April 2010 Archives

April 1, 2010

RISEPTIS Report nears the 5,000 mark

The RISEPTIS report, ‘Trust in the Information Society’, which makes recommendations on future trust and security research challenges, was published in November 2009. To date, over 1,500 hard copies of the report have been disseminated to various interested parties, both across Europe and globally. Additionally, the Report has been downloaded from the Think-Trust website 3,332 times, giving a total distribution of over 4,800 copies of ‘Trust in the Information Society’.

To provide an accessibility point for its high-level recommendations, the Report tells six interwoven short stories about a young couple – Jorge and Theresa – and their (mostly) electronic interactions with the surrounding environment as they go on their merry way.

Think-Trust supported the RISEPTIS Advisory Board throughout its lifecycle, and the publication and wide dissemination of the RISEPTIS Report is a major result for the project.

P.S. The six main RISEPTIS recommendations formed the basis for the recent Trustworthy ICT conference in Leon, Spain.

April 16, 2010

Up Up Up in the Clouds...who is guarding our identity?

With the current volcanic ash catastrophe for European travel unfolding this week, there is a lot of cloud activity. However, this article will focus on cloud computing and specifically on identity in the cloud.

Cloud computing comprises infrastructure services built on data centres; businesses outsource their computing infrastructure needs, managed through Service Level Agreements (SLAs) and Quality of Service (QoS) criteria.

With all this outsourcing going on, it is difficult to ascertain who is accountable and/or responsible for your data, or indeed where your personal information is going and who has access to it. It is increasingly difficult to maintain online anonymity, but some apps carry their own methods: Twitter's OAuth, Facebook Connect and OpenID.

There are many guides out there that have recommendations, both technical solutions such as disguising your IP address and less technical moves such as revealing less data on your website or blog. Indeed, from the results of some searches it seems that maintaining online anonymity has an array of tools, forums and followers of its own, with many companies offering internet privacy as their main product. Key considerations should include authorization issues around vendors, partners and third parties; right to audit; standards; assurance of security; vendor transparency; and privileged user access and access segregation (vendor vs user access).

Then, in relation to data and privacy: where does the data originate and reside? There will be a requirement for data monitoring (loss prevention) and for storage segregation and management (which includes data destruction practices, access controls on structured and unstructured data, and access reporting). With cloud computing, contrary to traditional infrastructure solutions, each component of the data chain may reside in a different country and thus be under a different legal system. This adds further complexity, but once acknowledged these challenges may be overcome.

Regulatory compliance resides in the country of origin and businesses need to know their responsibilities; the Data Protection Commissioner’s website provides further information. Any regulatory compliance issues (international, local, regional) will be subject to rigorous inspection and follow-up.

Identity is defined in the dictionary as the condition of being oneself or itself, and not another. "Unique" is used to describe one’s identity; however, we are all aware that one identity can play many roles, often with diverse priorities: professional, consultant, movie addict, gambler, sport enthusiast, mother, armchair traveller. Our online identities need to be segregated, and aliases or other mechanisms are devised to support these strands.

I’m not really sure of the implications of cloud computing, but as I’ve mentioned in this article, the main challenges are that where infrastructure is outsourced, policy and control are replaced by SLAs and QoS policies, and that is where the details of cloud computing identity and access management lie. There may be some skepticism that, with the move toward Amazon EC2 or Google holding the lion's share of data centres, conflicting single sign-on (SSO) solutions will jeopardize the current models and identity in the cloud will bring new challenges. Already there are products available to limit and mitigate risk for identity in the cloud, and this paper from the Aspen Institute will provide some additional information on this topic and even more information on third-party login, which is becoming the norm!

Back to the title of this article - who is guarding our identity - it's you: the user, citizen, employee. It is up to you to ensure that you are compliant, that you are confident of where your data is accessed and stored, and that your identity or identities are safe. Happy reading!

About April 2010

This page contains all entries posted to trust & security in April 2010. They are listed from oldest to newest.