Part 5/Secure Federated Identity Management: Enable 5 Key Security Processes to Protect a Converged Cloud
By Jan DeClercq
The final key security process for protecting a converged cloud environment is secure federated identity and access management. It is a major enabler for secure interactions between internal cloud platforms, users, administrators, applications and cloud providers in a converged cloud environment.
Secure federated identity and access management incorporates the following identity and access management disciplines or sub-functions:
- Identity repositories (directories)
- Access management (authentication, authorization, and auditing, including logging and activity monitoring)
- Identity provisioning
- Single sign-on
- Self-service (password management and identity attribute management)
- Identity federation
- Workflow for identity-related approval and activation and de-activation processes
- Dashboard for tracking identity-related events, issues, and problems
- Identity governance for establishing and managing identity-related processes, policies, and procedures
Identity federation is a particularly important area of identity and access management in a converged cloud. Identity federation allows for the secure and transparent exchange of identity attributes between identity providers (the organization) and service providers (cloud service providers). It also enables important services in a converged cloud environment, such as single sign-on.
Federated identity and access management in a converged cloud deals with the following entities:
- Identity provider (organization): stores and maintains identities and attributes (e.g., using the corporate directory).
- Authentication/authorization service (organization): authenticates and authorizes accounts, creates secure tokens (assertions) that vouch for one or more identity attributes, and acts as a Secure Token Service (STS).
- Federation service: creates and maintains federation trust relationships and assures identity attribute mapping.
- Service provider: provides services and controls access to them.
Federated identity and access management in a converged cloud also includes automated user provisioning to create shadow identities. This includes the replication of changes made by the identity provider to the service providers. Equally important in federated identity and access management is the logging and auditing of service requests received by the cloud service provider. This allows the cloud service provider to make more intelligent security decisions and achieve better compliance reporting.
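As an added illustration (not part of the original article and not HP's code), the Python below walks those entities through one exchange: the identity provider's STS issues a signed assertion vouching for attributes, the federation service maps attribute names onto the service provider's schema, and the service provider verifies signature, issuer trust, audience and expiry, provisions or updates a shadow identity, and logs every request for auditing. It assumes a shared HMAC key as a stand-in for the X.509-signed SAML or OIDC tokens a real federation uses.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret standing in for the federation trust (assumption:
# a real deployment relies on X.509-signed SAML/OIDC tokens, not an HMAC key).
FEDERATION_KEY = b"constructed-demo-key"

def issue_assertion(key, issuer, subject, audience, attributes, now, ttl=300):
    """Identity provider / STS: vouch for identity attributes in a signed token."""
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl, "attrs": attributes}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + sig

# Federation service: map the IdP's attribute names onto the SP's schema.
ATTRIBUTE_MAP = {"mail": "email", "memberOf": "roles"}

def map_attributes(attrs):
    return {ATTRIBUTE_MAP.get(k, k): v for k, v in attrs.items()}

class ServiceProvider:
    def __init__(self, name, key, trusted_issuers):
        self.name, self.key = name, key
        self.trusted_issuers = set(trusted_issuers)
        self.shadow_identities = {}   # target of automated provisioning
        self.audit_log = []           # every request, accepted or rejected

    def handle_request(self, token, now):
        body, _, sig = token.rpartition(".")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return self._log("REJECT bad signature", None)
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["iss"] not in self.trusted_issuers:
            return self._log("REJECT untrusted issuer", claims["sub"])
        if claims["aud"] != self.name or claims["exp"] <= now:
            return self._log("REJECT wrong audience or expired", claims["sub"])
        # Replicate the IdP's view of the user into a shadow identity.
        self.shadow_identities[claims["sub"]] = map_attributes(claims["attrs"])
        return self._log("ACCEPT", claims["sub"])

    def _log(self, outcome, subject):
        self.audit_log.append({"sp": self.name, "subject": subject, "outcome": outcome})
        return outcome.startswith("ACCEPT")
```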
Secure Federated Identity and Access Management
Taken together, these five key security processes—secure virtual machine lifecycle management, secure service aggregation and cloud bursting, secure data lifecycle management, secure universal remote access and secure federated identity and access management—can help mitigate important risks associated with converged cloud environments.
Remember that this is not an exhaustive list of the security processes that are needed to securely operate and maintain a converged cloud environment. I selected these five processes because organizations do not always pay the same level of attention to them as they do to other classical security management processes such as patch, change, incident and compliance management.
This is the sixth and final article in the series "Enable 5 Key Security Processes to Protect a Converged Cloud". To read the rest of the articles in the "Cloud Protection" series, go to these links:
- NEW Cloud Security Series: Enable 5 Key Security Processes to Protect a Converged Cloud (link)
- Part 1/VM Image Lifecycle: Enable 5 Key Security Processes to Protect a Converged Cloud (link)
- Part 2/Service Aggregation and Cloud Bursting: Enable 5 Key Security Processes to Protect a Converged Cloud (link)
- Part 3/Secure Virtual Machine Lifecycle Management: Enable 5 Key Security Processes to Protect a Converged Cloud (link)
- Part 4/Secure Universal Remote Access: Enable 5 Key Security Processes to Protect a Converged Cloud (link)
- Read this white paper to learn more about handling security risks in the cloud: "5 Cloud Security Concerns You Must Address"
- See what's happening around cloud computing at HP Discover 2012
- Learn more about HP's Cloud Protection Services
- Find out more about other HP Cloud Consulting Services
- Listen to Jan's podcast about cloud security, identity and access management, mobility security, and security for Microsoft platforms and solutions: podcast.
- Read this CSA white paper to learn more about secure data lifecycle management: "CSA Security Guidance for Critical Areas in Cloud Computing"
Jan De Clercq is a solution architect with HP's worldwide HP Technology Consulting IT assurance portfolio team. He focuses on cloud security, identity and access management, mobility security, and security for Microsoft platforms and solutions.