The cloud provides scalability and flexibility but also poses security challenges for enterprises with strict requirements. This presentation discusses security needs such as privacy, compliance, authentication, authorization and access controls. Meeting them calls for techniques such as attribute-based access control policies and metadata tagging to enable fine-grained security. Standards-based solutions (SAML, SCIM, XACML) can meet enterprise needs and facilitate secure collaboration while enabling migration of workloads to the cloud.
4. More Security Requirements
Intellectual Property Licensing and Collaboration
  Background and Foreground IP
  Trade Secret Protection
High Security / High Assurance
  NIST SP 800-63 Level of Assurance 3 and 4 authentication
  Fine-grained access controls
  Need-to-know
8. Organizations need to collaborate with business partners
The cloud is a natural place for collaboration
Easy to set up workspaces as needed
Identity management can be a combination of federated identities for those with robust IAM infrastructures and cloud-managed identities for business partners without heavy-duty IAM infrastructures
Protecting intellectual property in collaborative environments can be a challenge
9. Enterprise IAM infrastructure in place
[Diagram: the on-premise Enterprise IAM Infrastructure (LDAP, SSO, SAML, XACML PAP, XACML PDP, XACML PEP, Enterprise Applications) linked to The Cloud (SaaS, PaaS, IaaS: File Repositories, Web Apps, Cloud IAM), with SAML carrying federated authentication and SCIM carrying identity provisioning between the two]
10. Evolution of access controls
[Diagram: over time, IAM solution complexity evolves to meet scalability and granularity requirements, moving from Users to Groups to RBAC to ABAC/PBAC]
12. Policy/Attribute-based access control
XACML for consistent attribute-based access control in both the cloud and on-premise infrastructure
Profiles for privacy, export controls, intellectual property controls, and data loss prevention
Interoperability at the transport layer
Can facilitate the migration to a Mandatory Access Control (MAC) model
13. Fine-grained Authorization
Subject identity is just one variable in the authorization equation
Resources have identities too! Resource attributes must also be evaluated in runtime authorization decisions
[Diagram: the four attribute categories of an authorization request: Subject, Resource, Action, Environment]
14. Fine-grained AuthZ
Two major categories of data necessitate two different approaches:
Unstructured data: standardized metadata tags on data objects
Structured data: policy-based access controls applied via SQL and web application proxies
Backend Attribute Exchange: one domain trusts another to provide authoritative attributes for authenticated users
15. Metadata tagging and AuthZ
[Diagram: a document is created and content analysis attaches metadata (Class: Top Secret); when an application later reads the document, the XACML PEP reads the metadata and passes it to the XACML PDP as resource attributes, the PDP pulls the subject's attributes from LDAP, and the resulting decision is returned to the application]
Document image: United States Air Force, via 718 Bot at en.wikipedia [Public domain], from Wikimedia Commons
http://upload.wikimedia.org/wikipedia/commons/6/62/1948_Top_Secret_USAF_UFO_extraterrestrial_document.png
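The flow on slides 12 through 15, as an added example that is not code from the presentation: a minimal XACML-style policy decision point fed by all four attribute categories. Subject attributes stand in for an LDAP lookup, resource attributes are parsed from a metadata tag line of a constructed format, and the PDP applies deny-overrides combining across an export-control rule, an environment rule and a clearance-plus-need-to-know rule. Every user, tag, rule name and value below is constructed for the example.

```python
"""Added example, not code from the original presentation: a minimal XACML-style
policy decision point (PDP).  A request carries the four attribute categories
from the slides (subject, resource, action, environment); the PDP evaluates a
rule set with deny-overrides combining.  Subject attributes stand in for an
LDAP lookup, resource attributes come from metadata tags read off the document.
Every name, tag and value below is constructed for the example."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

# Ordered classification levels (higher rank = more sensitive).
CLEARANCE_RANK = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


def read_metadata(tag_line: str) -> Dict[str, Any]:
    """Parse 'Key: value; Key: value' metadata (a constructed tag format) into
    resource attributes, normalising the keys the policy relies on."""
    attrs: Dict[str, Any] = {}
    for item in tag_line.split(";"):
        key, _, value = item.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "class":
            attrs["classification"] = value
        elif key == "project":
            attrs["project"] = value
        elif key == "export-controlled":
            attrs["export_controlled"] = value.lower() == "yes"
    return attrs


@dataclass
class Request:
    subject: Dict[str, Any]
    resource: Dict[str, Any]
    action: str
    environment: Dict[str, Any] = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    effect: str                           # "Permit" or "Deny"
    condition: Callable[[Request], bool]


def clearance_dominates(req: Request) -> bool:
    """Subject clearance must be at least the resource classification."""
    return (CLEARANCE_RANK[req.subject["clearance"]]
            >= CLEARANCE_RANK[req.resource["classification"]])


# Policy set: two Deny rules (export control, environment) and one Permit rule
# that needs clearance *and* need-to-know (project membership).
POLICY: List[Rule] = [
    Rule("deny-export-controlled-to-foreign-nationals", "Deny",
         lambda r: bool(r.resource.get("export_controlled"))
         and r.subject.get("country") != "US"),
    Rule("deny-secret-or-above-off-corporate-network", "Deny",
         lambda r: CLEARANCE_RANK[r.resource["classification"]] >= CLEARANCE_RANK["Secret"]
         and r.environment.get("network") != "corporate"),
    Rule("permit-read-with-clearance-and-need-to-know", "Permit",
         lambda r: r.action == "read" and clearance_dominates(r)
         and r.resource.get("project") in r.subject.get("projects", [])),
]


def decide(req: Request, policy: List[Rule] = POLICY) -> str:
    """Deny-overrides combining: any matching Deny wins, then any Permit,
    otherwise NotApplicable (no rule spoke to the request)."""
    effects = {rule.effect for rule in policy if rule.condition(req)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


def pep_allows(req: Request) -> bool:
    """The enforcement point is default-deny: only an explicit Permit passes."""
    return decide(req) == "Permit"


# Constructed sample data: one document tagged by content analysis, two users.
SAMPLE_DOC = read_metadata("Class: Top Secret; Project: bluebook; Export-Controlled: yes")
ALICE = {"uid": "alice", "clearance": "Top Secret", "country": "US", "projects": ["bluebook"]}
BOB = {"uid": "bob", "clearance": "Secret", "country": "US", "projects": ["bluebook"]}
CORP = {"network": "corporate"}

if __name__ == "__main__":
    print(decide(Request(ALICE, SAMPLE_DOC, "read", CORP)))                 # Permit
    print(decide(Request(BOB, SAMPLE_DOC, "read", CORP)))                   # NotApplicable
    print(decide(Request(ALICE, SAMPLE_DOC, "read", {"network": "home"})))  # Deny
```

Note that Bob's request yields NotApplicable rather than Deny: no rule matched, and the PEP treats that as a refusal. Keeping the PEP default-deny is what makes the distinction safe; a PEP that only blocks on an explicit Deny would leak whatever the policy author forgot to cover.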
16. Policy-based SQL and application proxies
[Diagram: LDAP and the XACML PAP feed the XACML PDP; a thick-client app reaches the DB through a SQL/XACML PEP, and a web app reaches its DB behind a WAF/XACML PEP, so that only certain row/column results matching policy and certain application actions matching policy pass through]
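The SQL/XACML PEP of this slide, as an added example that is not code from the presentation: a policy-based proxy that rewrites a SELECT before it reaches the database, masking columns the subject's attributes do not permit and appending a row predicate. The table, rows, subjects and policy are constructed; SQLite stands in for the enterprise database.

```python
"""Added example, not code from the original presentation: a policy-based SQL
proxy of the kind the slide places between an application and its database.
The proxy keeps only the columns the subject's attributes permit (column
masking) and appends a row predicate (row filtering) before the statement is
executed.  Column names are checked against an allow-list because identifiers
cannot be bound as parameters; row values are bound with placeholders.  Table,
rows and subject attributes are constructed."""
import sqlite3
from typing import Any, Dict, List, Tuple

# Column policy: a column is visible only if its predicate over the subject holds.
COLUMN_POLICY = {
    "id":           lambda s: True,
    "partner":      lambda s: True,
    "value":        lambda s: True,
    # Trade secrets: enterprise staff in the IP-cleared group only.
    "trade_secret": lambda s: s["org"] == "enterprise" and "ip-cleared" in s.get("groups", []),
}


def row_predicate(subject: Dict[str, Any]) -> Tuple[str, tuple]:
    """Enterprise users see every row; a business partner sees only its own
    contracts.  Returns a WHERE fragment and its bound parameters."""
    if subject["org"] == "enterprise":
        return "1 = 1", ()
    return "partner = ?", (subject["org"],)


def proxied_select(conn: sqlite3.Connection, subject: Dict[str, Any],
                   requested: List[str]) -> Tuple[List[str], List[tuple]]:
    """Rewrite 'SELECT <requested> FROM contracts' under policy and run it."""
    unknown = [c for c in requested if c not in COLUMN_POLICY]
    if unknown:
        # Never interpolate an identifier that is not on the allow-list.
        raise ValueError(f"unknown column(s): {unknown}")
    allowed = [c for c in requested if COLUMN_POLICY[c](subject)]
    if not allowed:
        raise PermissionError("policy permits none of the requested columns")
    where, params = row_predicate(subject)
    sql = f"SELECT {', '.join(allowed)} FROM contracts WHERE {where} ORDER BY id"
    return allowed, conn.execute(sql, params).fetchall()


def demo_db() -> sqlite3.Connection:
    """In-memory table of constructed contract rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contracts (id INTEGER PRIMARY KEY, partner TEXT, "
                 "value INTEGER, trade_secret TEXT)")
    conn.executemany("INSERT INTO contracts VALUES (?, ?, ?, ?)", [
        (1, "acme", 100, "formula-A"),
        (2, "globex", 250, "formula-B"),
        (3, "acme", 75, "formula-C"),
    ])
    return conn


# Constructed subjects: an enterprise analyst and a user from business partner acme.
ANALYST = {"uid": "carol", "org": "enterprise", "groups": ["ip-cleared"]}
ACME_USER = {"uid": "dave", "org": "acme", "groups": []}

if __name__ == "__main__":
    conn = demo_db()
    print(proxied_select(conn, ANALYST, ["id", "partner", "trade_secret"]))
    print(proxied_select(conn, ACME_USER, ["id", "partner", "trade_secret"]))
```

The two decisions the slide names map onto the two halves of `proxied_select`: column masking is a per-column attribute predicate, row filtering is a predicate appended to the WHERE clause. Because the proxy rewrites the query rather than post-filtering the result set, the database never returns rows the subject is not entitled to, which is also what keeps the approach workable for large tables.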
17. Backend Attribute Exchange
[Diagram: the user authenticates in Domain A (SSO backed by LDAP); the user requests access to a web app resource in Domain B; Domain B's SSO gets the user's attributes from Domain A over SAML; the user receives access in Domain B]
Assumption: Domain B trusts that Domain A is authoritative for specific attributes about users originating from there.
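The exchange described on this slide, as an added example that is not code from the presentation: Domain A issues a signed attribute assertion for a user it authenticated, and Domain B's SSO verifies it and keeps only the attributes Domain A is authoritative for before applying its own policy. An HMAC over canonical JSON stands in for the XML signature of a real SAML assertion and a shared key stands in for Domain A's certificate; the domain names, attributes, authoritative-attribute list and timestamps are constructed.

```python
"""Added example, not code from the original presentation: the backend
attribute exchange reduced to an issuer and a consumer.  Domain A (where the
user authenticated) signs the user's attributes; Domain B's SSO verifies the
assertion and keeps only the attributes Domain A is authoritative for.  The
HMAC stands in for a SAML XML signature and the shared key for Domain A's
certificate; all names, attributes and times below are constructed."""
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Tuple

SHARED_KEY = b"constructed-demo-key-do-not-reuse"

# Domain B's trust configuration: which issuers it trusts and for which
# attributes each is authoritative.  Anything else in an assertion is dropped,
# so Domain A cannot mint Domain B privileges for its users.
AUTHORITATIVE = {
    "sso.domain-a.example": {"employee_id", "clearance", "projects"},
}


def canonical(payload: Dict[str, Any]) -> bytes:
    """Stable serialisation so issuer and consumer sign the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(issuer: str, audience: str, subject: str, attributes: Dict[str, Any],
                    key: bytes = SHARED_KEY, ttl: int = 300, now: int = None) -> Dict[str, Any]:
    """Domain A: sign the user's attributes for one specific relying party."""
    now = int(time.time()) if now is None else now
    payload = {"iss": issuer, "aud": audience, "sub": subject,
               "iat": now, "exp": now + ttl, "attrs": attributes}
    sig = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def consume_assertion(assertion: Dict[str, Any], expected_audience: str,
                      key: bytes = SHARED_KEY, now: int = None) -> Tuple[str, Dict[str, Any]]:
    """Domain B SSO: verify signature, audience, validity window and issuer,
    then filter the attributes down to the issuer's authoritative set."""
    payload = assertion["payload"]
    expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        raise ValueError("signature check failed")
    if payload.get("aud") != expected_audience:
        raise ValueError("assertion not addressed to this domain")
    now = int(time.time()) if now is None else now
    if not payload["iat"] <= now < payload["exp"]:
        raise ValueError("assertion outside its validity window")
    allowed = AUTHORITATIVE.get(payload.get("iss"))
    if allowed is None:
        raise ValueError("issuer not trusted")
    accepted = {k: v for k, v in payload["attrs"].items() if k in allowed}
    return payload["sub"], accepted


def domain_b_grants(attrs: Dict[str, Any], resource_project: str) -> bool:
    """Domain B's own policy, evaluated only over the accepted attributes."""
    return resource_project in attrs.get("projects", [])


def exchange(now: int = 1_700_000_000) -> Tuple[str, Dict[str, Any], bool]:
    """Run the flow end to end with constructed data and return the outcome."""
    assertion = issue_assertion(
        "sso.domain-a.example", "sso.domain-b.example", "alice",
        {"employee_id": "A-1001", "clearance": "Secret",
         "projects": ["bluebook"], "domain_b_admin": True},   # last one is not A's to assert
        now=now)
    sub, attrs = consume_assertion(assertion, "sso.domain-b.example", now=now + 5)
    return sub, attrs, domain_b_grants(attrs, "bluebook")


if __name__ == "__main__":
    print(exchange())
```

The point the slide's assumption line makes is enforced by `AUTHORITATIVE`: trust in Domain A is scoped to named attributes, not to everything it chooses to assert. The audience and validity-window checks are the other two things a consumer must do with any bearer assertion, since a signed assertion that is valid for Domain C, or was captured last week, is still correctly signed.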
18. Mandatory Access Control
Gov't Classification   Commercial Analogs
Unclassified           Public Domain
Confidential           Confidential
Secret                 Competition Sensitive / Restricted
Top Secret             Limited Distribution
Bell-LaPadula (confidentiality): No Read Up, No Write Down
Biba (integrity): No Read Down, No Write Up
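The two models on this slide, as an added example that is not code from the presentation: Bell-LaPadula and Biba checks over the classification table, with the commercial analogs attached. It goes one step beyond the slide by adding need-to-know compartments to the label, which is the usual way dominance is defined for these models and ties in the need-to-know requirement from slide 4; the compartment names are constructed.

```python
"""Added example, not code from the original presentation: Bell-LaPadula
confidentiality and Biba integrity checks over the classification lattice of
the slide's table.  Labels carry a level plus a set of need-to-know
compartments (an extension beyond the slide); compartment names are
constructed.  For Biba the same lattice is reused as integrity levels."""
from dataclasses import dataclass
from typing import FrozenSet

LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}
COMMERCIAL_ANALOG = {
    "Unclassified": "Public Domain",
    "Confidential": "Confidential",
    "Secret": "Competition Sensitive / Restricted",
    "Top Secret": "Limited Distribution",
}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: a higher-or-equal level and a
        superset of the compartments (need-to-know)."""
        return (RANK[self.level] >= RANK[other.level]
                and self.compartments >= other.compartments)


# Bell-LaPadula (confidentiality): no read up, no write down.
def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: the subject must dominate the object."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property: the object must dominate the subject, so nothing flows down."""
    return obj.dominates(subject)


# Biba (integrity): no read down, no write up.
def biba_can_read(subject: Label, obj: Label) -> bool:
    """Read only from equal-or-higher integrity, so low-integrity data cannot taint the subject."""
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """Write only to equal-or-lower integrity, so the subject cannot corrupt higher-integrity data."""
    return subject.dominates(obj)


def commercial(label: Label) -> str:
    """Map a government level to the slide's commercial analog."""
    return COMMERCIAL_ANALOG[label.level]


if __name__ == "__main__":
    analyst = Label("Top Secret", frozenset({"bluebook"}))
    report = Label("Secret")
    print(blp_can_read(analyst, report), blp_can_write(analyst, report))   # True False
    print(commercial(report))                                              # Competition Sensitive / Restricted
```

The compartment check is what turns clearance into need-to-know: a Top Secret subject without the `bluebook` compartment cannot read a Top Secret `bluebook` object even though the levels match. Note that the two models point in opposite directions, which is why a system needs a separate integrity label if it wants both properties at once.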
19. Compliance Monitoring and Risk Management
Standardized authentication and authorization mechanisms for consistent enforcement and reporting
Integration with Security Information and Event Management (SIEM) for real-time alerting
Integration with GRC software
20. Conclusion
Is the cloud ready for enterprise security?
Yes, some providers offer solutions in most areas described above.
Cloud service providers will capture more customers with high security service offerings
Resource identities (attributes) are just as important in access control decisions as subject identities