Today, it is imperative for businesses to increase scalability and enable collaboration among development teams to help solve complex challenges, all while cutting down on IT business costs. To accomplish this daunting task, more and more organizations are shifting their entire IT infrastructure to the cloud and adopting a “cloud everything” approach.
The benefits of moving to a cloud infrastructure cannot be overstated, but just like any other business initiative, there will be challenges along the way. One of the most common challenges organizations face is cloud security. Cloud services typically provide built-in security features such as Identity and Access Management (IAM) to help control access to infrastructure and Platform as a Service (PaaS) offerings, but the security of the transactions and data handled in the cloud is often overlooked.
Cloud Services Require Additional Security
Cloud providers generally don’t offer the level of control and security needed to leverage data in the cloud while also keeping critical data secure. Security products that have emerged to protect the cloud tend to focus on the security of the infrastructure and containers rather than on the security of the transactions or, in this case, the data. Amazon and Google both have an “IAM” strategy that is all about authorizing administrators to spin servers, databases, containers, etc. up and down, but it focuses on the infrastructure rather than on the data or information consumers store inside, and it uses the same legacy identity/role/group-based approach to authorization, which is too coarse-grained.
Organizations require more advanced security measures than what’s provided “out of the box” by most cloud services. The security measures must be a direct reflection of regulations and rules to facilitate compliance. To enact the proper security measures, organizations need cloud-native security products to extend access control beyond the cloud offering.
Access Control for Cloud Hosted Data
The built-in IAM features that are provided in cloud offerings simply don’t offer the security and control required to leverage data in the cloud while keeping critical data secure. The built-in mechanisms suffer from the same drawbacks that existing on-premises Role-Based Access Control (RBAC) systems have. However, organizations can extend access control beyond the cloud service with externalized dynamic authorization delivered through Attribute-Based Access Control (ABAC). Dynamic authorization in the cloud works the same way it does on-premises. At the very core of ABAC lie access control and business policies that dictate what can and cannot happen. Policies are easy to understand and are a direct reflection of business requirements or compliance rules.
With this approach, organizations can define their policies once and apply them consistently and coherently on-premises, in the cloud, and across multiple layers and vendors to protect applications, data, APIs and microservices. This way organizations are not tied to any particular technology or stack. Using policies in lieu of code or proprietary configuration makes ABAC the tool of choice for increasing visibility and efficiency.
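To make the "policies instead of code" idea concrete, here is a small attribute-based policy decision point, added as an example for this article; it is not Axiomatics' product or code from the original text. The attribute names, the three policy rules and the sample requests are constructed for illustration, and the block goes slightly beyond the text by showing deny-overrides rule combining and a fail-closed default, both of which a real policy engine needs.

```python
# Added example (not Axiomatics' or the article's code): a minimal attribute-based
# policy decision point. Attribute names and sample values are constructed.
CLEARANCE = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

def clearance_ok(req):
    """Subject clearance must be at least the resource's classification."""
    return (CLEARANCE[req["subject"]["clearance"]]
            >= CLEARANCE[req["resource"]["classification"]])

def same_department(req):
    return req["subject"]["department"] == req["resource"]["department"]

# Each rule: (effect, condition over the request, plain-language intent).
# The intent string is the business or compliance requirement the rule reflects.
POLICY = [
    ("Deny", lambda r: r["resource"]["classification"] == "restricted"
             and r["environment"]["network"] != "corporate",
     "restricted data is never served outside the corporate network"),
    ("Permit", lambda r: r["action"] == "read" and same_department(r) and clearance_ok(r),
     "staff may read their own department's data within their clearance"),
    ("Permit", lambda r: r["action"] == "write" and same_department(r)
               and r["subject"]["role"] == "editor",
     "only editors may write, and only to their own department's data"),
]

def decide(policy, request):
    """Deny-overrides combining: any applicable Deny wins, otherwise a Permit;
    if no rule applies at all the engine fails closed and returns Deny."""
    decision = "Deny"
    for effect, condition, _intent in policy:
        if condition(request):
            if effect == "Deny":
                return "Deny"
            decision = "Permit"
    return decision

def request(role, dept, clearance, action, res_dept, classification, network):
    """Build a request from subject, action, resource and environment attributes."""
    return {"subject": {"role": role, "department": dept, "clearance": clearance},
            "action": action,
            "resource": {"department": res_dept, "classification": classification},
            "environment": {"network": network}}

if __name__ == "__main__":
    # Same role in both cases; only the contextual attributes differ.
    print(decide(POLICY, request("analyst", "finance", "confidential", "read",
                                 "finance", "confidential", "corporate")))  # Permit
    print(decide(POLICY, request("analyst", "finance", "restricted", "read",
                                 "finance", "restricted", "home")))         # Deny
```

The two sample requests carry the same role, which is exactly what a role-only check would key on; the decision differs because the network and classification attributes are part of the policy.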
As more organizations migrate their infrastructure to the cloud, the need to address complex authorization use cases for cloud-based resources is only going to grow. A policy-driven ABAC model can provide real-time dynamic authorization for the cloud, securing both the administration of cloud deployments and the critical assets, such as applications and data, that now reside there.
About the Author
David Brossard, Vice President of Customer Relations at Axiomatics, directs pre-sales, post-sales, and support teams. Prior to this role, he served as product manager and worked as a Solutions Architect, specializing in IAM and focusing on customer solution design and implementation, and was a senior researcher at BT (British Telecom) in the Security Architectures Center. David earned his master’s degree in engineering from the National Institute of Applied Sciences in France. He is an active member of the OASIS XACML Technical Committee and Trust Elevation Technical Committee. He is also a Sun Certified Architect and a Certified Ethical Hacker (Certified Security Testing Professional).