Identity Management Cloud Computing or: How I stopped worrying and learned to love the Cloud: Part I

PART 1:

I think I see a cloud ahead. How about you? If you’ve been reading the IT blogosphere, CNET or pretty much any IT related news site or magazine these days the go to buzz word is “cloud”. Similar to how companies are going “green” they now all seem to want to go “cloud”. The question we as a company seem to be getting often is how to do IDM in the cloud. This has quite a few advantages and risks at the same time to consider.

The cloud can be private (hosted within an organization’s firewall) or public (hosted on the Internet) or a hybrid thereof. So let’s delve into the clouds shall we?

The Public Cloud

First, let’s talk about exactly what a cloud is and what is the immediate advantage. The cloud is the internet. In other words it is the growth of interconnected networks online that offer you a more reliable, easy to use, high speed, huge capacity and larger storage set of resources all at fraction of the cost. Sounds pretty cool, no? My guess is you already use some of these cloud resources. Yahoo Mail? McAfee Antivirus? Go Daddy? Google Docs? It is much easier to simple sign up for these services than it is host your email, web server or buy a $150 copy of Microsoft Word and install it. The work is done for you and you never have to worry about your router going down. Now a days a third party will do it for you, and do it for cheap. They deal in bulk so the cost to you becomes negligible. It has also changed the paradigm for many of us. We no longer need to be “techies”, IT administrators, engineers or even developers in many cases. We just need to be all mighty consumers.

Now let’s digest this and talk about the disadvantages and risks associated with cloud computing. The services we discussed prior, Yahoo Mail, McAfee, Go Daddy and Google Docs all have terms of service. These terms basic lock you down to whatever rules the hosting company dictates. Take a look at the service statements online that you, um, read before you checked the “I Accept” box. Take Yahoo for example (and Google Mail, MS Live Mail, etc.). Their Terms of Service state they have the right to screen your email and give out your ID and password. They also state they can save your data on their servers out of country (and of course the myriad of copies of said data that implies). They can delete messages as they see fit for any reason (age, size, etc.) or without reason. They can also eliminate your account at any time and you waive any and all liability. Last, but certainly not least, Yahoo reserves the right to use your emails to generate advertising that is more specific to you and your interests.

But wait! There’s more! Let’s talk Go Daddy next. Or better yet Web Hosting companies in general. Have you ever used a hosting service that got bought, changed their business model or simply went out of business? Were you able to easily get your data back? You might have but not everyone has been so lucky. When a company goes bankrupt or the federal agents bust in with a warrant to take the servers you might find yourself on the poop end of stick.

Even those internet driven and updated Anti-Virus tools can get into the mix. McAfee, in April 2010, fired out a routine security update that took out tens of thousands of PCs and servers. Coles, an Australian supermarket chain, said 1,100 checkout terminals crashed because of the McAfee update, so it temporarily closed several stores in that country. An Intel spokesman in California acknowledged the problem at its headquarters was “significant.” Kentucky State Police lost use of their entire IT infrastructure, and hospitals in Rhode Island postponed elective surgeries. Anyone want to guess what the terms of service state about that little “flaw”?

I don’t want to leave out poor old Google though. What happens when your storage of documentation just so happens to get broken into? Think Google security will take of it? Well on April 20th, 2010 Goggle released some of the previously closely guarded secrets about the big hack they took from China. This, folks, is where we delve into what you came here to see, namely how exactly does Identity and Access Management fit into this whole equation? You see, in December 2009, Google’s password system that controls multiple accesses to almost all of its web services was hacked through a harmless message sent to a Google employee in China. The theft began with a message sent to a Google employee in China who was using MS Messenger. By clicking on a link and connecting to a “poisoned” website, the employee inadvertently permitted the intruders to gain access to his computer and then to the computers of a critical group of software developers at Google’s headquarters in California. The program, code named “Gaia” intended to enable multiple access to users and employees, who can sign in with their password just once to operate a range of services was attacked. Yes, Google’s Single Sign-On system opened the door to a hacker having access to pretty much everything they wanted. Cloud computing at its worst I am afraid.

Plain and simple, with a public cloud, the responsibility for application security, identity management and data protection is solely within the purview of the cloud provider. As a result you had better expect your provider to be transparent and the security second to none. Feeling the warm and fuzzies yet?

The Private Cloud

Companies always have the ability to create a private cloud in which they own the system as they have bought it, built it, installed it and manage it. Sounds more secure but it sort of defeats the purpose of cloud computing which primarily is low cost. There is a joint approach or “community” model that suggests sharing a private cloud with another organization. While this might work well for the government or a public sector group I doubt Wal-Mart and Target will be sharing a community cloud anytime soon.

COMING SOON IN PART II

Identity Management in the Cloud and associated advantages vs. issues

• Strong user authentication, Web Single Sign On, and Identity Federation for access control needs
• User provisioning, role management, and identity attestation for user life cycle management
• LDAP directory and virtual directory for identity repositories
• Database security and OS security for locking down access to critical operating environments