When it comes to the secure hybrid cloud, identity has many definitions, ranging from the device a user is working from to the combination of device, location, password, and other multi-factor authentication means. Even with all of that technology, two questions remain: where does the identity store live (the bits that hold the identity of every user, device, and so on), and how do you prove identity once the user goes somewhere within the cloud that is outside your control?
There are three parts to our secure hybrid cloud that are of interest:
- Transition – The transitional component of a secure hybrid cloud contains everything that either allows access to or moves data between multiple cloud instances, between those clouds and one or more data centers, and between the end user computing device and the clouds and data centers. The transitional component is fairly fluid.
- Cloud – The cloud includes all those places outside our immediate control where data could end up or be taken from, and in some cases could even be used to further our transitional goals.
- Data Center – The data center is generally within our control and could be a private cloud or just a collection of virtual and physical machines; it may transfer data between multiple data centers or back and forth to the cloud.
Identity Stores for the Secure Hybrid Cloud
The Cloud Security Alliance (CSA) has run an identity project for the cloud for many years. Its goal is a way to establish the identity of users and devices within the cloud such that the identity can be shared between the cloud and the data center, so that one identity store works for all aspects of the secure hybrid cloud. To that end, several products and projects exist.
- RSA Cloud Trust Authority is an architecture that uses SAML to transfer identity to all participating cloud entities (and the data center) from a common identity store, usually one that lives in the cloud itself. The Cloud Trust Authority is more of a reference architecture, one that was proposed to the entire CSA.
- McAfee Cloud Single Sign On is an implementation of the Cloud Trust Authority reference architecture that uses Salesforce as the identity store.
Many people have suggested using Google, Facebook, Twitter, Salesforce, and others as the identity store, and tools like OpenID do just that. There are also programming APIs that let applications use these cloud based systems as their identity store.
Controlled use of Identity Stores
Using a cloud based identity store leaves control of that identity store in the hands of the cloud's administrators, not yours. There is, however, a way to regain control: use tools that give the organization a way to control access to both cloud and internal services. VMware Horizon App Manager (HAM) and similar services from other companies do this by requiring users and devices to log into a portal, which then maintains the relationship, and the identities, with the allowed cloud services.
This approach provides a central location to handle identity, maintain identity, and deny access to the cloud services based on identity. Specifically, users only ever use the identity provided by the organization, and the organization maintains the relationship with the clouds. This combination gives you control over the identity, control over the identity store, and the ability to determine who did what, when, where, and how.
A common identity store is crucial to controlling who and what you allow into every aspect of your secure hybrid cloud. The who is the people; the what is the applications and devices those people use. Identity therefore has to include not only the people but also their devices. Given that the entry point to the secure hybrid cloud is the end user computing device, that device and its location are aspects of identity that need to be maintained. By controlling access into cloud services at one point, we gain the ability to manage identity at different layers and bring it back under our control, rather than leaving it spread throughout the secure hybrid cloud.
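To make the broker model above concrete (the SAML-style federation sketched under RSA Cloud Trust Authority, and the portal that holds the relationship with each cloud service), here is an added example that is not code from the original post or from any of the products it names. It uses an HMAC-signed JSON assertion as a stand-in for SAML's XML-signed assertion, and the names IdentityStore, Portal, CloudService, the per-service keys, and the sample user "alice" are all constructed for the example. The pattern it demonstrates is the page's: the organization's store decides, the portal mints a short-lived assertion bound to one service and carrying user, device, and location, the service only checks signature, audience, and validity window, and every decision lands in one audit trail.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityStore:
    """The organization's single identity store: people and their enrolled devices."""

    def __init__(self):
        self.users = {}

    def add_user(self, name, devices, services):
        self.users[name] = {"enabled": True, "devices": set(devices), "services": set(services)}

    def disable(self, name):
        # One switch revokes access to every cloud service the portal fronts.
        self.users[name]["enabled"] = False


class Portal:
    """The broker users log into. It holds the per-service keys; the user never does."""

    def __init__(self, store, service_keys, ttl=300):
        self.store, self.keys, self.ttl = store, service_keys, ttl
        self.audit = []  # who / what / when / where / how, in one place

    def issue(self, user, device, location, service, now=None):
        now = int(time.time()) if now is None else now
        rec = self.store.users.get(user)
        ok = (rec is not None and rec["enabled"] and device in rec["devices"]
              and service in rec["services"] and service in self.keys)
        self.audit.append({"who": user, "what": (device, service), "when": now,
                           "where": location, "how": "granted" if ok else "denied"})
        if not ok:
            return None
        # Assertion is bound to one audience and expires quickly; the cloud
        # service never sees a password, only this signed statement.
        claims = {"sub": user, "dev": device, "loc": location, "aud": service,
                  "iat": now, "exp": now + self.ttl}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self.keys[service], body.encode(), hashlib.sha256).digest()
        return body + "." + _b64(sig)


class CloudService:
    """A participating cloud service that trusts only assertions addressed to it."""

    def __init__(self, name, key):
        self.name, self.key = name, key

    def accept(self, token, now=None):
        now = int(time.time()) if now is None else now
        try:
            body, sig = token.split(".")
            expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(sig)):
                return None
            claims = json.loads(_unb64(body))
        except ValueError:  # malformed base64, JSON, or token shape
            return None
        if claims.get("aud") != self.name:
            return None  # assertion was issued for a different service
        if not claims.get("iat", 0) <= now < claims.get("exp", 0):
            return None  # outside the validity window
        return claims


if __name__ == "__main__":
    # Constructed demo data: one user, one enrolled laptop, one allowed service.
    store = IdentityStore()
    store.add_user("alice", devices=["laptop-1"], services=["crm"])
    keys = {"crm": b"crm-demo-key", "mail": b"mail-demo-key"}
    portal = Portal(store, keys)
    crm = CloudService("crm", keys["crm"])
    token = portal.issue("alice", "laptop-1", "office", "crm")
    print("crm accepts:", crm.accept(token) is not None)
    store.disable("alice")
    print("after disable:", portal.issue("alice", "laptop-1", "office", "crm"))
    print("audit:", portal.audit)
```

The point to notice is where each decision lives: the cloud service cannot grant access to a user the portal did not vouch for, an assertion minted for one service is rejected by another because of the audience check, and disabling the user in the organization's store stops new assertions everywhere without touching any cloud account. Real deployments would sign with the identity provider's private key (SAML XML signatures, or signed OpenID/OAuth tokens) rather than a shared HMAC key, but the trust boundaries are the same.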
How do you provide identity for your clouds?