Data Freighting across the Clouds (Part 3)

Identity and Security Management

One of the big challenges in sharing data between companies (for example, from your enterprise to an external cloud provider) is security management: authorization, access, and identity management.

In a traditional, campus-wide IT network, security rules and roles are relatively straightforward when tied to a directory service such as Active Directory or LDAP. In a single domain model (what Microsoft now calls an Active Directory Forest), the directory service provides semantics and tools to authorize and delegate access to remote sites and sub-domains; location semantics for managing remote sites and remote access are also provided. That said, some companies employ a custom, public key-enabled remote access system for managing network access, VPNs, and user access.

For example, if my local enterprise defines security rules and roles using Active Directory (AD), ideally our remote site would be managed the same way, mapping those identities. Most large companies struggle to map identities across AD and UNIX (LDAP) security domains, not to mention across 3rd-party companies.

However, the tools provided with Active Directory and other directories are really designed for use within a company. Sure, some firms have extended directory services to reach across companies, through extranets and internal-to-external trust relationships, in support of acquisitions, mergers, and large company extranets. But it ain’t easy.

In a private cloud model, you may want to use a single domain (built on a common directory service) or integrate two (ideally similar) security models together. In Active Directory, this could be as basic as establishing trust relationships across domains. Or it could be as complicated as mapping identities from Active Directory to LDAP, or vice versa, through tools like Microsoft’s Services for UNIX.

The most challenging and risky scenario: integrating a large enterprise with a public external cloud, through a directory services scheme. Unless your enterprise owns both ends of the cloud, there will likely be a different delegation scheme on the external cloud.

When using a public, external cloud provider, you will likely want to keep the security domains completely separate (unless you know something I don’t). That means treating the public cloud provider either like (a) a remote web ecommerce or banking site (it provides its own security mechanisms, which you either trust or do not) or (b) as an extranet partner site. In this case, you may have some flexibility about the security management systems used remotely.

But does that mean your enterprise should approve of any user downloading and running applications locally instead of remotely?

For a use case example, let’s take file transfers. Do you provide all users with a file transfer account? Managing user accounts and permissions separately for FTP or another file transfer scheme, through an ad hoc security manager or directory, becomes a logistical and security nightmare at scale. But guess what: a lot of companies do this anyhow!

Most enterprises likely do not want all users to be able to transfer sensitive application data to and from various cloud providers. In these cases, your company may be able to use tools and technologies either built into your directory service or identity management system to delegate roles and rules concerning file transfers.

Instead, you might define a group or role in Active Directory that permits some users or groups to transfer files. The file transfer solution will then need to support integrating with LDAP, Active Directory, or another directory service you might be using.

On the provider side, the accounts also need to be created or enabled for FTP or another mechanism. This could be as basic as mapping individual user accounts to a group, or as complicated as deploying a separate directory system. Each cloud provider will likely have best practices on how to enable this, or an out-of-the-box approach.

Thus, starting out, most companies will want to ensure users transferring files do so with minimal security privileges, and transfer the files into locked-down, demilitarized zones (through VPNs or other means) where files can be scanned, quarantined, or staged in whatever way fits the security requirements of the end-customer’s business.
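The two ideas above (delegating file-transfer rights through a directory group rather than per-user FTP accounts, and confining what those users can touch to a locked-down staging area) can be made concrete in a small authorization check at the transfer gateway. The code below is an added example, not code from the original post or from any named vendor. The user and group names, the nested-group directory snapshot, the policy table, and the /dmz/staging paths are all constructed for illustration; in a real deployment the memberOf values would come from an AD/LDAP query rather than an in-memory dictionary. It goes slightly beyond the text by resolving nested group membership, which is how AD role groups are usually built.

```python
"""Group-based authorization for a file-transfer gateway in front of an external cloud.

Added example (not from the original post). All names, DNs and paths below are
constructed assumptions standing in for a live Active Directory / LDAP lookup.
"""
import posixpath
from dataclasses import dataclass

# Constructed directory snapshot: each user's direct memberOf attribute values.
DIRECTORY_USERS = {
    "alice": [
        "CN=CloudTransfer-Upload,OU=Roles,DC=example,DC=com",
        "CN=Finance,OU=Departments,DC=example,DC=com",
    ],
    "bob": ["CN=Finance,OU=Departments,DC=example,DC=com"],
    # carol holds the download role only indirectly, via a nested group.
    "carol": ["CN=Finance-Leads,OU=Departments,DC=example,DC=com"],
}

# Constructed nesting: a group's own memberOf values (AD allows groups in groups).
GROUP_MEMBER_OF = {
    "CN=Finance-Leads,OU=Departments,DC=example,DC=com": [
        "CN=CloudTransfer-Download,OU=Roles,DC=example,DC=com",
    ],
}

# Which role group (by CN) grants which transfer action. Anything not listed is denied.
POLICY = {
    "CloudTransfer-Upload": {"upload"},
    "CloudTransfer-Download": {"download"},
}

# Least privilege: uploads land only in the inbound quarantine area, downloads are served
# only from files that have already been scanned and released.
STAGING_ROOTS = {
    "upload": "/dmz/staging/inbound",
    "download": "/dmz/staging/released",
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def cn_of(dn: str) -> str:
    """Return the CN value of the first RDN in a distinguished name."""
    first_rdn = dn.split(",", 1)[0]
    key, _, value = first_rdn.partition("=")
    if key.strip().upper() != "CN":
        raise ValueError(f"expected CN as first RDN: {dn!r}")
    return value.strip()


def effective_groups(user: str) -> set[str]:
    """Resolve direct and nested group membership; cycle-safe via the seen set."""
    pending = list(DIRECTORY_USERS.get(user, []))
    seen: set[str] = set()
    while pending:
        dn = pending.pop()
        if dn in seen:
            continue
        seen.add(dn)
        pending.extend(GROUP_MEMBER_OF.get(dn, []))
    return {cn_of(dn) for dn in seen}


def within_root(path: str, root: str) -> bool:
    """True if the normalized path stays inside root (blocks ../ escapes)."""
    norm = posixpath.normpath(path)
    return norm == root or norm.startswith(root + "/")


def authorize(user: str, action: str, path: str) -> Decision:
    """Deny by default; allow only a role-granted action inside its staging root."""
    if action not in STAGING_ROOTS:
        return Decision(False, f"unknown action {action!r}")
    groups = effective_groups(user)
    granting = sorted(g for g, acts in POLICY.items() if action in acts and g in groups)
    if not granting:
        return Decision(False, f"{user} holds no group granting {action}")
    root = STAGING_ROOTS[action]
    if not within_root(path, root):
        return Decision(False, f"{path} is outside the {action} staging area {root}")
    return Decision(True, f"{action} by {user} via {granting[0]} within {root}")


if __name__ == "__main__":
    checks = [
        ("alice", "upload", "/dmz/staging/inbound/report.csv"),
        ("bob", "upload", "/dmz/staging/inbound/report.csv"),
        ("carol", "download", "/dmz/staging/released/q1.xlsx"),
        ("carol", "upload", "/dmz/staging/inbound/q1.xlsx"),
        ("alice", "upload", "/dmz/staging/inbound/../../../etc/passwd"),
    ]
    for who, what, where in checks:
        d = authorize(who, what, where)
        print(f"{'ALLOW' if d.allowed else 'DENY ':5} {who:6} {what:8} {where} :: {d.reason}")
```

The gateway never consults per-user FTP accounts: it asks the directory which role groups the user holds and maps those to a single action inside a single staging root, so revoking transfer rights is a group-membership change rather than an account cleanup on the provider side.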

Internal IT organizations, consulting firms like GlassHouse, and service providers offering managed clouds are a great resource for offering security management techniques around this type of remote access for the enterprise.

– Jason Goodman
