Cloud Identity Management

This post discusses why cloud identity is such a difficult problem to resolve.

Why Is Cloud Identity Such a Hard Problem?


Blogging Again

After a short hiatus I’m finally blogging again.

Some might think that I needed to recover from England’s unimaginative showing at the Euros and their inevitable exit on penalties in the quarter finals.

This is not true; I’ve been busy working.

One of the things I’ve done is to get more familiar with the available open source cloud offerings, in particular looking at OpenStack, Eucalyptus and CloudStack.

I used Martin Loschwitz’s excellent instructions here for the installation of OpenStack on a Lenovo T5010 laptop running Ubuntu 12.04 Precise Pangolin.

A couple of things to note:

  • Hardware virtualization must be turned on at the BIOS level otherwise the VM fails to start with spawning errors.
  • There is only one NIC on this laptop so I created a virtual adapter for the second NIC.
  • Don’t forget to create the LVM volume group called nova-volumes.  This is mentioned at the end of step 1 but no instructions are given.  For those who need them:

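# Create a 1000 MB backing file (10 blocks of 100 MB)
dd if=/dev/zero of=MY_FILE_PATH bs=100M count=10
# Attach it to the first free loop device and print the device name
losetup --show -f MY_FILE_PATH
apt-get install lvm2
# Use the device printed by losetup if it is not /dev/loop0
vgcreate nova-volumes /dev/loop0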

I also installed OpenStack on an ESXi virtual machine. There are lots of instructions for installing it on VirtualBox but very few for installing it on VMware. The issue is the requirement for hardware virtualization support.

It seems that there may be a way around this with VMware’s vSphere 5, but I didn’t want to start reconfiguring the company ESXi server, so I created an Ubuntu 12.04 virtual machine and installed DevStack by following Sam Johnston’s instructions here. DevStack is a documented shell script from Rackspace Cloud Builders that builds a complete OpenStack development environment; it installed in less than fifteen minutes.

I shall now get familiar with the APIs and try to determine how easy it is to integrate with Open Source provisioning software.

Cloud Computing and Security

I briefly discussed cloud provisioning in a previous post and am now going to take a closer look at cloud computing and security.

What is cloud computing?

This is computing that leverages the internet as a tool to enable remote computers to share memory, processing, network capacity, software and other IT services on-demand. The cloud paradigm provides utility computing and allows businesses to pay for what they use.

The National Institute of Standards and Technology (NIST) defines cloud computing thus:
Cloud Computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

The basic architecture of the cloud can be described as a cloud pyramid which is composed of three segments: Cloud Infrastructure at the bottom, Cloud Platforms in the middle and Cloud Applications at the top.

At the application level of the cloud clients are served Software as a Service (SaaS) resources and acquire access to fully functioning standard computer software.

At the platform level clients are served Platform as a Service (PaaS) resources and pass the responsibility of the creation and maintenance of the computer platform to the service provider.  However, clients have to create or install their own third-party applications.

At the infrastructure level clients are served Infrastructure as a Service (IaaS) resources and are responsible for building and maintaining their own platforms and applications.

All services provided by a cloud provider will fall into one of these three segments.

Public, Private, Community and Hybrid Clouds

When most people discuss cloud computing they generally mean the public cloud where a provider makes computing resources publicly available over the internet using a pay-as-you-use model with the resources being shared between all subscribers.  However, there are also two other types of cloud models.

A private cloud is similar to a public cloud but the resources are used by one organization. This paradigm eliminates many of the cost-benefits of public cloud computing but allows for virtualization to simulate resource allocation while assuring a more secure operating environment.

A community cloud is similar to a public cloud but all the clients have shared concerns such as mission, security requirements or policy and compliance considerations. It may be managed by the organizations or a third-party and may exist on premise or off premise.  This paradigm reduces the cost-benefits of public cloud because the costs are spread between fewer clients.

A hybrid cloud is a combination of a public and private cloud. This is becoming very popular and currently has two paradigms in use.

  • All operations are run in a private cloud with the public cloud used to increase capacity for expected and unexpected spikes in demand.
  • For the more security conscious organizations data stores containing sensitive and proprietary information are kept in the private cloud and everything else is stored in the public cloud.


There are currently no standards for cloud security. This has led to the creation of three competing organizations formed to develop security guidelines and protocols:

  • Cloud Security Alliance
  • Open Data Center Alliance
  • Cloud Standards Customer Council

The Cloud Security Alliance is a not-for-profit organization that promotes the use of best practices for providing security assurance within cloud computing environments.

The Open Data Center Alliance is a consortium of large IT consumers intent on developing standards for interoperable cloud computing. The organization was initiated by Intel as a means to push its Cloud 2015 vision, of which the Intel Expressway Cloud Access 360 (or McAfee Cloud Identity Manager) is the first product.

The Cloud Standards Customer Council is backed by IBM and CA and is focused on the standards, security and interoperability issues around moving to the cloud. IBM has entered the cloud identity field by releasing the Tivoli Federated Identity Manager (TFIM) and TFIM Business Gateway as their cloud identity and access management solution.

The two solutions use different approaches to identity and access management for the cloud.

The Intel approach is to use an SSO portal that allows an authenticated user to select a service with each cloud solution having its own connectors. It supports simple username/password authentication and strong authentication using one time passwords. Authentication can be done against the enterprise data store.

The IBM approach uses a federated trust model where the cloud applications grant user access based on their trust of the identity provider.
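
The federated trust model described above, sketched as an added example that is not code from the original post or from either vendor's product: a cloud application accepts a user only when the assertion comes from an identity provider it trusts, carries a valid signature, names this application as its audience and has not expired. HMAC-SHA256 with a shared key stands in for the signatures real federation protocols use, and the issuer URL, audience, key and function names are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed trust store: issuer -> key this service provider holds for that IdP.
# Assumption: a shared HMAC key stands in for the IdP's real signing certificate.
TRUSTED_IDPS = {"https://idp.example.test": b"constructed-demo-key"}
SP_AUDIENCE = "https://app.example.test"

def _sign(key, body):
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()

def issue_assertion(issuer, key, subject, audience, ttl=300, now=None):
    """Identity provider side: sign a short-lived statement about a user."""
    now = int(time.time()) if now is None else now
    claims = {"iss": issuer, "sub": subject, "aud": audience, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return body + "." + _sign(key, body)

def accept_assertion(token, now=None):
    """Cloud application side: return the subject or raise ValueError."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError as exc:
        raise ValueError("malformed assertion") from exc
    if not isinstance(claims, dict) or not isinstance(claims.get("iss"), str):
        raise ValueError("malformed assertion")
    # Trust decision 1: is the issuer an identity provider we federate with?
    key = TRUSTED_IDPS.get(claims["iss"])
    if key is None:
        raise ValueError("issuer is not a trusted identity provider")
    # Trust decision 2: did that identity provider really produce these claims?
    if not hmac.compare_digest(_sign(key, body).encode(), sig.encode()):
        raise ValueError("signature does not match the issuer's key")
    # Trust decision 3: was the assertion meant for this application, and is it fresh?
    if claims.get("aud") != SP_AUDIENCE:
        raise ValueError("assertion was issued for another service")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("assertion has expired")
    return claims["sub"]
```

The application never sees the user's password; everything it knows about the user rests on the three checks above, which is why the trust store and the audience value are the settings to protect.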

August Thirteenth

We work with both cloud service providers and clients to implement user authentication and provisioning services using industry best practices and open source software.