Digital transformation is a key priority for enterprises all over the world, but most IT decision makers have not completed the technology deployments needed to address the initiatives that are critical to digital business. Digital transformation at its core is about improving the customer experience by modernising tools and processes within an organisation. One common digital transformation initiative is moving identity management infrastructure to the cloud.
Moving this infrastructure to the cloud has many benefits, including elastic scalability, reduction in Total Cost of Ownership, and co-location with cloud-based applications. Every day, more and more enterprises of all sizes are finding value in moving to a cloud-based infrastructure, especially to help development teams collaborate on solving complex challenges.
But before you move your entire infrastructure to the cloud you will have to make sure it is secure. Obviously, you will put in place firewalls and data encryption and monitor your data to ensure it is secure, but that skips the first step. So, what is the first step?
Deploying the Access Control Layer in the Cloud
One key benefit that cloud has brought to the industry is the ability to self-provision capacity, and access control is no different. Using the one-click experience for images on the Amazon Web Services (AWS) Marketplace, one can get started with dynamic policy management in minutes.
Moving to an operating expense model for budgeting lowers risk from what has traditionally been a capital expense world with on-premise software deployments. Rather than having to put all of the investment up front with little predictability on what services and integration will cost, an organisation can model their policies and integrations in the cloud and only pay for what they use on a development scale.
Access control services must be as fault tolerant or better than the services they protect. One can leverage the infrastructure or platform as a service provider’s capabilities to provide auto-scaling and elasticity for access control. When the demand for your access control service exceeds your current capacity or your Service Level Agreement, add additional nodes seamlessly.
Attribute-Based Access Control (ABAC)
Identity and access management technology, like Attribute-Based Access Control (ABAC), is a key enabler of secure cloud experiences.
ABAC helps enterprises deliver more personal, convenient and trusted mobile experiences to customers, employees and partners while enabling secure access to apps and data in the cloud.
Axiomatics’ dynamic authorization solution provides a Policy Administration Point with a multi-tenant capability that can be leveraged in your private cloud to service multiple departments independently and consolidate global policies where appropriate. Axiomatics also delivers a stateless Policy Decision Point (PDP) that scales predictably and can be deployed in a hybrid model: some PDPs stay on-premise to service legacy systems, while cloud-hosted PDPs service anything from Infrastructure (IaaS) to Software (SaaS).
It is not a coincidence that APIs and microservices emerged as the building blocks for application development alongside the cloud. To leverage the flexible deployment benefits of cloud models, one should have loose coupling and high cohesion of autonomous, domain-specific services. Access control is no different. Externalizing token issuance, policy decisions, multi-factor authentication, user profiles and risk evaluation defeats the tyranny of the layered architecture and the monolith. Axiomatics provides a lightweight REST/JSON protocol for accessing its decision services.
Establishing the access control services and the governance and training for using them is a key first step to moving to the cloud.
Securing Cloud Services
Standards play a key role in the fabric of trust between cloud providers. To trust these services for your core business functions, the contracts with the consumer must be maintained. SCIM, OpenID Connect and XACML are some of the important identity and access formats and definitions that cloud providers rely on to externalise these key services. They allow access control vendors to innovate without redefining, with each version, how the services are to be consumed.
Not every organisation wants to model its access control policies the same way. Axiomatics provides the flexibility to use Attribute-Based (ABAC), Role-Based (RBAC) or Risk-Based (RiBAC) Access Control models, usually in conjunction. Leveraging contextual data and comparing characteristics of the protected resources with the attributes of the identity will make your policies more resilient and keep the number of roles and groups from exploding.
Enforcement of this dynamic policy often happens at the API Gateway that virtualizes the services from the cloud provider. The Gateway is strategically placed to combine the attributes of the client, the identity of the consumer and the metadata of the resource being accessed into the question: “Can the consumer perform this operation on this resource under these conditions?” The Policy Decision Point can perform additional lookups as needed to formulate an access decision, or an expression that determines which data should be returned to the client and which data should be filtered, masked or redacted.
Examples of such gateways are Amazon API Gateway and Apigee API Gateway.
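As an added illustration (not code from this article, Axiomatics or XACML), here is a minimal ABAC decision and enforcement pair of the kind described above: a PDP answers the gateway's question by comparing subject, resource and context attributes, and the PEP applies the decision, including masking the fields the policy says must not be returned. The attribute names, rules and sample record are constructed assumptions for this example.

```python
# Constructed example of an ABAC PDP and gateway PEP; attribute names,
# rules and the record below are assumptions, not any vendor's API.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Request:
    subject: dict      # who is asking (e.g. claims from an OpenID Connect token)
    action: str        # the operation on the resource
    resource: dict     # metadata of the resource being accessed
    environment: dict  # contextual attributes (network, risk score, time)

@dataclass
class Decision:
    effect: str                              # "Permit" or "Deny"
    mask: set = field(default_factory=set)   # fields the PEP must redact

# Each rule: (condition over the request, effect, fields to mask on Permit).
# Rules are tried in order and the first match wins (XACML first-applicable);
# no match means Deny by default.
RULES = [
    # Deny any access when the contextual risk score is high.
    (lambda r: r.environment.get("risk_score", 0) >= 80, "Deny", set()),
    # Doctors may read records of patients in their own department:
    # a resource attribute compared against a subject attribute.
    (lambda r: r.action == "read"
               and "doctor" in r.subject.get("roles", [])
               and r.subject.get("department") == r.resource.get("department"),
     "Permit", set()),
    # Billing staff may read any record but never see clinical fields.
    (lambda r: r.action == "read" and "billing" in r.subject.get("roles", []),
     "Permit", {"diagnosis", "notes"}),
]

def decide(request: Request) -> Decision:
    """PDP: evaluate subject/resource attributes under the given context."""
    for condition, effect, mask in RULES:
        if condition(request):
            return Decision(effect, mask if effect == "Permit" else set())
    return Decision("Deny")

def enforce(request: Request, record: dict) -> Optional[dict]:
    """PEP at the gateway: return the record with masked fields, or None."""
    d = decide(request)
    if d.effect != "Permit":
        return None
    return {k: ("***" if k in d.mask else v) for k, v in record.items()}
```

A real deployment would fetch missing attributes (the "additional lookups" above) from a Policy Information Point before evaluating, rather than expecting the gateway to supply them all.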
Key drivers for organisations moving to cloud deployment include:
● Digital Transformation
● Sharing data outside of organisational boundaries
● Tiered subscription and personalization
● Privacy and protection of sensitive data
One of the key first steps in achieving the nimble and robust capabilities of cloud deployment is to establish the access control services required to support these drivers. Dynamic authorization is critical to leveraging contextual attributes for real-time policy decisions.
API Gateways provide high cohesion of policy enforcement of your business services deployed in cloud providers.
As more organisations migrate to the cloud, the need to address complex authorization use cases for cloud-based resources is only going to grow. ABAC can help provide real-time dynamic authorization in the cloud, all while providing optional tools for auditing, reporting and policy testing.