From IAM to IaaS: How to Ensure Secure Deployments With the 4 A’s

This IDN guest post from David Gorton of Ping Identity illustrates how important the well-known ‘4As’ of access management (authentication, authorization, account management and auditing) are to ensuring that applications deployed into an IaaS will have the same level of security and functionality as apps left on-premises.


David Gorton
program manager


The shift to hosting applications within Infrastructure as a Service (IaaS) in lieu of corporate datacenters started as a trickle several years ago. Today it is a deluge. However, even with this mass adoption, most companies are lacking clear knowledge of how to ensure that apps deployed in IaaS are secure and have the same level of controls as those left on-premises.


One of the big barriers to moving and hosting apps securely in IaaS is the identity and access management (IAM) system. With many traditional IAM systems, extending functionality and capabilities beyond the corporate datacenter and firewall is very difficult.


In this blog post, I want to show why IT, when evaluating IAM and IaaS security, should also consider the context of the well-known ‘4 As’:

  • Authentication
  • Authorization
  • Account management
  • Auditing


Importantly, I will discuss each of these A’s in terms of the administrator and application end user, which will help to show how a new, ‘identity-centered’ solution will bridge the gaps between traditional IAM and a full and secure IaaS deployment.



Authentication

Authentication is any process by which you identify that a user is who they claim to be. In the most traditional sense, this is done with a username and password. When such credentials are provided to an authentication system, the user is authenticated and moved forward in the security process.


In terms of administrator authentication, it is key that your IAM and IaaS solutions support federation. With federation, administrators can leverage both on-premises and corporate credentials to gain access to IaaS. This results in having only one username and password to access the on-premises applications that administrators have to manage, as well as having access to IaaS and the systems that reside there.


Another important aspect of administrator authentication is multi-factor authentication, which provides an additional layer of security to prevent malicious access into corporate IaaS resources. This can be done by either using one-time passwords or a token-based authentication scenario.

For end users, application authentication in an enterprise environment can be difficult when deploying into IaaS. Users come in many forms, such as employees, customers and partners. Each of these identity types can be stored in an on-premises directory or made available to the application through a federated connection. To do this, the IAM system supporting the IaaS deployment needs to efficiently connect with on-premises directories and databases, support federation into customer and partner organizations and consume social identities for consumers.


It is important to note here that most traditional IAM systems have been architected for on-premises identities only. For these systems, extending authentication beyond on-premises requires complex upgrades and add-ons to support IaaS deployments, federation and social identities.


The most appropriate solution to ‘bridge the gap’ between traditional IAM systems and meeting today’s needs for things such as IaaS is a new model of IAM solution. This new solution provides full authentication functionality with on-premises resources that also support federation. It also utilizes modern identity standards to provide secure and efficient communication of identity information and alleviate the complexity of traditional IAM solutions.



Authorization

Authorization is the process that establishes whether someone can access an application, resource or information. Typically, this process happens when a session cookie comes to the IAM component sitting in front of the application.


For administrators, most IaaS providers give the level of access or authorization control necessary for securing administrator access to corporate IaaS resources.


On the user side, application authorization control must extend from on-premises systems out to IaaS deployed applications. Traditional IAM systems are typically too complex and fragile to extend into IaaS and adequately secure IaaS deployed applications.


To meet authorization needs, the new model of an IAM solution provides full authorization capabilities along with centralized policy management. Modern identity standards and security protocols provide new flexibility to easily extend authorization into IaaS from on-premises IAM resources.


Account Management

Account management is the way that you create, delete and update users within your systems. When it comes to moving your applications from on-premises out into IaaS, account management is less of a concern. However, the functionality between IAM and IaaS is important in terms of administrator account management.


Account management should be administrator-focused. IAM systems ought to provide an automated way to create, disable and update users that are stored within an on-premises directory or user store and then propagate that information out to IaaS. Most traditional IAM systems have proprietary provisioning and user systems that can be integrated into IaaS providers. However, proprietary systems are fragile and difficult to maintain over time.


Alternatively, the new model of IAM provides a standards-based provisioning system that is coupled with federation. The combination of standard provisioning and federation is very effective at securing systems against ‘zombie accounts,’ or accounts that are provisioned for users that should no longer have access.
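The reconciliation described above, sketched as an added example (not from the original post or from Ping Identity): the on-premises directory is treated as the source of truth, and the IaaS account list is compared against it to derive create, disable and update actions and to list zombie accounts. The `Account` fields, function names and sample users are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    role: str

# Constructed sample data: the directory is the source of truth.
DIRECTORY = [Account("alice", True, "admin"), Account("bob", False, "operator"),
             Account("carol", True, "auditor"), Account("dave", True, "operator")]
IAAS = [Account("alice", True, "operator"), Account("bob", True, "operator"),
        Account("erin", True, "admin"), Account("dave", False, "operator")]

def reconcile(directory, iaas):
    """Return the actions that bring the IaaS accounts in line with the directory."""
    src = {a.user_id: a for a in directory}
    dst = {a.user_id: a for a in iaas}
    actions = []
    for uid, want in sorted(src.items()):
        have = dst.get(uid)
        if have is None:
            if want.enabled:
                actions.append(("create", uid))
        elif have.enabled and not want.enabled:
            actions.append(("disable", uid))  # zombie: disabled on-premises
        elif want.enabled and (not have.enabled or have.role != want.role):
            actions.append(("update", uid))   # re-enable or correct the role
    for uid, have in sorted(dst.items()):
        if uid not in src and have.enabled:
            actions.append(("disable", uid))  # zombie: no directory entry at all
    return actions

def zombies(directory, iaas):
    """IaaS accounts still enabled for users the directory no longer treats as active."""
    active = {a.user_id for a in directory if a.enabled}
    return sorted(a.user_id for a in iaas if a.enabled and a.user_id not in active)

if __name__ == "__main__":
    for action, uid in reconcile(DIRECTORY, IAAS):
        print(f"{action:8} {uid}")
    print("zombie accounts:", zombies(DIRECTORY, IAAS))
```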



Auditing

Auditing is the official inspection of a user's access and activity. While auditing is usually performed by an independent organization, it is important to capture and record all of the administrative changes at the IaaS, as well as application end user activity within an application.


In terms of administrators, like authorization, most IaaS vendors offer complete auditing information related to administrator activity.


In terms of end users, application auditing needs to be available at each component of the IAM system. Traditional IAM typically records this information, but struggles to centralize and correlate log information across components.


To solve this lack of centralization and correlation, each component within the new model of IAM is designed to reliably capture and record information related to all authentication and authorization decisions made while a user interacts with an application. This information is correlated across all the involved components for effective auditing and reporting.
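A sketch of the cross-component correlation described above, as an added example that is not part of the original post: records from an authentication component, an authorization component and the application are merged into one trail per session, and application accesses without a preceding successful authentication and permit decision are flagged. The record fields, the shared `sid` session identifier and the log contents are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records; field names and the shared "sid" are assumptions.
AUTHN_LOG = [
    {"ts": 100, "sid": "s1", "user": "alice", "result": "success"},
    {"ts": 105, "sid": "s2", "user": "bob", "result": "failure"},
]
AUTHZ_LOG = [
    {"ts": 101, "sid": "s1", "resource": "/payroll", "decision": "permit"},
    {"ts": 103, "sid": "s1", "resource": "/admin", "decision": "deny"},
]
APP_LOG = [
    {"ts": 102, "sid": "s1", "resource": "/payroll"},
    {"ts": 104, "sid": "s1", "resource": "/admin"},
    {"ts": 106, "sid": "s2", "resource": "/payroll"},
    {"ts": 107, "sid": "s3", "resource": "/payroll"},
]

def correlate(authn, authz, app):
    """Merge the per-component logs into one time-ordered trail per session."""
    trail = defaultdict(list)
    for component, log in (("authn", authn), ("authz", authz), ("app", app)):
        for rec in log:
            trail[rec["sid"]].append({"component": component, **rec})
    for events in trail.values():
        events.sort(key=lambda e: e["ts"])
    return dict(trail)

def findings(trail):
    """Flag app accesses not backed by an earlier authn success and authz permit."""
    out = []
    for sid, events in sorted(trail.items()):
        authenticated, permitted = False, set()
        for e in events:
            if e["component"] == "authn":
                authenticated = e["result"] == "success"
            elif e["component"] == "authz" and e["decision"] == "permit":
                permitted.add(e["resource"])
            elif e["component"] == "app":
                if not authenticated:
                    out.append((sid, e["resource"], "no successful authentication"))
                elif e["resource"] not in permitted:
                    out.append((sid, e["resource"], "no permit decision"))
    return out
```

Session `s3` shows why centralization matters: the application log alone looks normal, and the gap only appears once the other components' records are joined to it.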



In conclusion, when planning IaaS deployments, it is important to evaluate IAM systems according to the 4 A's: authentication, authorization, account management and auditing, and how each applies to administrators and end users.


Traditional IAM solutions have been very effective at securing identities and applications in on-premises deployments. However, as applications migrate to IaaS, traditional IAM systems require costly add-ons and upgrades to provide the same level of security as on-premises applications.


In contrast, the new model of IAM embraces modern identity standards to meet the 4 A’s security requirements, either on-premises or in IaaS, for administrators and end users. Further, this modern solution offers a cost-effective way to bridge the gaps in traditional IAM systems to help IT fully meet the security and identity needs of IaaS and other modern-day technologies. With security concerns alleviated, companies can leverage technologies such as IaaS to save money and increase agility as they deploy applications where it makes the most business sense.


When evaluating IAM and IaaS security, look at the 4 A’s and how each applies to administrators and end users.


David Gorton is a program manager for infrastructure products for Ping Identity. He has been developing and delivering enterprise software into the market for more than 15 years in a variety of roles. He has been involved with identity and access management for six years with the focus of delivering high value products to Ping's customers.