User Identity Mapping In a Hybrid Environment, Part 1
A Guide to User and Resource Access
In any system, access to or denial of a resource is determined by the identity of the entity that attempts to use it. Identity mapping therefore plays a crucial role: it ensures that access to resources is as broad as it needs to be, yet limited to those who are authorized, and protects resources from unauthorized access. In this blog, we present the most effective way to map the identity of a user in a hybrid environment.
Background
With the advent of the cloud, the IT landscape has seen fast-paced changes in the evolution of enterprise environments. Organizations today can operate workloads on-premises, in one or more clouds, or in hybrid environments:
- On-premises refers to all the IT infrastructure exclusively within the private datacenter or colocation of the company.
- In cloud environments, all the IT needs of an organization are served through a public cloud service provider like Amazon Web Services (AWS), Google Cloud Platform, or Microsoft Azure. In this model, the responsibility for data in the cloud is shared. For example, if all data suddenly gets deleted from the cloud or there is a cloud security breach, it is the cloud provider who is responsible. On the other hand, if the proper access rights are not provided and this results in a breach, it is the customer’s responsibility.
- Hybrid environments use a combination of on-premises and cloud resources to manage and transact data and workloads.
Most enterprises today are at various stages of their cloud journey and belong to the third category. The major challenge with a hybrid implementation is to effectively and efficiently identify and authorize people, resources, and data to access other people, resources, and data.
From the perspective of access to systems, the process of securing a system can be divided into three areas, collectively known as Authentication, Identity Management and Authorization (AIMA).
This two-part blog series explores the meaning of AIMA and the new proposed mechanisms featured in the evolution of the Egnyte platform. In this first part, we examine in detail what AIMA means and how it works with the current iteration of Egnyte. In the second part, we explore the proposed mechanism and some of the technical requirements that drive it.
Breaking Down AIMA
Authentication
Authentication is the process of verifying that an entity is what it claims to be. In the physical world, authentication takes multiple forms, such as a passphrase or in-person visual verification of a driver's license ID (DLID) or passport. Many companies require more complex ways of gaining access, including I authentication, fingerprints, and advanced key validation systems such as Kerberos, among other mechanisms.
Identity mapping
In IT systems, an authenticated entity is provided with an identifier, or identity. Photo-ID cards are a good example. This type of identification can be temporary (perhaps requiring regular renewal) or permanent (a social security number, for example). Temporary IDs, like a session ID, are limited to the duration of a session. Permanent ones, such as a Unix user ID or a Windows SID, have a different lifecycle and usually do not change over the lifetime of the system.
Across system boundaries, IDs may repeat. For example, on two different Linux machines, the same numeric IDs are in use, but need not refer to the same users; here the boundary is the individual Linux machine. In an NIS- or AD-based system, on the other hand, IDs transcend the boundary of the individual Linux machines. In this context, the cloud and on-premises systems are two disparate systems, and each appliance is a system in itself.
Authorization
Access to resources is implemented through different mechanisms, such as access control lists (ACLs) on Windows, permission bits on a Unix-based system, or other forms. Regardless of the type of system, the underlying mechanism is that there is a list of IDs associated with a resource. These IDs and the permissions assigned to them govern user access to a given resource and dictate what the user can or cannot do with that resource.
For example, consider a Unix file called a.txt with permissions rw-r-----: read/write for the owning user, read for the owning group, and no access for others. Here the file a.txt is the resource and the permission bits regulate the access.
If Jane, who is the owner of the file, has an ID of 123, then anybody with an ID of 123 on that system can read and write the file. Thus an impostor using that ID, irrespective of how he got it, can easily read and write that file.
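To make the two points above concrete, here is an added example (not code from the original post or from Egnyte) that models the classic Unix owner/group/other check for rw-r----- and then shows why a bare numeric ID is not an identity: the host names, the users jane, bob and mallory, and the passwd tables are constructed for illustration, and the kernel itself is simulated by check_access.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    """The access-relevant part of a file: who owns it and its permission bits."""
    name: str
    owner_uid: int
    group_gid: int
    mode: int  # e.g. 0o640 for rw-r-----


def parse_mode(text: str) -> int:
    """Turn an ls-style string such as 'rw-r-----' into octal permission bits."""
    if len(text) != 9:
        raise ValueError("expected nine characters, e.g. rw-r-----")
    bits = 0
    for i, ch in enumerate(text):
        if ch == "-":
            continue
        if ch != "rwx"[i % 3]:
            raise ValueError(f"unexpected {ch!r} at position {i}")
        bits |= 1 << (8 - i)  # leftmost character is the highest bit
    return bits


PERM_BIT = {"r": 4, "w": 2, "x": 1}


def check_access(f: Inode, uid: int, gids: set[int], want: str) -> bool:
    """Classic Unix rule: the first matching class (owner, group, other) decides."""
    if uid == f.owner_uid:
        shift = 6          # owner triplet
    elif f.group_gid in gids:
        shift = 3          # group triplet
    else:
        shift = 0          # other triplet
    return bool((f.mode >> shift) & PERM_BIT[want])


# Constructed sample: two hosts with independent /etc/passwd tables.
# uid 123 is Jane on host-a but a different person on host-b.
PASSWD = {
    "host-a": {123: "jane", 456: "bob"},
    "host-b": {123: "mallory", 456: "bob"},
}

# Jane's file, as the page describes it: owner 123, mode rw-r-----.
A_TXT = Inode("a.txt", owner_uid=123, group_gid=100, mode=parse_mode("rw-r-----"))


def who_can_write(f: Inode, host: str) -> list[str]:
    """Names on `host` whose uid the kernel would let write f (no group membership assumed)."""
    return [name for uid, name in PASSWD[host].items() if check_access(f, uid, set(), "w")]


if __name__ == "__main__":
    print(oct(A_TXT.mode))                   # 0o640
    print(who_can_write(A_TXT, "host-a"))    # ['jane']
    print(who_can_write(A_TXT, "host-b"))    # ['mallory']: same uid, different person
```

The last line is the whole problem in miniature: the permission check never sees a name, only the number 123, so whoever presents that number on a given host gets Jane's access. An ID mapping scheme is what keeps "123" meaning Jane, and only Jane, across every system that enforces the check.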
For the reasons noted above, ID mapping forms an important component of the AIMA.
Each of the systems described above has its own notion of an ID. Windows systems use SIDs, Unix uses a numeric Unix ID, and certain systems use IDs known as UUIDs. Cloud providers have their own components, popularly known as IAM (Identity and Access Management), to manage the identity of users and, ultimately, access to resources.
Requirements
Within the Egnyte Platform, hybrid appliances on the on-premises side and the Connect cloud form two disparate systems that use different identity mechanisms. Typically, Egnyte customers use Active Directory (AD) to manage users and access on-premises. Users access the files on-premises using the built-in SMB clients, and AD provides the security. This is the standard Windows environment. Users may map a network drive onto their laptop or desktop through the SMB client and use File Explorer or Finder to navigate through the contents as if they were local. Within the SMB protocol server of the Egnyte hybrid appliances, a component known as Winbind can be used to integrate with an Active Directory instance in the Windows infrastructure.
User files can be accessed over the SMB share as mentioned above, or directly from the Connect cloud via a variety of clients. Therefore, it is essential that users have a common authorization model across all end-points to guarantee data security. As discussed earlier, the mechanism for securing access is the allocation of permissions to an ID. Thus we require a resilient, reliable, fast and scalable ID mapping scheme for the hybrid appliance to function correctly and efficiently.
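The previous two paragraphs describe Winbind bridging AD SIDs to Unix IDs on each appliance and then ask for a mapping that is resilient and consistent. The added example below (my illustration, not Egnyte's or Samba's code) contrasts two mapping strategies a Winbind-style component can use: a deterministic arithmetic mapping modelled on the formula documented for Samba's idmap_rid backend (ID = RID - BASE_RID + LOW_RANGE_ID), and a first-come allocation table like an appliance-local tdb map. The domain SID, RIDs and ranges are constructed values.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample domain; a real domain SID also has the S-1-5-21-a-b-c shape.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)$")


def split_sid(sid: str) -> tuple[str, int]:
    """Split a domain account SID into (domain SID, RID); reject anything else."""
    m = SID_RE.match(sid)
    if m is None:
        raise ValueError(f"not a domain account SID: {sid!r}")
    return m.group(1), int(m.group(2))


@dataclass(frozen=True)
class RidIdmap:
    """Deterministic mapping: uid = RID - base_rid + low. Every host computes the same answer."""
    domain_sid: str
    low: int
    high: int
    base_rid: int = 0

    def sid_to_uid(self, sid: str) -> Optional[int]:
        domain, rid = split_sid(sid)
        if domain != self.domain_sid:
            return None  # foreign domain: refuse rather than hand out an ID
        uid = rid - self.base_rid + self.low
        return uid if self.low <= uid <= self.high else None

    def uid_to_sid(self, uid: int) -> Optional[str]:
        if not self.low <= uid <= self.high:
            return None
        return f"{self.domain_sid}-{uid - self.low + self.base_rid}"


@dataclass
class AllocatingIdmap:
    """First-come allocation: each host hands out the next free uid from its own table."""
    low: int
    high: int
    table: dict[str, int] = field(default_factory=dict)

    def sid_to_uid(self, sid: str) -> Optional[int]:
        split_sid(sid)  # validate the format before allocating anything
        if sid not in self.table:
            nxt = self.low + len(self.table)
            if nxt > self.high:
                return None  # range exhausted
            self.table[sid] = nxt
        return self.table[sid]


def compare_hosts(sids, host_a, host_b) -> dict[str, tuple]:
    """Map each SID on two hosts and return (uid on A, uid on B) per SID."""
    return {sid: (host_a.sid_to_uid(sid), host_b.sid_to_uid(sid)) for sid in sids}


def demo():
    """Two appliances that met the same two users in a different order."""
    jane = f"{DOMAIN_SID}-1106"   # constructed RIDs
    bob = f"{DOMAIN_SID}-1107"
    a, b = AllocatingIdmap(3000, 7999), AllocatingIdmap(3000, 7999)
    a.sid_to_uid(jane); a.sid_to_uid(bob)   # appliance A saw Jane first
    b.sid_to_uid(bob); b.sid_to_uid(jane)   # appliance B saw Bob first
    rid = RidIdmap(DOMAIN_SID, 10000, 999999)
    return compare_hosts([jane, bob], a, b), rid.sid_to_uid(jane)


if __name__ == "__main__":
    allocated, deterministic = demo()
    print(allocated)       # Jane is 3000 on A but 3001 on B; Bob the reverse
    print(deterministic)   # 11106 everywhere
```

With the allocating table, Jane's permission bits written on appliance A (uid 3000) would be read as Bob's on appliance B, which is exactly the "anybody with ID 123" problem from the authorization section, now created by the mapping layer itself. The deterministic scheme gives the same uid for the same SID on every appliance, with no shared state to replicate, at the cost of needing a range large enough for the domain's RIDs.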
In part two of this blog series, we will review a new mechanism for seamless ID mapping on hybrid devices that leverage SMB access, which will be featured in our upcoming hybrid products.