Cloud Identity and Security Best Practices

Fingerprint Biometric Lock

Image by Flick via Flickr

Central to developing our abilities to provide Government Cloud Computing is the best practice focus area of Cloud Identity and Security.

I group these two together, both “Cloud IdAM” (Identity and Access Management) and Cloud Security, because of how they are intrinsically linked – You can’t do justice to one without covering both.

These best practices are the keystone to a new marketing theme we’re launching called ‘Securing a Bridge to the Cloud‘.

More to come on that shortly.

Kantara Cloud Best Practices

One of the key technical workstreams that will develop these practices will be via a new partnership with the Kantara initiative to launch a working sub-group with them called ‘Kantara Cloud Security Best Practices.’

Kantara primarily has a focus on ‘Trust Frameworks‘ as enabled by the ever-evolving digital identity ecosystem, and so the objective of this group is to map this to Cloud computing.

We’re finalizing the process of creating a charter for launching this, which will likely take the next 2-3 weeks. Then we’ll become an active WG alongside the others, who provide the ideal context and explanation for where Kantara is innovating, and therefore the links to enterprise cloud services.

Examples of their working groups include:

  • eGov – Provides a “government view” into the initiative, acting as a forum to discuss best practices by government organizations on national, regional and municipal levels.
  • Telco – Implementing common identity across telco networks and multiple devices.

Combinations of these will provide great solutions – For example enabling government agencies to more easily adopt secure, mobile payment systems. With common ID’s across telco networks and devices like Blackberries et al, then it’s easier to offer better interconnected application services.

Cloud Security Best Practices

This work will underpin and enable our consulting services to help design and implement Cloud Security Best Practices, based on the recommended principles from the Cloud Security Alliance, and also of NIST and

Furthermore this is combined with ongoing analysis of relevant real-world implementation case studies.

For example in this RFP from early 2011 the Government of Canada has identified they plan to implement a managed service for a branded ICAM (Identity, Credentialing and Access Management) system.

This will evolve them from their ePass Service of today, to a Cyber-Auth Service of the future. This will enable ‘My GC Services’ single authentication across multiple Gov apps. It is based on the Kantara eGov 2.0 initiative but does not require full compliance with it, and on SAML2 as the core foundation. (The Government of Canada standard for Identity Authentication systems is ITSG-31 here.)

Managed Services

Cloud Security Best Practices will also enable development and delivery of Managed Services. Cloud Providers will be able to offer implementation of these services, to tailor hosting services they can offer you.

A simple example is security itself – In their RFP the Government of Canada state that the ICAM solution can also be Cloud-based, as an alternative to being sold directly to them and implemented on-site. This would be called IDaaS – Identity-as-a-Service.

The next main opportunity area is making existing and new Cloud environments compliant with these standards and IDaaS mechanisms, expanding ‘My GC Services’ to include third-party Cloud providers too . With government workers issued with a single Identity ePass, then if that can grant them access to your Cloud applications too (assuming they’re commercially empowered to do so); obviously this will smooth more sales uptake, as well as provide users a more streamlined and also more secure experience.

There are numerous project opportunities for these capabilities. For example Ottawa Hospital issued their own RFP for an IdAM solution, and Ontario Health have plans for ‘ONE-ID‘.

Related Stories

Leave a comment


This will only be used to quickly provide signup information and will not allow us to post to your account or appear on your timeline.