Introduction
Identity as a Service (IDaaS) is fundamentally the externalization to and management of identities in the cloud. This definition of IDaaS branches it’s meaning depending on the service being software, platform or infrastructure based for both public and private clouds. Identities can still be managed internally within an organization but externalized through a Service Oriented Architecture (SOA) creating a Platform as a Service (PaaS) layer (either public and/or private) to facilitate an I&AM cloud based solution. Identities can be externalized without having a SOA in place by having those identities managed in a cloud utilizing SaaS Machine images can also be created within an Infrastructure as a Service (IaaS)cloud environment so that pre-configured I&AM instances could be launched and used.
Cloud Security Challenges
The challenges for IDaaS are different not just from the perspective of the SPI (“SaaS, PaaS, IaaS”) but also in how security impacts specific stakeholders utilizing the cloud for an identity management solution. Corporate IT and R&D traditionally both manage users differently (internal to an organization and users within products/services respectively). The challenges of each inherently become different as a result and the challenges with IDaaS have to be applicable to each stakeholder. The challenges that consumers face having their identity serviced in a cloud environment also are very different and bring about issues of reputation that must start being considered (both from vendor & consumer).
Issues and Challenges
SaaS
Corporate IT: When implementing IDaaS essentially outsourced to another provider the privacy of your internal employee information needs to be considered. This implementation is non-federated so the credentials of users and the ability for those users (if comprised) to gain access to internal systems becomes possible. How passwords are stored, personal information protected, and the Software Development Lifecycle (SDLC) of their product all need to be inline to your policy as if they were internalized. Consideration for non-physical access to authenticat now needs to be considered. Consideration also needs to be given for how administrative access is granted and if this over the Internet creating an attack vector.
R&D: Products/Services face different challenges when externalizing I&AM service to software managed by others. Depending on which of the specific parts of the solution being provided is coupled to your solution determines how what security to incorporate into your product development lifecycle.
Consumers: There is of course a need to make sure that the privacy policy of the software you are using is acceptable to you on how they share your personal information but this alone is not enough. Your identity as a consumer in the cloud is becoming a commodity. Identity for consumers is more than just your personal information (i.e. social security number). For consumers identity is now about reputation across feedback for auction items, your social feed & following friends and professional recommendations all have impact to your identity in the cloud.
PaaS
Transactional integrity across multiple SOA operations create audit issues. While providing interoperability an SOA is not transactional across disparate interfaces. Depending on the implementation of the interface it may not have transactions within it accross operations /methods even with a session existing.
IaaS
Here the issues & challenges for Corporate IT and R&D are intrinsic to how and from whom the machine image was made. Open sourced solutions vs specific vendor products on these images also have different issues in trust and assurance (Quality & Vulnerability) to the code you are expecting to be running as service to have an I&AM instance available to launch.
Solutions and Recommendations
Identity as a Service should follow the same best practice that an I&AM implementation does along with added considerations for Privacy, Integrity and Audit ability.
Solution Options
SaaS
Corporate IT has to review the options the cloud provider has to couple their network either through VPN or proprietary gateway device. The reduction of cost using the cloud needs to have the risk mitigated around the privacy considerations with having employee information stored remotely and how the cloud provider (e.g. encryption of data at rest) is managing that data.
R&D teams need to bring into their SDLC the interactions with I&AM providers as part of their threat assessment. The specifics to this can be reviewed in the Application Security domain in regards to vulnerabilities.
Consumers need to review the privacy policies of where they have their information. This however is not sufficient security as your identity (not in your personal information i.e. social security number) is also about now about your reputation. Your use of the cloud systems tie directly back to who you are and this continue as more systems are mapping identities and providing federated interface as such. It is important that information that you have in the cloud is understood that it ties back to you. For information that would affect your reputation should have the level of protection that you feel would equate to what you give out in the real world. It is vital that cloud providers understand this being more about privacy of information (not necessarily about identifying characteristics of an identity but in fact the information related and known to an identity as a person).
PaaS
Stay away from proprietary solutions in how any part of what you have broken out of your traditional I&AM enviornment. It is important to keep to standards for the components of I&AM that you are decoupling within your implementation and followed in practice by the cloud provider and used correctly. If standards are not yet adopted it is not a deterrent but should have more caution than if it has been generally available, adopted and has continued support e.g. XACML for authorization, XDAS for distributed auditing and SPML for provisioning.
IaaS
Images created by others need to have some support & maintenance around it. When open sourced the integrity of an instances has to be reviewed and should have some caution as the build may not be what you expect unless coming from a reputable organization that is willing to support it.
Recommendations
· Use the cloud to bring and remove the redundancy in resources without sacrificing existing practices.
· Keep all existing practices to I&AM in place with additional focus when moving your data off-site and/or decoupling the pillars of the solution into an SOA.
Questions for your Provider and Assessment Checklist
· Please provide any documentation you have outlining the security architecture of this solution covering web services security, authentication, audit trails, user-id timestamps etc .
· Please describe what protocols / options are available for single sign on.
· Please provide security administration manual or security portions of the system administration manual.
· Please describe user account and password controls and options.
· Please describe security reports available from the system. Please provide sample reports.
· Please provide us a copy of your privacy policy.
· What standards do you support?
· Do we have the option to have parts of the cloud private?
Future Outlook
The cloud provides a number of benefits with IDaaS becoming a maturing part of this revolution yet this specific market is still very early in its development. Some organizations, at the time of this writing, have staked their claim to managing identities in the cloud and externalizing the identities through SOA. They often provide both options to clound and non-cloud (traditional) so a viable solution can be put in place that meets your requirements. Cloud providers need to keep offering options between traditional Identity Management and Identity as a Service while bolstering the on ramp towards maturatity and across the chasm.
For consumers the lines between clouds and the reputation of your identity will continue to blur. The time may never come where your auction’s negative feedback affects your ability to get a loan but these are the security issues to understand and continue address.
References
http://blogs.forrester.com/srm/2007/08/two-faces-of-id.html
http://blog.odysen.com/2009/06/security-and-identity-as-service-idaas.html
/*
Joe Stein
http://www.linkedin.com/in/charmalloc
*/