Master Identity Access Controls WP

7/31/2019 Master Identity Access Controls WP

http://slidepdf.com/reader/full/master-identity-access-controls-wp 1/8

Identity and Access Management for the Cloud: What You Need to Know About Managing Access to Your Clouds

Identity & Access Management

Copyright © 2012 enStratus Networks, Inc.


One of the biggest challenges in information security is Identity and Access Management (IdM). How do you control who has access to what systems and technology within your enterprise?

Operating systems and applications all have different ways of managing this. As a result, the more applications you use, the more challenging it is to safely and securely manage your users.

This problem becomes even more difficult in the public cloud. The ability to control the technology is limited and it's difficult to leverage tools such as single sign on/federation products.

This paper provides best practices for overcoming the challenges involved with safely and securely managing your users within public clouds, as well as your private clouds.


Access Control and the Cloud

Access control can be divided into two categories: authentication and authorization.

Authentication = Successfully and Accurately Identifying Users

Authentication has become easier over the past few years, as more operating systems and applications now support technologies such as Active Directory (AD), LDAP and single sign on/federation. However, it still can be problematic, especially for password management.

Authorization = Mapping the Actions that a User is Allowed to Take

Examples of actions you might want to control include the ability to create other users, remove users, start or stop compute instances or make changes to different sorts of data.

Authorization presents a larger issue than authentication, because most applications aren't leveraging directory services. Rather, they have their own built-in authorization systems. In the best cases, they can map roles to AD or LDAP groups.

Both authentication and authorization are problematic for large enterprises. Users can end up in multiple directory servers at the same time, and tracking and managing this situation becomes exponentially more difficult with each new server added to the environment.

IdM in the Public Cloud

While there are definitely issues with IdM in the enterprise, those issues pale by comparison to those in the public cloud. With enterprises subscribing to more and more cloud services, successfully managing authentication is becoming increasingly difficult, if not impossible, without some sort of centralized or federated system to manage users' identities.

Very few cloud providers have support for third party authentication. Those that do are almost always found in the more traditional SaaS (Software as a Service) market, such as SalesForce.com. They are not typically found in the PaaS (Platform as a Service) or IaaS (Infrastructure as a Service) markets. There are even fewer options if you eliminate non-enterprise-friendly options, such as OpenID. The providers that are left invariably only support authentication—not authorization.

Authentication

enStratus supports a variety of authentication methods. enStratus natively provides a built-in user directory as well as an SMS-based multi-factor authentication option.

enStratus also supports federated logins via OpenID and SAML 2.0 assertions. Customers who deploy enStratus on-premises have the option to leverage LDAP or Active Directory synchronization. In all cases, users defined within enStratus can be dynamically created on both Windows and UNIX-based guest VMs for interactive logins.


Challenges of Authorization

It is even more difficult for enterprises to manage authorization in the cloud. One of the benefits of using a public cloud is that it exposes the inner workings of the infrastructure in ways that are usually limited to the staff at a physical datacenter. This is very powerful because it gives developers, and even regular users, the ability to self-service and provides users much more quickly with the resources they request. Unfortunately, most cloud providers don't limit who can do that. This means that once you grant a user access, they have access to all infrastructure and applications. Although this makes access easy, it can be disastrous. Suddenly, you have a company full of sysadmins with the equivalent of root access.

Authorization Capabilities Differ Among Cloud Providers

Even the cloud providers who do provide authorization tend to do so in a way that is different for each service. For example, Amazon's AWS has some very granular access control mechanisms for services such as S3, but when it comes to their flagship product, EC2, it's an all-or-nothing scenario. What can be controlled with Access Control Rules varies dramatically from one cloud provider to another. This makes consistent application of authorization even more difficult.

Some companies have attempted to solve this lack of authorization by creating separate accounts with their cloud provider(s) for each project. This way only the relevant developers are allowed access to the cloud account. Anyone with access to the account could still do a lot of damage by mistake, but this limits the scope to just that one project. This works when only a few accounts are being managed, but becomes extremely cumbersome as the number grows.

One Cloud Provider—Hundreds of Accounts

Some companies have hundreds of accounts with the same cloud provider. Managing these accounts without authorization presents a number of challenges:

• Time: Managing the accounts individually becomes a full-time job. It's even more time-consuming if the provider doesn't have an option for consolidating all of the billing into one monthly statement.

• Reliability: In many companies, some of their developers have access to more than one account at a time. This is not only a huge headache to manage, but constantly switching accounts also increases the chances of someone making a mistake.

• User Management: Working with a large number of accounts makes it nearly impossible to correctly handle authorization when someone changes roles or leaves the company.

Real-World Example:

One company let all of their senior developers have access to an account that had been set up with their external cloud provider. One developer, as part of software testing, provisioned servers and terminated test instances over the course of several days. Late one afternoon, he accidentally terminated several key development databases, instead of his test instances. Fortunately for both the developer and the company, those databases were backed up. Although recovery was relatively simple, all development work was completely halted for several hours until the databases could be recreated.


How Authorization Should Work

When evaluating software and services, it is vital to ensure that there is a way to implement a robust role-based access control system that allows administrators to create fine-grained Access Control Lists (ACLs). More specifically, it is necessary to control which users/groups can do what, for every available action. In the case of cloud, providers are not making this available today. This means that customers either need to build their own solution or engage with a third-party software product.

Using a Proxy Between You and the Cloud Provider

Essentially, what is needed is a proxy between the consumer and the cloud provider that allows users to create and maintain levels of authorization and monitoring far beyond what is currently available from most providers. Once this proxy is in place, it is very easy to log every action users are taking. Having a user action log contributes to overall security and potential recovery scenarios, and will help pass compliance audits as well.

Ways to Leverage Role-based Access Control

There are various methods for incorporating role-based access control into public and private clouds. Each of these can be deployed individually, or together, to help companies meet their security requirements.

• User-based: Limit login access to specific users. More specifically, limit admin access for all boxes to just the administrators groups. Further restrict users' access to only the instance or group of instances that is necessary to perform their job functions. For example, application developers are only allowed access to systems in the application tier and DBAs are only allowed access to the SQL tier.

• Filters: A well-designed system will allow the creation of rules that can be applied not only to the zone or network, but also based on the meta-data related to the instance. For example, in development groups, it is often useful to restrict the ability to terminate instances to only the user who started that instance. This will help prevent a user from accidentally terminating a database they are not working on.

• Granular Controls: The most complete access control method is to provide a granular level of access to each component of the infrastructure. As an example, a company can grant a person in first tier support the ability to reboot instances but not start, stop or terminate them. Another example is allowing a person in QA access to development systems but not to production systems.

No matter which of these access control mechanisms are utilized, it is important to incorporate logging and alerting into the operations of public and private clouds. With an appropriately configured logging and alerting system in place, the operations team will be able to track all activity and be notified when specific actions fail.
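As an added illustration (not enStratus code and not part of the original paper), the following Python sketch shows how the three control styles listed above and the logging and alerting just described fit together in a small authorization proxy: roles scoped to infrastructure tiers (user-based), a rule evaluated against instance metadata (filters), per-action permissions such as "reboot but not terminate" (granular controls), and an audit entry for every decision with denials raised as alerts. The roles, tiers, users, instances and the rule that exempts administrators from the ownership filter are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Instance:
    instance_id: str
    tier: str      # infrastructure tier, e.g. "app" or "db"
    owner: str     # user who started the instance


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


# Granular controls: the actions each (hypothetical) role may perform.
ROLE_ACTIONS = {
    "admin":         {"view", "start", "stop", "reboot", "terminate", "add_user"},
    "app_dev":       {"view", "start", "stop", "reboot", "terminate"},
    "dba":           {"view", "start", "stop", "reboot", "terminate"},
    "tier1_support": {"view", "reboot"},   # reboot, but never start/stop/terminate
}

# User-based scoping: the tiers each role is allowed to touch.
ROLE_TIERS = {
    "admin":         {"app", "db"},
    "app_dev":       {"app"},
    "dba":           {"db"},
    "tier1_support": {"app", "db"},
}


def owner_only_terminate(user, action, inst):
    """Filter on instance metadata: only the user who started an instance may
    terminate it. Exempting administrators is an assumption of this example."""
    if "admin" in user.roles:
        return True
    return action != "terminate" or inst.owner == user.name


FILTERS = [owner_only_terminate]


class AuthzProxy:
    """Sits between users and the cloud provider: decides every requested
    action and records the decision."""

    def __init__(self):
        self.audit_log = []   # every decision, allowed or denied
        self.alerts = []      # denied requests, for the operations team

    def authorize(self, user, action, inst):
        # Role check: some role must grant the action on the instance's tier.
        allowed = any(
            action in ROLE_ACTIONS.get(role, ()) and inst.tier in ROLE_TIERS.get(role, ())
            for role in user.roles
        )
        reason = "granted by role" if allowed else "no role grants this action on this tier"
        # Filters only narrow what the roles already allow.
        if allowed:
            for check in FILTERS:
                if not check(user, action, inst):
                    allowed, reason = False, "blocked by filter " + check.__name__
                    break
        entry = {"user": user.name, "action": action, "instance": inst.instance_id,
                 "allowed": allowed, "reason": reason}
        self.audit_log.append(entry)
        if not allowed:
            self.alerts.append(entry)
        return allowed


def demo():
    """Constructed scenario mirroring the examples in the text."""
    proxy = AuthzProxy()
    alice = User("alice", frozenset({"app_dev"}))
    bob = User("bob", frozenset({"dba"}))
    carol = User("carol", frozenset({"tier1_support"}))
    app1 = Instance("i-app-1", "app", owner="alice")
    app2 = Instance("i-app-2", "app", owner="dave")
    db1 = Instance("i-db-1", "db", owner="bob")
    results = {
        "alice_terminates_own_app":    proxy.authorize(alice, "terminate", app1),  # allowed
        "alice_terminates_db":         proxy.authorize(alice, "terminate", db1),   # denied: wrong tier
        "alice_terminates_others_app": proxy.authorize(alice, "terminate", app2),  # denied: owner filter
        "carol_reboots_db":            proxy.authorize(carol, "reboot", db1),      # allowed
        "carol_terminates_db":         proxy.authorize(carol, "terminate", db1),   # denied: granular control
        "bob_stops_db":                proxy.authorize(bob, "stop", db1),          # allowed
    }
    return results, proxy


if __name__ == "__main__":
    decisions, p = demo()
    for name, ok in decisions.items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
    print(f"{len(p.audit_log)} audit entries, {len(p.alerts)} alerts")
```

The order of evaluation is the point worth copying: roles grant, filters only take away, and the audit log records the reason either way, so a later review can tell a tier violation from an ownership violation without replaying the request.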

Authorization

enStratus provides a robust role-based access control mechanism that is very fine-grained. Access controls are cloud independent, which allows for consistent deployments regardless of provider. Access controls can be applied to not only every action performed by an enStratus user, but also to every single resource managed by the enStratus solution. Access rules can be mapped to individual users or assigned to groups. Users and groups can be natively stored within enStratus, or if deployed on-site, can be synchronized from Active Directory or LDAP.

Logging/Alerting

With Access Controls by enStratus, it is much easier to track user actions for compliance purposes.

All actions taken by enStratus, whether via the console or the API, are logged. Alerts can be configured whenever certain actions happen (or fail to happen) and are sent via email, SMS or API calls to another application.

enStratus regularly polls the cloud providers and will also create an alert when it detects discrepancies between what it thinks is happening and what the cloud provider believes its current state to be. This is ideal for detecting when users are directly accessing the cloud providers' consoles, instead of using enStratus.
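The discrepancy check described in the sidebar, as an added example that is not enStratus code: the proxy keeps its own record of the resources it created, polls the provider for a snapshot, and alerts on anything that differs, which is how changes made directly in the provider's console become visible. The inventories, the poll function and the notifier are constructed stand-ins for a provider API and an email/SMS/API-call delivery channel.

```python
def find_discrepancies(expected, observed):
    """Compare two inventories keyed by instance id.

    expected: what the proxy believes exists (id -> attribute dict)
    observed: what the provider reported on the last poll (same shape)
    Returns one alert dict per discrepancy, ordered by instance id.
    """
    alerts = []
    for iid in sorted(set(expected) | set(observed)):
        if iid not in observed:
            # Proxy still records it, provider no longer does: removed outside the proxy.
            alerts.append({"instance": iid, "kind": "missing_at_provider",
                           "expected": expected[iid]})
        elif iid not in expected:
            # Provider has it, proxy never created it: created outside the proxy.
            alerts.append({"instance": iid, "kind": "unknown_to_proxy",
                           "observed": observed[iid]})
        else:
            # Same instance on both sides: compare attribute by attribute.
            for attr in sorted(set(expected[iid]) | set(observed[iid])):
                want, have = expected[iid].get(attr), observed[iid].get(attr)
                if want != have:
                    alerts.append({"instance": iid, "kind": "attribute_mismatch",
                                   "attribute": attr, "expected": want, "observed": have})
    return alerts


def format_alert(alert):
    """Render an alert as the one-line message that would go out by email or SMS."""
    if alert["kind"] == "attribute_mismatch":
        return (f"{alert['instance']}: {alert['attribute']} expected "
                f"{alert['expected']!r} but provider reports {alert['observed']!r}")
    return f"{alert['instance']}: {alert['kind']}"


def poll_and_alert(expected, poll_provider, notify):
    """One polling cycle: fetch the provider's state, diff it, deliver alerts."""
    observed = poll_provider()
    alerts = find_discrepancies(expected, observed)
    for alert in alerts:
        notify(format_alert(alert))
    return alerts


def demo():
    """Constructed scenario: one instance was stopped via the provider console,
    another was created there, and a third was terminated there."""
    proxy_view = {
        "i-app-1": {"state": "running", "tier": "app"},
        "i-db-1":  {"state": "running", "tier": "db"},
        "i-db-2":  {"state": "running", "tier": "db"},
    }
    provider_snapshot = {
        "i-app-1": {"state": "running", "tier": "app"},
        "i-db-1":  {"state": "stopped", "tier": "db"},   # stopped outside the proxy
        "i-web-9": {"state": "running", "tier": "web"},  # created outside the proxy
        # i-db-2 is absent: terminated outside the proxy
    }
    sent = []   # messages the notifier "delivered"
    alerts = poll_and_alert(proxy_view, lambda: provider_snapshot, sent.append)
    return alerts, sent


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Polling a full snapshot rather than relying on provider-side event feeds is what makes this work uniformly across providers, at the cost of a detection delay equal to the polling interval; unknown-to-proxy resources are the ones worth treating as the highest-priority alert, since they are the clearest sign of console access bypassing the controls.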


Example of Using Role-based Access Control

Before: Once you grant a user access, they have complete access to all systems and can perform any action.

After: With role-based access control, users are only allowed access to certain systems, and can only perform certain actions based on their defined role.

Figure: two panels, "No Controls/Complete Access" and "Granular Controls". The permission labels that survive from the diagram are "view", "view/add users" and "full control".


What About Directory Services?

Access control in any application is important. As new applications are added to the portfolio, it is essential to minimize new parts that need to be managed.

User management should be approached with caution, especially with users who have administrative responsibilities or similar levels of access to critical data. Each additional system with uniquely created users increases the likelihood that access will not be removed or updated when a user changes roles. The number of places a user appears may scale linearly, but the complexity of management scales exponentially. As a result, one of the most common security breaches is a user whose access wasn't properly adjusted or removed when he or she changed jobs or left the organization.

Using LDAP/AD for Role Maintenance

The chosen solution should allow synchronization with Active Directory/LDAP to eliminate this issue. This way not only can users be authenticated, but also groups can be mapped to roles within the proxy. As a result, maintenance of roles will be minimal, once the initial setup is complete, because all changes happen within the directory server. LDAP and Active Directory can be leveraged to dynamically create users within guest VMs.

Conclusion

Using enStratus to Improve IdM

enStratus enables customers to significantly improve their Identity and Access Management strategy with their cloud deployments. enStratus uses the existing tools from cloud providers and expands that coverage with fine-grained, role-based access control that is cloud independent. enStratus supports a variety of authentication methods to meet the unique requirements of enterprises. Customers also gain auditing and logging of all user actions—something that cloud providers don't make available. And, existing directories, such as Active Directory and LDAP, can be leveraged to minimize the complexity of deployments and maintain fewer points of user management.

enStratus Provides Several Options for LDAP/AD Integration:

Synchronization: Set up synchronization between LDAP/AD and enStratus. enStratus will sync a copy of the users and groups to its own database. enStratus pushes the users—with their keys—to the appropriate VM. This method is optimal because it only requires read-only access to LDAP/AD by enStratus. Guest VMs never talk directly to your LDAP/AD infrastructure and therefore do not require you to expose your directories to resources in public clouds. When users are removed from LDAP, enStratus will automatically remove that user from each relevant VM at its next synchronization.

Configuration Management Tools: Leverage our Chef or Puppet integration to configure guest VMs to authenticate directly against the LDAP servers. This requires exposing your LDAP or AD infrastructure to your cloud provider.

Delegated Authentication: Instead of enStratus storing the user passwords in its database, in delegated authentication mode it points to the user's DN in LDAP/AD.
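To make the "Using LDAP/AD for Role Maintenance" section and the Synchronization option above concrete, here is an added example (not enStratus code) of one synchronization cycle: a snapshot of directory users and their group memberships is mapped onto proxy roles through a single group-to-role table, the accounts each guest VM should carry are re-derived from those roles, and a user who has disappeared from the directory, or changed groups, is removed from every VM that the change no longer entitles them to. The group DNs, role names, VM ids, users and keys are all constructed for the example; a real sync would read the directory with a read-only bind and push accounts through a guest agent.

```python
# Directory groups mapped to roles within the proxy. This table is the only
# thing an administrator maintains; membership itself lives in the directory.
BASE = "ou=groups,dc=example,dc=com"          # constructed directory suffix
ADMINS = f"cn=cloud-admins,{BASE}"
APP_DEVS = f"cn=app-developers,{BASE}"
DBAS = f"cn=dbas,{BASE}"
GROUP_TO_ROLE = {ADMINS: "admin", APP_DEVS: "app_dev", DBAS: "dba"}


def directory_to_proxy_users(directory_users):
    """Build the proxy's own user store from a directory snapshot.

    directory_users: list of {"uid", "groups": [group DNs], "ssh_key"}.
    Users that belong to no mapped group get no proxy account at all, so a
    directory user outside the cloud groups never reaches a VM.
    """
    proxy_users = {}
    for entry in directory_users:
        roles = {GROUP_TO_ROLE[g] for g in entry["groups"] if g in GROUP_TO_ROLE}
        if roles:
            proxy_users[entry["uid"]] = {"roles": roles, "ssh_key": entry["ssh_key"]}
    return proxy_users


def plan_vm_accounts(proxy_users, vms, current_accounts):
    """Decide which login accounts to push to, or remove from, each VM.

    vms: {vm_id: {"roles": set of roles allowed to log in}}
    current_accounts: {vm_id: set of uids currently provisioned on that VM}
    Returns {vm_id: {"add": set of uids, "remove": set of uids}}.
    """
    plan = {}
    for vm_id, vm in vms.items():
        desired = {uid for uid, u in proxy_users.items() if u["roles"] & vm["roles"]}
        current = current_accounts.get(vm_id, set())
        plan[vm_id] = {"add": desired - current, "remove": current - desired}
    return plan


def apply_plan(plan, current_accounts):
    """Return the per-VM account state after the plan is applied. The actual
    push (creating the account with the user's key, deleting it) is the part
    a guest agent would do and is not modelled here."""
    result = {}
    for vm_id, changes in plan.items():
        result[vm_id] = (current_accounts.get(vm_id, set()) | changes["add"]) - changes["remove"]
    return result


def demo():
    """Two sync cycles over constructed data. Between them, 'dave' is removed
    from the directory and 'bob' moves from the DBA group to app developers."""
    vms = {"vm-app-1": {"roles": {"admin", "app_dev"}},
           "vm-db-1": {"roles": {"admin", "dba"}}}
    snapshot_1 = [
        {"uid": "alice", "groups": [APP_DEVS], "ssh_key": "ssh-ed25519 AAAA-alice-constructed"},
        {"uid": "bob",   "groups": [DBAS],     "ssh_key": "ssh-ed25519 AAAA-bob-constructed"},
        {"uid": "dave",  "groups": [APP_DEVS], "ssh_key": "ssh-ed25519 AAAA-dave-constructed"},
        {"uid": "erin",  "groups": [f"cn=finance,{BASE}"], "ssh_key": "ssh-ed25519 AAAA-erin"},
    ]
    accounts = {}   # nothing provisioned on any VM yet
    plan_1 = plan_vm_accounts(directory_to_proxy_users(snapshot_1), vms, accounts)
    accounts = apply_plan(plan_1, accounts)

    snapshot_2 = [
        {"uid": "alice", "groups": [APP_DEVS], "ssh_key": "ssh-ed25519 AAAA-alice-constructed"},
        {"uid": "bob",   "groups": [APP_DEVS], "ssh_key": "ssh-ed25519 AAAA-bob-constructed"},
        # dave has been removed from the directory entirely
    ]
    plan_2 = plan_vm_accounts(directory_to_proxy_users(snapshot_2), vms, accounts)
    accounts = apply_plan(plan_2, accounts)
    return plan_1, plan_2, accounts


if __name__ == "__main__":
    first, second, final_state = demo()
    print("cycle 1:", first)
    print("cycle 2:", second)
    print("accounts:", final_state)
```

Because the plan is recomputed from the directory snapshot each cycle rather than from a stream of add/remove events, a missed event cannot leave a stale account behind: whatever the directory no longer entitles is in the remove set at the next sync, which is the property the Synchronization option relies on.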


Figure: The Enterprise Cloud Management Solution. Labels that survive from the diagram: Governance, Automation, Independence; Your Applications; Operations Tools (Monitoring, Config. Mgmt, Billing, etc.); enStratus API; Cloud Services (public/private/hybrid clouds, IaaS, PaaS).

enStratus™ helps you manage your cloud infrastructure. We support the provisioning, management and automation of applications in all leading public and private clouds.

We do this while retaining the ability for developers and application operators to choose the configuration management, monitoring and other operation tools that make the most sense for each application.

enStratus integrates into the leading operations tools and your internal systems to ensure your IT policies and procedures extend into the cloud.

enStratus is available as Software as a Service, or as on-premises software that enables you to control the cloud from within your own data centers. enStratus provides:

Governance - enStratus enables you to meet your governance needs with flexible access controls, logging, financial controls and integration into your internal management systems and access directories.

Automation - enStratus helps you meet the economic and operational advantages of cloud computing through a variety of automation tools including auto-provisioning, auto-scaling, automated backups, and more.

Independence - enStratus supports over 20 of the leading public clouds and private cloud platforms.

• Public compute: AWS EC2, Bluelock, CloudSigma, GoGrid, Joyent Cloud, Rackspace, SoftLayer, Tata InstaCompute, Terremark

• Public storage: AT&T Synaptic Storage, Azure, Google, AWS S3

• Private compute: Citrix CloudStack, Eucalyptus, Joyent Cloud, Nimbula, OpenStack Nova, vCloud Director

• Private storage: EMC Atmos, OpenStack Swift, Eucalyptus Walrus

• Direct virtualization: vSphere

Across these clouds, enStratus enables enterprises to leverage leading configuration management solutions, such as Chef and Puppet, as well as PaaS solutions, such as Cloud Foundry.

enStratus also provides Consulting Services to assist you in your migration into the cloud. We can help you design a deployment to meet your target SLAs and address issues such as scaling parameters, security and compliance.

To learn more, visit http://www.enstratus.com.

About the enStratus Enterprise Cloud Management Solution

http://www.enstratus.com | 612.746.3091 | [email protected]

enStratus provides cloud governance, automation and independence for enterprises. Think of enStratus as the enterprise console to the world of cloud computing.
