printer friendly version

Identity and access governance, a future in the cloud

Change is a given, especially in the technology landscape. There are two aspects of change that businesses need to consider when it comes to identity and access governance.

First, businesses must manage their internal systems within ever growing and changing complexities. There are more things to connect, more people to connect with more data than ever before. How is change and complexity causing you to rethink your approach to identity, security and governance? Do you have the necessary tools to meet those challenges? Do you have the processes in place to take your organisation forward into the rapidly evolving world that lies ahead?

Second, organisations are consuming software-as-a-service (SaaS) applications at an exponential rate. While the advantages of SaaS applications are great, so are the potential pitfalls of unauthorised access.

There are several areas to consider when planning for the future. An affordable, manageable solution that oversees and controls user access to SaaS-hosted information becomes more crucial. Security, compliance reporting and ease of access are all issues at the top of the list of concerns, and organisations must handle these correctly. Identity and access governance (IAG) solutions may seem like a burden brought on by increasing regulation and compliance issues, but when used effectively, IAG solutions become the catalyst to meet the challenges of a complex and changing world.

Connie Grobler

Introducing identity changes

The general trends transforming business also transform identity and access management: in a few years, even the meaning of the terms we use are different. While in recent past technology vendors, consultancies and businesses tended to see identity and access management as a minor complement to other security programmes, it is now becoming evident that what we do with identities is at the heart of any initiative both for business and IT. With no real control over who does what when in your environment, there is hardly any chance of being effective at managing your business or security environments.

Due to government and industry oversight, as well as increased requirements for internal controls. IAG has become a vital part of all organisations, be it automated or manual. The drivers that move IAG needs are nearly always external to the company. IT and business managers must respond to the pressures of change and complexity in today’s business environment, security concerns, advancing technologies, and increased regulation and compliance issues. But as needs and pressures increase, budgets are on the decline. Managing change and complexity through governance can be a great opportunity if done correctly. The key is having not only the correct tools, but the processes in place to meet these ever growing needs.

The IT industry has seen an onslaught of new technologies over the past decade, but one of the most pervasive and transformative is cloud computing. According to market analysts, the software-as-a-service (SaaS) market will continue its rapid growth through 2015. Businesses are getting over their cloud aversions and now often look to the cloud first when they need a solution to solve their long-term or tactical need. A recent Gartner survey indicates that cloud computing is on a trajectory to become the dominant infrastructure for enterprise computing – this decade.

One of the major challenges for organisations adopting cloud-computing services is the secure and timely management of on-boarding (provisioning) and off-boarding (de-provisioning) of users in the cloud. Further, enterprises that have invested in user management processes within an enterprise will seek to extend those processes to cloud services.

Definitions

Identity management

Identity management concerns lie within the IT realm. These deal with provisioning hardware and software as well as managing the identity of those using company resources, and the identity of the resources and devices themselves.

* A person’s identity may include the following attributes:

* Who are you? – name, location, contact info, etc.

* Roles – title, manager, etc.

* Relationships – employee, contractor, vendor, etc.

Once an identity is established, the next step is to determine the appropriate scope of each individual’s access by creating relationships with resources. This includes: applications, systems, data, groups, physical facilities and other company resources.

Access governance

Clearly understanding access is the key to governance. It is ultimately the responsibility of business management, rather than IT management. The tools in this area are designed to meet business needs with straightforward, user-friendly interfaces, for those who may be less technically inclined.

Identity and access governance

IAG is the convergence of both identity management and access governance. Effective IAG solutions should seamlessly integrate both disciplines to meet overall company objectives.

The challenges for executives

The digital world is creating shifts in the way business gets done, resulting in both exciting but often troubling times for executives. What was once an intimate corporate network is now a globally connected web of people and devices. More employees work remotely, carrying sensitive data on notebooks and PDAs. Partners and suppliers are invited inside the corporate walls to interconnect their own systems and share information. Vendors and contractors are trusted with access to sensitive data.

Many C-level executives may not know for certain that their information is secure – that only the right people are gaining access to the appropriate applications, networks, and data. And now with the introduction of cloud-based services, mobile devices, and remote users, there are even more connections to critical data and applications both inside and outside of the enterprise.

IAG is the security discipline that authorises users to access corporate systems and information. It helps prevent fraudulent access and use of data that could potentially impact the business, its partners, or even worse, its customers. The majority of organisations have not been able to realise the full promise of IAG – to secure the enterprise information in a cost effective and compliant manner. Many have implemented components of IAG, some even accomplishing the elusive ‘single sign-on,’ but often fall short in other areas.

At the core of an enterprise’s security and compliance concerns is the ability to control who has access to what, and to make sure this access is appropriate at all times.

Equally important is the ability to report on who has been given access, how they use those resources and who granted access at any given time. However, as applications extend from physical to virtual to cloud environments, answering these questions accurately and consistently becomes challenging – especially at the very end of that progression: the cloud.

Keeping up in a changing world

While the cloud can mean many things, the National Institute of Standards and Technology (NIST) defines it as “the delivery of computing as a service rather than a product, whereby shared resources, software, and information are provided to computers and other devices as a utility (like the electricity grid) over a network (typically the Internet)". As software applications are delivered in a SaaS model, keeping company data secure is an increasing problem. How is data secured in the cloud? How do companies ensure that sensitive materials are not being accessed by those without proper authentication or authorisation?

The increasing adoption of SaaS and other cloud-hosted applications is introducing a new level of complexity and risk. These challenges are not just technical, but also pose a challenge from a procedural and policy point of view, and while they vary from application to application. Some of the common ones are as follows:

Omnipresence

Ironically one of the benefits of the cloud paradigm – they are accessible from anywhere, is also one of the toughest challenges to bringing them under governance. There is no intranet or extranet anymore, it is all the same. Moreover, the advent of mobile devices and smartphones as enterprise computing platforms pushes ubiquity even further. Users have a multitude of access paths to cloud applications, and in some cases, these paths provide inconsistent security levels.

Extensiveness

When business owners rush to use SaaS apps for e-mail, expense management, and more, they sometimes skip over the normal application deployment lifecycle and security assessment a typical, internally deployed application would follow, leaving security pros out of the conversation. This makes it difficult for the organisation to proactively assess and manage these types of risk, and change their posture from proactive to reactive. IT security is often engaged after the fact to try and fix gaping security holes pointed out by auditors.

Inefficient security

Security is often an afterthought where convenience and usability take precedence over security. From an authorisation perspective, the access control model for each application often is very proprietary; some rely on a few roles to manage access while others provide finer granularity. Some companies synchronise user accounts to external apps on a relatively infrequent schedule through insecure file transfer protocol (FTP) or relying entirely on ‘front-door’ authentication for access to wide swaths of app functionality.

For cloud applications deemed sensitive, organisations should also be concerned with knowing how the information is protected within the application, its back ends, when the data is at rest, and when it is backed up, and how it is segmented from other organisations’ data [due to multi-tenancy of the application]. The challenge here is SaaS vendors do not disclose all of this information voluntarily, and at best, will share an IT security assessment report on their security mechanisms and practices.

Inadequate IAG integration options

While some mature standards exist (ie, SAML, SPML, WS-Federation) to allow organisations to integrate their IAG infrastructure with cloud applications, these are inconsistently adopted by SaaS vendors, if at all, turning the integration landscape into a collection of one-offs. Many cloud vendors claim to support identity federation standards, but they either support it for limited use cases (mainly authentication) or the breath of the integration is limited compared to what they offer when using their proprietary APIs. In many cases, organisations have no choice but to implement custom integration solutions to integrate Cloud applications with their IAG infrastructure.

What can be done?

Industry participation

In this cutting edge area of IT, it is important to get involved with peers in the industry, participating in industry forums, and reading information in the blog space. The work coming out of the Cloud Security Alliance (CSA) is very insightful. The CSA is a member-driven organisation, chartered with promoting the use of best practices for providing security assurance within Cloud Computing.

Identity and access governance

Whether you are managing cloud applications or on-premise applications or both, you need to meet basic access control and governance standards. Being proactive in defining policies for how cloud applications are to be dealt with from a governance perspective will help the process of actually bringing them into the fold.

As a baseline, this includes granting, changing, and removing user access to applications and providing a single view of users and their access privileges in order to answer the critical question around “who does have access to what?” In order to meet compliance requirements, access controls should ensure that users are only granted access privileges to cloud applications that are appropriate for their job functions and that the access privileges of all cloud users are reviewed on a regular basis to ensure they are correct.

An effective IAG solution monitors access to all company resources, including those in the cloud. Cloud resources may be off-site, but they are not out of mind. Not only does an IAG solution monitor the appropriate access and usage of cloud-based resources, it also ensures that you are using only as much as you need, keeping usage fees to a minimum, and helping you maintain proper control.

Control access to resources that you do not control.

To ensure that customer and corporate data is secure, you must extend access management beyond corporate boundaries. IT needs to take control of user access in the cloud the same way it has evolved its processes for your internal applications. And because employees are increasingly using their personal mobile devices to conduct business, IT’s access management reach needs to include these devices as well.

The key to keeping your corporate credentials safe is to keep them within your control and protection – never in the cloud. Solutions that replicate user credentials off-premises increase the risk to your information and ultimately to your business. Similarly, the most secure solutions will not let users put corporate credentials in the cloud.

Extend your internally automated processes out into the cloud

IT has spent many years developing the right processes for managing your environment. For example, today it is common for organisations to have a set of policies and processes in place for their enterprise directories, which are frequently Active Directory implementations. From there, IT may have connections to other identity stores within the business that control access to resources and applications based on the employee’s role within the organisation. These connections are synchronisation points that automate access control.

IT’s processes for controlling access to cloud-hosted applications need to be just as automated as its internal access processes. The most secure approach to controlling authorised access to SaaS applications is to extend IT’s existing processes to include cloud-hosted applications. This approach also preserves IT’s current investment.

Use standards for IAG interfaces

There is good news on the horizon regarding standards-based provisioning of cloud applications. A group of leading SaaS vendors and identity management providers are working together to define a Simple Cloud Identity Management (SCIM) interface for provisioning. The first specification is already available and many IdM vendors are beginning to productise the standard. The SCIM standard will create a uniform management interface for automated provisioning to cloud applications and should make provisioning to cloud applications widespread and usable, out-of-the-box.

It is important to use global standards that define well-accepted and loosely coupled messaging around IAG functions.

Keep workarounds at bay

Unless you extend your single sign-on capabilities out to your SaaS applications, you will find insecure authentication practices creeping back into your organisation. Once again, users will store their passwords on notepads or Post-it notes, or in unsecured text files. Keeping passwords centralised in your secure identity vault is just as important as keeping your credentials out of the cloud. Single sign-on is the key. It ensures that the user authentication process is simple and does not require users to remember additional sets of passwords. Security is maintained, and the user experience is enhanced as well.

Single sign-on solutions done right do not simply pass the user’s credentials out to the cloud; rather, credentials are kept on the premises and in your control. Not only are secret credentials secret, but the solution controls users’ access behaviour by requiring them to access the cloud through the gateway.

Report and audit

Depending on the type of applications and information your organisation is keeping in the cloud, you may need the same level of auditing and reporting for your SaaS environments that you have for your internal applications. Key metrics to track include who has access privileges, who has actually accessed the applications, and when they did so. For regulated information, demonstrating compliance is as important as compliance itself.

Summary

Changes in the marketplace are creating more urgency for CIOs and CSOs to implement a better IAG strategy – one that aligns with specific business needs without significantly increasing costs or risk. It is a difficult challenge and one that will not be solved overnight. However, it cannot be put on the bottom of the IT project list just because the company has limited resources and budget. Nothing is a higher priority than protecting sensitive company and customer data.

The advent of standards, particularly in security and IAM, as well as the adoption of common interfaces will ultimately prevail, but it will take some time before this happens. In the meantime, adoption of cloud applications will continue to push the envelope of the organisation’s IT security tolerance and agility.

While the cloud does present new security and compliance challenges, a governance-based approach to identity management can help organisations smoothly make the transition to mission-critical cloud computing. By taking a proactive approach to governing cloud users and their access privileges, IT organisations can eliminate potential gaps in control and help facilitate the safe adoption of cloud computing. Over the next two years, identity management processes and tools will continue to evolve to better support the cloud, providing new levels of agility and convenience that business users require to take advantage of the cost savings and business efficiencies promised by the cloud.

Share this article:

Further reading: