Access control (also known as Authorization Control) is a fundamental security concept that limits who can access user information through connections to computer networks and system files. There are several types of access control: Mandatory access control (MAC): Access rights regulated by a central authority; Discretionary access control (DAC): owners or administrators of data set the policies and define who is authorized to access, sometimes without centralized control; Role-based access control (RBAC): Access based on individuals or groups with defined business functions (e.g. executive level) rather than the identities of individual users; Rule-based access control: permits the system administrator to define the rules that govern access to data (e.g. time of day).
These first level access control methods apply to both conventional IT and cloud computing environments, can be used in various combinations, and should already be well established in a users conventional IT environment. They may be easier to oversee in a conventional IT environment because the user population is clearly defined as compared to a Cloud environment where the population is undefined. But in either environment, continued user vigilance of both the application of the types of access and the exercise of the security tools, is essential.
While many good access control practices in the cloud are no different from those in a conventional IT environment, it is the users responsibility to ensure that they are applied effectively and continuously. The user should consider how each of the following principles are addressed in a Cloud environment.
Maintain the principle of assigning the Least Privileges to user accounts. In the cloud privileged users (i.e. system administrators) accounts are attractive targets for hackers. The user is responsible for assigning user accesses and folder and file access privileges, which should be constrained by functional roles and by need-to-know , rather than by simply position within the company; examining on a regular basis logs of access attempts, changes to these accounts; analyzing their activities to detect anomalies; and creation of procedures and guidelines for employee departures to include removal of all account access.
Demand that users select, and change often, extremely secure passwords. This is no different than what is expected in a conventional IT environment and is not any easier to inforce in the cloud. A recent survey of cloud service providers reported that, for various reasons, it is an issue thats commonly overlooked because developers dont want to negatively impact user experience or it is at the bottom of the to-do list. In fact, of the of 133 providers surveyed, 31 allowed one character (any characters) passwords. It is therefore unquestionably the cloud service users responsibility to ensure that secure passwords are employed at all times.
Require the use of Multi-Factor Authentication (MFA). MFA is another common practice in conventional IT that is not necessarily required or enforced in a cloud service environment. If the cloud provider does not have biometric marker capability readily available, at the very least use security tokens, or something only the user knows. Users with admin privileges, in particular those with access to management systems or sensitive data, should absolutely be required to use the best MFA available.
Public Key Infrastructure (PKI) is the gold standard for highly secure and trusted authentication. Deploying a PKI solution in a conventional IT environment can be a complex and costly effort especially when considering the software licenses, training, policy development, and certificate management. A cloud environment can provide some of these capabilities at lower cost but, avoid any offer of completely free PKI capabilities. The most vital PKI process is the handling of the root certificates security and the certificate issuance process. The user must be responsible for the operation and maintenance of the key control process. There is a cost to this responsibility, but taking advantage of what is offered in the cloud environment may offset some costs while incurring only those associated with Key control. Best practices for organizations to reap true benefits of PKI in the cloud would include: host the key management server on the users IT system; key data leaving this server and entering the cloud server must be encrypted; when this data is no longer needed the user must revoke the keys.
Shared Identity Management (also known as Federated Identity Management) is a way to provide a many-to-one mapping for user single sign-on. In other words, a single, trusted identity service provides validated, secure user credentials to multiple domains and applications. This is a benefit in a cloud environment but for user security, the shared identity management server must be internally hosted and maintained. The decision authority for trusted user access to applications and data rests in the hands of the owner.