
How identities work in the cloud.

  • Kim C
  • May 8, 2024
  • 4 min read

User and machine identities have been a cornerstone of cybersecurity since the minicomputer era of the 1960s, if not earlier. Access control has always been integral to network security: controlling who and what has access to which data is what cybersecurity is all about.


Identities are also the foundation on which cryptography is put to use: a key is only meaningful once it is bound to an identity, and authentication is how a user or entity proves that identity in order to use the key. Cybersecurity can seem like a really complicated field, but once you understand how identities work in computer systems, everything else makes much more sense.


Second only to the internet itself, the cloud computing revolution the internet made possible may be the biggest driver of change in how companies do business and how ordinary people experience the world. Enterprises spend a lot of effort and money on cloud migration and cloud operations. Meanwhile, many consumers have no idea what the cloud is and are simply happy that their Netflix stream runs smoothly. (Unbeknownst to them, their favorite new sitcom is being streamed from an AWS datacenter.)


Windows and its native Active Directory used to be the dominant platform for IAM (identity and access management). But as Linux in the enterprise and cloud migration grew rapidly, Active Directory lacked the cross-platform compatibility needed for identity management in hybrid cloud and multicloud environments. Now organizations are choosing platform-agnostic identity solutions in the cloud, even to serve the parts of their networks that remain on premises.


Needless to say, effective cloud identity management should be a focus for securing the world we live in now and in the years to come. So, let’s examine how it works.


How cloud identity management works


At the risk of stating the obvious, the most significant difference between cloud identity management and on-premises identity management is that the servers and infrastructure for the IAM functions run in a cloud provider's datacenter.


Compared to on-premises IAM, an enterprise has less control in the cloud. The cloud provider runs its own IAM solution, and the enterprise customer configures it to its requirements. But cloud IAM also lifts some burdens from the enterprise: it is no longer responsible for the physical security and physical maintenance of the IAM system and can focus on configuring it and using it securely. The split is the usual shared-responsibility one: the provider secures the platform, while the customer remains responsible for its own configuration, policies, and credentials. Another major benefit of cloud IAM is scalability. If the enterprise suddenly has many more users to manage, it does not need to buy more hardware and infrastructure.


Identity and authentication technologies differ in their technical specifics. For instance, Kerberos architecture is quite different from RADIUS architecture. But cloud IAM services across platforms generally have these components:


  • Directory services to store identities.

  • User management functions for provisioning, self-service, and delegation.

  • Authorization services to handle rules, roles, attributes, and privileged access.

  • Authentication services to handle session and token management, single sign-on, and multifactor authentication.


Single Sign-On


Single sign-on (SSO) is a convenience for users, who strongly dislike managing a separate login for each and every service they use. With SSO they use one identity across many services, and because the identity provider keeps a session for their browser or device, they only need to authenticate infrequently.


This is good for security when it works well, because users adopt less secure habits when authentication adds friction. They reuse passwords, which exposes them to credential stuffing attacks. They leave sessions logged in on endpoints they cannot physically secure, such as shared computers at work or at school. In cybersecurity we talk about the tension between usability and security, but a more usable system benefits security if it functions properly.


In an SSO flow started at a service provider (for example the login portal of a social media platform or ecommerce site), the service provider redirects the user's browser to a shared central identity provider with an authentication request that identifies the service provider and, optionally, the user (by email address or username). If the user already has a session with the identity provider because they authenticated through a different service provider, the identity provider returns a signed token or assertion confirming the authentication without prompting again. If the user hasn't authenticated yet, they are prompted to do so with a password, or with a passwordless method such as a one-time passcode (OTP). The service provider then validates the token against the trust relationship set up in advance with the identity provider: the signature must verify with the identity provider's key, the issuer must be the expected one, the token must be addressed to this particular service provider, and it must be inside its validity window. Skipping the audience check in particular lets a token issued for one service be replayed to another. If all of those checks pass, it's smooth sailing from there.
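As an added illustration (not code from the original post or from any identity provider), here is the exchange above simulated in Python: one identity provider, two service providers that trust it, and the validation a service provider performs on the token it receives. The issuer URL, application names, user, password, and signing key are constructed sample values. The tokens are HMAC-signed so the script runs with the standard library alone; a real identity provider signs with an asymmetric key and the service provider verifies with the identity provider's published public key, but the checks are the same.

```python
"""Minimal SSO exchange: one identity provider (IdP), two service providers (SPs).
Added illustration, not the blog's or any vendor's code. Tokens are HMAC-SHA256 signed
so only the standard library is needed; a real IdP signs with an asymmetric key (RS256
ID tokens, XML-DSig SAML assertions) and the SP verifies with the IdP's published public
key. The SP's checks are the same: signature, issuer, audience, validity window."""
import base64
import hashlib
import hmac
import json
import time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class IdentityProvider:
    def __init__(self, issuer: str, signing_key: bytes, users: dict):
        self.issuer, self.signing_key = issuer, signing_key
        self.users = users      # username -> sha256(password); constructed sample data
        self.sessions = {}      # IdP session cookie -> username

    def login(self, username: str, password: str):
        """First-factor check. Returns an IdP session cookie, or None on failure."""
        stored = self.users.get(username)
        presented = hashlib.sha256(password.encode()).hexdigest()
        if stored is None or not hmac.compare_digest(stored, presented):
            return None
        cookie = hashlib.sha256(f"{username}:{time.time()}".encode()).hexdigest()
        self.sessions[cookie] = username
        return cookie

    def issue_token(self, cookie: str, audience: str, now: int, ttl: int = 300):
        """Signed token for `audience`, or None if there is no IdP session (SP must prompt)."""
        username = self.sessions.get(cookie)
        if username is None:
            return None
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {"iss": self.issuer, "sub": username, "aud": audience,
                  "iat": now, "exp": now + ttl}
        signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
        sig = hmac.new(self.signing_key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url(sig)

class ServiceProvider:
    def __init__(self, audience: str, trusted_issuer: str, issuer_key: bytes):
        self.audience, self.trusted_issuer = audience, trusted_issuer
        self.issuer_key = issuer_key    # the trust relationship configured out of band

    def validate(self, token: str, now: int) -> str:
        """Return the authenticated subject; raise ValueError if any check fails."""
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        h, p, s = parts
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            raise ValueError("unexpected alg")   # the token never picks the algorithm
        expected = hmac.new(self.issuer_key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(p))
        if claims.get("iss") != self.trusted_issuer:
            raise ValueError("untrusted issuer")
        if claims.get("aud") != self.audience:
            raise ValueError("token was issued for another service provider")
        if not claims.get("iat", 0) <= now < claims.get("exp", 0):
            raise ValueError("token expired or not yet valid")
        return claims["sub"]

def demo() -> dict:
    """One login, two SPs, then three tokens an SP must refuse."""
    key = b"constructed-demo-signing-key"
    idp = IdentityProvider("https://idp.example", key,
                           {"alice": hashlib.sha256(b"correct horse").hexdigest()})
    mail = ServiceProvider("mail-app", "https://idp.example", key)
    wiki = ServiceProvider("wiki-app", "https://idp.example", key)
    now = 1_700_000_000
    results = {"first_visit_needs_login": idp.issue_token("no-cookie", "mail-app", now) is None,
               "wrong_password_rejected": idp.login("alice", "nope") is None}
    cookie = idp.login("alice", "correct horse")
    tok_mail = idp.issue_token(cookie, "mail-app", now)
    tok_wiki = idp.issue_token(cookie, "wiki-app", now)  # same session, no second prompt
    results["mail"] = mail.validate(tok_mail, now)
    results["wiki"] = wiki.validate(tok_wiki, now)
    h, p, s = tok_mail.split(".")
    forged = dict(json.loads(_b64url_decode(p)), sub="mallory")   # edit claims, keep signature
    tok_forged = h + "." + _b64url(json.dumps(forged).encode()) + "." + s
    for name, sp, tok, at in (("replay", wiki, tok_mail, now),       # token meant for mail-app
                              ("expired", mail, tok_mail, now + 600),
                              ("tampered", mail, tok_forged, now)):
        try:
            sp.validate(tok, at)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    return results
```

Calling `demo()` returns the subject "alice" for both applications after a single password prompt, and the three bad tokens are refused with the reason each check produced. The order of checks matters: the algorithm is pinned before the signature is verified, and the signature is verified before any claim is trusted.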


Multifactor authentication


Cloud IAM platforms almost always support multifactor authentication and passwordless authentication. It has been common wisdom for years that depending entirely on passwords for authentication is a bad idea. A password is "something you know," and it is routinely guessed, phished, reused across sites, or exposed in a breach.


Passwords plus multifactor authentication is a major improvement over the password-only systems that were common in the 1990s and 2000s. For consumers, it usually means a password plus a time-sensitive OTP delivered to their phone by SMS or email. A dedicated authenticator app that generates the code on the device is the better choice, because an SMS code can be intercepted through SIM swapping or carrier weaknesses; note that neither form stops a real-time phishing proxy that relays the code to the genuine site as the user types it. Biometrics are also built into all current iPhones and Android phones, so a user can authenticate with their fingerprint or their face.


The current paradigm is passwordless authentication, which removes the password altogether. The user proves possession of a registered credential instead, for example a FIDO2/WebAuthn passkey unlocked with a biometric or a device PIN, or an OTP from an enrolled authenticator. Platforms then layer user and entity behavior analytics (UEBA) on top: does this login fit the user's usual device, location, and time of day, and if not, should they be asked for additional verification?


Each major cloud platform has its own IAM service, such as AWS IAM and Google Cloud IAM. We now live in a multicloud and multiplatform world, so whichever cloud IAM platform you choose, it will generally offer the features described in this post and integrate with a wide range of vendors through standard protocols such as SAML and OpenID Connect.


So that’s how identities work in the cloud. Your users will be happy if they don’t have to think too much about any of that stuff.





Copyright © 2024 DotSlash Security, LLC
