Adapting to a changing IT landscape through the adoption of Cloud technologies
In this article Pirean Security Consultant Stephen Williams discusses how organizations can adapt to an IT service industry undergoing enormous change through the use of Federated Identity Management and Cloud technologies. With these technologies, organizations can meet new industry challenges and respond with smarter, more efficient and more personalized IT services.
Recent significant advances in virtualization technology have allowed organizations to make enormous efficiency, resource and cost savings, as well as reduce their carbon footprint. This, coupled with an explosion in outsourced IT processes through the use of industry-strength Cloud-based SaaS offerings, has contributed to a significant change in the IT service management and hosting landscape.
An increasingly global and distributed user base, coupled with social media offerings such as Twitter and Facebook, has changed the online user experience: users now expect disparate services to be seamlessly 'joined up' and personalized. At the same time the sources and variety of security risks have increased exponentially, driven by the continued uptake of online services by the public and changes in the way these users consume them. All these changes place massive demands on legacy IT infrastructures; the days when the data center was king are gone. Organizations will continue to struggle to meet these challenges without significant disruption and process reengineering, and since legacy systems cannot simply be ripped out and replaced, the only recourse is to extend existing infrastructure in a secure and standards-based manner.
Achieving greater IT service flexibility and functionality whilst preserving existing investments and processes is obviously a non-trivial task. Ensuring that any (re)engineered services are still governed by an organization's existing set of security controls and policies requires a very different set of IT solutions. By extending, enriching and securing disparate systems in a standardized manner using open standards such as SAML, OAuth and XACML, organizations can maximize their existing IT investments and gain increased service agility.
Security Assertion Markup Language (SAML) is a standard that allows a user population to securely access resources regardless of their location and HTTP domain. In 2005 SAML v2.0 became an OASIS standard; it is the convergence of SAML v1.x and the Identity Federation Framework (ID-FF) v1.2. Since then SAML has become the default protocol for Federated Identity Management (FIM) solutions and has given rise to other FIM-related standards. Through the exchange of SAML tokens between Identity Provider (IdP) and Service Provider (SP) entities, users can move seamlessly between different parties within a Federation in a secure manner, supported at all times by a predefined 'Circle of Trust'. Within the context of a business and its employees, SAML can be used to provide Single Sign-On between a set of separate systems, such as two Access Management vendor products within a single organization, or an existing in-house Access Management solution and a Cloud-based SaaS offering. In this context the use of SAML tokens allows an organization to preserve its existing Identity and Access Management processes and extend them to encompass an outsourced service based in the Cloud.
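As an added example (not code from the article or from any Pirean product), these are the acceptance checks a Service Provider applies to an incoming SAML 2.0 assertion before acting on it: the Issuer must be a member of the configured Circle of Trust, the Audience must name this SP, and the Conditions window must be current. The assertion, entityIDs and timestamps are constructed; XML-Signature verification (with a library such as xmlsec) is assumed to have been done first and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion for the example (not a real IdP's output). The
# ds:Signature element is omitted; signature checking happens before this step.
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def saml_time(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_assertion(xml_text, circle_of_trust, sp_entity_id, now):
    """SP-side acceptance checks. Returns (accepted, reason_or_subject).

    circle_of_trust: issuer entityIDs this SP federates with.
    sp_entity_id:    this SP's own entityID, expected in <Audience>.
    now:             current time, injected so the check is deterministic.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"] or root.get("Version") != "2.0":
        return False, "not a SAML 2.0 Assertion"
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in circle_of_trust:
        return False, f"issuer {issuer!r} is outside the circle of trust"
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions"
    if not (saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return False, f"assertion not addressed to {sp_entity_id}"
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return True, subject
```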
Open Authorization (OAuth) is a standard used to increase data portability by facilitating the distribution of private user data between disparate IT systems through the exchange of tokens rather than credentials. Published in April 2010 as RFC 5849 and currently at v1.0a (with v2.0 in draft), OAuth is gaining in popularity, most notably in 2010 when Twitter adopted it as its default mechanism for integrating with third-party applications. Although SAML tokens can be used to exchange user information (as 'attributes' or 'claims') in a trusted manner, the key advantage of OAuth is that it places consent in the hands of the user whom the data describes. For organizations that store and use sensitive user data as part of an existing business service, OAuth can be used to allow other consumer IT systems to request and reuse this user data easily, securely and in a user-consent-driven manner, without the need for expensive application interface development. By increasing the distribution of user data between its IT systems, an organization can increase the richness and personalization of its user-centric systems whilst mitigating or reducing enterprise application integration costs.
Authorization policy management across an entire IT estate is traditionally a very resource-intensive task, as any change to a policy requires the modification (and testing) of an entire suite of applications. Externalizing authorization policy definition and decision making to a separate entity, through the use of eXtensible Access Control Markup Language (XACML) definitions, can significantly increase the flexibility of an application portfolio and reduce the cost and effort required to make any future change. Originally published in 2001 and currently at v2.0, XACML support can increasingly be found in vendor product portfolios such as IBM's Tivoli Security Policy Manager (TSPM), ForgeRock's OpenFM and Axiomatics' Policy Server. Version 3.0 is currently in draft and will add critical new features such as the Multiple Decision Profile, delegated administration and Obligation statements. In a business environment XACML definitions can be used to centrally define the policy governing what user entitlements are required to access a particular resource, thereby providing a single, auditable view of the security risk across the entire estate. If a new application resource is deployed or a new security risk is identified, an organization with a separate Policy Decision Point (PDP) need only make the necessary XACML policy definition changes, which take effect immediately.
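To make the externalized decision point concrete, here is an added example (not from the article or from any of the products named) of a minimal Policy Decision Point in Python: it evaluates a constructed XACML 2.0 policy whose rules match subject and resource attributes with string-equal and combines the results with the deny-overrides rule-combining algorithm. The calling application (the Policy Enforcement Point) only passes attributes in and receives Permit, Deny or NotApplicable, so a policy change needs no application change. The policy, attribute names and request values are constructed, and the matcher is simplified to AND-ing all matches in a Target.

```python
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:2.0:policy:schema:os"}
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
# Constructed policy (not from the article): the finance role may reach
# /payroll, but anyone flagged as a contractor is denied regardless of role.
POLICY_XML = f"""<Policy xmlns="{NS['x']}" PolicyId="payroll-policy"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="finance-reads-payroll" Effect="Permit"><Target>
    <Subjects><Subject><SubjectMatch MatchId="{STRING_EQUAL}">
      <AttributeValue>finance</AttributeValue>
      <SubjectAttributeDesignator AttributeId="role"/>
    </SubjectMatch></Subject></Subjects>
    <Resources><Resource><ResourceMatch MatchId="{STRING_EQUAL}">
      <AttributeValue>/payroll</AttributeValue>
      <ResourceAttributeDesignator AttributeId="resource-id"/>
    </ResourceMatch></Resource></Resources>
  </Target></Rule>
  <Rule RuleId="contractors-denied" Effect="Deny"><Target>
    <Subjects><Subject><SubjectMatch MatchId="{STRING_EQUAL}">
      <AttributeValue>contractor</AttributeValue>
      <SubjectAttributeDesignator AttributeId="employment"/>
    </SubjectMatch></Subject></Subjects>
  </Target></Rule>
</Policy>"""

def section_matches(section, request):
    """AND every *Match in a Subjects/Resources/Actions section against the
    request attributes (string-equal only); an absent section matches anything."""
    if section is None:
        return True
    for match in (m for m in section.iter() if m.tag.endswith("Match")):
        wanted = match.find("x:AttributeValue", NS).text
        designator = next(c for c in match if c.tag.endswith("AttributeDesignator"))
        if request.get(designator.get("AttributeId")) != wanted:
            return False
    return True

def evaluate(policy_xml, request):
    """PDP: combine every rule whose Target matches with deny-overrides."""
    decision = "NotApplicable"
    for rule in ET.fromstring(policy_xml).findall("x:Rule", NS):
        target = rule.find("x:Target", NS)
        parts = (target.find("x:" + s, NS) for s in ("Subjects", "Resources", "Actions"))
        if all(section_matches(p, request) for p in parts):
            if rule.get("Effect") == "Deny":
                return "Deny"  # deny-overrides: a single Deny settles the request
            decision = "Permit"
    return decision
```

Adding a rule to POLICY_XML changes the outcome for every caller of evaluate() without touching application code, which is the point of a central PDP.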
In summary, significant advances in Virtualization, the rise of Cloud services and the raft of new Federated Identity Management related standards have together had an enormous impact on the IT industry. These advances have given rise to a multitude of new opportunities such as Green IT through data center consolidation, smarter and richer IT services through increased user data portability and, finally, increased business agility through the federation of disparate services. Organizations that do not or cannot adopt standards such as SAML, OAuth and XACML will continue to experience great difficulty when attempting to adapt their legacy systems to an ever-changing IT service landscape.