16. Identification and Authorization Module Introduction
We know that if we implement cloud technologies properly we can actually improve the security posture of our organization, but this does not come automatically. As a matter of fact, we need to attend to identifying those individuals that wanna interact with our cloud resources and we need to authorize those individuals to do what they intend to do against our cloud resources. This is a much varied discussion. There’s lots of different approaches that can be taken to identity and authorization in the cloud. We’ve got a lot to cover, so let’s get started.
17. Directory Services
Just like it is in the typical organization, directory services are often going to be the key when it comes to a cloud identity model. A directory service is going to define: users, groups of users, and typically, permissions that are going to be available inside of the cloud service. Let’s take a look at Microsoft’s Azure. I can’t resist, as it is an example of a cloud service, a cloud organization that provides many different options when it comes to directory services.
So, Microsoft is very typical for a public cloud service. In fact, I would say they go to the extreme when it comes to directory services. You see, they have Azure Active Directory available to us right at our fingertips. Now, this is not the famous Active Directory of Windows. No, this is something different. This is a version of Active Directory that Microsoft has created for their cloud service Azure. So, do not equate it one to one with the Active Directory that you might build inside of an organization.
Now, guess what? If you want to connect the Active Directory that you have inside your organization to the Microsoft Azure Active Directory, there is a tool for doing this, and it’s called Azure Active Directory Connect. So yes, we can bring in the existing Active Directory directory service we might be utilizing, and we can connect that information into the Azure Active Directory.
Now keep in mind, inside of Microsoft Azure, we of course have virtual machine resources. And one of the things that we might choose to create inside of Azure is an Azure virtual machine. And one of the types of Azure virtual machines you could create, of course, would be to go in and build a server for domain controller functionality. So, do you see another option for building a directory service inside of Azure is sure enough to build the Windows server resources that you need in the cloud, and then build your own Active Directory? So, think about all the options here. There’s Azure Active Directory, then there’s connecting our standard Active Directory with the Azure AD Connect tool. But then if we wanted to, we could create our own traditional Active Directory cloud based inside of Azure.
Now I certainly don’t wanna overwhelm you with the choices here, but let me just emphasize to you that there is going to be a lot of them. We’ve discussed several already. But if you look in Azure and you look at all of the services, notice if we scroll down, that one of the major categories here, 23 services in the category of identity. So, notice there’s going to be plenty of tools that you can utilize to ensure that you can identify the users of your cloud solution, and you can authorize them.
Notice there are tools that will allow us to easily connect external identities. So, we can do things like federation, where users can be securely authenticated using some other system, and then they can come in and access ours. So lots of options when it comes to identity and authorization in a typical cloud solution.
18. Single Sign On (SSO)
Single Sign-On is so often referred to as its acronym of SSO that we can sometimes forget what even SSO stands for. We just see it and we think, ‘Oh yeah, Single Sign-On.’ We just, we kind of immediately intuitively think about what it brings to us. Now, I do wanna point out that SSO is an acronym that is actually shared in technology. That is sometimes what’s called Stateful Switchover in high availability designs where two systems share state information with each other so that if one of the systems fails the other system is aware of state information. So you do sometimes have to explore, okay, wait a minute which technology are we talking about? But Single Sign On is all around us today. Don’t believe me? Well, let me demonstrate it for you right now.
So, are you ready for a demonstration of Single Sign-On? I don’t have to work that hard. Here you can see that I have just logged into a Windows desktop and I’m gonna go down and I am going to launch. I know you can’t see the exact search I was doing there but you can see that I clearly just did a search for none other than Word. And look at this, we have a situation where I am just seamlessly logged into my OneDrive account with Microsoft as well as my Office 365 account. Yeah, look at this. So this is a real remarkable example of the Single Sign-On. I signed on initially with the underlying operating system, in this case it was Windows 10. I then launched Office, which triggered a sign-on seamlessly with those same credentials to the OneDrive Cloud storage service. And you can see resources that have been accessing in there. And then you can clearly see that I am also logged into Office 365. So, if I wanna go ahead and access other Office 365 components, it’s going to be a very similar seamless sign-in process. And Single Sign-On is a huge advantage for End users because of the ease of operation that it brings when we’re dealing with operating systems and applications.
Not only is public cloud systems and private cloud systems going to shoot to support things like Single Sign-On. Think about it. You’re doing it all the time when you’re interacting with the public cloud service, for example. So, when I go in and I am accessing the S3 storage service in AWS, think about it, what I’m doing here is I am being single sign-on to that service, if you will. So, I signed in to AWS and then the appropriate credentials were passed to the Amazon S3 storage service. And you can see I have some buckets here, some storage buckets, with files in them that I am storing in the cloud. And there was single sign-on going on for this access to occur.
Of course, in inside of AWS, there’s going to be a ton of identity services in the identity and security and compliance category, and they’re going to help you achieve things like Single Sign-On. How about that? An AWS service that I was not aware of. So this must be a fairly new service and it’s none other than the AWS Single Sign-On service. So this allows access as we can see to a bunch of applications through a Single Sign-On process, pretty nifty. And cloud makes great user features like this an easy reality.
19. PKI
There’s simply no denying it. The public key infrastructure, or PKI, is one of the most important inventions for the proliferation and success of the Internet. Let me explain why.
Let’s break down the miracle that is the public key infrastructure. So here is our company, we are ABC Company. And sure enough, we have our wonderful private cloud that we are offering for our company. And this private cloud, by the way, does have some resources that it makes available to the public. So there is just a wee bit of information that is made publicly available. All right, so ABC Company wants to make sure that it can offer these mainly private cloud but some public cloud services to the masses. And it wants to ensure this is done securely. So what it does is it generates the public key. So what it does is it generates the public key. And this public key is something that can be shared publicly and it is often shared via a public certificate authority. So this is where digital certificates get into this story because they can make sure that we are getting information from a validated source. So, ABC Company says, all right, we’re gonna create our public key and we’re gonna make this available with these public certificate authorities, these trusted entities, for distributing this information.
So now, sure enough, a customer of ours that wants to interact with us securely on the web, gets this public key from anywhere, really, it can get it from anywhere. Because notice, it’s gonna be able to verify it with the third party certificate authority. Okay, so now this machine has the verified public key and now this machine can send data to our ABC Company. And it is going to send this data encrypted using that public key. And when the data gets to ABC Company, they will use the corresponding private key in order to decrypt the encrypted data that was sent. So isn’t this amazing? This structure allows all these secured communications that we see on the Internet. When you sign onto the Internet and you go to to your bank of money, you go to your bank of money on the Internet, you are communicating with them, of course, securely back and forth. And this is all because of this PKI that I described. And notice the magic of this. There is a public key and a private key that are related mathematically.
And then the public key, as its name implies, can be shared publicly and it can be used to encrypt. In order to decrypt, someone has to have the private key. And, of course, the only person that has the private key is within ABC Company. So, it really is some math magic, and it ends up being very, very beneficial for all of us using the Internet today. And cloud services play into this beautifully because the cloud services can help certificate authority works. Imagine that, we can create our own certificate authority and host it in the cloud, and we can make sure that people can get these digital certificates that they need, that have the private key information attached or the public key information attached, excuse me, for accommodating these secured transactions. Very-very cool stuff.
20. Other Identity Topics
Well, I’m sure you realize that there must be other identity topics that we need to tackle, and we certainly do. This is a big-big topic when it comes to cloud computing, because of course, security. And our desire to strengthen security, by all means, in the cloud, is gonna hinge on support for a wide variety of identity features. Now get ready to get, you know, insulated. Insulate yourself right now against acronym fatigue, because, boy oh boy, when it comes to identity and cloud, there’s a whole bunch of acronyms that we need to have mastered. Let’s go through them right now.
So the first acronym that I want you to not be intimidated by at all is IAM. This is Identity Access Management. And IAM in fact is exactly the name of the service that AWS used. So this is an industry standard term, and AWS said, you know what? We’re just gonna go ahead and call our service for identity and access management, the IAM service. So, identity and access management often comes down to you defining users in the system, you taking those users and organizing them into groups, and then you assigning permissions and privileges to those groups. And that’s exactly what we have in a situation like AWS. We’re gonna be creating users and groups, and we’re gonna be assigning permissions and privileges. AWS also uses something, by the way, the Cloud+ exam would never get into a detail like this, I don’t believe. But just so you know, AWS uses the concept of roles in addition to users and groups, and what roles are about is the ability to allow services to access maybe other services. So yeah, there’s this neat concept of a role, which is giving service access.
Another acronym that I want you to be familiar with, if you’re not already, is triple A. And no, I’m not talking about the Automobile Association of America, although I am a member. No, not that triple A. It’s Authorization, Accounting, and Authentication. So, let me just kind of abbreviate those. Authentication. It’s authorization. And it’s accounting. So, this is very important, and we have many-many network devices that offer triple A services, and therefore many cloud services offer it as well. And what triple A is all about is again, making sure that the person is who they say they are. So have they authenticated, and are they the genuine person, that is, you know, that we want to access the cloud based system? And then notice, what are they authorized to do? So once we make sure it’s them, we go in and we find out what privileges and what permissions they can carry out. And then, guess what? We have accounting of what they’re doing. Isn’t this important? Because we want to come along potentially and do auditing of what these individuals are doing against our cloud services. So, triple A is a great way to provide security around identity.
And I told you folks we had a lot to cover here as far as acronyms go. So, bear with me. We are still not done. We have multifactor authentication of course, and this is commonplace in logging into cloud systems today. So maybe you are the administrator of your shiny Azure Cloud implementation, and you want it so that when you go to log in to your admin account that you have inside of Azure… Notice only that account! When you go to log in using that special account, you want a code sent to your cell phone, right? Your smart phone. And you wanna be able to press a button that says yes it’s me, and here’s the password. So, notice we are adding something that you know, the password, to something you have, your smartphone. So that’s what we mean by multifactor authentication.
Another famous type of multifactor authentication that was beloved for the longest time, of course, was the fingerprint, right? My best friend laments every day the move by Apple to facial recognition with his phone. And he desperately wants to go back to the day of his thumbprint getting him in the phone. And these are all different types of multifactor authentication. And let’s not forget, when you are talking about things that are on your body, this is biometrics. And this is one way to do multifactor authentication, is to use something like your fingerprint or a retinal scan. And those are very-very sophisticated biometric technologies, of course.
Another acronym that we should be familiar with is SAML. This is a security markup language. So this is how Single Sign-On, that topic that we did a video on earlier, this is how single sign-on is often accomplished, using this SAML language to transmit the authentication credential information securely from one system to another.
There’s LDAP, and this is the Lightweight Directory Access Protocol. That is what Microsoft Active Directory is compliant with. So any time you see literature saying we work great with LDAP based sources, what they are often really talking about is Microsoft Active Directory.
And finally, there is something I wanted to talk to you about called federation. I mentioned this I think in an earlier video, but cloud-based systems are all about supporting this these days. And what we do with federation is we allow access from one authentication system to another. In other words, you’ve done this probably I’m sure, where you show up at some cloud-based solution, and there is a button that says, like, “Log in using your Google account.’ And you go, ‘Oh, beautiful. So, I can just log in and do the authentication with Google like I always do. And then thanks to the federation setup, I’ll be brought right into the cloud based solution.’ So, federation is really another way to do Single Sign-On, isn’t it? And it’s involving two different entities though. We authenticate with Google, and then that is trusted by the AWS solution that we’re using.
So, I hope that wasn’t too painful, you know. Many-many acronyms in the world of identity. But I hope these are all simple for you to understand now because they really are all simple concepts once we break them down. Thanks so much for watching.
