The Journey Toward Securing the Cloud

If you are in the process of moving to the cloud or still in the planning stages, the need to address complex access control cases for cloud-based resources is a must.

by Gerry Gebel
Jun. 07, 18 · Opinion

The migration from on-premises infrastructure to the cloud is underway. Many organizations have adopted a cloud-first approach and are now either migrating their entire infrastructure to the cloud or planning to do so.

As this trend toward “cloud everything” continues, new roadblocks and challenges emerge. One major concern is how to secure and share critical information assets in an open cloud environment while still meeting rigorous security requirements.

Cloud providers primarily focus on data and network security and include built-in features such as identity and access management (IAM). These services are aimed at the common requirements of lower-risk workloads, and many of them do not offer the level of control needed to run data systems in the cloud while keeping critical data secure.

This has created another priority: cloud-native security products that add fine-grained access control beyond what the cloud platform offers out of the box. Because these services make explicit how data is shared and with whom, organizations can adjust access to sensitive information as business objectives or regulatory requirements evolve.

Securing the Cloud

In this article, securing the cloud focuses on the access control capability, which has several dimensions. First, the access control system is installed and operated as a cloud-native service (well-defined interfaces, REST/JSON APIs, fault tolerance, statelessness, bounded context, and so on). Next, the access control system should integrate easily with the environment in order to protect cloud-hosted applications, APIs, and data. This includes out-of-the-box integrations with API gateways, cloud data services, and applications.

Third, access control can be applied to the cloud infrastructure itself. A common security/access model is very valuable as workloads are spread across multiple cloud platforms and automated via orchestration tools. Now you can control who can start, stop, or delete workloads with a centrally managed, policy-based system instead of applying proprietary security controls within each cloud platform.

Access control is best done with externalized dynamic authorization delivered through an Attribute Based Access Control (ABAC) model. An ABAC decision considers not only the identity of the user but also attributes of the action being requested, the resource, and the environment (time, network location, device state), together with the relationships among them, such as whether the user's department matches the record's department. This allows a much finer-grained decision than identity alone could support and is essential when handling sensitive or regulated digital assets.

With an ABAC model deployed in the cloud, organizations can realize a wide range of benefits, from fine-grained access control to centralized digital policy management.

Realizing the Benefits of ABAC in the Cloud

By implementing an ABAC model, organizations extend their existing cloud capabilities with dynamic, fine-grained access control. Using ABAC on top of a secure cloud infrastructure lets organizations deliver more personal, convenient, and trusted experiences to customers, employees, and partners (on mobile and elsewhere) while keeping access to applications and data in the cloud under policy control.

Among the primary benefits of ABAC in the Cloud are:

  • Running your access control service in the cloud alongside your protected applications and data gives the best performance (the decision round-trip stays inside the platform) and lets you operate the security infrastructure the same way applications are managed. The modularity of ABAC systems also suits hybrid deployments, which are expected to be very common over the next several years. For example, the ABAC management functions are deployed as services separate from the runtime decision engine, which is in turn separate from the enforcement component that sits with the protected application. This lets enterprises make deployment choices based on their own requirements for high availability, capacity, peak-load automation, and other operational preferences.
  • ABAC in the cloud lets developers avoid the old bad practice of hard-coding security logic into each API or microservice. Instead, the service calls another microservice (the ABAC authorization service) to obtain the access decision and enforces the result. If application development follows the microservice principle of bounded context and delegates security functions to external services, developer time is saved. One caveat: the enforcement point must fail closed when the authorization service is unreachable or returns an error; treating "no answer" as "allowed" reintroduces exactly the risk the service exists to remove.
  • Application maintenance costs can be greatly reduced by separating security logic from the application itself. In one customer example, the customer estimated that more than 80% of application changes were to access control code. By shifting this function to a dedicated service, access policy changes can be made independently of the business logic code, freeing developer time and making policy changes much simpler and faster.
  • A dedicated ABAC service can react faster to policy change requests because code changes are virtually eliminated. Instead, policy changes are made in the authorization service as configuration and distributed to the runtime services, after going through the usual development, test, QA, and production process.
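As an added illustration (not code from the article, and not any vendor's product), here is a small ABAC policy decision point in Python that ties together the points above: decisions are made over subject, action, resource and environment attributes and their relationships; policies are JSON configuration rather than application code, so tightening a rule is a data change; one rule governs data access and another governs who may delete a production workload, the infrastructure case described earlier; and the combining rule is deny-overrides with default deny, so a missing or malformed attribute can never turn into a permit. The `enforce` function stands in for the enforcement point a microservice would call (in production an HTTPS call to the service's REST/JSON API). All policy ids, attribute names and sample values are constructed for the example.

```python
"""Minimal ABAC policy decision point (PDP): default deny, deny-overrides.
Policies are JSON data, so tightening access is a configuration change that
is pushed to the running authorization service, not a change to app code.
"""
import ipaddress
import json

# Operands written as "subject.x", "resource.x", "env.x" or "action" are
# attribute references resolved from the request; anything else is a literal.
ATTR_PREFIXES = ("subject.", "resource.", "env.", "action")
_MISSING = object()

# Constructed sample policy set for illustration (not from any real product).
POLICY_JSON = """
[
  {"id": "record-read-same-department", "effect": "permit",
   "target": {"resource.type": "patient_record", "action": "read"},
   "conditions": [["subject.department", "==", "resource.department"],
                  ["subject.clearance", ">=", "resource.sensitivity"]]},
  {"id": "record-write-same-department", "effect": "permit",
   "target": {"resource.type": "patient_record", "action": "write"},
   "conditions": [["subject.department", "==", "resource.department"]]},
  {"id": "deny-write-from-untrusted-device", "effect": "deny",
   "target": {"resource.type": "patient_record", "action": "write"},
   "conditions": [["env.device_trusted", "!=", true]]},
  {"id": "workload-delete-prod", "effect": "permit",
   "target": {"resource.type": "workload", "action": "delete"},
   "conditions": [["subject.role", "in", ["sre"]],
                  ["resource.env", "==", "prod"],
                  ["env.source_ip", "in_cidr", "10.0.0.0/8"],
                  ["env.change_window_open", "==", true]]}
]
"""

OPERATORS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b,
    "in": lambda a, b: a in b,
    "in_cidr": lambda a, b: ipaddress.ip_address(a) in ipaddress.ip_network(b),
}


def load_policies(text):
    return json.loads(text)


def flatten(request):
    """Map the nested request onto dotted attribute names."""
    attrs = {"action": request.get("action")}
    for category in ("subject", "resource", "env"):
        for name, value in request.get(category, {}).items():
            attrs[f"{category}.{name}"] = value
    return attrs


def resolve(operand, attrs):
    if isinstance(operand, str) and operand.startswith(ATTR_PREFIXES):
        return attrs.get(operand, _MISSING)
    return operand


def holds(condition, attrs):
    """True or False, or None when an attribute is missing or malformed."""
    left, op, right = condition
    lhs, rhs = resolve(left, attrs), resolve(right, attrs)
    if lhs is _MISSING or rhs is _MISSING:
        return None
    try:
        return bool(OPERATORS[op](lhs, rhs))  # unknown op is a policy bug: raise
    except (TypeError, ValueError):
        return None


def evaluate(policy, attrs):
    """'permit', 'deny', 'indeterminate', or None if the policy does not apply."""
    if not all(attrs.get(k) == v for k, v in policy["target"].items()):
        return None
    results = [holds(c, attrs) for c in policy["conditions"]]
    if any(r is False for r in results):
        return None
    if any(r is None for r in results):
        return "indeterminate"
    return policy["effect"]


def decide(policies, request):
    """Deny-overrides: any deny wins; an unevaluable deny rule still denies;
    an unevaluable permit rule grants nothing; no applicable rule means deny."""
    attrs = flatten(request)
    permitted_by = None
    for policy in policies:
        outcome = evaluate(policy, attrs)
        if outcome == "deny" or (outcome == "indeterminate" and policy["effect"] == "deny"):
            return {"decision": "deny", "policy": policy["id"]}
        if outcome == "permit" and permitted_by is None:
            permitted_by = policy["id"]
    if permitted_by:
        return {"decision": "permit", "policy": permitted_by}
    return {"decision": "deny", "policy": None}


def enforce(policies, request):
    """Enforcement point a microservice calls instead of embedding access
    logic; in production this is an HTTPS call to the PDP's REST/JSON API."""
    result = decide(policies, request)
    if result["decision"] != "permit":
        raise PermissionError(f"denied (policy={result['policy']})")
    return result["policy"]
```

Two behaviours are worth noticing when you run it. A write request that carries `device_trusted: false` is denied by the deny rule even though the department rule would permit it (deny-overrides), and a write request that omits `device_trusted` entirely is also denied, because an unevaluable deny rule is treated as a deny rather than silently skipped. Conversely, an SRE deleting a production workload from an address outside `10.0.0.0/8`, or with an unparsable source address, gets no permit from any rule and falls through to the default deny.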

Whether you are in the process of moving to the cloud or still in the planning stages, the need to address complex access control cases for cloud-based resources will arise - securing the cloud, the administration of the cloud, and providing authorization as a cloud service.


Opinions expressed by DZone contributors are their own.
