A cloud-based environment offers quick and cost-effective access to technology. Accessing that technology through a browser brings agility to enterprises and improved satisfaction to end users while lowering overall costs. By outsourcing technology to a service provider, including the infrastructure itself, business clients can realize a valuable return on investment.
Cloud Providers and Security Risk
However, once the client hands over the infrastructure, managing security risk becomes a joint effort between the client and the cloud provider (a shared-responsibility model). To mitigate that risk, cloud providers must deploy identity and access management solutions.
Who each user is and what that user can do in the cloud environment must be both enforced and monitored diligently. A public cloud that offers on-demand services to a wide population of users must treat the relevant compliance mandates with the utmost seriousness so that access control is not compromised, or it risks losing business through bad publicity and loss of trust.
Furthermore, public cloud providers bear significant responsibility for ensuring that their multi-tenant platforms do not inadvertently expose one customer's data to another as a result of social engineering attacks or programming mistakes, such as a missing tenant check in application code.
Identity Management to Help Manage Risk
Identity management capabilities such as authentication, authorization, user management, and compliance reporting are therefore paramount:
- Users must be strongly authenticated (more than a reusable password) to validate their identity
- Access rights must be checked against the cloud application's access control policies at the time of each request, using current rather than cached entitlements
- All user interactions must be logged, with the authenticated identity and a timestamp, to support non-repudiation
- User accounts must be de-provisioned promptly when the user leaves or changes role
- Dormant accounts must be identified and removed quickly
- Access permissions must be certified (reviewed and re-approved by their owners) on a continuous basis
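As an added illustration, not code from the original page or from Oracle, the following Python script exercises several of the controls listed above over a constructed account export: it flags accounts that should already have been de-provisioned, dormant accounts including those that never logged in, and entitlements the role policy does not permit, and it makes each access decision against both the account's current entitlements and the policy while writing an audit record. The account data, field names, role policy, and the 90-day dormancy threshold are all assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone

# Reference time for the audit (fixed so the example is reproducible offline).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample export of accounts, as an identity management system or
# directory might return it. Field names, users and entitlements are assumed
# for illustration, not taken from any real product.
ACCOUNTS = [
    {"uid": "alice", "status": "active", "role": "developer",
     "hr_status": "employed", "last_login": NOW - timedelta(days=3),
     "entitlements": {"git:read", "git:write", "ci:run"}},
    {"uid": "bob", "status": "active", "role": "developer",
     "hr_status": "employed", "last_login": NOW - timedelta(days=120),
     "entitlements": {"git:read", "git:write"}},
    {"uid": "carol", "status": "active", "role": "contractor",
     "hr_status": "terminated", "last_login": NOW - timedelta(days=10),
     "entitlements": {"git:read"}},
    {"uid": "dave", "status": "active", "role": "developer",
     "hr_status": "employed", "last_login": NOW - timedelta(days=1),
     "entitlements": {"git:read", "git:write", "ci:admin"}},
    {"uid": "svc-backup", "status": "active", "role": "service",
     "hr_status": "n/a", "last_login": None,
     "entitlements": {"storage:read"}},
]

# Assumed role policy: the entitlements each role is permitted to hold.
# Anything an account holds beyond this is an exception certification must catch.
ROLE_POLICY = {
    "developer": {"git:read", "git:write", "ci:run"},
    "contractor": {"git:read"},
    "service": {"storage:read"},
}

DORMANT_AFTER = timedelta(days=90)  # assumed threshold


def audit_accounts(accounts, role_policy, now=NOW, dormant_after=DORMANT_AFTER):
    """Return a list of (finding, uid, detail) tuples for active accounts.

    Covers three of the controls above: timely de-provisioning, dormant-account
    detection, and certification of entitlements against the role policy.
    """
    findings = []
    for acct in accounts:
        uid = acct["uid"]
        if acct["status"] != "active":
            continue  # already disabled; nothing to enforce
        # De-provisioning: the authoritative source (HR) says the person is
        # gone, but the account is still enabled.
        if acct["hr_status"] == "terminated":
            findings.append(("deprovision", uid,
                             "HR status is terminated but account is active"))
        # Dormancy: no login within the window. An account that has never
        # logged in is dormant too; a naive "last_login older than N days"
        # check skips it because there is no timestamp to compare.
        last = acct["last_login"]
        if last is None:
            findings.append(("dormant", uid, "never logged in"))
        elif now - last > dormant_after:
            findings.append(("dormant", uid,
                             f"last login {(now - last).days} days ago"))
        # Certification: entitlements the role does not permit. An unknown
        # role permits nothing, so every entitlement it holds is flagged.
        excess = acct["entitlements"] - role_policy.get(acct["role"], set())
        if excess:
            findings.append(("excess_entitlement", uid,
                             ", ".join(sorted(excess))))
    return findings


def authorize(acct, role_policy, entitlement, audit_log=None):
    """Decide one access request against current account state and policy.

    Returns (allowed, reason). Access requires BOTH that the account currently
    holds the entitlement AND that the role policy permits it, so a stale grant
    that certification has not yet revoked does not win on its own. Every
    decision is appended to audit_log (if given) to support non-repudiation.
    """
    if acct["status"] != "active" or acct["hr_status"] == "terminated":
        allowed, reason = False, "account not active"
    elif entitlement not in acct["entitlements"]:
        allowed, reason = False, "entitlement not held"
    elif entitlement not in role_policy.get(acct["role"], set()):
        allowed, reason = False, "entitlement not permitted for role"
    else:
        allowed, reason = True, "ok"
    if audit_log is not None:
        audit_log.append((acct["uid"], entitlement, allowed, reason))
    return allowed, reason


if __name__ == "__main__":
    for finding in audit_accounts(ACCOUNTS, ROLE_POLICY):
        print(finding)
    log = []
    print(authorize(ACCOUNTS[3], ROLE_POLICY, "ci:admin", log))
    print(log)
```

The scheduled review (audit_accounts) and the per-request check (authorize) are deliberately separate: certification runs periodically and produces work items for administrators, while enforcement has to be correct on every single request, which is why authorize consults the policy again instead of trusting the entitlement list alone.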
Back to Security Silos
Let's take a look at another dimension: public vs. private clouds. With a public cloud, the responsibility for application security in terms of identity management and data protection rests primarily with the cloud provider. Business clients of public clouds typically have less control over application security and must trust that the cloud provider has put sufficient security measures in place.
Some public cloud providers offer identity management features such as Single Sign-On (SSO) and limited user provisioning, which improves security and user satisfaction somewhat; however, the majority of the security and identity controls remain with the public cloud provider.
As a result, many mid-sized to large enterprises consider the lack of integrated identity management a step backward: each public cloud provider becomes a separate silo of identities, security policies, and processes, so that, for example, an employee who leaves must be de-provisioned in each silo separately. In the end, each client must strike a reasonable balance between the value of the cloud-based service, its cost, and the underlying risk.
Identity Management for Private Clouds
Where the security risks of a public cloud are too high, business clients can turn to private cloud providers. Unlike a public cloud, a private cloud is an extension of the enterprise behind the enterprise firewall. Such clouds can and should be integrated with the client's identity management systems for SSO, user authentication, authorization, audit, provisioning, role management, and compliance.
Furthermore, private clouds offer dedicated storage or virtualized layering for data isolation and application partitioning, reducing the risk of a data breach. Unlike a public cloud, which is not (yet) expected to integrate tightly with enterprise identity management systems or data, a private cloud will be expected to offer such capabilities. Private cloud providers must therefore offer a robust set of identity management tools that clients can:
- Rely on for managing access to the cloud environment
- Integrate with enterprise identity and access systems
- Potentially use to manage security and identity in enterprise applications
To manage risk well, the "security and identity silo" typical of public clouds must be eliminated in private clouds. This means private cloud providers must ensure seamless integration with the client's infrastructure and information, including identity management. This places a burden on private cloud providers to offer standards-based (for example, LDAP for directories and SAML for federated SSO), heterogeneous security and identity services that span a broad range of enterprise systems and can be integrated with enterprise processes.
Benefits of Identity Management in Private vs. Public Clouds
The following table compares Identity Management benefits associated with public and private clouds.
| Public Cloud | Private Cloud |
Identity Management from Oracle
Because such functionality is difficult for a provider to build on its own, private cloud providers can partner with Oracle for capabilities such as:
- Strong user authentication, Web Single Sign-On, and identity federation for access control
- User provisioning, role management, and identity attestation for user lifecycle management
- LDAP directory and virtual directory services for identity repositories
- Database security and OS security for locking down access to critical operating environments
Oracle provides a complete range of standards-based identity management capabilities across a wide range of enterprise systems. Both public and private cloud providers leveraging Fusion Middleware 11g will benefit from its built-in, fully integrated Identity Management to secure their clouds and integrate with their clients' infrastructure.
Finally, private cloud providers are uniquely positioned to offer Oracle's comprehensive Identity Management services as a private Identity Management cloud to both new and existing clients.