Cloud Identity and Security Best Practices
Central to developing our abilities to provide Government Cloud Computing is the best practice focus area of Cloud Identity and Security.
I group these two together, both “Cloud IdAM” (Identity and Access Management) and Cloud Security, because of how they are intrinsically linked: you can’t do justice to one without covering both.
These best practices are the keystone to a new marketing theme we’re launching called ‘Securing a Bridge to the Cloud‘.
More to come on that shortly.
Kantara Cloud Best Practices
One of the key technical workstreams that will develop these practices is a new partnership with the Kantara Initiative to launch a working sub-group with them called ‘Kantara Cloud Security Best Practices’.
We’re finalizing the process of creating a charter for launching this, which will likely take the next 2-3 weeks. Then we’ll become an active WG alongside the others, who provide the ideal context and explanation for where Kantara is innovating, and therefore the links to enterprise cloud services.
Examples of their working groups include:
- Trust Frameworks – Defines the core models.
- eGov – Provides a “government view” into the initiative, acting as a forum to discuss best practices by government organizations on national, regional and municipal levels.
- Telco – Implementing common identity across telco networks and multiple devices.
Combinations of these will provide great solutions, for example enabling government agencies to more easily adopt secure, mobile payment systems. With common IDs across telco networks and devices like Blackberries et al, it’s easier to offer better interconnected application services.
Cloud Security Best Practices
This work will underpin and enable our consulting services to help design and implement Cloud Security Best Practices, based on the recommended principles from the Cloud Security Alliance, as well as those of NIST and IDmanagement.gov.
Furthermore, this is combined with ongoing analysis of relevant real-world implementation case studies.
For example, in this RFP from early 2011 the Government of Canada has identified that they plan to implement a managed service for a branded ICAM (Identity, Credentialing and Access Management) system.
This will evolve them from their ePass Service of today to a Cyber-Auth Service of the future. This will enable ‘My GC Services’ single authentication across multiple Gov apps. It is based on the Kantara eGov 2.0 initiative but does not require full compliance with it, and on SAML2 as the core foundation. (The Government of Canada standard for Identity Authentication systems is ITSG-31.)
Cloud Security Best Practices will also enable development and delivery of Managed Services. Cloud Providers will be able to offer implementation of these services, to tailor hosting services they can offer you.
A simple example is security itself: in their RFP the Government of Canada states that the ICAM solution can also be Cloud-based, as an alternative to being sold directly to them and implemented on-site. This would be called IDaaS, Identity-as-a-Service.
The next main opportunity area is making existing and new Cloud environments compliant with these standards and IDaaS mechanisms, expanding ‘My GC Services’ to include third-party Cloud providers too. With government workers issued a single Identity ePass, if that can also grant them access to your Cloud applications (assuming they’re commercially empowered to do so), this will obviously smooth sales uptake, as well as provide users with a more streamlined and more secure experience.