example of a system where user identities are managed across a number of
separate systems. The user signs in with their account, and they are
automatically authorized to access business processes that they have been
granted permission for. Behind the scenes, this needs a role-based permission
system so that access rights can be quickly assembled, maintained, and
revoked, for individuals and en masse.
An additional benefit is that all users of the services benefit from the
simplification of SSO, which in a service-oriented environment (SOE) setting
means the suppliers as well. The IT department also finds that SSO assists
the management of user profiles in that, firstly, they won't have to manage
individual accounts on a per-service basis (a lot of work) and, secondly, much
of the account maintenance can be automated. For example, a default set of
identities can be created for a number of job functions, which can be
automatically provisioned for new users. These may either be suitable already
or can be augmented with other capabilities quickly. This, of course,
reinforces the need to have a comprehensive understanding of a service-based
architecture, in relation to the business that is being conducted. Once an
identity management mechanism is in place, account migration to the cloud is
simplified.
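The role-based identity store described above (default identities per job function, quick augmentation, and revocation for individuals or en masse) as an added Python example; this is not code from the original text, and the role names, permission strings and user names are constructed assumptions:

```python
from dataclasses import dataclass, field

# Constructed sample: default identities per job function (names are assumptions).
DEFAULT_IDENTITIES = {
    "sales": {"crm:read", "crm:write", "reports:sales:read"},
    "finance": {"payroll:read", "payroll:write", "reports:sales:read"},
}


@dataclass
class IdentityStore:
    """Role-based store: users hold roles, roles hold permissions."""
    roles: dict = field(default_factory=lambda: {r: set(p) for r, p in DEFAULT_IDENTITIES.items()})
    users: dict = field(default_factory=dict)   # user -> set of roles
    extras: dict = field(default_factory=dict)  # user -> capabilities added individually

    def provision(self, user, job_function):
        """New starter automatically receives the default identity for their job."""
        if job_function not in self.roles:
            raise KeyError(f"no default identity for job function {job_function!r}")
        self.users.setdefault(user, set()).add(job_function)
    def augment(self, user, permission):
        """Quickly add a capability the default identity does not include."""
        self.extras.setdefault(user, set()).add(permission)
    def permissions(self, user):
        """Effective rights are assembled from every held role plus per-user extras."""
        granted = set(self.extras.get(user, ()))
        for role in self.users.get(user, ()):
            granted |= self.roles[role]
        return granted
    def authorized(self, user, permission):
        return permission in self.permissions(user)
    def revoke_user(self, user):
        """Individual revocation: one leaver, removed from every service at once."""
        self.users.pop(user, None)
        self.extras.pop(user, None)
    def revoke_from_role(self, role, permission):
        """En masse revocation: one change reaches every holder of the role."""
        self.roles[role].discard(permission)


def demo():
    store = IdentityStore()
    store.provision("alice", "finance")
    store.provision("bob", "sales")
    store.provision("carol", "sales")
    store.augment("bob", "payroll:read")                    # bob covers a finance task
    store.revoke_from_role("sales", "reports:sales:read")  # whole sales team loses it
    store.revoke_user("bob")                                # bob leaves the company
    return store
```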
19.3.2 Network Security
Network security is of course an important concern for any corporate,
distributed system. The one issue that a move to a cloud brings is the fact
that an enterprise's application network traffic is transported along with
every other application's network traffic. This means that packets that are
exchanged between secure access points are mingling with packets that are
exchanged between less secure applications. While cloud providers appear to
segregate network traffic by utilizing virtual local area networks (VLANs),
the separation is virtual (as the name implies), and therefore, at packet
level, the traffic is still mixed and shares the same cable. So, the sensitive
accounts data for payroll is present on the network, along with the
(relatively) less sensitive sales figures for the last quarter.
This data can't be accessed without the correct permissions, but it does
mean that an employee with network administration rights could, with a bit
of work, have sight of the confidential information, even though they would
not have any operational need to do so. The traditional model of security in
this case has relied on trust, but in the context of a cloud environment (where
the network administrator is not directly on your payroll), there is a need to
actively control exactly who has access to what.
Since cloud adoption means that an enterprise has devolved all
responsibility for the infrastructure, it is not possible to build a private,
physical network, nor is it good practice to trust the honesty of a VLAN
administrator. The solution in this case is to provide end-to-end encryption
of data packets, between authorized applications. The fear of packets
coexisting with other packets has much greater ramifications when the owner of the