by Gerry Gebel for DZone.com
If you are in the process of moving to the cloud or still in the planning stages, you must address the complex access control cases that arise for cloud-based resources.
The migration from on-premise infrastructure to the cloud is underway. Many organizations are actively adopting a cloud-first approach and are now either in the process or in the planning stages of migrating their entire infrastructure to the cloud.
As this trend toward “cloud everything” continues, new roadblocks and challenges emerge. One major concern is how to secure and share critical information assets in an open cloud environment while still meeting rigorous security requirements.
Cloud providers primarily focus on strengthening data and network security and include built-in security features such as identity and access management (IAM). However, these services are aimed at the common requirements of lower-risk workloads. Many of them don’t offer the level of control needed to use data systems in the cloud while keeping critical data secure.
This has signaled yet another new priority: the move to cloud-native security products and capabilities that provide fine-grained access control, extending what the cloud platform offers out of the box. These services are more advanced in access control, and the resulting visibility into how data is shared means organizations can readily take steps to control access to sensitive information as business objectives or regulatory requirements evolve.
Securing the Cloud
In this article, securing the cloud focuses on the access control capability, which has multiple dimensions. First, the access control system is installed and operated with cloud-native functionality (well-defined interfaces, REST/JSON APIs, fault tolerance, statelessness, bounded contexts, etc.). Next, the access control system should integrate easily with the environment in order to protect cloud-hosted applications, APIs, and data. This includes out-of-the-box integrations with API gateways, cloud data services, and applications.
Third, access control can be applied to the cloud infrastructure itself. A common security/access model is very valuable as workloads are spread across multiple cloud platforms and automated via orchestration tools. Now you can control who can start, stop, or delete workloads with a centrally managed, policy-based system instead of applying proprietary security controls within each cloud platform.
Access control is best done with externalized dynamic authorization delivered through an Attribute Based Access Control (ABAC) model. The fine-grained capabilities of an ABAC approach allow a decision to consider not only the identity of the user but also additional context-aware attributes, such as the resource, the environment, and the relationships among all three, when performing an access control decision. This allows for much finer-grained access control than would be possible if only identity were considered, and it is essential when handling sensitive or regulated digital assets.
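To make the ABAC decision described above concrete, here is an added example (not code from the article or from any vendor product) of a minimal policy decision point for the workload lifecycle actions mentioned earlier. The attribute names (`team`, `owner_team`, `roles`, `classification`, `mfa`, `in_change_window`) and the rules are hypothetical, constructed for illustration; real deployments would load policies from a policy store and pull attributes from identity and cloud inventory sources.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Any, List, Tuple

Attrs = Dict[str, Any]   # attribute bag for a subject, a resource or the environment

@dataclass
class Rule:
    name: str
    effect: str   # "permit" or "deny"
    applies: Callable[[Attrs, Attrs, str, Attrs], bool]  # (subject, resource, action, env)

# Hypothetical policy for workload lifecycle actions (constructed for this example):
RULES: List[Rule] = [
    # Relationship attribute: a subject may start/stop only workloads its own team owns.
    Rule("team-owns-workload", "permit",
         lambda s, r, a, e: a in ("start", "stop") and s["team"] == r["owner_team"]),
    # Delete additionally needs an admin role on the subject and MFA in the environment.
    Rule("delete-needs-admin-and-mfa", "permit",
         lambda s, r, a, e: a == "delete" and "workload-admin" in s["roles"]
         and s["team"] == r["owner_team"] and e["mfa"]),
    # Environment attribute: regulated workloads are frozen outside the change window.
    Rule("regulated-frozen-outside-window", "deny",
         lambda s, r, a, e: r["classification"] == "regulated"
         and not e["in_change_window"]),
]

def decide(subject: Attrs, resource: Attrs, action: str, env: Attrs,
           rules: List[Rule] = RULES) -> Tuple[str, List[str]]:
    """Deny-overrides combining: a matching deny wins over any permit; no match means deny.
    Returns the decision and the names of the rules that matched, for audit logging."""
    matched = [rule for rule in rules if rule.applies(subject, resource, action, env)]
    if any(rule.effect == "deny" for rule in matched):
        return "deny", [rule.name for rule in matched]
    if any(rule.effect == "permit" for rule in matched):
        return "permit", [rule.name for rule in matched]
    return "deny", []   # default deny when no rule applies

if __name__ == "__main__":
    # Constructed sample request: a developer starting their own team's workload.
    dev = {"id": "alice", "team": "payments", "roles": ["developer"]}
    vm = {"id": "vm-1", "owner_team": "payments", "classification": "standard"}
    print(decide(dev, vm, "start", {"mfa": False, "in_change_window": True}))
```

The returned rule names are what a central policy service should log with each decision, so that a deny on a regulated workload can be traced to the freeze rule rather than to a missing role.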
With an ABAC model deployed in the cloud, organizations can realize a wide range of benefits, from fine-grained access control to centralized digital policy management.