Cloud Security : Making the Distinction Between Consumer Identity and Enterprise Identity
Cloud Computing is reaching a mass adoption stage in the industry. Every company, irrespective of size and revenue, is affected by the cloud paradigm. In this article, I want to share some of my thoughts on Cloud Identity.
Consumer versus Enterprise Identity
With the advent of web 2.0 services and the proliferation of Web 2.0 style services that include Facebook, Twitter, Foursquare etc, there is an increasing usage of internet activity by users. In this paradigm, the users are consuming the various web 2.0 services using one or more identities. Typically, these identities (facebook login, gmail ID etc) are called Consumer Identities.
With the historic enterprise setup, employees/partners had an identitity that was relevant/confined to the boundaries set by the enteprise. These are typically driven by LDAP servers such as Active Directory or Databases (Human Resources, Partner Department). These identities are typically referred to as Enterprise Identities.
It is very important to understand the difference between these identities. In some situations, the enterprise identity can be the same as the consumer identity. We will take a look at those later in the article.
How do I incorporate Consumer Identity in your enterprise?
Now that we have understood consumer identities, it is time to look at some of the available choices.
There are many Web 2.0 services that provide authentication/login services.
The prominent ones are:
- Facebook Connect
- Google Authentication
There may be other similar cosumer identity services available.
You can use one of these services when you have use for identities in blogs, forums and community interaction. You can also use these services if you are a SMB (Small And Medium Size Business) who cannot have advanced Identity Management infrastructure and do not want to perform password maintenance.
The standards that you should look for are:
- OAuth v2.0
- OpenID Connect.
What should I use for Enterprise Identity?
The king of Enterprise Identity is going to be the Oasis SAML v2.0 Specification. You can obtain both commercial and open source solutions for Enterprise Identity. PicketLink is an open source project that I am currently leading.
When you have need for back channel integration - example, between servers, middleware services etc, then you should definitely go for a Security Token Server (STS) provided as part of the Oasis WS-Trust specifications. PicketLink provides an open source STS.
Within a single organization/enterprise, you can also use Kerberos for enterprise identity, provided you use a Kerberos Domain Controller such as MIT Kerberos Server, Microsoft Active Directory etc.
For many years, Kerberos has been the bedrock of enterprise identity with full support in enterprise operating systems such as Unix (various flavors), Linux and Microsoft Windows Server xxx. Within the enterprise domain, it provides cost effective means to achieve SSO.
Bridging Consumer and Enterprise Identities
As the corporate boundaries have suddenly widened to incorporate partner networks and social networks, the line between enterprise identities and consumer identities is blurring.
The guiding force should be the NIST 800-63 Levels of Assurance (LOA)
Some references to the LOA are:
Consumer Identities are typically at LOA 1 which give little to no assurance on the identity. If somebody logs in with username "ScottJones" via facebook or twitter, you cannot assure that it is infact a person named "Scott Jones". For a comment in the forum or your blog, it makes little impact. But you cannot use this identity in banking, healthcare or enterprise setup where higher levels of assurance for the identity is required.
Identity In the Cloud Use Cases (Use Cases and Definitions)