Cloud Security and Access Management Concepts

Cloud computing has become popular ever since the concept was introduced. As more data and applications move to the cloud from traditional systems, it becomes paramount for businesses and their management to secure their data from threats and attacks as they store, process, and access their data in the cloud. Cloud security and access management concepts addressed in this article cover a set of technologies, rules, and regulations that collectively help businesses protect their data and customers’ private information.

Cloud security and access management concepts presented by Identity Management Institute

Brief History of Cloud Computing

Many would think that cloud computing was invented as part of the 21st century technological advancement. However, cloud computing foundation started more than 60 years ago. A computer scientist, J.C.R Licklider, invented a system of interconnected computers in the mid-1960s. This idea assisted Bob Taylor and Larry Roberts to develop the first network that allowed communication in interconnected yet separated and distant computers called ARPANET, Advanced Research Projects Agency Network, also known as the “predecessor of the Internet.”

As time passed and technology advanced, modern cloud computing emerged. For instance, IBM invented the Virtual Machine (VM), an operating system in 1972, and by 1996 cloud computing had become a growing resource for companies, educational institutions, and many more.

Benefits of Cloud Computing

Cloud computing has many advantages that serve businesses and their users. It enables the set up of a virtual office that allows flexible connections to the businesses anytime and anywhere. Some of the benefits of cloud computing include:

1. Flexibility of work activities: Cloud computing provides flexibility to workers in many ways. For example, easy access to data from anywhere: home, outside the country, or on another continent.
2. Security: This is one of the best advantages of cloud computing. It ensures that data files are available and secured in cases of local natural disasters, crisis, or damages to the servers.
3. Saves Cost: Cloud computing typically offers a pay-as-you-use pricing model. There is no excessive upfront capital investment in software or hardware, and there is no need for in-house trained personnel for maintenance.
4. Availability: There is an easy expansion of data storage at little cost, and cloud capabilities can be modified or expanded per requirements of the business.
5. Automation: Hosts can monitor, control, and report usage of cloud computing, which provides transparency in operation.
6. Easy Maintenance: Cloud computing systems are upgraded frequently, and this makes it compatible with newer technology. The servers are also maintained easily, and the probability of disruption is minimized. Businesses are also placed at an advantage over competitors because they receive updates on information and applications quickly.
7. Accessibility: Users can easily and quickly access stored data with the use of an internet connected device such as phones, tablets, laptops, or workstations thus increasing productivity.

There are some disadvantages to cloud computing. For example, accidental third part access, the sharing of sensitive information with third-party cloud computing service providers, and the need for Internet connectivity to conduct business. However, the fact that cloud computing is widely used and accepted cannot be denied.

Types of Cloud Computing

Cloud computing has gained popularity because companies need massive amount of data storage space. Also, small and large businesses can benefit from advanced security and access management that cloud platform providers offer. A cloud environment may offer Private, Federated or Hybrid, and Public options.

Private Cloud

Gartner defines private cloud as “a form of computing that is used by only one organization or ensures that an organization is completely isolated from others.” It is designed to meet an organization’s essential needs. It offers flexibility, security, and many other benefits. It is usually based on a monthly lease.

Public Cloud

A public cloud computing system is scalable and elastic. IT capabilities are provided as a service to external customers using Internet technologies. The benefits of the Public Cloud include improved security systems, additional storage capabilities outside a traditional on-premise storage capabilities, and can save time and money.

Hybrid/Federated Cloud

Hybrid cloud is a computing environment that combines a public cloud and a private cloud by allowing data and applications to be shared between them. According to Gartner, it refers to the “policy-based and coordinated service provisioning, use and management across a mixture of internal and external cloud service.” The hybrid cloud gives businesses the needed agility for competitive advantage.

Models of Cloud Computing

Cloud computing is divided into three primary cloud service models, which are software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS}.

Software as a Service – SaaS

This is one of the widely known models of cloud computing. This is a scenario where applications are hosted and made available for customers on the Internet. Users can access an application on the Internet instead of downloading, updating and running these applications locally.

Benefits of SaaS

Due to its easy accessibility, this model of software has become famous for different business applications. The subscription fee is paid monthly or annually.

One of the benefits of SaaS is that the model runs perfectly on all devices – from computer to mobile devices – and it also supports all major browsers. Furthermore, automatic updates are frequent on the system for SaaS customers.

Thus, they reduce the costs of buying new software releases when they are available. This is greatly beneficial for a company with limited IT staff. Besides, the SaaS platform also reduces the software licensing costs.

However, there are some challenges faced by SaaS customers. The user may face difficulties when moving large files from one software platform to another. This is especially true if the user or IT department decides to replace the SaaS software all together.

Also, SaaS users need connectivity to the Internet to access their files. SaaS applications, when compared to client or server applications, run at a slower speed.

The most suitable use cases of SaaS include:

• Newly established companies that desire to run e-commerce applications quickly
• Short term projects that need quick attention
• Applications like Turbo Tax software that are used during peak seasons

Platform as a Service – PaaS

This is a cloud computing model where a third-party provider handles hardware and software tools needed for application development for users over the Internet, both of which are hosted on its infrastructure.

They can be available through public, private, and hybrid clouds to deliver application hosting, and many of their products are directed towards software development. Payment is on a per-user basis model which eliminates expenses on hardware and software.

Infrastructure as a Service – IaaS

This is a model of cloud computing that presents virtual computing resources over the Internet. Also, it is a form of cloud computing that delivers vital resources to consumers on a pay-as-you-go basis.

Pros
• Saves time: There is lower infrastructure cost, and it is an economical choice for a new business.
• Flexibility: Workers can access and connect to the server for data retrieval quickly.
• Availability: It can run when the server is down with less chance of damage to the infrastructure.

Cons
• Security: Enterprises do not have control over cloud security.
• Accessibility: Technical problems may restrict access to applications and data while relying on a third party for resolution.

Identity and access management newsletter
Subscribe to Identity Management Journal

Cloud Identity Management

Cloud computing is a combination of various computing resources like servers, storage, applications, and services that make the provision of on-demand access to cloud users and customers.

The data stored in the cloud are maintained by Cloud Service Providers (CSP). Thus, Identity and Access Management is an important concern for cloud-based services because many cases of data leakage are due to poor identity and access management.

Identity and Access Management (IAM) is a way of building security and authentication gates into distributed resources since, wide distribution of resources (services, storage, etc.) cannot be avoided, and there is no single software to generally secure all the systems.

Identity and Cloud Access Management SaaS is expanding every day as many are migrating to cloud applications. The latest Identity and Access Management Market Report estimates that the IAM market as of 2019 is worth $18.3 billion.

Standards and Protocols for Identity Management

Physical Security Mechanisms

These include access cards and biometrics that secure access to cloud physical resources.

Chip and PIN

A chip-and-PIN card is a type of credit card that requires card holder to authorize a transaction by introducing the card and entering a personal identification number (PIN). The chip is square shaped which is visible on the card and stores information. The combination of chip and pin cards prevents fraud better than older types of credit cards.

Single Sign-On

SSO is an authentication service that allows the user to access multiple applications using one set of login credentials (e.g. name and password). They can be used by companies to avoid managing usernames and passwords for thousands of users and systems.

It is a Federated Identity Management (FIM) and the use of this system is called Identity Federation. Examples of this service are Kerberos and Security Assertion Markup Language (SAML).

Advantages

• Fewer passwords and usernames for each application
• Reduces complaints to IT about access issues

Disadvantages

• Users are locked out of multiple systems connected to Single Sign-On (SSO) mechanism when they can not access the network
• Unauthorized users can gain access to more than one application once they acces the system

OpenID

This is a decentralized authentication protocol based on OAuth 2.0 family of specifications which allows for user authentication to the resource provider with third party identity vendors. It supports SSO services, and users can easily login to websites that support the use of OpenID authentication. The latest version of OpenID is OpenID Connect (OIDC). It allows authentication for native and mobile applications and gives a link for communication between participants.

Zero Trust

Zero Trust was created in 2010 by John Kindervag, and is based on the belief that organizations need to thoroughly verify and scrutinize any user whether internal or external or anything that wants to gain access to their systems before it is allowed.

Zero Day

Zero day vulnerability management prevents a cyber-attack on the same day a weakness is found in the software. When software issues and updates are detected, reports are sent to companies to patch the software immediately.

LightWeight Directory Access Protocol

LDAP allows users to find data and information about organizations and individuals either on a public or corporate network. It can be used in different applications or services to authenticate users.

Content Security Policy (CSP)

Content Security Policy is a security layer that mitigates certain security risks related to Cross Site Scripting (XSS) and data injection attacks. These types of attacks are used to gain unauthorized access, steal data, insert malware, and deface a website.

Challenge Handshake Authentication Protocol

CHAP is a security protocol used for authenticating a user to access a network entity like any server or Internet Service Provider (ISP).

Authentication Mechanisms

Authentication is an identity validation process of a person or device based on something they have, know, or are such as passwords, hand wave or gesture, voice, etc.

Entitlement

This is a method for allowing or rejecting access to a specific resource based on the authenticated user’s entitlement or rights. The process determines what the user can do once they are inside the system.

Sometimes, these authorization rights are given by third-party vendors and the applications can access certain private information of the business or individual. Authorization in cloud computing is gained by either access control policies or access right delegations.

Mandatory Access Control

MAC is a mechanism used to define the accessibility right of users. It gives access permissions through the operating system and controls the ability of data owners to allow or deny access rights for clients into the file system. Clients have no rights to change these access rights, although, it needs careful planning and frequent monitoring.

Discretionary Access Control

DAC is a control mechanism that controls access permissions through data owners. It provides more flexibility than Mandatory Access Control (MAC). However, Discretionary Access Control is less secure and could be an access threat.

The Requirements of Regulatory Bodies

HIPPA

Health-Insurance Portability and Accountability Act of 1996 or HIPAA, also known as Kennedy-Kassehaun Act, was signed by President Bill Clinton in 1996. It was established to bring in a new flow of healthcare information, and it stipulates how personal information maintained by healthcare should be protected from fraud or theft.
HIPAA states that physicians and healthcare professionals can use mobile devices to access medical data in the cloud, as long as physical and administrative measures are in place to protect confidentiality and availability of medical data on the device used. Also, if a cloud service provider experiences a data security breach, reports must be made to covered entity and business associates.

FedRAMP

Federal Risk and Authorization Management Program is a government establishment that provides a standard approach to security assessment, authorization, and continuous mentoring for cloud products and services. Included in this program are provisions for a cloud system that provides extra security to protect and encrypt government information.

Gramm-Leach-Biley Act

Financial Modernization Act, also known as the Gramm-Leach-Biley Act, is a United States Federal law that expects financial institutions to enumerate how they share and protect their clients’ private information.

Financial institutions must discuss with their clients how they share sensitive data, and the company must also explain the opt-out option for clients when they are not satisfied.

The role of the act is to ensure financial institutions protect the confidentiality and security of their customers’ private information like bank account numbers, addresses, phone numbers, credit income, and history.

GLBA requires financial institutions or CSP holding financial data to:

• Create a written Information Security Plan.
• Design and implement a safeguards program to be monitored and tested regularly.
• Adjust their services according to the pressing challenges and circumstances.

FIPS 200

This is a second standard signed by the Information Technology Management Reform Act of 1996 that enumerates minimum security requirements for federal data and information systems. The act states that federal agencies must meet certain minimum requirements in these seventeen areas:

• Access Control
• Awareness and Training
• Audit and accountability
• Certification, accreditation and Security Assessments
• Configuration Management
• Identification and Authentication
• Incident Response
• Maintenance
• Media Protection
• Physical and Environmental Protection
• Planning
• Personnel Security
• Risk Assessment
• System and Service Acquisition
• Systems and Communication Protection
• System and Information integrity

The Future of Cloud Computing

The era of the 21st century has experienced great technological advancement and cloud computing growth. The future of cloud computing has been a debated topic among many technology scientists and researchers.

By 2045, it is estimated that the world’s population will increase to 9 billion, and cloud computing will provide a digital infrastructure for future cities. Furthermore, elevators, drone taxis, and self-driving cars will be better managed through cloud computing.

The cloud will be a transformative tool for companies, especially small and medium-sized companies. Artificial intelligence and other cloud computing aspects will be part of the services rendered.

The cloud will also help the society adapt to a growing volume of data. There will be an invention and advancement of in-car technology. Thus, people will use driverless cars which will come with sensors and cameras that generate much data. Cloud computing will support emerging technologies like artificial intelligence by assisting them to adapt to new mobile platforms and devices.

Conclusion

Cloud computing will expand to make resources, applications, and data available at anytime and anywhere, regardless of location and distance. Security threats will increase and new cloud security technologies will emerge to protect and secure vast amount of data.

The three models of cloud computing, IaaS, SaaS, PaaS, are essential aspects of cloud computing, and they all have significant contributions to business operations while they offer unique challenges and risks. The features and benefits of cloud computing are inexhaustible: accessibility, cost saving, and simple maintenance.

Cloud security best practices, standards, and protocols include identification, authentication, and authorization controls to limit exposure to threats.

Cloud security and access management concepts and mechanisms include OAuth, OpenID, LightWeight Directory Access Protocol (LDAP), Zero Trust, Zero Day, and Content Security Policy (CSP). Although various regulations provide guidance for data protection, they also pose a risk to organizations that fail to comply and may be liable to regulators and consumers for security incidents.

Identity and access management certifications

The future for cloud computing is exciting which will bring a new area of technological advancement. The need to formulate robust cloud security policies and solutions that can eradicate hacking threats and access to data without permission is important. It is time to prepare for the advanced technological endeavors that will propel humanity to a digital and robotic future.