by Jackie Gilbert
The IT industry has seen an onslaught of new technologies over the past decade, but one of the most pervasive and transformative is cloud computing. A recent Gartner survey indicates that cloud computing is on a trajectory to become the dominant infrastructure for enterprise computing – this decade. In the survey, 83 percent of surveyed CIOs predicted that more than 50 percent of mission-critical business transactions would be completed on cloud applications by the year 2020. That is a significant shift!
Enterprises are in the process of making this move to reap the benefits of cloud computing – to reduce costs while meeting changing business demands with speed and agility. But at the same time, organizations leading the movement to adopt the cloud should take caution. While the cloud offers significant benefits, it also exposes organizations to new security threats and compliance issues.
The Cloud Wild West
One of the most interesting aspects of enterprise migration to the cloud is that in many cases, business units, not IT, are leading the migration. Line-of-business managers are embracing software-as-a-service (SaaS) applications such as Salesforce and Workday because they are easy to license and can be deployed without IT’s assistance. But therein lies the rub: when applications are purchased and deployed without involving IT, there is usually very little governance or policy enforcement over these applications. Depending on the application, it’s likely that sensitive, mission-critical data resides in cloud applications without proper access control or governance, ultimately exposing the organization to risk.
In addition to the security risk, many enterprises also need to be concerned about regulatory risk. IT auditors are beginning to pay attention to the cloud due to the increased use of cloud applications for financial, payroll, and other sensitive data and transactions. As more cloud applications are deployed to support mission-critical parts of the business, auditors will increase the scope of their audits to include more cloud-based applications and verification of more controls, such as access certifications, separation-of-duty (SoD) policy enforcement and management of privileged users within SaaS applications.
Responsibility for Cloud Governance
With many line-of-business managers driving cloud application adoption, it’s imperative that organizations plan for and assign responsibility for identity and access governance; failure to do so will expose the enterprise to security and compliance risks. Accountability for access control and user administration of cloud applications falls on the enterprise, not the service provider, so it is critical that organizations proactively assign management and governance responsibility. In most cases, because the IT department already manages access control and policy enforcement for on-premise applications, systems, and data, it makes sense for IT to also own identity and access governance for cloud applications.
In general, organizations should not deploy ad hoc approaches to cloud identity management sponsored by individual departments or lines of business. These groups lack expertise and experience with identity management tools, and perhaps worse still, this approach creates “silos” of management. A centralized approach that spans cloud and enterprise applications is more efficient and allows consistent enforcement of corporate policy, with enterprise-wide visibility into the users and their access privileges. The key is to apply these controls and oversight in a lightweight manner that facilitates business agility while maintaining the security and compliance standards the business requires.
Lightweight Identity Management for the Cloud
Whether you’re managing cloud applications, on-premise applications, or both, you need to meet basic access control and governance standards. As a baseline, this includes granting, changing, and removing user access to applications and providing a single view of users and their access privileges in order to answer the critical question, “who has access to what?” In order to meet compliance requirements, access controls should ensure that users are only granted access privileges to cloud applications that are appropriate for their job functions, and that the access privileges of all cloud users are reviewed on a regular basis to ensure they are correct.
One important fact to bear in mind: Identity management of cloud applications comes with new service level implications. Business units are moving to the cloud to gain agility and rapidly deploy new services. IT organizations will not be successful in implementing an identity management solution that is perceived to slow down or impede their progress. In a nutshell, identity management of cloud applications must be lightweight and viewed as a facilitator for getting the business up and running.
Automating the process for provisioning and deprovisioning users (and taking this burden off of the business unit) is an attractive feature. This approach applies centralized policies and controls for all “joiner/mover/leaver” events and removes the burden of administration from the line of business. Automated provisioning can also help business units save money. Many SaaS application providers invoice clients based on the number of active user accounts, so organizations need to rigorously manage application usage and rapidly de-provision unused accounts.
Again, it’s important to balance simplicity and agility with the need for management and governance. One of the areas where organizations frequently get bogged down is building connectors to the applications that need to be governed and provisioned. To ensure that SaaS applications don’t fall into this trap, identity management vendors and SaaS application vendors must work together to provide lightweight, out-of-the-box connectors for provisioning SaaS applications, making it easy to onboard new cloud-based applications as they are deployed.
There is good news on the horizon regarding standards-based provisioning of cloud applications. A group of leading SaaS vendors and identity management providers are working together to define a Simple Cloud Identity Management (SCIM) interface for provisioning. The first specification is already available and many IdM vendors are beginning to productize the standard. The SCIM standard will create a uniform management interface for automated provisioning to cloud applications and should make provisioning to cloud applications widespread and usable, out-of-the-box.
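The baseline controls described above (role-appropriate access, a single "who has access to what" view, automated joiner/mover/leaver handling, and periodic review) can be shown concretely with a small, self-contained simulation. The following is an added example written for this article, not SailPoint code and not part of the SCIM specification. The role-to-entitlement policy, the separation-of-duty rule, the user names and the event stream are all constructed; the connector is an in-memory stand-in that only renders the SCIM-style User payload a real connector would send, and the schema URN is the SCIM 2.0 core User schema from RFC 7643, which postdates the first specification the article mentions.

```python
"""Minimal joiner/mover/leaver (JML) engine with an access report and SoD check.

Added illustration: everything here (roles, entitlements, SoD rule, users) is constructed.
"""
import json
from dataclasses import dataclass, field

# SCIM 2.0 core User schema URN (RFC 7643). Assumption for the example payloads below.
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed policy: the entitlements (app:permission) each job function is allowed.
ROLE_ENTITLEMENTS = {
    "sales_rep": {"salesforce:standard_user"},
    "payroll_clerk": {"workday:payroll_entry"},
    "payroll_approver": {"workday:payroll_approve"},
    "finance_manager": {"workday:payroll_approve", "salesforce:reports"},
}

# Constructed separation-of-duty rules: no single active user may hold both halves of a pair.
SOD_RULES = [("workday:payroll_entry", "workday:payroll_approve")]


@dataclass
class Account:
    user_name: str
    role: str
    active: bool = True
    entitlements: set = field(default_factory=set)

    def to_scim(self) -> dict:
        """Render the account as a SCIM-style User resource a provisioning connector would send."""
        return {
            "schemas": [SCIM_USER_SCHEMA],
            "userName": self.user_name,
            "active": self.active,
            "title": self.role,
            "entitlements": [{"value": e} for e in sorted(self.entitlements)],
        }


class IdentityGovernance:
    """Central JML engine: one view of users and access across every connected SaaS app."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def joiner(self, user_name: str, role: str) -> dict:
        acct = Account(user_name, role, entitlements=set(ROLE_ENTITLEMENTS[role]))
        self.accounts[user_name] = acct
        return acct.to_scim()  # the body a connector would POST to /Users

    def mover(self, user_name: str, new_role: str) -> dict:
        acct = self.accounts[user_name]
        acct.role = new_role
        acct.entitlements = set(ROLE_ENTITLEMENTS[new_role])  # old role's access is not carried over
        return acct.to_scim()

    def leaver(self, user_name: str) -> dict:
        acct = self.accounts[user_name]
        acct.active = False  # disable rather than delete, so audit history survives
        acct.entitlements.clear()
        return acct.to_scim()  # active=false is what a connector would PATCH or PUT

    def grant(self, user_name: str, entitlement: str) -> None:
        """Ad hoc grant made outside the role model, as a business admin might do in the app itself."""
        self.accounts[user_name].entitlements.add(entitlement)

    def access_report(self) -> dict[str, list[str]]:
        """Answer 'who has access to what?' for active accounts only."""
        return {u: sorted(a.entitlements) for u, a in self.accounts.items() if a.active}

    def sod_violations(self) -> list[tuple[str, tuple[str, str]]]:
        return [(u, rule) for u, a in self.accounts.items() if a.active
                for rule in SOD_RULES if set(rule) <= a.entitlements]

    def out_of_role_access(self) -> dict[str, list[str]]:
        """Access-review input: entitlements held beyond what the user's current role grants."""
        extra = {u: sorted(a.entitlements - ROLE_ENTITLEMENTS[a.role])
                 for u, a in self.accounts.items() if a.active}
        return {u: e for u, e in extra.items() if e}

    def billable_accounts(self) -> int:
        """SaaS vendors typically bill per active account, so this is the number that costs money."""
        return sum(1 for a in self.accounts.values() if a.active)


def run_sample() -> IdentityGovernance:
    """Constructed event stream exercising all three JML events plus an out-of-band grant."""
    igov = IdentityGovernance()
    igov.joiner("alice", "sales_rep")
    igov.joiner("bob", "payroll_clerk")
    igov.joiner("carol", "finance_manager")
    igov.mover("bob", "payroll_approver")        # promotion: payroll_entry must drop off
    igov.grant("bob", "workday:payroll_entry")   # out-of-band grant reintroduces the conflict
    igov.leaver("alice")                         # departure: account disabled, no longer billed
    return igov


if __name__ == "__main__":
    g = run_sample()
    print(json.dumps(g.access_report(), indent=2))
    print("SoD violations:", g.sod_violations())
    print("Out-of-role access:", g.out_of_role_access())
    print("Billable accounts:", g.billable_accounts())
```

The mover event is the part that matters most in practice: resetting entitlements to the new role, rather than adding to the old set, is what prevents access accumulation, and the out-of-role report plus the SoD check are what a periodic access certification would put in front of a reviewer.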
In Sum
While the cloud does present new security and compliance challenges, a governance-based approach to identity management can help organizations smoothly make the transition to mission-critical cloud computing. By taking a proactive approach to governing cloud users and their access privileges, IT organizations can eliminate potential gaps in control and help facilitate the safe adoption of cloud computing. Over the next two years, identity management processes and tools will continue to evolve to better support the cloud, providing new levels of agility and convenience that business users require to take advantage of the cost savings and business efficiencies promised by the cloud.
Jackie Gilbert is the co-founder, vice president and general manager of SailPoint’s Cloud Identity Business Unit (Austin, TX). www.sailpoint.com