Identity and Access Management : Trust Boundaries and IAM

11/28/2010 3:13:00 PM
In a typical organization where applications are deployed within the organization’s perimeter, the “trust boundary” is mostly static and is monitored and controlled by the IT department. In that traditional model, the trust boundary encompasses the network, systems, and applications hosted in a private data center managed by the IT department (or sometimes by third-party providers under IT supervision). Access to the network, systems, and applications is secured via network security controls including virtual private networks (VPNs), intrusion detection systems (IDSs), intrusion prevention systems (IPSs), and multifactor authentication.

With the adoption of cloud services, the organization’s trust boundary will become dynamic and will move beyond the control of IT. With cloud computing, the network, system, and application boundary of an organization will extend into the service provider domain. (This may already be the case for most large enterprises engaged in e-commerce, supply chain management, outsourcing, and collaboration with partners and communities.) This loss of control continues to challenge the established trusted governance and control model (including the trusted source of information for employees and contractors), and, if not managed properly, will impede cloud service adoption within an organization.

To compensate for the loss of network control and to strengthen risk assurance, organizations will be forced to rely on other higher-level software controls, such as application security and user access controls. These controls manifest as strong authentication, authorization based on role or claims, trusted sources with accurate attributes, identity federation, single sign-on (SSO), user activity monitoring, and auditing. In particular, organizations need to pay attention to the identity federation architecture and processes, as they can strengthen the controls and trust between organizations and cloud service providers (CSPs).

Identity federation is an emerging industry best practice for dealing with the heterogeneous, dynamic, loosely coupled trust relationships that characterize an organization’s external and internal supply chains and collaboration model. Federation enables the interaction of systems and applications separated by an organization’s trust boundary, e.g., a sales person interacting with Salesforce.com from a corporate network. Since federation coupled with good IAM practice can enable strong authentication by way of delegation, web single sign-on, and entitlement management via centralized access control services, it will play a central role in accelerating cloud computing adoption within organizations.

In some cases, the practice of IAM within an organization may suffer due to a lack of central governance and identity information architecture. More often than not, identity stores are populated by manual entry from multiple administrators, and user provisioning processes are not well orchestrated. This process is not only inefficient, but it will also propagate existing bad practice to the cloud services. In such cases, the weak access model extends excess privileges to cloud services, giving unauthorized users access there as well.

IAM is a two-way street. CSPs need to support IAM standards (e.g., SAML) and practices such as federation so that customers can extend their existing IAM practice to the cloud and maintain compliance with internal policies and standards. For customers, well-implemented IAM practices and processes help protect the confidentiality and integrity of information stored in the cloud and manage its compliance. Cloud services that support IAM standards such as SAML and features such as federation can therefore accelerate both the adoption of new cloud services and the migration of traditional IT applications from trusted corporate networks into a trusted cloud service model.
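The trust boundary in a federated setup is enforced at the relying party: the cloud service accepts an assertion only if it comes from an issuer the organization has explicitly trusted, is addressed to this service, is still within its validity window, and has not been altered in transit, and it then maps the asserted roles onto entitlements it owns itself. The following is an added example written for this page, not code from the article or from any SAML product. It uses a simplified JSON assertion with an HMAC standing in for the XML-DSig signature a real SAML IdP would produce, and all issuer URLs, keys, subjects and role names are constructed values.

```python
import hashlib
import hmac
import json
import time

# Constructed relying-party (service provider) trust configuration.
# A real SAML deployment identifies the issuer by its entityID and verifies an
# XML-DSig signature against the IdP's certificate; the HMAC key below is a
# stand-in for that so the example runs offline.
TRUSTED_ISSUERS = {
    "https://idp.corp.example": b"constructed-idp-signing-key",
}
SERVICE_AUDIENCE = "https://crm.cloud.example/sp"   # this service's own identifier
CLOCK_SKEW_SECONDS = 60

# Entitlement mapping owned by the service provider: the IdP asserts roles,
# the SP decides what each role may do inside its own trust boundary.
ROLE_ENTITLEMENTS = {
    "sales": {"view_accounts", "edit_opportunities"},
    "sales_manager": {"view_accounts", "edit_opportunities", "approve_discounts"},
}


def _canonical(claims):
    """Serialize claims deterministically so issuer and verifier hash identical bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(issuer, signing_key, subject, roles, audience=SERVICE_AUDIENCE,
                    lifetime=300, now=None):
    """IdP side: build a signed assertion scoped to one audience and a short window."""
    now = int(time.time()) if now is None else now
    claims = {
        "issuer": issuer,
        "audience": audience,
        "subject": subject,
        "roles": sorted(roles),
        "not_before": now,
        "not_on_or_after": now + lifetime,
    }
    signature = hmac.new(signing_key, _canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "signature": signature}


def validate_assertion(assertion, now=None):
    """SP side: accept only trusted, intact, correctly addressed, in-window assertions.

    Returns (accepted, reason, entitlements). Entitlements are derived from the
    SP's own role table, never taken verbatim from the assertion.
    """
    now = int(time.time()) if now is None else now
    claims = assertion.get("claims", {})
    key = TRUSTED_ISSUERS.get(claims.get("issuer"))
    if key is None:
        return False, "untrusted issuer", set()
    expected = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
    # Constant-time comparison; check integrity before trusting any other claim.
    if not hmac.compare_digest(expected, assertion.get("signature", "")):
        return False, "bad signature", set()
    # An assertion minted for a different service must not be honoured here.
    if claims.get("audience") != SERVICE_AUDIENCE:
        return False, "audience mismatch", set()
    if now + CLOCK_SKEW_SECONDS < claims["not_before"]:
        return False, "not yet valid", set()
    if now - CLOCK_SKEW_SECONDS >= claims["not_on_or_after"]:
        return False, "expired", set()
    entitlements = set()
    for role in claims.get("roles", []):
        entitlements |= ROLE_ENTITLEMENTS.get(role, set())
    return True, "ok", entitlements


if __name__ == "__main__":
    key = TRUSTED_ISSUERS["https://idp.corp.example"]
    token = issue_assertion("https://idp.corp.example", key, "alice@corp.example", ["sales"])
    print(validate_assertion(token))
```

The ordering of checks matters: the issuer lookup and signature verification come first, so that no other claim (audience, roles, validity window) is acted on until the assertion is known to be from a trusted source and unmodified. Roles that the SP does not recognise simply map to no entitlements, which is how a weak or over-broad provisioning model on the IdP side is prevented from extending excess privileges into the cloud service.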
