on risk.
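The risk-adjusted authentication just described can be made concrete with a small decision function. The following is an added example, not code from the original article or from any IAM product: the signals (known device, country, recent failures, privileged role), the weights and the thresholds are all assumptions chosen for illustration, and a real service would feed them from its own device and session records.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginContext:
    """Signals the IAM service sees for one authentication attempt.
    All fields are constructed for this example."""
    user: str
    known_device: bool            # device previously enrolled for this user
    country: str                  # geolocation of the source address
    home_country: str             # country the account normally logs in from
    failed_attempts_last_hour: int
    privileged: bool              # account holds an administrative role


def risk_score(ctx: LoginContext) -> int:
    """Additive risk score; the weights are assumptions for illustration."""
    score = 0
    if not ctx.known_device:
        score += 3
    if ctx.country != ctx.home_country:
        score += 3
    if ctx.failed_attempts_last_hour >= 3:
        score += 2
    if ctx.privileged:
        score += 2
    return score


def required_factors(ctx: LoginContext) -> str:
    """Map the attempt onto an authentication requirement.

    Returns "PASSWORD" (single factor is enough), "MFA" (second factor
    required) or "DENY" (too many recent failures, lock the attempt out).
    """
    if ctx.failed_attempts_last_hour >= 10:
        return "DENY"
    if ctx.privileged:
        # Privileged accounts always get a second factor, whatever the score.
        return "MFA"
    if risk_score(ctx) >= 3:
        return "MFA"
    return "PASSWORD"


if __name__ == "__main__":
    routine = LoginContext("alice", True, "FR", "FR", 0, False)
    abroad = LoginContext("alice", False, "BR", "FR", 0, False)
    print(required_factors(routine), required_factors(abroad))
```

Every branch returns a requirement rather than a boolean, so the same function can drive both the login flow and the audit record of why a second factor was demanded.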
IAM Policies in Cloud Mode
Creating policies within an identity and access management system to authorize an account or service is the focal point of IAM. A Policy Decision Point (PDP) evaluates these rules and determines whether an entity or identity is authorized to have a specific request satisfied.
Normally, a Policy Enforcement Point (PEP) serves as a gateway for these requests and sends the request's attributes to the PDP, which determines whether the appropriate permissions exist to satisfy it. The PEP software can be an agent in a web server or integrated directly into the LDAP directory. The main point to understand is that the PEP applies the policy that the PDP has defined, and it does so only for the requests it has been configured to intercept.
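The PDP/PEP split above can be shown end to end in a few dozen lines. This is an added example and not code from the article or from any particular IAM product: the attribute names, the three rules, the deny-overrides combining order and the list of protected resource prefixes are assumptions for illustration. The PEP here only consults the PDP for resources under a prefix it was configured to protect, which is the page's point that the PEP intervenes according to the rules it was configured with; anything outside that list is served without a decision, so in a real deployment the list must cover every resource that needs protection.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """Attributes the PEP extracts from an incoming request (constructed fields)."""
    subject: str
    roles: frozenset
    action: str         # "read" or "write"
    resource: str       # path-like name, e.g. "hr/payroll"
    mfa_verified: bool  # session completed a second factor


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str         # "permit" or "deny"
    condition: Callable[[AccessRequest], bool]


class PolicyDecisionPoint:
    """Holds the rules and answers permit/deny for a set of attributes."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def decide(self, req: AccessRequest) -> Tuple[str, List[str]]:
        matched = [r for r in self.rules if r.condition(req)]
        denies = [r.name for r in matched if r.effect == "deny"]
        permits = [r.name for r in matched if r.effect == "permit"]
        # Deny-overrides combining: one matching deny beats any number of
        # permits, and a request matching nothing falls through to default deny.
        if denies:
            return "deny", denies
        if permits:
            return "permit", permits
        return "deny", ["default-deny"]


class PolicyEnforcementPoint:
    """Gateway in front of the resources. Intervenes only on the prefixes it was
    configured to protect, asks the PDP, enforces the answer and records it."""

    def __init__(self, pdp: PolicyDecisionPoint, protected_prefixes: List[str]):
        self.pdp = pdp
        self.protected_prefixes = list(protected_prefixes)
        self.audit: List[Tuple[str, str, str, str, List[str]]] = []

    def handle(self, req: AccessRequest) -> bool:
        if not any(req.resource.startswith(p) for p in self.protected_prefixes):
            # Not under the PEP's control: served without a policy decision.
            self.audit.append((req.subject, req.action, req.resource, "bypass", ["unprotected"]))
            return True
        decision, reasons = self.pdp.decide(req)
        self.audit.append((req.subject, req.action, req.resource, decision, reasons))
        return decision == "permit"


# Constructed rule set: HR staff read HR data, admins write, any write needs MFA.
RULES = [
    Rule("hr-read-hr-data", "permit",
         lambda r: "hr" in r.roles and r.action == "read" and r.resource.startswith("hr/")),
    Rule("admin-write", "permit",
         lambda r: "admin" in r.roles and r.action == "write"),
    Rule("write-requires-mfa", "deny",
         lambda r: r.action == "write" and not r.mfa_verified),
]


def build_pep() -> PolicyEnforcementPoint:
    return PolicyEnforcementPoint(PolicyDecisionPoint(RULES), ["hr/", "admin/"])


if __name__ == "__main__":
    pep = build_pep()
    print(pep.handle(AccessRequest("alice", frozenset({"hr"}), "read", "hr/payroll", False)))
    print(pep.handle(AccessRequest("bob", frozenset({"admin"}), "write", "admin/users", False)))
    for entry in pep.audit:
        print(entry)
```

The audit list the PEP keeps is the raw material for the reporting the article turns to next: every decision carries the rule names that produced it, so a denied request can be traced back to the policy rather than guessed at.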
Reporting always plays an important role in IAM, whether the implementation is on premises or in the cloud. Reports on access failures, user account audits, and how accounts are provisioned and deprovisioned should be reviewed during implementation. Understanding all changes to user accounts, and whether there is unusual access, will help resolve operational issues. In addition, any regulated industry requires showing that logging and reporting are enabled and handled properly.
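The three reports named above (access failures, provisioning and deprovisioning, unusual access) can be produced from one pass over an IAM audit trail. The following is an added example, not the article's or any vendor's code: the log format, the sample lines and the business-hours window are all constructed for illustration. One check worth noting is the successful login after a DEPROVISION event, which is exactly the lifecycle gap the article warns about and the kind of finding a regulator would expect a report to surface.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List

# Constructed sample of an IAM service's audit trail; not real log data.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z PROVISION user=alice by=hr-sync
2024-03-01T09:15:40Z AUTH user=alice result=success ip=10.0.0.5
2024-03-01T09:16:02Z AUTH user=bob result=failure ip=203.0.113.7
2024-03-01T09:16:09Z AUTH user=bob result=failure ip=203.0.113.7
2024-03-01T09:16:15Z AUTH user=bob result=failure ip=203.0.113.7
2024-03-01T23:48:30Z AUTH user=alice result=success ip=198.51.100.9
2024-03-02T10:00:00Z DEPROVISION user=bob by=hr-sync
2024-03-02T10:05:12Z AUTH user=bob result=success ip=10.0.0.8
2024-03-02T11:30:00Z PROVISION user=carol by=admin-console
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>[A-Z]+) (?P<rest>.*)$")

# Constructed business window (UTC): successes outside it are flagged.
OFF_HOURS_START, OFF_HOURS_END = 20, 7


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn 'timestamp EVENT k=v k=v' lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"ts": m.group("ts"), "event": m.group("event")}
        for kv in m.group("rest").split():
            key, _, value = kv.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def build_report(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Single pass producing the failure, lifecycle and unusual-access reports."""
    failures: Counter = Counter()
    provisioned = set()
    deprovisioned_at: Dict[str, datetime] = {}
    after_deprov: List[str] = []
    off_hours: List[str] = []

    for ev in events:
        user = ev.get("user", "?")
        when = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if ev["event"] == "PROVISION":
            provisioned.add(user)
            deprovisioned_at.pop(user, None)   # re-provisioned accounts are live again
        elif ev["event"] == "DEPROVISION":
            provisioned.discard(user)
            deprovisioned_at[user] = when
        elif ev["event"] == "AUTH":
            if ev.get("result") == "failure":
                failures[user] += 1
                continue
            # A success for an account that should no longer exist.
            if user in deprovisioned_at and when > deprovisioned_at[user]:
                after_deprov.append(f"{user}@{ev['ts']}")
            if when.hour >= OFF_HOURS_START or when.hour < OFF_HOURS_END:
                off_hours.append(f"{user}@{ev['ts']}")

    return {
        "failures_per_user": dict(failures),
        "access_after_deprovision": after_deprov,
        "off_hours_success": off_hours,
        "active_accounts": sorted(provisioned),
    }


if __name__ == "__main__":
    for name, value in build_report(parse_log(SAMPLE_LOG)).items():
        print(f"{name}: {value}")
```

Each section of the returned report maps to one of the review items in the paragraph above, so the same function can be run at implementation time and again on a schedule once the service is live.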
When looking for a cloud-based IAM service, it's a good idea to look at how the service should be implemented in terms of architecture, and to validate that the provider is using standard protocols. It is also relevant to favor providers that use protocols such as Security Assertion Markup Language (SAML) to exchange authentication and authorization data; SCIM (System for Cross-domain Identity Management) to exchange user identities between systems; and OAuth (Open Authorization) and OpenID as additional methods to facilitate authentication and authorization. If a provider does not use the latest protocols, or does not use standardized protocols, this is a sign to look elsewhere.
When systems follow standards such as the protocols mentioned above, dependence on the provider is limited. If a provider does not support standard protocols, or the user directory is stored in the cloud in a form from which identities cannot be migrated, the customer will be locked in to that provider.