Posts Tagged 'access control service'

AWS Security: Identity and Access Management

For an organisation adopting Cloud Computing, one of the benefits is the self-service nature of the cloud. If a developer requires a test machine for a short period of time, using an Amazon EC2 instance or Azure server instance is an obvious cheap solution. Not only is the machine paid for only while it is in use; there is also no capital investment required.

A question organisations must ask when working with a cloud provider such as Amazon is who will have responsibility for provisioning and releasing resources. A single account with a credit card is created, but ideally this would not be shared with all personnel who require cloud access.

The solution for Amazon EC2 is Amazon Identity and Access Management (IAM). This welcome addition to the Amazon toolset allows the creation of multiple users on a single Amazon account. Each user can be assigned permissions on the main account, eliminating the need to share passwords or access keys. This enables fine-grained security to be configured per user. For example, an individual user could be allowed permission to start EC2 instances but not terminate them.
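To make the "start but not terminate" example concrete, here is an added illustration (not code from the post or from Amazon) showing the IAM JSON policy document that grants exactly that, alongside a deliberately simplified evaluator that mirrors IAM's two core rules: every action is denied unless an Allow statement matches it, and a matching Deny statement overrides any Allow. The evaluator is an assumption for teaching purposes; it ignores the Resource and Condition elements and is not the real IAM policy engine. The action names (`ec2:StartInstances`, `ec2:TerminateInstances`, `ec2:DescribeInstances`) are real IAM action identifiers.

```python
import fnmatch
import json

# Added example, not from the post or from Amazon: a policy that lets a user
# see and start EC2 instances but grants nothing else, so terminating falls
# under IAM's default deny.
START_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstances", "ec2:StartInstances"],
            "Resource": "*",
        }
    ],
})

# A second policy, also constructed here, that allows every EC2 action but
# carries an explicit Deny for termination. The Deny wins over the Allow.
EC2_EXCEPT_TERMINATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
})


def _action_matches(pattern: str, action: str) -> bool:
    """IAM matches Action strings case-insensitively and allows '*' and '?'
    wildcards; fnmatchcase on lower-cased strings gives the same behaviour."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policy_json: str, action: str) -> bool:
    """Simplified IAM decision for a single action.

    Assumption for this example: only Effect and Action are evaluated.
    Real IAM also evaluates Resource, Condition and policies attached at
    other levels, but the default-deny / explicit-deny-wins logic is the same.
    """
    policy = json.loads(policy_json)
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a single statement may be written bare
        statements = [statements]

    allowed = False
    for stmt in statements:
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(_action_matches(p, action) for p in actions):
            continue
        if stmt["Effect"] == "Deny":
            return False          # explicit Deny overrides every Allow
        allowed = True            # remember the Allow, keep scanning for Denys
    return allowed                # no match at all means implicit deny


if __name__ == "__main__":
    for name, policy in (("start-only", START_ONLY_POLICY),
                         ("ec2-except-terminate", EC2_EXCEPT_TERMINATE_POLICY)):
        for action in ("ec2:StartInstances", "ec2:StopInstances",
                       "ec2:TerminateInstances"):
            print(f"{name:22} {action:24} {is_allowed(policy, action)}")
```

Attaching the first policy to a developer's IAM user achieves the post's example directly. The second form is the one to reach for when a user needs broad EC2 rights with one carve-out: stating the exclusion as an explicit Deny keeps it in force even if some other Allow is later attached to the same user.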

Currently IAM is available from the command line tools and the API interface. Plans for incorporating the toolset into the management console have also been announced. No new or extra work is required to use IAM with existing AWS APIs; the security is incorporated seamlessly.

In summary, Amazon has provided a cloud-specific, transparent security solution that offers a simple yet elegant way to enable controlled multi-user access to AWS resources. Even better, there is no charge for this service; you pay only for the resources used, as before.


Azure Platform AppFabric Access Control Service

The final component of the Azure Platform we will consider is the AppFabric Access Control Service (ACS).

Over the past several years Microsoft has been doing a lot of good work related to the issues of “identity” and “security”. The Access Control Service brings these technologies to the Azure cloud. By using the Access Control Service a developer, who is often not an expert in security, does not have to write complex, proprietary code to do authentication and authorization.

There are several use cases for ACS. These include single sign-on, federating identities across security realms and role-based access control. Here we will focus on implementing a simple claims-based identity model. In this model the client will authenticate with ACS. The ACS will provide the client with a “token”. This token is created according to rules established by the server. The client can then present the token to the server. Then, based solely on the token, the server can decide whether or not to grant access to the client and what the client can do. The server and the client need have no specific knowledge of each other’s implementation.

A simplistic analogy might be a “will call” ticket at a theater. A patron arrives at the will call window and presents identification. Often this is a driver’s license and the credit card used to purchase the ticket. The will call person gives the patron the ticket (i.e. token) which the patron can then use to enter the theater. The driver’s license and credit card are meaningless to the theater person granting entry to the patron.

Figure 1 Simple Access Control Service scenario

The steps in this scenario are:

  1. The Client authenticates with ACS
  2. ACS creates a token and returns it to the Client
  3. The Client passes the token to the Server
  4. The Server verifies the token and authorizes functionality

In the diagram the client and server applications are not shown running on the Azure cloud. In practice either one or both could be on Azure, on another cloud, inside an organization’s datacenter or in a third party’s datacenter (e.g. a customer or business partner). It does not matter as far as ACS is concerned.
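The four steps above can be walked through in code. The following is an added example, not code from the post or from the AppFabric SDK: a miniature issuer standing in for ACS and a relying party standing in for the server, exchanging a token laid out like the Simple Web Token format ACS issued (form-encoded claims signed with HMAC-SHA256 using a key shared between ACS and the server). The issuer name, audience URL, shared key and user table are all constructed for the demo. It shows the property the post stresses: the server decides purely from the token and never sees the client's credentials, and a tampered, expired or mis-addressed token is rejected before any authorization happens.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

# Constructed values for this added example. In a real deployment the key is
# configured once in ACS and once in the server; it never travels with the token.
SHARED_KEY = b"demo-acs-signing-key-not-real"
ISSUER = "https://demo-acs.example/"                 # hypothetical ACS namespace
AUDIENCE = "http://example-server/stringreverser"    # hypothetical relying party

# Constructed stand-in for whatever identity store ACS authenticates against:
# username -> (password, comma-separated roles that become the "role" claim).
USERS = {"alice": ("alice-pw", "reader,reverser"), "bob": ("bob-pw", "reader")}

TOKEN_LIFETIME_SECONDS = 600


def _sign(body: str) -> str:
    """HMAC-SHA256 over the form-encoded claims, base64 as in SWT."""
    mac = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def issue_token(username, password, now=None):
    """Steps 1 and 2: ACS authenticates the client and returns a token,
    or None if authentication fails. Claims follow the rules configured
    on the issuer (here: fixed issuer, audience, lifetime and a role claim)."""
    now = int(time.time()) if now is None else now
    if username not in USERS or USERS[username][0] != password:
        return None
    claims = [
        ("Issuer", ISSUER),
        ("Audience", AUDIENCE),
        ("ExpiresOn", str(now + TOKEN_LIFETIME_SECONDS)),
        ("name", username),
        ("role", USERS[username][1]),
    ]
    body = urlencode(claims)
    # The signature is appended as the final form field over everything before it.
    return body + "&" + urlencode([("HMACSHA256", _sign(body))])


def verify_token(token, now=None):
    """Step 4, first half: the server validates the token it was handed in
    step 3. Returns the claims dict, or None if the signature, issuer,
    audience or expiry check fails. No password is ever involved here."""
    now = int(time.time()) if now is None else now
    body, sep, sig_field = token.rpartition("&")
    if not sep or not sig_field.startswith("HMACSHA256="):
        return None
    presented = dict(parse_qsl(sig_field))["HMACSHA256"]
    if not hmac.compare_digest(presented, _sign(body)):
        return None                      # tampered or signed with another key
    claims = dict(parse_qsl(body))
    if claims.get("Issuer") != ISSUER or claims.get("Audience") != AUDIENCE:
        return None                      # token meant for someone else
    if now >= int(claims.get("ExpiresOn", "0")):
        return None                      # expired
    return claims


def authorize(token, required_role, now=None):
    """Step 4, second half: authorization decided solely from the token."""
    claims = verify_token(token, now)
    if claims is None:
        return False
    return required_role in claims.get("role", "").split(",")


if __name__ == "__main__":
    token = issue_token("alice", "alice-pw")          # steps 1-2
    print("token:", token)
    print("may reverse strings:", authorize(token, "reverser"))  # steps 3-4
```

The important design point is the split of responsibilities: the server validates the signature, issuer, audience and expiry before it reads a single application claim, and then authorizes on the `role` claim alone. That is what lets client and server stay ignorant of each other's implementation, exactly as the will call analogy describes.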

The AppFabric SDK includes some excellent sample code for getting started with ACS. This screencast walks through the “ASPNET String Reverser” sample project found in the SDK.

This simple example just scratches the surface. There is a lot more that can be done with the Access Control Service. Consider attending Learning Tree’s Windows Azure Programming Course to get into more details of how you can use the Azure Platform AppFabric Access Control Service to simplify and standardize authentication and authorization for your organization’s applications both on-premises and in the cloud!

To recap, in this series of blog posts we have introduced the essential components of Microsoft’s Azure Platform.

These are:

  1. Windows Azure
    1. Compute Services
      1. Web Roles
      2. Worker Roles
    2. Storage Services
      1. Blobs
      2. Tables
      3. Queues
  2. SQL Azure
  3. AppFabric
    1. Service Bus
    2. Access Control Services

I hope you found some of them interesting or useful. Most of all, though, I hope your appetite has been whetted to learn more about Azure and how you can use Microsoft’s cloud to solve real business or technical problems that your organization may be facing!

