
by Matthew Gardiner

If you haven't downloaded the December 2009 version of the Cloud Security Alliance's publication, Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, I encourage you to do so.  It is a worthwhile read and, more importantly, a good reference as you are called upon to provide security advice for your organization's cloud explorations.  The report is broken up into 13 specific security domains, in each of which different authors provide their commentary and recommendations.

For this blog entry I am going to focus my comments on Domain 12:  Identity and Access Management.  Overall this section made many good and important points, including:

  • This statement: "Extending an organization's identity services into the cloud is a necessary precursor towards strategic use of on-demand computing services."  Yes - absolutely.  Identity is critical security "glue" no matter where applications, or portions of applications, are running. 
  • Four key areas of IAM that organizations need to be concerned about when moving to the cloud are: Identity provisioning/deprovisioning, authentication, federation, and authorization. 
  • Enterprise IAM services, such as identity provisioning, should connect and extend to cloud services.  IT security services that are common within the enterprise need to be equally common for cloud services.  Provisioning is one good example of this.

While I generally thought the IAM section was good, I have a number of comments which I hope are viewed as constructive and considered for the next version of this very useful paper.

  • On the topic of federation, the paper more than once refers to the organization's chosen identity provider (IdP) as if it isn't the organization itself.  While I understand in theory organizations could have an external IdP - this is what federation is all about - in the context of the cloud today, the vast majority of enterprises will be their own IdP.  I am afraid this generalization, while accurate, might unnecessarily confuse most readers.
  • In the section entitled "Identity Provisioning - Recommendations", while this advice is sound: "customers should avoid proprietary solutions such as creating custom connectors unique to cloud providers and customers should leverage standard connectors...preferably built on SPML", this is the point where the report missed the opportunity to say that currently none (that I know of, anyway) of the cloud providers support SPML.  So the advice is currently moot.  The point to be made here is that cloud service providers need to do a better job of supporting security standards, and it is important that cloud consumers push this point.
  • I was surprised in the IaaS section that there was no mention of Web services and related Web services security standards, such as WS-Security and WS-Trust.  It seems clear that XML-based Web services are going to be the preferred approach for integrating services in and to the cloud, therefore some discussion of the recommended approach for providing standards-based security is warranted here.
  • The discussion of federation gateways in the Federation Recommendations section also perplexed me.  On the face of it, the outsourcing of federation services makes no sense for at least the vast majority of enterprises.  With the release of Microsoft Geneva in ADFS as the most recent example, federation technologies such as SAML are going to be seriously approaching ubiquity.  Given the relative ease with which federation solutions interoperate, outsourcing federation services doesn't make sense.  The hard part of federation is establishing trust between two organizations, not implementing the protocols.  Why outsource the easy and keep the hard?


Matthew Gardiner is a Director of Product Marketing at CA and is a recognized industry leader in the security management & IAM markets worldwide. He is published and interviewed regularly in leading industry media on a wide range of IAM and security-related topics. He is a member of the Liberty Alliance and the Kantara Initiative Board of Trustees. Matthew has a BSEE from the University of Pennsylvania and an SM in Management from MIT's Sloan School of Management.
Tags: saml, security, web_services_security, spml, cloud_security_alliance, matthew_gardiner