The Journey Toward Securing the Cloud
If you are in the process of moving to the cloud or still in the planning stages, the need to address complex access control cases for cloud-based resources is a must.
The migration from on-premise infrastructure to the cloud is underway. Many organizations are actively adopting a cloud-first approach and are now either in the process or in the planning stages of migrating their entire infrastructure to the cloud.
As this trend toward “cloud everything” continues, new roadblocks and challenges emerge. One major concern is how to secure and share critical information assets in an open cloud environment while still meeting rigorous security requirements.
Cloud providers primarily focus on strengthening data and network security and include built-in security features such as identity and access management (IAM). However, these services are aimed at addressing common requirements for lower risk workloads. Many of these services don’t offer the level of control and security needed to utilize data systems in the cloud and keep critical data secure.
This has signaled yet another new priority: the move to cloud-native security products and capabilities that offer fine-grained access control, extending whatever the cloud platform provides out of the box. These services are more advanced in access control, and the visibility they give into how data is shared means organizations can readily adjust access to sensitive information as business objectives or regulatory requirements evolve.
Securing the Cloud
In this article, securing the cloud focuses on the access control capability, which can have multiple dimensions. First, the access control system is installed and operated with cloud-native functionality (well-defined interfaces, REST/JSON supported APIs, fault tolerance, stateless, bounded context, etc.). Next, the access control system should easily integrate with the environment in order to protect cloud-hosted applications, APIs, and data. This includes out-of-the-box integrations with API gateways, cloud data services, and applications.
Third, access control can be applied to the cloud infrastructure itself. A common security/access model is very valuable as workloads are spread across multiple cloud platforms and automated via orchestration tools. Now you can control who can start, stop, or delete workloads with a centrally managed, policy-based system instead of applying proprietary security controls within each cloud platform.
Access control is best done with externalized dynamic authorization delivered through an Attribute-Based Access Control (ABAC) model. The fine-grained capabilities of an ABAC approach allow an access decision to consider not only the identity of the user but also additional context-aware attributes, such as the resource, the environment, and the relationships between all three, when performing an access control decision. This allows for much finer-grained access control than would be possible if only identity were considered, and is essential when handling sensitive or regulated digital assets.
With an ABAC model deployed in the cloud, organizations can realize a wide range of benefits, from fine-grained access control to centralized digital policy management.
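The following is an added example, not code from the article or from any vendor's product. It is a minimal policy decision point that evaluates subject, resource and environment attributes together, including the relationship between them (resource owner matches the caller, caller and resource share a department), and applies the workload start/stop/delete case mentioned earlier. All attribute names, rule names and the deny-overrides combining order are assumptions chosen for illustration; the decision also returns the name of the rule that fired, so an enforcement point can log it for audit.

```python
"""Minimal attribute-based access control (ABAC) decision point.

Added illustration, not from the article or any product. Attribute names,
rule names and the combining algorithm (deny-overrides, default deny) are
assumptions chosen for the example.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

Attributes = Dict[str, Any]


@dataclass
class Request:
    subject: Attributes       # who is asking (id, department, ...)
    resource: Attributes      # what is targeted (type, owner, classification, ...)
    environment: Attributes   # context of the call (network trust, time, ...)
    action: str               # e.g. "read", "start", "stop", "delete"


@dataclass
class Rule:
    name: str
    effect: str               # "permit" or "deny"
    condition: Callable[[Request], bool]


# Constructed policy set. Conditions may relate attributes from different
# categories, which is what a pure identity/role check cannot express.
POLICY: List[Rule] = [
    Rule("no_restricted_data_off_trusted_network", "deny",
         lambda r: r.resource.get("classification") == "restricted"
         and not r.environment.get("trusted_network", False)),
    Rule("owner_can_manage_own_workload", "permit",
         lambda r: r.action in {"start", "stop", "delete"}
         and r.resource.get("type") == "workload"
         and r.resource.get("owner") == r.subject.get("id")),
    Rule("same_department_read", "permit",
         lambda r: r.action == "read"
         and r.subject.get("department") == r.resource.get("department")),
]


def decide(request: Request, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Deny-overrides: any matching deny wins, then the first matching permit,
    otherwise default deny. Returns (decision, rule_name) for audit logging."""
    for rule in policy:
        if rule.effect == "deny" and rule.condition(request):
            return "deny", rule.name
    for rule in policy:
        if rule.effect == "permit" and rule.condition(request):
            return "permit", rule.name
    return "deny", "default_deny"
```

An enforcement point (API gateway filter, sidecar, or orchestration hook) would build the Request from the caller's token, the resource metadata and connection context, call decide(), and record the returned rule name alongside the decision.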
Realizing the Benefits of ABAC in the Cloud
By implementing an ABAC model, organizations extend their existing cloud-based capabilities to provide dynamic and fine-grained access control. By using ABAC to enhance a secure cloud infrastructure, organizations can deliver more personal, convenient, and trusted mobile experiences to customers, employees, and partners while enabling secure access to applications and data in the cloud.
Among the primary benefits of ABAC in the Cloud are:
- Running your access control service in the cloud alongside your protected applications and data provides optimal system performance and allows you to operate the security infrastructure in the same way that applications are managed. The modularity and flexibility of ABAC systems are also well-designed for hybrid deployments, which are expected to be very common over the next several years. For example, the ABAC system management functions are deployed as services that are separate from the runtime decision engine, which are separate from the enforcement component. This flexibility allows enterprises to make deployment configuration choices based on their individual requirements for high availability, system capacity, peak load automation, and other operational preferences.
- ABAC in the cloud enables developers to avoid the bad security practices of the past. Developers don't need to be burdened with adding security logic to their APIs/microservices. Instead, they can simply call another microservice (in this case the ABAC service) to process access decisions. Developer time is therefore saved, provided that application development adheres to the microservice principle of bounded context and calls external services for security functions.
- Application maintenance costs can be greatly reduced by separating security logic from the application itself. In one customer example, the customer estimated that more than 80% of application changes were to access control code. By shifting this function to a dedicated service, access policy changes can be implemented independently of the business logic code, freeing up developer time and making access policy changes a much simpler and faster process.
- A dedicated ABAC service can react faster to policy change requests because code changes are virtually eliminated. Instead, policy changes are made in the authorization service via configuration and distributed to the runtime services - after going through the necessary development-test-QA-production process.
Whether you are in the process of moving to the cloud or still in the planning stages, the need to address complex access control cases for cloud-based resources will arise - securing the cloud, the administration of the cloud, and providing authorization as a cloud service.