
Controlled administration of users and authorisations in cloud computing

In document Cloud Management. Description (Page 74-77)


S 2.CM.17 Controlled administration of users and authorisations in cloud computing

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator, Specialists Responsible

A central identity management and a role-based authorisation management should be used for the users of the cloud service provider as well as for the users of the cloud service customer (cloud clients).

In general, no more access rights to data and information should be granted than are necessary to accomplish the task at hand (need-to-know and least-privilege principles).

In addition to the processes for setting up users and authorisations, controlled processes for the removal (de-provisioning) of users and authorisations must be set up as well. Removal can be accomplished by blocking or deletion. The cloud service provider must ensure that the accounts ("identities") and authorisations of cloud service users to be blocked or deleted are removed from all involved levels of the cloud IT infrastructure. Using a central system for authorisation administration, the rights can be reliably removed from all involved areas, e.g. operating system accounts, storage areas (cloud storage), accounts in the self-service portal and databases.

User accounts and authorisations should be verified on a regular basis (e.g. twice a year). In this context, it is necessary to check whether the created users are still registered as active users (otherwise, they must be blocked or deleted) and whether the roles and authorisations which they were assigned are still correct. Substitution arrangements must be observed.

Users of the cloud service provider and cloud service customer

The user administration (identity management) of the cloud service provider must distinguish two categories: on the one hand the staff of the cloud service provider, on the other hand the cloud service users of the cloud service customer (cloud clients). For the latter, it must be distinguished whether the cloud service users are administered by the cloud service provider, or whether the cloud service provider only provides the technical equipment (as for IaaS) and the cloud service users are administered by the cloud service customer.

For user administration, an identity management operating beyond the organisational borders (Federated Identity Management, FIDM) can be involved or associated, provided that well-established standards (e.g. Security Assertion Markup Language, SAML) and secure authentication procedures are used.

The authorisation administration (authorisation management) has a similar structure to the user administration: a distinction can be made between the authorisations of the cloud service provider's staff on the one hand and those of the cloud service users of the cloud service customer on the other hand. The cloud


Users, roles and rights provided by the cloud service provider

Cloud service providers should organise the assignment of rights based on roles with each role including certain authorisations. The users are then granted certain rights by the assignment of certain roles.

In this context, for example, roles for the following areas might be helpful which can be assigned to persons or systems:

- cloud service profiles

- virtualisation hosts (starting, stopping and migrating virtual IT systems, assignment of physical resources)

- network

- storage system

- self-service portal

- billing

- reporting

- middleware (database, web server)

It must be possible for each person or each system to use several roles, depending on the task, in order to obtain the rights required to fulfil that task. For example, the automatic process that provisions a new cloud client must hold several roles because it requires several rights. Super users who have all rights in all areas must be avoided.

Users, roles and rights provided by the cloud service customer

The roles for the use of SaaS and PaaS offers are defined by the cloud service provider and provided to the cloud service customer. They are adapted to the different offers of the cloud service provider which the cloud service users of the cloud service customer can access. In the case of IaaS offers, the cloud service customers have complete freedom within the virtual machine and can, and indeed must, establish their own administration of users, roles and authorisations. There are usually at least two different kinds of roles: privileged and normal users.

- Privileged users administer the use of the cloud service by the staff (cloud service users) of the cloud service customer. They can usually add or delete users and assign or withdraw roles. If the cloud service provider offers the cloud service customer different options of a cloud service or different cloud services, the privileged user can enable these services or options for the normal users. To this end, the cloud service provider provides an interface (as a web service or as a web application in the self-service portal). Thus, user information is


possible for any normal user to change their own rights (and thus their access capabilities). In the case of private users, who are not considered in this document, the roles of privileged and normal user are combined in one person; this should, however, be avoided for business applications, since otherwise the cloud services might be used in an uncontrolled way.

If the cloud service provider assumes the authorisation administration for a cloud service customer, appropriate processes between both parties must be established. These processes must ensure that the cloud service provider acts verifiably for the purpose of the cloud service customer.

Separation of different cloud service customers

In some cases and in case of major cloud service customers, cloud service providers might be confronted with the requirement to allow only certain administrators to administer the offered cloud service. Then, the roles and rights management (authorisation administration) of the cloud service provider must also be multi-tenant in order to avoid the administration of the services of a client by unauthorised persons.

Access of cloud administrators to cloud service customer data

If possible, the administrators of the cloud service provider should neither be authorised to access the data and applications of cloud clients nor intervene in the authorisation administration of SaaS or PaaS applications if these are administered by privileged cloud service users.

For troubleshooting, however, it might be necessary that the administrators of the cloud service provider have access to the data of the cloud clients. To this end, technical safeguards must be established which restrict the access to the areas relevant for troubleshooting. Moreover, this authorisation should only be valid for a clearly defined period.
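The role model described above (one area per role, several roles per principal, no super users) and the time-limited troubleshooting access from this paragraph, as an added Python example that is not part of the BSI document: the administrative areas are the ones listed in the safeguard, while the role names, actions, principals and timestamps are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Areas taken from the safeguard; the three actions are an assumption of this example
AREAS = ("cloud service profiles", "virtualisation hosts", "network", "storage system",
         "self-service portal", "billing", "reporting", "middleware")
ACTIONS = ("read", "write", "admin")
ALL_RIGHTS = {(area, act) for area in AREAS for act in ACTIONS}

# Hypothetical roles: each legitimate role bundles rights for a single area only
ROLES = {
    "virt-operator": {("virtualisation hosts", "read"), ("virtualisation hosts", "write")},
    "network-admin": {("network", act) for act in ACTIONS},
    "storage-admin": {("storage system", act) for act in ACTIONS},
    "portal-admin": {("self-service portal", act) for act in ACTIONS},
    "billing-reader": {("billing", "read")},
    "storage-troubleshooter": {("storage system", "read")},  # narrow troubleshooting scope
    "global-admin": set(ALL_RIGHTS),  # the kind of role the safeguard says to avoid
}

@dataclass(frozen=True)
class Assignment:
    role: str
    expires: datetime | None = None  # None means a permanent assignment

def effective_rights(assignments: list[Assignment], now: datetime) -> set[tuple[str, str]]:
    """Union of the rights of all assigned roles that have not expired at `now`."""
    rights = set()
    for a in assignments:
        if a.expires is not None and a.expires <= now:
            continue  # an expired troubleshooting grant contributes nothing
        rights |= ROLES[a.role]
    return rights

def super_users(principals: dict[str, list[Assignment]], now: datetime) -> list[str]:
    """Principals whose effective rights cover every action in every area (review check)."""
    return sorted(p for p, asg in principals.items() if effective_rights(asg, now) >= ALL_RIGHTS)

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed review time
PRINCIPALS = {
    # the provisioning process legitimately needs several roles across areas
    "provisioning-process": [Assignment("virt-operator"), Assignment("network-admin"),
                             Assignment("storage-admin"), Assignment("portal-admin")],
    # a support administrator gets narrow, time-limited access for troubleshooting
    "support-admin": [Assignment("billing-reader"),
                      Assignment("storage-troubleshooter", expires=NOW + timedelta(hours=4))],
    "legacy-root": [Assignment("global-admin")],  # violates "super users must be avoided"
}
```

Running `super_users(PRINCIPALS, NOW)` flags only `legacy-root`; the same check can be run at each regular account review, and expired grants drop out of `effective_rights` without any manual de-provisioning step.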

Documentation

The following information on the user and authorisation management must be documented systematically and with a history of changes:

- which function is equipped with which access rights taking the functional separation into account,

- which groups and/or profiles are set up,

- who fulfils which functions,

- which access rights are assigned to whom within the scope of which role.

Review questions:

- Has a role-based authorisation concept for the administrators of the cloud service provider and the cloud service users of the cloud service customer been implemented?

- Have super users been avoided?
