UNIT - V
Architecture of Identity Access Management in Cloud Computing
Identity and Access Management (IAM) is administered by the root user (administrator) of the organization. A user represents one person within the organization, and users can be placed in groups so that all members of a group receive the same privileges to the services.
Shared Responsibility Model for Identity Access Management
Cloud Service Provider (CSP)
● Infrastructure (Global Security of the Network)
● Configuration and Vulnerability Analysis
● Compliance Validation
Customer
● Users, Groups, Roles, Policies Management and Monitoring
● Use IAM tools to apply appropriate permissions.
● Analyze access patterns and review permissions.
The Architecture of Identity Access Management
User Management:- It consists of activities for the control and management over the identity
life cycles.
Authentication Management:- It consists of activities for effectively controlling and managing the processes that determine which user is trying to access the services and whether that user is who they claim to be.
Authorization Management:- It consists of activities for effectively controlling and
managing the processes for determining which services are allowed to access according to the
policies made by the administrator of the organization.
Access Management:- It handles the response to a request made by a user who wants to access resources within the organization.
Data Management and Provisioning:- The authorization data and identity data are propagated to the IT resource through automated or manual processes.
Monitoring and Auditing:- Based on the defined policies, the monitoring, auditing, and reporting of users' access to resources within the organization are carried out.
Operational Activities of IAM:- In this process, we onboard new users onto the organization's systems and applications and provide them with the necessary access to services and data. Deprovisioning works the opposite way: we delete or deactivate the identity of the user and revoke all the privileges of the user.
Credential and Attribute Management:- Credentials are bound to an individual user and
are verified during the authentication process. These processes generally include allotment of
username, static or dynamic password, handling the password expiration, encryption
management, and access policies of the user.
Entitlement Management:- These are also known as authorization policies in which we
address the provisioning and de-provisioning of the privileges provided to the user for
accessing the databases, applications, and systems. We provide only the required privileges to
the users according to their roles. It can also be used for security purposes.
Identity Federation Management:- In this process, we manage the relationships that extend beyond the internal network of the organization, that is, among different organizations. A federation is an association of organizations that have come together to exchange information about users and resources in order to enable collaboration and transactions.
Centralization of Authentication and Authorization:- Centralizing these functions removes the need for each application to build its own custom authentication and authorization features, and it also promotes a loosely coupled architecture.
Top Challenges of Identity and Access Management and Solutions to Address them
Decentralized Identity Management
As companies transition from on-premises data to cloud-hosted data, centralized on-premises identity management can become decentralized. This gives more autonomy to different departments, but also increases risk when it comes to IAM. In a centralized system, a single user identity is used across the entire organization. This gives admins control of user access to company data, but it also means they are responsible for user identity management: they must store and manage user credentials, user profiles, and user identification (ID) attributes. As you decentralize data,
decentralized identity management may become necessary. In decentralized identity
management, each department has its own user identity system. Each user’s identity and
access privileges are controlled by that department, and they are not shared with other
departments. This means that centralized admin responsibilities are distributed to each
department. This can make IAM more challenging, but it can also open up autonomy in
certain departments.
Cloud Data Management
Cloud data is the data that is hosted in a remote data center and accessed over the Internet. It
is a common practice for organizations to store their data in the cloud because it is much
cheaper than on-premise data storage. It’s also more scalable and easily accessible from
anywhere. But with this convenience comes a few challenges for IAM professionals. A major
issue with cloud data is that it could be hosted by a service provider with whom your
company doesn’t have a contract. This means there may be little control over how data is
protected and maintained. You’ll also need to ensure that you can securely transfer data to
and from the cloud, which can be a challenge in its own right. If the data is sensitive or
regulated, the challenges associated with securing cloud data increase even further.
Data Security
Data security is crucial when considering any IAM implementation. While many
organizations still prefer to store their data on-premise, many others have moved their data to
the cloud. In both cases, when it comes to data security, admins will need to determine the
best method for protecting their data from malicious attacks. There are several ways to protect data from malicious attacks, including:
o Strong access control
o Cryptography
o Data minimization
o Strong monitoring and alerting
o Data obfuscation
Strong access control and cryptography are effective ways to protect data from unauthorized users and potential attacks. Data minimization and data obfuscation are less common security measures. They aim to minimize the data collected, which reduces the overall risk. These methods are helpful for compliance and regulatory requirements like GDPR.
User Authentication and Authorization
Authentication is the process of confirming the identity of a user by verifying their
credentials. This ensures that only authorized users can access your data. Authentication is
usually a one-time process. Authorization, on the other hand, is the process of granting users
access to specific data or resources. Both are often executed together, but they should be
separate processes. Authentication is based on identity, while authorization is based on
privilege. An example of this is logging into a computer or website. When you log in, your
credentials are authenticated, but they don’t indicate your level of authority or what you can
do on the platform. Authentication and authorization work together to ensure that only
authorized individuals have access to sensitive data.
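The separation described above, as an added Python example that is not part of the original notes: authentication checks credentials only, authorization evaluates group policies (an explicit Deny overrides any Allow, and no match means deny), and a deprovisioned user is stopped at authentication. The user names, policy format and sample values are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample directory (not any vendor's format): users, group membership,
# and per-group policies of (effect, action, resource). A fixed salt keeps the sample
# short; a real credential store would use a random salt per user.
SALT = b"constructed-salt"

def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)

USERS = {
    "alice": {"hash": _pw_hash("correct horse"), "groups": ["developers"], "active": True},
    "bob":   {"hash": _pw_hash("battery staple"), "groups": ["auditors"], "active": False},  # deprovisioned
}
POLICIES = {
    "developers": [("Allow", "storage:Get", "bucket/app/*"),
                   ("Deny",  "storage:Get", "bucket/app/secrets/*")],
    "auditors":   [("Allow", "logs:Read", "*")],
}

def authenticate(user: str, password: str) -> bool:
    """Identity check only: who is this? Says nothing about what they may do."""
    rec = USERS.get(user)
    if rec is None or not rec["active"]:   # unknown or deprovisioned identity
        return False
    return hmac.compare_digest(rec["hash"], _pw_hash(password))

def _matches(pattern: str, value: str) -> bool:
    if pattern.endswith("*"):              # trailing wildcard, e.g. "bucket/app/*" or "*"
        return value.startswith(pattern[:-1])
    return pattern == value

def authorize(user: str, action: str, resource: str) -> bool:
    """Privilege check: an explicit Deny overrides any Allow; no matching statement means deny."""
    rec = USERS.get(user)
    if rec is None or not rec["active"]:
        return False
    allowed = False
    for group in rec["groups"]:
        for effect, p_action, p_resource in POLICIES.get(group, []):
            if _matches(p_action, action) and _matches(p_resource, resource):
                if effect == "Deny":
                    return False
                allowed = True
    return allowed

def access(user: str, password: str, action: str, resource: str) -> str:
    """Run the two steps in order and report which one stopped the request."""
    if not authenticate(user, password):
        return "authentication failed"
    if not authorize(user, action, resource):
        return "access denied"
    return "ok"
```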
Organizational Change Management
Organizational change management is focused on the people aspect of IAM. Part of this
change is cultural, as employees already have a set of expectations and methods for managing
their data. Adding new levels of security and access privileges complicates this process.
Organizational change management can be addressed by involving stakeholders in the design,
implementation, and rollout stages of IAM. By involving key stakeholders, you can get a
better idea of how the system will work in the real world. You can then identify and address
any issues that could arise as the system is implemented. Organizational change management
requires open and frequent communication between stakeholders. This helps to identify
potential issues before they become major problems.
Managing Access for Remote Work
IT departments must facilitate access across multiple devices and platforms without
compromising security—a difficult feat with existing IAM systems.
Keeping Application Integrations Up to Date
In the cloud, apps change over time. A good cloud-based IAM solution should keep up with
these changes and ensure that the application integration, and thus your access, is always up
to date and functional. Your IAM service should mediate all the different integration
technologies and approaches, making these challenges transparent for IT. And as the various
services’ APIs change and multiply, the cloud IAM provider should manage these
programmatic interfaces, offloading the technological heavy-lifting away from your IT
department, so they no longer have to track dependencies between connectors and application
versions.
Different Administration Models for Different Applications
As cloud applications become easier and less expensive to get up and running, companies are
adopting more point SaaS solutions every day. These solutions are often managed by the
corresponding functional area in a company, such as the Sales Operations group in the case of
Salesforce.com. This can benefit IT because it leaves application administration to others and
frees up time, but it can also create a new problem because there is no central place to
manage users and applications, or provide reports and analytics.
A cloud IAM service should provide IT with central administration, reporting, and user and
access management across cloud and on-prem applications. In addition, the service should
include a built-in security model to provide the right level of access to your individual
application administrators, so they can manage their specific users and applications within the
same IAM system.
Data and Storage security
Since all data is transferred using the Internet, data security in the cloud is a major concern.
Here are the key mechanisms to protect the data.
o access control
o audit trail
o certification
o authority
The service model should include security mechanisms working in all of the above areas.
Separate access to data
Since the data stored in the cloud can be accessed from anywhere, we need a mechanism to isolate the data and protect it from the client's direct access.
Brokered cloud storage access is a way of separating the storage from the client in the cloud. In this approach, two services are created:
1. A broker has full access to the storage but does not have access to the client.
2. A proxy does not have access to the storage but has access to both the client and the broker.
Working of a brokered cloud storage access system
When the client issues a request to access data:
1. The client data request goes to the external service interface of the proxy.
2. The proxy forwards the request to the broker.
3. The broker requests the data from the cloud storage system.
4. The cloud storage system returns the data to the broker.
5. The broker returns the data to the proxy.
6. Finally, the proxy sends the data to the client.
All the above steps are shown in the following diagram:
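The six-step flow above, as an added Python simulation that is not part of the original notes: the broker holds the only handle to storage, the proxy holds only the broker, and a shared trace records each hop in order. The allow-list check inside the proxy and the sample objects are assumptions added here for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample objects and a constructed per-client allow-list; the check in the
# proxy is an assumption added here (the notes only say the proxy faces the client).
OBJECTS = {"reports/q1.csv": b"revenue,120", "hr/salaries.csv": b"alice,90000"}
ALLOWED = {"client-a": {"reports/q1.csv"}}

@dataclass
class CloudStorage:
    objects: dict
    def read(self, key: str) -> bytes:
        return self.objects[key]

@dataclass
class Broker:
    """Steps 3 and 4: full access to storage, no reference to any client."""
    storage: CloudStorage
    trace: list = field(default_factory=list)
    def fetch(self, key: str) -> bytes:
        self.trace.append("broker->storage")
        data = self.storage.read(key)
        self.trace.append("storage->broker")
        return data

@dataclass
class Proxy:
    """Steps 1, 2, 5 and 6: talks to the client and the broker; holds no storage handle."""
    broker: Broker
    trace: list = field(default_factory=list)
    def request(self, client_id: str, key: str):
        self.trace.append("client->proxy")
        if key not in ALLOWED.get(client_id, set()):   # assumed access check at the edge
            self.trace.append("proxy->client: denied")
            return None
        self.trace.append("proxy->broker")
        data = self.broker.fetch(key)
        self.trace.append("broker->proxy")
        self.trace.append("proxy->client")
        return data

def build_system() -> Proxy:
    """Wire storage -> broker -> proxy; only the proxy is ever handed to a client."""
    trace: list = []
    broker = Broker(CloudStorage(OBJECTS), trace)
    return Proxy(broker, trace)

def fetch(client_id: str, key: str):
    """Return (data or None, ordered list of hops) for one client request."""
    proxy = build_system()
    data = proxy.request(client_id, key)
    return data, list(proxy.trace)
```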
Encryption
Encryption helps to protect the data from being compromised. It protects the data being transferred and the data stored in the cloud. Although encryption helps protect data from unauthorized access, it does not prevent data loss.