Cloud Security: The Federated Identity Factor

By Patrick Harding and Gunnar Peterson

November 9, 2010

The Web has experienced remarkable innovation during the last two decades. Web application pioneers have given the world the ability to share more data in more dynamic fashion with greater and greater levels of structure and reliability, yet the digital security mechanisms that protect the data being served have remained remarkably static.  We have finally reached the point where traditional web security can no longer protect our interests, as our corporate data now moves and rests between a web of physical and network locations, many of which are only indirectly controlled and protected by the primary data owner.

How have web applications evolved to de-emphasize security, and why has greater security become critical today?  The answer comes from exploring common practices and comparing them to the best practices that are becoming heir to the throne of web application security: federated identity. 

A Brief History of Web Applications

Commercial use of the World Wide Web began in the early 1990’s with the debut of the browser. The browser made the Web accessible to the masses, and businesses began aggressively populating the Web with a wealth of static HyperText Markup Language (HTML) content.  

Recognizing the untapped potential of a worldwide data network, software vendors began to innovate.  By the mid-1990’s, dynamic functionality became available via scripting languages like the Common Gateway Interface (CGI) and Perl. “Front-end” Web applications accessed data stored on “back-end” servers and mainframes. The security practice of “armoring” servers and connections began here, by building firewalls to protect servers and networks, and creating SSL (Secure Sockets Layer) to protect connections on the wire.

The Web continued to grow in sophistication: Active Server Pages (ASP) and JavaServer Pages (JSP) allowed applications to become substantially more sophisticated.  Purpose-built, transaction-oriented Web application servers emerged next, like Enterprise JavaBeans (EJB) and the Distributed Component Object Model (DCOM), making it easier to integrate data from multiple sources.  The need to structure data became strong and protocols like Simple Object Access Protocol (SOAP) and the eXtensible Markup Language (XML) emerged in 1999. 

From 2001 to present, services evolved as a delivery model that de-emphasized the physical proximity of servers to clients, and instead emphasized loosely coupled interfaces.  Services-Oriented Architecture (SOA) and the Representational State Transfer (REST) architectures both allow interaction between servers, businesses and domains, and combined with advances in latency and performance that accompanied the Web 2.0 movement, the foundation was laid.

These innovations have all helped enable the “cloud.” The concept of a cloud has long been used to depict the Internet, but this cloud is different.  It embodies the ability of an organization to outsource both virtual and physical needs.  Applications that once ran entirely on internal servers are now provided via Software-as-a-Service (SaaS).  Platforms and Infrastructure are now also available as PaaS and IaaS offerings, respectively. 

During all of these advances, one aspect of the Web has remained relatively static:  the layers of security provided by firewalls and the Secure Sockets Layer (SSL).  To be sure, there have been advances in Web security.  Firewalls have become far more sophisticated with Deep Packet Inspection and intrusion detection/prevention capabilities, and SSL has evolved into Transport Layer Security (TLS) with support for the Advanced Encryption Standard.  But are these modest advances sufficient to secure today’s cloud? 

Year   Web Application Software   Web Security Provisions
1995   CGI/Perl                   Firewall & SSL
1997   JSP/ASP                    Firewall & SSL
1998   EJB/DCOM                   Firewall & SSL
1999   SOAP/XML                   Firewall & SSL
2001   SOA/REST                   Firewall & SSL
2003   Web 2.0                    Firewall & SSL
2009   Cloud                      ???

This table summarizes the tremendous innovation that has taken place in Web application software over the years while relatively little innovation occurred in Web security. 

The Web’s “security status quo” is well understood by those advancing the state-of-the-art in Web applications.  For example, SOAP was designed to be a firewall-friendly protocol.  But as Bruce Schneier, the internationally renowned security technologist, observed, “Calling SOAP a firewall-friendly protocol is like having a skull-friendly bullet.” 

Schneier’s tongue-in-cheek comment highlights a serious problem. While firewalls, NAT and SSL/TLS are necessary for securing the Web, they are no longer sufficient for securing cloud-based applications.  This lack of innovation forces SaaS and other service providers to rely on the so-called “strong password” for security.  “Strong” passwords may be great in theory, but they can create serious problems in practice. 

The Problem with Passwords

For the sake of discussion here, a “strong” password is defined as one consisting of a combination of numbers and letters (with some capitalized) that does not spell any word or contain any discernible sequence.  How many strong passwords is a mere mortal expected to memorize, given that writing down or otherwise recording passwords defeats the idea of a shared secret?

The average enterprise employee used 12 UserID/password pairs for accessing the many applications required to perform his or her job (Osterman Research 2009).  It is unreasonable to expect anyone to create, regularly change (also a prudent security practice) and memorize a dozen passwords, yet this is common practice today.  Users are forced to take short-cuts, such as using the same UserID and password for all applications, or writing down their many strong passwords on Post-It notes or, even worse, in a file on their desktop or smartphone. 

Even if most users could memorize several strong passwords, there remains risk to the organization when passwords are used to access services externally (beyond the firewall) where they can be phished, intercepted or otherwise stolen.  The underlying problem with passwords is that they work well only in “small” spaces; that is, in environments that have other means to mitigate risk.  Consider as an analogy the bank vault.  Its combination is the equivalent of a strong password, and is capable of adequately protecting the vault’s contents if, and only if, there are other layers of security at the bank. 

Such other layers of security also exist within the enterprise in the form of locked doors, receptionists, ID badges, security guards, video surveillance, etc.  These layers of security explain why losing a laptop PC in a public place can be a real problem (and why vaults are never located outside of banks!). 

Ideally, these same layers of internal security could also be put to use securing access to external cloud-based applications.  Also ideally, users could then be asked to remember only one strong password (like the bank vault combination), or use just one method of multi-factor authentication.  And ideally, the IT department could administer user access controls for all internal and external applications centrally via a common directory (and no longer be burdened by constant calls to the Help Desk from users trying to recall so many different passwords). 

One innovation in Internet security makes this ideal a practical reality:  federated identity. 

Federated Identity Secures the Cloud

Parsing “federated identity” into its two constituent words reveals the power behind this approach to securing the cloud.  The identity is of an individual user, which is the basis for both authentication (the credentials for establishing the user is who he/she claims to be) and authorization (the applications permitted for use by specific users).  Federation involves a set of standards that allows identity-related information to be shared securely between parties, in this case:  the enterprise and cloud-based service providers. 

The major advantage of federated identity is that it enables the enterprise to maintain full and centralized control over access to all applications, whether internal or external. The IT department also controls how users authenticate, including whatever credentials may be required.  A related advantage is that, with all access control provisions fully centralized, “on-boarding” (adding new employees) and “off-boarding” (terminating employees) become at once more secure and substantially easier to perform. 

Identity-related information is shared between the enterprise and cloud-based providers through security tokens; not the physical kind, but as cryptographically encoded and digitally signed documents (e.g. XML-based SAML tokens) that contain data about a user.  Under this trust model, the good guys have good documents (security tokens) from a trusted source; the bad guys never do.  For this reason, both the enterprise and the service providers are protected. 

To ensure integrity while also affording sufficient flexibility, the security tokens are quite extensive.  For example, the Security Assertion Markup Language (SAML) standard includes the following elements in its security token:  Issuer (e.g. the enterprise); One-time Use Password; Validity Window (time period when valid); Subject (the user); Context (how the user authenticated); Claims (attributes about the user); and Integrity (digital signature with encryption for confidentiality).  The Claims section is like a “scribble pad” for specifying a wide variety of user attributes that can be used by the application for different purposes such as authorization, personalization or even provisioning a new account.  Indeed, some believe that identity-related Attributes are so significant for Cloud security that they should become a fourth “A” in AAA systems. 

Two Basic Roles

In the cloud, there are always (at a minimum) two parties.  In fact, “two” serves as the theme for the remainder of this section that explains what federated identity is and how it works. 

The two basic roles are the Identity Provider (IdP) and the Relying Party (RP).  The Identity Provider is the authoritative source of the identity information contained in the security tokens; in this case:  the enterprise.  The Relying Parties (the service providers) establish relationships with one or more Identity Providers and accept the security tokens containing the assertions needed to govern access control. 

The authoritative nature of and the structured relationship between the two parties is fundamental to federated identity.  Based on the trust established between the Relying Parties and the Identity Providers, the Relying Parties have full confidence in the security tokens issued.  This is not unlike the trust the public places in a driver’s license issued by the Department of Motor Vehicles.

The First and Last Mile

These two distinct IdP and RP roles have led some to refer to the first and last “miles” in federated identity.  The “First Mile” is where the process originates:  at the enterprise as the Identity Provider.  It is in this First Mile where the Authentication Service is integrated with the Security Token Service.  The “Last Mile” is at the receiving end:  at the Relying Party or service provider where the data contained in the security token is integrated with the target application infrastructure (particularly its access control provisions). 

Two Basic Operations

Federated identity has two basic operations:  Issuing and validating the security tokens.  Based on an input or request, the Identity Provider issues a security token.  For example, a UserID/password could generate a cookie, or a Kerberos Ticket could generate a SAML Token.  The Relying Party then validates the security token to ensure it is issued by a trusted authority, properly signed, still in effect (not expired), intended for the right audience, etc. 
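The two operations above, issuing and validating, shown end to end as an added example that is not part of the original article. The token carries the SAML-style elements the article lists (Issuer, One-time Use, Validity Window, Subject, Context, Claims, Integrity), and the Relying Party applies exactly the checks named: trusted issuer, valid signature, still in effect, right audience. Assumptions: the token is a JSON object rather than XML, and Integrity is an HMAC-SHA256 with a per-issuer shared key standing in for the XML Digital Signature a real IdP would produce with its private key; all names and sample values are constructed.

```python
"""Minimal model of a federated-identity token exchange (added example).
Assumption: the token is JSON and "Integrity" is an HMAC-SHA256 over its
canonical serialisation with a per-issuer shared key. A real SAML assertion
is XML signed with the IdP's private key and verified with its public key;
the Relying Party's checks are the same, only the primitive differs."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed trust configuration: the RP knows one IdP and its integrity key
# (in SAML this would be the IdP's X.509 certificate from its metadata).
TRUSTED_ISSUERS = {"https://idp.example-enterprise.com": b"constructed-shared-key"}
RP_AUDIENCE = "https://saas.example-provider.com"
CLOCK_SKEW = 60  # seconds of tolerated clock drift between IdP and RP


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so issuer and verifier sign the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_token(issuer: str, key: bytes, subject: str, audience: str,
                authn_context: str, claims: dict, lifetime: int = 300,
                now: Optional[float] = None) -> dict:
    """Identity Provider side: build and sign a token for one Relying Party."""
    now = time.time() if now is None else now
    body = {
        "id": secrets.token_hex(16),             # unique id, used for one-time use
        "issuer": issuer,                        # Issuer
        "subject": subject,                      # Subject
        "audience": audience,                    # which RP the token is intended for
        "not_before": int(now),                  # Validity Window start
        "not_on_or_after": int(now) + lifetime,  # Validity Window end
        "one_time_use": True,                    # One-time Use
        "authn_context": authn_context,          # Context: how the user authenticated
        "claims": claims,                        # Claims: attributes about the user
    }
    signature = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": signature}  # Integrity


class RelyingParty:
    """Service-provider side: validates tokens before granting any access."""

    def __init__(self, audience: str, trusted_issuers: dict):
        self.audience = audience
        self.trusted_issuers = trusted_issuers
        self.seen_ids = set()  # replay cache for one-time-use tokens

    def validate(self, token: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        body, sig = token.get("body", {}), token.get("signature", "")
        # 1. Issued by a trusted authority? Unknown issuer means no key to check.
        key = self.trusted_issuers.get(body.get("issuer"))
        if key is None:
            return False, "untrusted issuer"
        # 2. Properly signed? Verify integrity before trusting any other field.
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        # 3. Still in effect? Allow a small clock skew in both directions.
        if now + CLOCK_SKEW < body["not_before"]:
            return False, "token not yet valid"
        if now - CLOCK_SKEW >= body["not_on_or_after"]:
            return False, "token expired"
        # 4. Intended for this Relying Party, not lifted from another one?
        if body.get("audience") != self.audience:
            return False, "wrong audience"
        # 5. One-time use: a token presented twice is a replay.
        if body.get("one_time_use"):
            if body["id"] in self.seen_ids:
                return False, "token replayed"
            self.seen_ids.add(body["id"])
        return True, "ok"
```

The order of checks matters in practice: the signature is verified before any field is trusted, and the replay cache is only updated for tokens that passed every other check.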

Two Methods of Exchange

Security tokens can be exchanged in two different ways:  passive and active.  Passive exchanges are those initiated from a browser, which becomes the “passive” client.  Common mechanisms for passive exchanges include SAML (the protocol) via Browser POST, Redirect or Artifact Binding.  Active exchanges, as the name implies, require the client to play a more active role and can initiate web service requests.  Normally this is done through an Application Programming Interface (API) specified in standards like WS-Trust or OAuth. 

The actual exchange, whether passive or active, is performed using standard protocols.  In addition to the obvious send and receive functions, these protocols can also request a token, request a response, and even transform tokens in various ways.  Examples of such standards include SAML, WS-Federation, WS-Trust, OAuth and OpenID.  With so many options, it is not uncommon for a Security Token Service to support multiple protocols and multiple endpoints, and for a single security token to pass through multiple STS endpoints and be transformed multiple times. 

Two Base Use Cases

The two most common use cases for federated identity are Single Sign-On (SSO) and API Security.  As the name implies, SSO allows users to sign on once (with a strong password or other credentials), then access all authorized applications (internal and external) via a portal or other convenient means of navigation.  Because it is browser-based, SSO generally employs SAML or WS-Federation with passive exchange redirects to the Security Token Service. 

API Security requires an active client or server that directly contacts the STS via Web services.  The popular standards include WS-Trust, OAuth and REST.  As with SSO, the claims asserted in the security token can be used to set up a session and/or provision an account.  Unlike with SSO, the claims can also be used for server-to-server applications, or by a service acting as (or on behalf of) a user. 

In Conclusion

As the popularity of cloud-based applications continues to grow, IT departments will increasingly turn to federated identity as the preferred means for managing access control.  With federated identity, users and the IT staff both benefit from greater convenience and productivity.  Users log in only once, remembering only one strong password, to access all authorized applications.  The IT staff gains full, centralized control over all access privileges for both internal and external applications, and is no longer burdened with constant calls to the Help Desk from users forgetting their passwords. 

The most important aspect of federated identity is not its ease of use, however; it is the enhanced security.  Standards like SAML and WS-Federation were purpose-built to provide robust security in the cloud.  They keep authentication strong and securely within the enterprise firewall.  They eliminate the need to maintain sensitive access control information external to the organization.  They enable successful on- and off-boarding of all employees on a common directory server.  They make it easier to pass security audits by giving full visibility into user access.  They afford the flexibility needed to accommodate special or unusual needs.  And they scale without adding significant cost or increased complexity. 

About the Authors

Patrick Harding, CTO, Ping Identity

Harding brings more than 20 years of experience in software development, networking infrastructure and information security to the role of Chief Technology Officer for Ping Identity. Harding is responsible for Ping Identity’s technology strategy. Previously, Harding was a vice president and security architect at Fidelity Investments where he was responsible for aligning identity management and security technologies with the strategic goals of the business. Harding was integrally involved with the implementation of federated identity technologies at Fidelity — from “napkin” to production. An active leader in the Identity Security space, Harding is a Founding Board Member for the Information Card Foundation, a member of the Cloud Security Alliance Board of Advisors, on the steering committee for OASIS and actively involved in the Kantara Initiative and Project Concordia. He is a regular speaker at RSA, Digital ID World, SaaS Summit, Burton Catalyst and other conferences. Harding holds a BS Degree in Computer Science from the University of New South Wales in Sydney, Australia.

*Arctec Group Managing Principal Gunnar Peterson also contributed to the content of this article. 

To learn more about Identity’s role in Cloud Security, see the Cloud Security Institute’s “Cloud Security:  The Identity Factor” Webinar.

 
