When it comes to growth in IT systems, we usually think problems like identity management security and enterprise risk management compliance increase with technology advances. According to Gartner Analyst Guy Creese, however, despite 68% of U.S. companies and 80% of Asian companies saying they plan to expand their Software as a Service uses, identity management security and compliance problems appear to be dissipating, but not disappearing.
This is probably why Creese also notes that businesses continue to be extremely hesitant about storing data in the public cloud.
ZDNet contributing blogger John Fontana reported last week on comments Creese made at the recent Catalyst Conference about security for the public cloud. He writes that while Creese sees security for the cloud improving, it still lags behind the comfort and security of an enterprise system.
Nevertheless, Creese points out that factors such as cost and agility are driving SaaS growth, identity management security, and compliance solutions need to keep up with that growth. Since security measures have not come as far as SaaS technology has, companies find themselves needing to take certain steps to improve its handling, including:
- Encrypting Network Traffic: before any data goes over the network to the public cloud storage, it should be encrypted
- Employing Data-at-rest Encryption: yes, it’s bothersome, but encrypting all files adds a necessary layer of protection and if the file systems cannot be encrypted then all the files will need to be
- NOT Storing Decryption Keys in the Cloud: just like you really shouldn’t hide your house key under a fake rock by the front door, you shouldn’t leave the means to decrypt files stored in the public cloud in the public cloud.
- Ensuring Structural Quality of Applications and Systems: most security violations occur due to vulnerabilities in the software; if those holes are not available, the data is harder to breach
- Backup Early and Often: even if steps are taken to ensure data in the public cloud is secure, you still need to be sure they are replicated somewhere NOT in the cloud just in case the unthinkable happensNothing is Fool Proof
Even with these measures, there is still one issue Creese brought up that might usurp all measures, and it’s a problem that businesses have had since the dawn of the computer age.
Fontana reports on Creese’s discussion about what to do when employees leave companies. Obviously, the preference for identity management security and compliance would be to eliminate these employees from the system as soon as they depart. The connotation here is that companies do not have the ability to remove them with the rapidity necessary to ensure no harm is done by the "dead zone" of employee access — the time between the employee’s departure and when his or her access is formally revoked.
What Fontana does not say, but which should be noted, is that the reason most companies cannot remove departed employees in an expedient manner is because the process involved with removing them takes time — from a request being sent to the IT department, to it being approved and/or confirmed, to the IT Department finally removing the employee from the system. In the time it takes that to happen, an employee can conceivably access data without authorization.
However, if the company were to separate identity and access management into independent practices or process disciplines, it could distribute task initiation to both end users and team managers. This would increase accountability, while at the same time increasing efficiency and auditability. This not only hastens and eases a company’s ability to remove the access rights of former employees, but also allows IT to strengthen tools and technologies for cyber network identity management security measures for SaaS.
SaaS is definitely a "growth" industry, but like a maturing child, those closest to him or her should be the ones responsible for managing their discipline.
Get the Top 10 Identity Manager Migration Best Practices Workbook
Start your migration from legacy software with the Top 10 Identity Manager Migration Best Practices Workbook. Use this workbook to think through your information security risk before you transition to next generation identity manager software.
