I have a new post over on the Cloud Access Security blog on Leveraging Enterprise Credentials to Connect with Cloud Applications, it begins:
Many pundits say that you must pick a Cloud Provider and trust them. I beg to differ. First off, why should we trust the Cloud Provider? A Cloud Consumer wants to leverage the Cloud Provider’s capabilities for functionality and scale where it makes sense, but why should this equate to blind, naïve trust? And anyway, what specifically is the Cloud Consumer trusting the Cloud Provider with? As the old country music song says, “In God we trust, all others pay cash.”
Instead of blindly trusting the Cloud Provider to do the right thing (and a glance at any recent news will show how hard this is in practice), it makes more sense for the Cloud Consumer, i.e. you, to limit how much control you choose to pass to the Cloud Provider. One technique for accomplishing this is to retain control of User Account Management at the Cloud Consumer site. When the Cloud Consumer retains the responsibility for User Account Management, the security architecture gains in several ways:
Read the whole thing
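As an added illustration (not from the original post or the linked article) of keeping User Account Management at the enterprise: a simplified federation exchange in which the enterprise IdP issues a short-lived signed assertion only for accounts it currently lists as valid, and the cloud application verifies that assertion without holding any user database of its own. The account names, statuses, shared HMAC key and TTL are constructed for the demo; HMAC stands in for the signed SAML-style assertion a real deployment would use.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample: the enterprise's own account store. The cloud
# application never sees these records or any password; it only sees
# signed assertions issued by the enterprise IdP.
ENTERPRISE_ACCOUNTS = {
    "alice": {"status": "valid"},
    "bob":   {"status": "suspended"},
}

# Hypothetical key shared between enterprise IdP and cloud app. HMAC stands
# in for the asymmetric signature a SAML or similar federation would use.
FEDERATION_KEY = b"constructed-demo-key"
ASSERTION_TTL = 300  # seconds an assertion stays valid

def _sign(payload: bytes) -> str:
    return hmac.new(FEDERATION_KEY, payload, hashlib.sha256).hexdigest()

def enterprise_issue_assertion(user: str, now: Optional[float] = None) -> Optional[str]:
    """Enterprise IdP: check the local account record and, only for an account
    whose status is 'valid', issue a short-lived signed assertion."""
    now = time.time() if now is None else now
    account = ENTERPRISE_ACCOUNTS.get(user)
    if account is None or account["status"] != "valid":
        return None  # suspended, revoked or unknown users get nothing to present
    claims = {"sub": user, "iat": now, "exp": now + ASSERTION_TTL}
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.b64encode(payload).decode() + "." + _sign(payload)

def cloud_app_accept(assertion: str, now: Optional[float] = None) -> Optional[str]:
    """Cloud application: verify signature and validity window, then trust the
    subject. Since it keeps no user database, suspending or revoking an account
    at the enterprise is enough to stop new sessions here."""
    now = time.time() if now is None else now
    try:
        b64, sig = assertion.split(".", 1)
        payload = base64.b64decode(b64)
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    claims = json.loads(payload)
    if not (claims["iat"] <= now < claims["exp"]):
        return None
    return claims["sub"]
```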
Gunnar,
Great point, and one that will work particularly well with the US government, enterprise and others. Particularly applications as a service and also for other service modes. Does the enterprise really want to outsource provisioning?
Cloud providers should pay more attention to incorporating existing identity, credential and access management schemes and their associated validation infrastructures than trying to re-invent the wheel. I find it very interesting the extent to which any cloud provider has (not) promoted an ability to adopt PIV or PIV-I credentials. Some of this results from the weakness of many existing IdPs, but this is certainly not the case with the Fed. It's a use case waiting to be exploited.
If nothing else, enterprise or other identity credentials could be used as breeder credentials linked to identifiers that cloud service providers can then manage and synchronize with regard to status (e.g. valid/suspended/revoked).
Regards,
Sal
Posted by: IDmachines | June 20, 2011 at 10:22 AM