Cloud computing provides shared network, computing capacity, memory, and storage on demand to a vast set of concurrent consumers. Concurrent access to shared resources widens the attack surface of the services running on those resources. Hence, identity and access management (IAM) is an imperative requirement in cloud computing. A cloud engineer must impose stronger application-level and network-level security than traditional, perimeter-bound approaches provide in order to counter threats such as phishing attacks, denial-of-service attacks, and man-in-the-middle attacks. This article describes popular IAM patterns used in cloud computing.
Cloud-based clusters are primarily categorized into public clouds, private clouds, and hybrid clouds. Public clouds are offered by third-party providers over the public internet, making them available to any interested party. Private clouds are isolated from public clouds and operated on private networks under the owning organization's control. Hybrid clouds combine private and public clouds. Furthermore, cloud-based clusters are exposed through different service models, such as infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS), and serverless.
Nowadays, a wide variety of free and commercial applications use the IaaS, PaaS, SaaS, and serverless models. For instance, science gateways have been developed to enable research communities to easily manage and run their experiments on high-performance computing (HPC) systems. Those gateways are integrated with middleware that connects to the HPC cluster and manages experiments on behalf of gateway users. This multitenant middleware must provide seamless access to HPC resources for end users. HPC clusters are widely deployed on private clouds with strict security requirements; hence, accessing HPC resources requires specific SSH keys, certificates, and password credentials. Thus, credential management, authentication and authorization, resource sharing, and access control are essential requirements.
Furthermore, consider an application development platform that exposes APIs for building retail support applications such as online shopping and data analytics apps. This platform connects to Salesforce, Shopify, Google, and Facebook services. End users create accounts on the platform and are unaware of the backend cloud services. Hence, the middleware must orchestrate those cloud services, manage their access credentials, and handle API authorization for them on the users' behalf.
By considering the aforementioned use cases and widely used industry practices, we can identify the basic elements of IAM as identities and groups, relationships, credentials, and entitlements. User accounts, user groups, user claims, user attributes, and user roles are collectively referred to as identities and groups. Relationships describe the dependencies between identities, groups, attributes, and roles. Credentials are the access keys and other secrets (passwords, certificates, tokens) by which users and resources prove their identity. Entitlements describe the access policies that apply to users, groups, credentials, and relationships. Role-based access control, group-based access control, attribute-based access control, and policy-based access control are widely used access control models, and real deployments usually combine them (for example, a role decides which actions are permitted, while an attribute such as project membership decides which resources those actions may touch).
IAM patterns are composed from the aforementioned IAM elements. Delegated identity management (DIM), federated identity management (FIM), sharing, and synchronization are the most popular IAM patterns. The DIM pattern employs an identity broker to connect with external identity providers (IdPs); the broker is responsible for just-in-time (JIT) provisioning, creating a local account the first time a user arrives with a valid assertion from a trusted IdP and refreshing that account's attributes on later logins. FIM establishes trust between different domains so that applications can consume services across domains via a single user identity. Identity federation is categorized into inbound and outbound identity federation: inbound federation allows external users to consume internal services, while outbound federation allows internal users to consume external applications. Sharing enables the common use of IAM elements across services and applications; however, sharing has limitations when user stores and applications reside in different domains. Synchronization replicates user stores and application stores among different services.
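The following is an added example, not code from the original article, that ties the IAM elements above (identities, roles, attributes, entitlements) to the DIM pattern: an identity broker that accepts assertions only from configured IdPs, provisions a local account just-in-time on first login, re-synchronizes roles and attributes on every later login, and then answers an entitlement query that combines a role-based rule with an attribute-based one. The issuer URLs, group and role names, project names and the sample assertions are all constructed; signature validation of the assertion is assumed to have happened before the broker is called.

```python
"""Identity broker with JIT provisioning and a combined RBAC/ABAC entitlement check.
Constructed example: issuers, groups, roles, projects and assertions are hypothetical."""
import time
from dataclasses import dataclass, field

# Trust configuration (hypothetical): which external IdPs the broker accepts and
# how each IdP's groups map onto local roles. Unmapped groups grant nothing.
TRUSTED_IDPS = {
    "https://idp.partner.example": {"label": "partner",
                                    "group_to_role": {"researchers": "hpc-user", "admins": "hpc-admin"}},
    "https://login.corp.example": {"label": "corp",
                                   "group_to_role": {"eng": "hpc-user"}},
}


@dataclass
class LocalIdentity:
    username: str
    issuer: str
    subject: str
    email: str
    roles: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)
    last_login: float = 0.0


class IdentityBroker:
    """Local accounts are keyed on (issuer, subject), never on email: two IdPs
    asserting the same email address must not collapse into one local identity."""

    def __init__(self):
        self.users = {}

    def login(self, assertion: dict, now=None) -> LocalIdentity:
        now = time.time() if now is None else now
        issuer = assertion.get("iss")
        if issuer not in TRUSTED_IDPS:
            raise PermissionError(f"untrusted issuer {issuer!r}")
        if assertion.get("exp", 0) <= now:
            raise PermissionError("expired assertion")
        cfg = TRUSTED_IDPS[issuer]
        key = (issuer, assertion["sub"])
        ident = self.users.get(key)
        if ident is None:
            # Just-in-time provisioning: the first successful login creates the account.
            # The username is namespaced by IdP so partner "alice" cannot shadow corp "alice".
            ident = LocalIdentity(username=f"{cfg['label']}-{assertion['sub']}", issuer=issuer,
                                  subject=assertion["sub"], email=assertion.get("email", ""))
            self.users[key] = ident
        # Synchronization: roles and attributes are re-derived on every login, so a
        # group removed at the IdP is removed here too instead of lingering.
        ident.roles = {cfg["group_to_role"][g] for g in assertion.get("groups", [])
                       if g in cfg["group_to_role"]}
        ident.attributes = {"projects": set(assertion.get("projects", []))}
        ident.email = assertion.get("email", ident.email)
        ident.last_login = now
        return ident


def is_entitled(ident: LocalIdentity, action: str, resource: dict) -> bool:
    """Role rule: hpc-admin may do anything. Attribute rule: hpc-user may only
    submit or read jobs whose project appears in the user's own project list."""
    if "hpc-admin" in ident.roles:
        return True
    if "hpc-user" in ident.roles and action in {"submit", "read"}:
        return resource.get("project") in ident.attributes.get("projects", set())
    return False


# Constructed sample assertions (exp is 2100-01-01 so they stay valid for the demo).
PARTNER_ALICE = {"iss": "https://idp.partner.example", "sub": "alice", "email": "alice@partner.example",
                 "groups": ["researchers"], "projects": ["climate"], "exp": 4102444800}
CORP_ALICE = {"iss": "https://login.corp.example", "sub": "alice", "email": "alice@partner.example",
              "groups": ["eng"], "projects": ["genomics"], "exp": 4102444800}


def demo() -> dict:
    broker, now = IdentityBroker(), 1_700_000_000
    a = broker.login(PARTNER_ALICE, now)
    can_climate = is_entitled(a, "submit", {"project": "climate"})
    can_genomics = is_entitled(a, "submit", {"project": "genomics"})
    b = broker.login(CORP_ALICE, now)                 # same email, different IdP
    a2 = broker.login(dict(PARTNER_ALICE, groups=[]), now + 100)  # group revoked at IdP
    try:
        broker.login({"iss": "https://evil.example", "sub": "alice", "exp": 4102444800}, now)
        untrusted_rejected = False
    except PermissionError:
        untrusted_rejected = True
    return {"distinct_accounts": a.username != b.username and len(broker.users) == 2,
            "alice_can_submit_climate": can_climate, "alice_can_submit_genomics": can_genomics,
            "roles_after_revocation": sorted(a2.roles), "same_account_updated": a2 is a,
            "untrusted_rejected": untrusted_rejected}


if __name__ == "__main__":
    print(demo())
```

The two details worth copying into a real broker are the account key and the re-derivation on every login: keying on (issuer, subject) closes the classic cross-IdP account takeover through a colliding email claim, and recomputing roles from the current assertion means revocation at the IdP takes effect at the next login rather than whenever someone remembers to run a cleanup job.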
Numerous technologies and protocols are used to implement the aforementioned IAM patterns. OAuth 2.0 is the industry-standard protocol for delegated authorization; it simplifies client development and integration with identity servers. OAuth 2.0 is built on elements such as scopes, grant types, and client types (public clients such as browser and mobile apps, which cannot keep a secret, and confidential clients, which can). Scopes limit what an application may access on the user's behalf; a client should request, and the server should grant, only the scopes the application needs. Grant types are the OAuth flows by which a client obtains an access token; widely used grant types include Authorization Code (the recommended flow for user-facing applications, combined with PKCE so that an intercepted code cannot be redeemed by anyone but the client that requested it), Client Credentials (for service-to-service calls with no user involved), Resource Owner Password (now prohibited by the OAuth 2.0 Security Best Current Practice because it hands the user's password to the client), and Refresh Token. OpenID Authentication 2.0 is an authentication federation protocol that relying parties can use to obtain verified identities from IdPs. OpenID Connect is an identity layer built on OAuth 2.0 that clients use to authenticate users and obtain account attributes as claims in a signed ID token. The System for Cross-domain Identity Management (SCIM) protocol is used to provision and synchronize user stores residing in different domains.
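To make the Authorization Code flow, scopes and refresh tokens described above concrete, here is an added example (not code from the original article) that simulates both sides of the exchange in one process: an authorization server with a registered client, down-scoping to the registered scopes, single-use codes bound to the client and redirect URI, PKCE verification, and refresh-token rotation. The client id "shop-app", the redirect URI "https://shop.example/cb", the scope names and the user are constructed; there is no network, and a real deployment would add signature or database-backed token storage, TLS, and client authentication for confidential clients.

```python
"""Offline simulation of the OAuth 2.0 Authorization Code grant with PKCE and
refresh-token rotation. Constructed example: client, URIs, scopes and user are hypothetical."""
import base64
import hashlib
import secrets


def b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE requires for the S256 challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class AuthorizationServer:
    def __init__(self):
        # Client registration (hypothetical). A public client has no secret, so the
        # exact redirect_uri match and PKCE are what bind a code to the real client.
        self.clients = {"shop-app": {"redirect_uris": {"https://shop.example/cb"},
                                     "scopes": {"orders:read", "orders:write"}}}
        self.codes, self.access, self.refresh = {}, {}, {}

    def authorize(self, client_id, redirect_uri, scope, code_challenge, user, now):
        """Front channel: the user consents and the server returns a short-lived code."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise PermissionError("unknown client or unregistered redirect_uri")
        granted = set(scope.split()) & client["scopes"]   # never grant beyond registration
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "scope": granted,
                            "challenge": code_challenge, "user": user, "expires": now + 60}
        return code

    def token(self, client_id, code, redirect_uri, code_verifier, now):
        """Back channel: redeem the code. pop() makes every code single-use."""
        rec = self.codes.pop(code, None)
        if rec is None or rec["expires"] < now:
            raise PermissionError("invalid, replayed or expired code")
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise PermissionError("code was issued to a different client or redirect_uri")
        if b64url(hashlib.sha256(code_verifier.encode()).digest()) != rec["challenge"]:
            raise PermissionError("PKCE verification failed")
        return self._issue(client_id, rec["user"], rec["scope"], now)

    def refresh_token(self, client_id, refresh, now):
        """Refresh Token grant with rotation: the presented refresh token is consumed."""
        rec = self.refresh.pop(refresh, None)
        if rec is None or rec["client_id"] != client_id:
            raise PermissionError("invalid refresh token")
        return self._issue(client_id, rec["user"], rec["scope"], now)

    def _issue(self, client_id, user, scope, now):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[access] = {"user": user, "scope": scope, "client_id": client_id, "expires": now + 600}
        self.refresh[refresh] = {"user": user, "scope": scope, "client_id": client_id}
        return {"access_token": access, "refresh_token": refresh, "token_type": "Bearer",
                "expires_in": 600, "scope": " ".join(sorted(scope))}

    def allows(self, access_token, required_scope, now):
        """What a resource server checks before serving a request."""
        rec = self.access.get(access_token)
        return rec is not None and rec["expires"] > now and required_scope in rec["scope"]


def run_flow(server, requested_scope, now, user="alice", verifier=None):
    """Client side: create the PKCE pair, obtain a code, redeem it with the verifier."""
    real_verifier = secrets.token_urlsafe(48)
    challenge = b64url(hashlib.sha256(real_verifier.encode()).digest())
    code = server.authorize("shop-app", "https://shop.example/cb", requested_scope, challenge, user, now)
    tokens = server.token("shop-app", code, "https://shop.example/cb", verifier or real_verifier, now)
    return code, real_verifier, tokens


def demo() -> dict:
    srv, now = AuthorizationServer(), 1_700_000_000
    code, verifier, tok = run_flow(srv, "orders:read profile", now)  # "profile" is not registered
    r = {"granted_scope": tok["scope"],
         "read_allowed": srv.allows(tok["access_token"], "orders:read", now),
         "write_allowed": srv.allows(tok["access_token"], "orders:write", now),
         "expired_allowed": srv.allows(tok["access_token"], "orders:read", now + 601)}
    try:  # replaying a consumed code must fail even with the correct verifier
        srv.token("shop-app", code, "https://shop.example/cb", verifier, now)
        r["replay_rejected"] = False
    except PermissionError:
        r["replay_rejected"] = True
    try:  # an attacker holding only the code (no verifier) must fail PKCE
        run_flow(srv, "orders:read", now, verifier="not-the-real-verifier")
        r["wrong_verifier_rejected"] = False
    except PermissionError:
        r["wrong_verifier_rejected"] = True
    new = srv.refresh_token("shop-app", tok["refresh_token"], now + 500)
    r["old_refresh_reusable"] = tok["refresh_token"] in srv.refresh
    r["refreshed_read_allowed"] = srv.allows(new["access_token"], "orders:read", now + 700)
    return r


if __name__ == "__main__":
    print(demo())
```

Three of the checks in `token()` are the ones most often missing in home-grown servers: the code is popped so a replay fails, the code is bound to the client id and the exact redirect URI it was issued for, and the PKCE verifier must hash to the stored challenge. The down-scoping in `authorize()` shows why a resource server should check the scope actually granted rather than the scope the client asked for.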
Using IAM elements, IAM patterns, and integration protocols, numerous cloud IAM solutions have been developed and are consumed by a wide range of services and applications. Single sign-on (SSO), shared logins, service accounts, multifactor authentication, and identity linking are the most popular identity solutions provided by vendors in the security industry.