Wednesday 29 September 2010

Future of Identity – what would survive, Cathedral or Bazaar?

Cloud computing has been at the top of the ‘to-read’ list for most CXOs for a while now. As a hot topic it has had much media and analyst attention (read ‘hype’), with warranted and justified focus on clouds as a business enabler. Indeed, it is recognised as a possible paradigm shifter in the computing world, introducing a level of flexibility and responsiveness previously unachievable to all but those with the deepest pockets and technical skills. However, security concerns (and specifically Identity Management in this context) are often rightly cited by the more prudent and regulated entities as a key blocker to adoption because, bizarrely, very little has been done to extend control frameworks into the cloud. A quick Google for ‘identity management in the clouds’ will confirm this. To understand this, and to demonstrate that it need not be the case, requires a quick walk through how we got to today. The models one could expect include a “Cathedral model”, where there is one more centralised identity provider, and a “Bazaar model”, where there is a federation of identity providers. It remains to be seen which of these will become the prevalent model on the cloud.

The growth of clouds, social media and enterprise 2.0 has changed the paradigm around security. The earlier paradigm was to create boundaries around the resources that needed protection, an adaptation of the protection paradigm of the real world. In the real or physical world it is very much the norm to create physical barriers, and thus protect valuables from entities who do not have the authority to access them. The historical castles found around the globe show that this was a valid global practice, very prevalent in the past, that survived unchallenged for a very long time.

Like all things in life, nothing is constant except change. The challenge to fortifications came with the invention of gunpowder, and it grew worse over time. Air superiority has now changed this again: anything static stands very little chance against laser-guided bunker-busting munitions; Saddam’s bunkers in the latest Iraq war serve as an example. The new concept of defence is built more around stealth: reducing your attack surface, reducing your visibility, and mobility. The world has moved on from regular conventional warfare towards unconventional warfare. The world of media in the virtual world moved in a similar direction, from content provided by content providers to user-generated content.

Social media and enterprise 2.0 have produced a similar paradigm shift in terms of “perimeterisation”. The challenge now is to provide security while removing walls and barriers. The concept is generally called de-perimeterisation, and it has a wide following. The paradigm shift in access control described above has had some impact on how identity is verified. As with all things, the life of most things virtual starts from things in the real world. The concept of identity, though philosophical, can be seen throughout history, and various methods were employed to verify it. In general these were based on something that you are, something you own or something you know. When society was in its early stages this seemed a very good idea and served its purpose: anyone from the village could verify any other person from the village using these well-proven methods. As nation states evolved it became harder for one person to know everyone else, and hence specialisation occurred. The same pattern was followed in security. In the initial phases security was considered a part of the application; then, as applications grew or multiple applications were brought together (read SOA etc.), this moved towards specialisation and security was made a service.

As nations moved along, the concept of passports evolved; this was only possible thanks to the innovations that went before it, such as paper and printing. The creation of passports assumes an underlying framework, a framework of international legal agreements, which took a long while to develop in the real world.

In the virtual world this came about much faster, an effect of the third revolution: time is being compressed. In general passports needed well-known formats and languages, which over time have reduced to a few, depending on which colonial power had ruled the country. There was also the question of tampering with passports that needed to be addressed; new technologies have come out, fraudsters try to overcome them, and the proverbial cat-and-mouse game continues. In the virtual world this was made easier by an invention in the late 70s by three people by the names of Rivest, Shamir and Adleman, which they called RSA. The concept was called public key cryptography. It allowed people to share or verify keys without ever having to meet the entity directly. Validation of documents sent across the virtual world was done using public key cryptography.

The question of language still lingered on; finally the folks in the virtual world decided to use SAML. It allowed passports to be created virtually, this time called “assertions”. In real terms a passport is an “assertion” stating a person’s identity, created by the issuer of the passport, which is generally a government.

This created the possibility of federated authentication. When users want to consume a resource, they present the “assertion” that is valid for the resource provider, assuming that the resource provider has an existing agreement with the identity provider, similar to the case of travel. A traveller at the point of entry to a country presents a “passport”, assuming there is an existing agreement between the two governments in question: the “issuer”, who issues the passport, and the “resource provider”, the government of the country the traveller intends to visit.
The various protocols prevalent in the federated world include SAML 1.0, WS-Fed and Liberty Alliance. The key gains with this approach were:
1. Enhances current/new business relationships via dynamic trust
2. Reduces the administrative overhead of managing user identities
3. Improves user experience by delivering transparent access to partner applications.
In this model the external parties participating must be trusted to:
1. Vet identities before issuing credentials
2. Properly handle authentication of those identities
3. Provide identity and role information at time of access
4. Maintain the integrity of identity information throughout their system
5. Revoke identities properly
6. Provide input to building trust

In many ways the case of the passport remains a very useful one. The issuing government acts as the registration authority, the one who validates the user and makes sure he or she is who he or she claims to be. So in the real world the issuing government acts as both the IdP (Identity Provider) and the RA (Registration Authority).
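The passport exchange described above, carried through in code as an added example that is not part of the original post: an identity provider issues a signed assertion, and a service provider checks it against its own trust registry before granting access. The checks in verify_assertion follow the list of obligations placed on federation partners (a trusted, vetted issuer; an intact signature; the right audience; not expired; the subject not revoked). The RSA arithmetic uses tiny constructed primes so that the block runs on the Python standard library alone; a real deployment uses a proper cryptographic library with 2048-bit or larger keys. The issuer names (gov-a, gov-b, rogue-idp), the service-provider name and the user names are constructed for the example.

```python
"""Minimal federated-authentication exchange: an IdP issues a signed assertion,
an SP verifies it against a trust registry.  Toy RSA over small primes is used
ONLY so this runs with the standard library; it offers no real security."""
import hashlib
import json


def toy_rsa_keypair(p, q, e=65537):
    """Textbook RSA key pair from two small primes (constructed, not for real use).
    Returns ((n, e), (n, d)) -- public key, private key."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+
    return (n, e), (n, d)


def canonical(claims):
    """Stable byte encoding of the claims so signer and verifier hash the same thing."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def _digest(payload, n):
    """SHA-256 of the payload reduced into the modulus range (toy padding)."""
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % n


def issue_assertion(issuer, private_key, subject, audience, roles, now, ttl=300):
    """IdP side: the virtual 'passport' -- identity and role claims plus the
    issuer's signature over them.  'aud' names the SP the assertion is for."""
    n, d = private_key
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "roles": roles, "iat": now, "exp": now + ttl}
    sig = pow(_digest(canonical(claims), n), d, n)
    return {"claims": claims, "sig": sig}


def verify_assertion(assertion, trust_registry, revoked, audience, now):
    """SP side.  Returns (accepted, reason).  The SP only accepts issuers it has
    an agreement with (trust_registry), checks the signature, that the passport
    was issued for *this* SP, that it is still valid, and that the IdP has not
    revoked the subject."""
    claims, sig = assertion["claims"], assertion["sig"]
    pub = trust_registry.get(claims.get("iss"))
    if pub is None:
        return False, "untrusted issuer"
    n, e = pub
    if pow(sig, e, n) != _digest(canonical(claims), n):
        return False, "bad signature"
    if claims.get("aud") != audience:
        return False, "wrong audience"
    if now >= claims.get("exp", 0):
        return False, "expired"
    if (claims["iss"], claims["sub"]) in revoked:
        return False, "revoked"
    return True, "ok"


def demo():
    """Constructed scenario: an SP that trusts two IdPs, plus one rogue IdP."""
    now = 1_700_000_000              # fixed clock so the outcome is repeatable
    sp = "sp.example"                # constructed service-provider name
    gov_a_pub, gov_a_priv = toy_rsa_keypair(1000003, 1000033)
    gov_b_pub, gov_b_priv = toy_rsa_keypair(1000037, 1000039)
    _rogue_pub, rogue_priv = toy_rsa_keypair(999983, 1000003)
    registry = {"gov-a": gov_a_pub, "gov-b": gov_b_pub}   # rogue-idp deliberately absent
    revoked = {("gov-b", "mallory")}                      # revocation published by gov-b

    good = issue_assertion("gov-a", gov_a_priv, "alice", sp, ["reader"], now)
    # Attempt to escalate roles after signing: the signature no longer matches.
    tampered = {"claims": dict(good["claims"], roles=["admin"]), "sig": good["sig"]}
    rogue = issue_assertion("rogue-idp", rogue_priv, "alice", sp, ["admin"], now)
    other_sp = issue_assertion("gov-a", gov_a_priv, "alice", "other.example", ["reader"], now)
    stale = issue_assertion("gov-b", gov_b_priv, "bob", sp, ["reader"], now - 600)
    revoked_user = issue_assertion("gov-b", gov_b_priv, "mallory", sp, ["reader"], now)

    return {
        "valid": verify_assertion(good, registry, revoked, sp, now),
        "tampered": verify_assertion(tampered, registry, revoked, sp, now),
        "unknown_issuer": verify_assertion(rogue, registry, revoked, sp, now),
        "wrong_audience": verify_assertion(other_sp, registry, revoked, sp, now),
        "expired": verify_assertion(stale, registry, revoked, sp, now),
        "revoked": verify_assertion(revoked_user, registry, revoked, sp, now),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15s} -> {outcome}")
```

A trust registry with a single entry is the Cathedral model; the two-issuer registry in demo() is the Bazaar model, where each SP decides for itself which issuers it will accept and at what risk. Note that the SP never needs to meet the IdP or hold its private key, which is the property public key cryptography brought to the virtual passport.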


Clouds are in many ways an interesting evolution of the computing paradigm, and in some ways mirror the real world. Federation in clouds would allow users to move across multiple applications or multiple clouds. The other key security challenge in clouds is access control; it is more akin to having your own space while in a public space.

The Cathedral model on the cloud is represented by an IdP with a very large number of users, allowing other application providers to act as SPs (service providers). One such provider is Facebook: with over 400 million users, the ability to act as a global identity provider would be a good driver for adoption. The downside of this approach is that of putting all the eggs in one basket, and the question of the strength of that basket, given that 100 million users’ identity details were revealed by a white hat.

The Bazaar model could be represented by OpenID. Here there would be a number of identity providers offering this service to all service providers who are willing to accept the users at their own risk. The upside is that this represents the successful model found on the cloud, the model of open source. Here community trust would be good enough for providing various services, and this might extend to authentication as well. Not all data is worth the same; some is worth more than the rest. Data requiring low levels of sensitivity lends itself very well to cloud computing. The key challenges in cloud computing include missing support for existing standards, and then there is the issue of missing standards. The future of security in clouds might depend on “de-perimeterisation” of the management of authentication and authorisation, as well as externalised/de-perimeterised auditing.