If you take a look at what 'Security' and 'the Cloud' actually mean, I guess you can boil it down to 3 things: Data Security, Identity Management and Secure Connectivity to the Cloud.  There is of course, security of the Azure platform itself, from the physical to its very design but I'll look at that later.  Of my 3 main buckets, Identity Management is perhaps the greatest challenge.  To many people, Security and Identity will become synonymous with each other.

It is in the Identity space that Windows Azure AppFabric will play a crucial role, and in particular the Access Control Service (ACS).

To understand the advantages ACS brings, you have to go back to when life was simple and application developers wrote applications that sat entirely within a single company.  Identity was then effectively managed by the local IT department, the OS handled authentication and life was good.  Then along came the cloud, and if you wanted to put an application in there you had to find a way of extending the reach of your authentication repository, or choose a different method of authentication.  ADFS was an obvious candidate if you were using Active Directory, but it was not always available to you.  Developers then had to understand and handle identity themselves: 

  • How were they going to authenticate users? 
  • What parts of identity were they going to store?
  • Which protocols were they going to use?

All of a sudden, developing applications was much more complex and the cost of getting this wrong was massive.  The problem was compounded by increasingly mobile users, and by the industry itself not helping, as the authentication protocol of choice kept changing. 

Wouldn't it be great if we could have a layer of abstraction between the application and the various identity providers?

That's what ACS is there for.  Application developers writing applications that will sit in the cloud can use Windows Identity Foundation (WIF) within their application, and WIF integrates cleanly with ACS.  ACS is a middleware service that resides in the cloud and brokers the claims made by a number of identity providers, including Google, Yahoo, Facebook, Windows Live ID and ADFS 2.0.  ACS validates the incoming token, passes it through a rules-based claims transformation engine that maps input claims to output claims, and then returns a signed SAML 1.1, SAML 2.0 or SWT token to the application in the cloud.  The application only ever trusts that final ACS signature, so the relying party still has to check the signature, issuer, audience and expiry of the token ACS returns; that is the part WIF does for you.
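To make the "validate, transform, re-issue" flow concrete, here is an added toy model of it in Python.  This is not ACS or WIF code; it is a simplified rendering of the SWT format (URL-encoded name=value pairs with an HMAC-SHA256 over the body appended as HMACSHA256=) and of an ACS-style rule group.  The identity provider URL, the ACS namespace, the relying party address, the signing keys and the sample claims are all constructed for the example.

```python
"""Toy model of the ACS token flow: validate an incoming SWT, run it through
claims-transformation rules, then issue a new signed SWT for the relying party.
Illustrative only; not the ACS or WIF implementation."""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, unquote, urlencode

# Standard claim type URIs (these are the real identifiers ACS uses).
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed parties and keys for the example (hypothetical, not real secrets).
IDP = "https://idp.example.com/"                      # the identity provider
ACS = "https://contoso.accesscontrol.windows.net/"    # hypothetical ACS namespace
RP = "http://localhost/myapp/"                        # the relying party (our app)
IDP_KEY = b"idp-demo-key-32-bytes-not-secret"         # 256-bit symmetric key
ACS_KEY = b"acs-demo-key-32-bytes-not-secret"         # 256-bit symmetric key


def issue_swt(issuer, audience, claims, key, lifetime=600, now=None):
    """Build an SWT: URL-encoded fields, HMAC-SHA256 over the body,
    base64 then URL-encoded, appended as the last field."""
    now = int(time.time()) if now is None else now
    fields = [("Issuer", issuer), ("Audience", audience), ("ExpiresOn", str(now + lifetime))]
    fields += list(claims.items())
    body = urlencode(fields, quote_via=quote)  # percent-encoding, not '+' for spaces
    mac = hmac.new(key, body.encode("utf-8"), hashlib.sha256).digest()
    return body + "&HMACSHA256=" + quote(base64.b64encode(mac).decode("ascii"), safe="")


def validate_swt(token, key, expected_issuer, expected_audience, now=None):
    """Check the signature first, then issuer, audience and expiry; return the claims."""
    now = int(time.time()) if now is None else now
    body, sep, sig = token.rpartition("&HMACSHA256=")
    if not sep:
        raise ValueError("token is not signed")
    mac = hmac.new(key, body.encode("utf-8"), hashlib.sha256).digest()
    expected = base64.b64encode(mac).decode("ascii")
    if not hmac.compare_digest(unquote(sig), expected):  # constant-time compare
        raise ValueError("signature check failed")
    fields = {}
    for k, v in parse_qsl(body, keep_blank_values=True):
        fields[k] = v if k not in fields else fields[k] + "," + v  # multi-valued claims
    if fields.get("Issuer") != expected_issuer:
        raise ValueError("unexpected issuer")
    if fields.get("Audience") != expected_audience:
        raise ValueError("token not intended for this audience")
    if int(fields.get("ExpiresOn", "0")) <= now:
        raise ValueError("token expired")
    return {k: v for k, v in fields.items() if k not in ("Issuer", "Audience", "ExpiresOn")}


def check(token, key, issuer, audience, now=None):
    """Return None if the token validates, otherwise the reason it was rejected."""
    try:
        validate_swt(token, key, issuer, audience, now)
        return None
    except ValueError as exc:
        return str(exc)


# Rule group: which issuer a rule applies to, which input claim it matches
# (None = any type / any value) and what it emits (None = pass the input through).
RULES = [
    {"issuer": IDP, "in_type": None, "in_value": None, "out_type": None, "out_value": None},
    {"issuer": IDP, "in_type": EMAIL, "in_value": "alice@example.com",
     "out_type": ROLE, "out_value": "Administrator"},
]


def transform_claims(issuer, input_claims, rules):
    """Map input claims to output claims; only rules for this issuer fire."""
    output = {}
    for ctype, cvalues in input_claims.items():
        for cvalue in cvalues.split(","):
            for r in rules:
                if r["issuer"] != issuer:
                    continue
                if r["in_type"] is not None and r["in_type"] != ctype:
                    continue
                if r["in_value"] is not None and r["in_value"] != cvalue:
                    continue
                out_type = r["out_type"] or ctype
                out_value = r["out_value"] or cvalue
                output[out_type] = out_value if out_type not in output else output[out_type] + "," + out_value
    return output


def broker(incoming, idp_issuer, idp_key, acs_ns, acs_key, rp_audience, rules, now=None):
    """What ACS does: trust the IdP token, transform, re-sign for the relying party."""
    claims = validate_swt(incoming, idp_key, idp_issuer, acs_ns, now)
    return issue_swt(acs_ns, rp_audience, transform_claims(idp_issuer, claims, rules), acs_key, now=now)


def demo(now=1_300_000_000):
    """End to end: IdP token in, ACS token out, relying party validates it."""
    incoming = issue_swt(IDP, ACS, {NAME: "Alice", EMAIL: "alice@example.com"}, IDP_KEY, now=now)
    outgoing = broker(incoming, IDP, IDP_KEY, ACS, ACS_KEY, RP, RULES, now=now)
    return validate_swt(outgoing, ACS_KEY, ACS, RP, now=now)


if __name__ == "__main__":
    for claim_type, value in demo().items():
        print(claim_type, "=", value)
```

Two things worth noticing.  The relying party never sees the identity provider's key: it validates the ACS signature and nothing else, which is exactly the layer of abstraction the paragraph describes.  And the rules are keyed by issuer, so a claim that looks like an email address from one provider cannot be turned into an Administrator role unless a rule for that provider says so.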

Version 2.0, just released, supports OAuth 2.0 (draft 13), OpenID and WS-Federation, so it can secure REST web services as well as browser-based applications, and it also supports WS-Trust, so it can be used for SOAP web services. 

Even better is the news that ACSv2 is free until at least January 2012, so have a look!

For further information, have a look at the excellent video http://channel9.msdn.com/Shows/Identity/Justin-Smith-on-the-Release-of-Access-Control-Service-20, which this post summarises, and also the material under http://claimsid.codeplex.com/.  All great stuff.