At midday, it is time for a little break in my smart card day, to go listen to an Oracle OpenWorld session. I might as well leverage today’s professional look to blend better into OOW’s suit-dominated crowds. The funny thing is that every OOW session I have seen ended up turning into a blatant advertising session for some Oracle product. No exception for this session, which was about identity in the cloud. Here are a few highlights of that session (before the advertising part), provided more or less raw:
74% of people are worried about security in the cloud, in particular because of the loss of control that comes from moving your applications into Software-as-a-Service, or even when you only go as far as Infrastructure-as-a-Service. But these worries come from the classic security approach of perimeter defense: your security is based on high walls keeping people out.
Cloud computing introduces a disruption, but it only means that perimeter defense has become obsolete and that other things are required. Security now needs to be enforced by policies, not only by the topology of the network.
For an SME, the perceived risks (from ENISA) include vendor/service lock-in (am I stuck forever with Amazon?), malicious insiders (who is accessing my data?), management interface compromise (could someone impersonate my IT manager?), or legal risks (where is my data stored?). Another point is that shared services can be more attractive to hackers, because compromising a single one can grant access to several actors’ data at once.
Of course, according to the speaker, identity is the solution. His main idea is to extend the (Oracle) identity management system used in the enterprise into the cloud. For instance, SAML-based federation can be used to sign into cloud services with enterprise identities.
Privileged account management is very important. Cloud services come with “superuser” accounts that have the ability to completely manage a service. These accounts should only be accessible through a mechanism that can track, monitor and control access.
For other accounts, account lifecycle management can be an extension of the standard enterprise system.
Something very interesting is to use claims-based identity. Claims-based provisioning can get the necessary identity information from a single SAML token, without having to connect directly to the enterprise systems. More importantly, the identity assertions (such as attributes and roles) carried in that token can be used for authorization decisions on the cloud side. However, not all cloud providers support this. When supported, XACML allows enterprises to export their internal access policies to the cloud service provider.
Ultimately, the enterprise can become an Identity Services Provider, exposing the IAM services available internally to cloud applications, or to partner applications outside of the enterprise. The objective here is to promote a loose coupling between the services and the low-level authentication.
Then we get into the Oracle advertising, reminding us that identity management is part of Oracle’s offering and provides all the services mentioned previously.