Monday, September 21, 2009

Beyond the Amazon Virtual Private Cloud

Amazon's Virtual Private Cloud allows Amazon EC2 instances to exist within a VPN environment, managed by an organization's existing network security infrastructure. As Steve Riley defines Amazon Virtual Private Cloud:
"Amazon VPC enables enterprises to connect their existing infrastructure to a set of isolated AWS compute resources via a Virtual Private Network (VPN) connection, and to extend their existing management capabilities such as security services, firewalls, and intrusion detection systems to include their AWS resources."
http://stvrly.wordpress.com/2009/09/08/what-can-you-do-with-amazon-virtual-private-cloud/
Before Amazon Virtual Private Cloud, Amazon EC2 instances outside the firewall were not under the control of internal network management systems. They were the equivalent of remote workers, cut loose from corporate infrastructure management:
With Amazon Virtual Private Cloud, the Amazon EC2 images can be assigned IP addresses from a range selected by the owner organization. Thus they can be brought into the control of that organization's network management systems, as diagrammed below:
This is definitely a step in the right direction. The clear next steps are:

1) Other Cloud services besides Amazon EC2.
What about the connections to Force.com or Google Apps? Not to mention other Amazon Web Services offerings such as Amazon SQS.
2) Governance, including Identity and Access Management.
Network management defines which computers can talk to which other computers. But identity and access management defines which users can use which applications, and how they can use them. This is the realm of products such as Microsoft Active Directory, CA SiteMinder, and LDAP products such as Novell eDirectory. If an organization wishes to bring its identity management infrastructure to bear on its usage of Cloud services, how can it do this?

To illustrate this, look at the diagram below. We see that network management of the Amazon EC2 service is taken care of by Amazon Virtual Private Cloud. This is now controlled by an organization's on-premises network management infrastructure. But identity and access management of the Cloud services requires a link to the organization's existing on-premises identity and access management infrastructure. Also, while the Amazon EC2 service is within the Amazon Virtual Private Cloud, the other Cloud Services, which are accessed at the API level by API Keys and OAuth, are not:

This means that the organization's on-premises policy-based control is not being applied to all of its Cloud-based services. Diving down to the technology, the conundrum is how to translate from the identity tokens used on the network (Kerberos for Windows networking, plus SAML for Web Services) up to the API keys and OAuth tokens used at the Cloud level. This is what would allow existing on-premises identity management infrastructure to control access to Cloud services at a fine-grained level.

The solution is to use a Cloud Gateway. The Cloud Gateway bridges the connection from the on-premises identity management infrastructure up to the Cloud services. This allows users who access applications locally (or who simply sign on to their PCs) to access Cloud services, all the time governed under the umbrella of an identity management infrastructure. Rules applied to internal applications, governing who can access which applications and how they can use them, can now be applied in the same way to Cloud-based applications.
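To make the token-translation problem and the gateway's role concrete, here is an added example (not code from the original post, and not any vendor's gateway product). It assumes a simplified on-premises assertion signed with a shared HMAC key as a stand-in for a Kerberos ticket or IdP-signed SAML assertion; the service names, group names, policy entries and the placeholder cloud credentials are all constructed for illustration. The gateway verifies the internal assertion, evaluates a group-based policy that says which users may perform which operations on which Cloud service, and only then releases the matching API key or OAuth token, which the end user never holds directly. Every decision is written to an audit list so that on-premises monitoring retains visibility of Cloud usage.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the on-premises identity provider's signing key.
# A real deployment would verify a Kerberos ticket or an IdP-signed SAML
# assertion; HMAC keeps this example self-contained and offline.
IDP_KEY = b"on-prem-idp-demo-key"

# Cloud credentials held only by the gateway (placeholder values). Users never
# see them, so revoking access means changing a policy entry, not rotating
# keys on every workstation.
CLOUD_CREDENTIALS = {
    "ec2": {"api_key": "PLACEHOLDER-EC2-KEY"},
    "sqs": {"api_key": "PLACEHOLDER-SQS-KEY"},
    "salesforce": {"oauth_token": "PLACEHOLDER-SALESFORCE-TOKEN"},
}

# Policy expressed in terms of on-premises groups (constructed): which Cloud
# service each group may reach and which operations it may perform there.
POLICY = {
    "ops": {"ec2": {"DescribeInstances", "RunInstances"}, "sqs": {"SendMessage"}},
    "sales": {"salesforce": {"query"}},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(user: str, groups, ttl: int = 300) -> str:
    """Simulates the on-premises IdP: signs {sub, groups, exp} with IDP_KEY."""
    payload = json.dumps({"sub": user, "groups": list(groups), "exp": int(time.time()) + ttl})
    body = _b64(payload.encode())
    sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_assertion(token: str):
    """Returns the claims if the signature is valid and unexpired, else None."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) < time.time():
        return None
    return claims


class CloudGateway:
    """Bridges on-premises identity to Cloud API credentials under policy."""

    def __init__(self, policy, credentials):
        self.policy = policy
        self.credentials = credentials
        self.audit = []  # every decision is recorded for on-premises review

    def authorize(self, token: str, service: str, action: str):
        """Returns (allowed, credential). The credential is released only when
        a valid assertion carries a group permitted to do `action` on `service`."""
        claims = verify_assertion(token)
        if claims is None:
            self._log("<invalid>", service, action, False)
            return False, None
        for group in claims.get("groups", []):
            if action in self.policy.get(group, {}).get(service, set()):
                self._log(claims["sub"], service, action, True)
                return True, self.credentials[service]
        self._log(claims["sub"], service, action, False)
        return False, None

    def _log(self, user, service, action, allowed):
        self.audit.append({"user": user, "service": service, "action": action, "allowed": allowed})


if __name__ == "__main__":
    gw = CloudGateway(POLICY, CLOUD_CREDENTIALS)
    alice = issue_assertion("alice", ["ops"])
    print(gw.authorize(alice, "ec2", "RunInstances"))   # allowed: EC2 key released
    print(gw.authorize(alice, "salesforce", "query"))   # denied: alice is not in 'sales'
    print(gw.audit)
```

The design point is that the Cloud-side secret is bound to a policy decision made against on-premises identity: a tampered or expired assertion, or a user outside the permitted group, yields no credential at all, and the audit trail stays on the organization's side of the gateway.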

The Cloud Gateway allows on-premises identity and access management to govern Cloud usage. This is analogous to how, at the network level, the Amazon Virtual Private Cloud allows on-premises network management to manage Cloud connections. Thus a Cloud Gateway complements and extends the Amazon Virtual Private Cloud. It allows single sign-on from on-premises applications up to Cloud-based applications, and allows an organization's identity and access management infrastructure to be brought to bear on that organization's usage of Cloud services.