This article appeared on November 30, 2020, in IT Toolbox. Written by Gerry Gebel, Vice President of Business Development at Axiomatics.
As organizations shift more resources to the cloud, they require modern technologies to meet the security requirements of a multi-cloud approach. Here, Gerry Gebel, VP of Business Development at Axiomatics talks about the importance of a policy-based approach for securing cloud-based data resources.
Businesses are embarking on more data-driven projects as analytical technologies continue to advance. Impactful applications of data and analytics are already functioning across a variety of industries including healthcare, finance, manufacturing, retail and more, in the form of speech recognition, augmented reality and video applications.
In parallel, other data-driven initiatives include the transfer of data, applications and other IT components to the cloud. Enterprises realize the cloud is the ideal place to develop innovative data projects because cloud infrastructure saves IT costs, increases scalability, modernizes IT infrastructure, and enables collaboration within development teams to help resolve complex data problems.
The Benefits of Data in the Cloud
Cloud platforms offer a wide variety of benefits compared to on-premise relational databases, including both affordability and flexibility. This is especially important for testing new data projects. For example, the cloud’s pay-per-use model is ideal for intermittent workloads, whereas on-premise systems cost money, whether they are in use or not.
Cloud platforms also lower the barrier to embarking on data projects by making analytical capabilities accessible to users without requiring deep data science expertise. Enterprises can experiment with analytics projects in the cloud and scale up if a project is a success, or remove the project if it is a failure, without additional costs.
With a low bar to entry, many organizations are adopting a multi-cloud approach, where they utilize multiple, different cloud service providers to diversify their IT architecture. Every cloud platform includes different features and capabilities, including various analytics functionalities, pricing structures, and even security features.
While a diverse IT architecture and infrastructure provides certain advantages, enterprises must balance these advantages against potential risks or challenges. One common obstacle is the conflicting or overlapping cloud security components in individual cloud platforms.
Managing the Security Inconsistencies of Divergent Cloud Platforms
Depending on the service provider, each platform offers distinct security features. For example, some cloud providers are moving to a zero-trust approach, like Google Cloud’s BeyondCorp. Others, like Microsoft Azure, are utilizing role-based access control (RBAC) models. Managing each system’s security components to ensure unauthorized users can’t access information sources and applications is a strenuous task.
Furthermore, cloud platforms include features like orchestration, requiring a reexamination of new processes and security controls. It is crucial to centralize the security features of all cloud platforms to establish a consistent, high level of access control throughout a multi-cloud architecture.
While most cloud providers offer built-in access control features, there is no guarantee that those features will work across numerous individual cloud platforms. Businesses need to take additional steps to strengthen and centralize the security of cloud platforms.
By adopting security technologies that can implement access policies consistently across cloud platforms, businesses can address the regulatory requirements around the proper handling and sharing of sensitive customer information.
In addition, security capabilities must be built and deployed in the cloud as part of a continuous integration/continuous deployment (CI/CD) process. That way they can be managed alongside a DevSecOps approach.
One way businesses can unify cloud security capabilities and maintain a CI/CD model is with a fine-grained, policy-based approach to both secure and share data.
How Attribute Based Access Control Can Centralize Cloud Security
Attribute Based Access Control (ABAC) technologies can streamline and centralize access control capabilities across numerous cloud platforms. The method uses characteristics of the user and of the data to construct fine-grained rules, so that the right access control is administered dynamically rather than assigned statically. These policies can be built on any attribute — be it user or data.
An ABAC policy for cloud-hosted data might include attributes that express additional context, like risk score, device information or location, when making access decisions. Policies are a clear representation of business requirements — which resources can be accessed by which individuals — and apply access control consistently based on any user and any attribute.
With ABAC, organizations can model simple and complex data access policies that eliminate settling on an “all or nothing” approach and solve the many pains of a role-based approach — such as management overhead, scalability, and role explosion. Policies are managed independently of the cloud, applications, and data stores. These individual policies streamline policy management (write once, apply many) and can be administered consistently across both on-premise and cloud deployments.
The Advantages of Running ABAC in the Cloud
One benefit of operating an ABAC service in a multi-cloud environment is the amount of time it saves developers by extracting authorization code from individual APIs/microservices and managing it in a centralized, independent manner. With ABAC, organizations can utilize a microservice approach for application development by calling a separate microservice to administer access rights. ABAC requires no coding. Instead, policy changes are configured directly in the authorization service and sent to the runtime services. As a result, organizations can respond quickly to any policy modification requests.
An ABAC approach supplies enterprises with superior system performance since they can now operate the security infrastructure the same way they manage applications. In addition, by separating security logic from the application itself, organizations can significantly reduce application maintenance costs. When security logic is moved to a dedicated service, access policy changes are carried out separately from the business logic code.
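As an added illustration (not code from the article or from any Axiomatics product), the following Python sketch shows the ABAC model described above together with the externalized decision service of the last two paragraphs: policies are data consulted by a small decision function that combines user, resource and environment attributes such as risk score, device and location. The attribute names, sample values and the deny-overrides, deny-by-default combining rule are all assumptions chosen for the example.

```python
"""Added example (not from the article or Axiomatics): a minimal ABAC
policy decision point. Policies are data, not application code, so a
policy change needs no redeploy of the service that asks for a decision.
Attribute names and sample values are constructed for illustration."""
from typing import Any, Callable

# A rule is a predicate over the request attributes plus an effect.
Rule = dict[str, Any]

def attr(path: str) -> Callable[[dict], Any]:
    """Fetch a dotted attribute such as 'resource.classification'."""
    category, name = path.split(".", 1)
    return lambda req: req.get(category, {}).get(name)

POLICY: list[Rule] = [
    # Analysts may read datasets belonging to their own department.
    {"effect": "permit", "action": "read",
     "when": lambda r: attr("user.role")(r) == "analyst"
         and attr("user.department")(r) == attr("resource.department")(r)},
    # Restricted data is readable only from managed devices in approved regions.
    {"effect": "deny", "action": "read",
     "when": lambda r: attr("resource.classification")(r) == "restricted"
         and (attr("env.device_managed")(r) is not True
              or attr("env.location")(r) not in {"US", "EU"})},
    # A high session risk score denies every action regardless of role.
    {"effect": "deny", "action": "*",
     "when": lambda r: (attr("env.risk_score")(r) or 0) >= 70},
]

def decide(policy: list[Rule], request: dict) -> str:
    """Deny-overrides combining (assumed): permit only if some permit rule
    matches and no deny rule matches; anything unmatched is denied."""
    action = request.get("action")
    matched = [rule["effect"] for rule in policy
               if rule["action"] in ("*", action) and rule["when"](request)]
    if "deny" in matched:
        return "deny"
    return "permit" if "permit" in matched else "deny"

# Constructed sample request: an analyst reading restricted finance data
# from a managed device in the US with a low risk score.
SAMPLE = {
    "action": "read",
    "user": {"id": "alice", "role": "analyst", "department": "finance"},
    "resource": {"id": "ds-42", "department": "finance", "classification": "restricted"},
    "env": {"device_managed": True, "location": "US", "risk_score": 15},
}

if __name__ == "__main__":
    print(decide(POLICY, SAMPLE))  # permit
```

Changing a threshold or adding a rule edits only POLICY; the calling application keeps sending the same request shape.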
As more businesses continue to take advantage of the power of the cloud for data and analytics projects, they will need to address more and more complicated access control use cases for cloud-based data. An ABAC framework is the best modern approach for securing the cloud and thereby facilitating innovation.
Using any user or data attribute to build robust policies that drive fine-grained access control, consistently applied, centralized, scalable, and independent of application code, yields many internal benefits, including lower development cost and faster time to obtain access. It also produces larger business outcomes, such as speed to market, competitive advantage, and growth.