Cloud security continues to be a hot topic in the information security world, and a recent ISACA webinar reaffirmed that identity management is more critical than ever as services shift from on-premises to cloud-based solutions. One particular presentation stood out during the ISACA webinar for the three aspects of cloud security on which it focused:
- "For the Cloud" — Security for cloud providers
- "To the Cloud" — Security to cloud-based applications
- "From the Cloud" — Security as a service from the cloud
The "For the Cloud" issues were covered in the blog post "Cyber Security: How to Cover Your SaaS," which discusses the need for organizations to be better informed about the security measures of their cloud providers. The other two areas require new thinking in terms of Identity and Access Management, so it is important that they are incorporated into your IAM strategy going forward.
One block of text in particular caught my eye during the presentation, and it should be on every CISO’s mind as the cloud grows in popularity: "Identity is the new network perimeter."
Bring Your Own Device (BYOD), the growth of social media login use and the explosion of SaaS have each broken down traditional views of enterprise risk management, so managing the "Identity" truly needs to be the focus regardless of which user account is actually used to access the service. Users no longer flow through the internal network (i.e. via VPN) to gain access to services, since services are increasingly spread between internal and external resources. Whether a user leverages his/her corporate ID or a Facebook account to access an enterprise application, the key is to be confident that you are performing identity management effectively for any individual accessing your corporate data.
User provisioning, access management, access governance and password management all need to evolve to address cloud identity management concerns as well. Before cloud identities get completely out of control, a key focus should be to bring them into a central "Identity Store" so they can be managed. An Identity and Access Management solution should be leveraged to execute user provisioning and de-provisioning to the cloud.
As stated in earlier posts, the concept of Universal Assignment Management should take hold to grant an individual ANYTHING he/she needs, including cloud application access, a security badge, a laptop, signing a policy, access to critical systems, user accounts, etc. After assignments are granted, access certifications should be performed to validate the access is still required.
When you have a grasp of the identities and their associated access requirements for cloud solutions, authentication options can be explored. For instance, a LinkedIn login might be fine for a low-risk SaaS corporate application, but applications that host more sensitive data may call for stronger authentication. In those situations multi-factor authentication should be mandated and controlled.
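The three controls described above (a central identity store driving cloud provisioning and de-provisioning, periodic access certification, and risk-tiered authentication) can be modelled in a few functions. The following is an added example and is not Avatier's code or the ISACA presenter's; the identity store, cloud account lists, assurance levels, risk tiers and the 90-day certification window are all constructed assumptions for illustration.

```python
"""Added example (not from the original post): reconciling a central identity
store against cloud application accounts, sweeping for assignments that are
due for access certification, and deciding whether a login method is strong
enough for an application's risk tier. All names and data are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Assurance level of each login method (constructed ordering; assumption).
LOGIN_ASSURANCE = {"social": 1, "corporate_password": 2, "corporate_mfa": 3}
# Minimum assurance each application risk tier demands (assumption).
TIER_MIN_ASSURANCE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Assignment:
    app: str                      # cloud application the user was granted
    granted: date                 # when the assignment was made
    last_certified: Optional[date] = None  # last access-certification date


@dataclass
class Identity:
    user_id: str
    active: bool                  # False once the person has left
    assignments: List[Assignment] = field(default_factory=list)


def reconcile(identity_store: Dict[str, Identity],
              cloud_accounts: Dict[str, Set[str]]
              ) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Compare what the identity store says should exist with the accounts
    actually present in each cloud app.
    Returns (to_provision, to_deprovision): active users assigned an app but
    lacking an account, and orphaned accounts with no active assignment."""
    expected = {(i.user_id, a.app)
                for i in identity_store.values() if i.active
                for a in i.assignments}
    actual = {(user, app) for app, users in cloud_accounts.items()
              for user in users}
    return sorted(expected - actual), sorted(actual - expected)


def certification_due(identity_store: Dict[str, Identity], today: date,
                      max_age_days: int = 90) -> List[Tuple[str, str]]:
    """Assignments of active users that were never certified, or were last
    certified (or granted) more than max_age_days ago."""
    due = []
    for ident in identity_store.values():
        if not ident.active:
            continue  # inactive identities are handled by de-provisioning
        for a in ident.assignments:
            reference = a.last_certified or a.granted
            if (today - reference).days > max_age_days:
                due.append((ident.user_id, a.app))
    return sorted(due)


def auth_decision(app_tier: str, login_method: str) -> str:
    """'allow' if the login method meets the tier's minimum assurance,
    otherwise 'step_up' (require stronger authentication such as MFA)."""
    have = LOGIN_ASSURANCE[login_method]
    need = TIER_MIN_ASSURANCE[app_tier]
    return "allow" if have >= need else "step_up"


# Constructed sample data: bob has left but still has a CRM account, dave has
# an HR account that the identity store knows nothing about, and carol's CRM
# assignment has not yet been pushed to the cloud app.
TODAY = date(2024, 6, 1)
IDENTITY_STORE = {
    "alice": Identity("alice", True, [
        Assignment("crm", date(2024, 1, 10), last_certified=date(2024, 5, 1)),
        Assignment("hr", date(2023, 11, 1)),
    ]),
    "bob": Identity("bob", False, [Assignment("crm", date(2023, 6, 1))]),
    "carol": Identity("carol", True, [Assignment("crm", date(2024, 5, 20))]),
}
CLOUD_ACCOUNTS = {"crm": {"alice", "bob"}, "hr": {"alice", "dave"}}


def run_example() -> dict:
    """Run all three checks over the sample data and return the findings."""
    to_provision, to_deprovision = reconcile(IDENTITY_STORE, CLOUD_ACCOUNTS)
    return {
        "to_provision": to_provision,
        "to_deprovision": to_deprovision,
        "certification_due": certification_due(IDENTITY_STORE, TODAY),
        "social_login_to_high_tier": auth_decision("high", "social"),
        "social_login_to_low_tier": auth_decision("low", "social"),
    }


if __name__ == "__main__":
    for finding, value in run_example().items():
        print(f"{finding}: {value}")
```

The reconciliation step is the one most often skipped in practice: orphaned accounts such as bob's (a departed user) and dave's (an account created directly in the SaaS console) are exactly the cloud identities that drift "out of control" when the identity store is not the authoritative source.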
Of course, a cloud provider’s security is a critical component of the holistic cloud identity management strategy, so make sure vendors can meet your Identity and Access Management needs around authentication, authorization and all other security concerns. This starts with asking them questions and requesting that they meet your control requirements prior to signing the contract (if possible).
It is time to embrace all this change because cloud services are not going away. Embracing the change, though, is much easier if you have the right technologies in your back pocket to automate and control the situation!
To learn more about Avatier's identity management solutions, watch the Gwinnett Medical Center user provisioning and password reset customer case study.
Get the Top 10 Identity Manager Migration Best Practices Workbook
Start your migration from legacy software with the Top 10 Identity Manager Migration Best Practices Workbook. Use this workbook to think through your information security risk before you transition to next generation identity manager software.