By 2022, 40% of global midsize and larger organizations will use identity and access management (IAM) capabilities delivered as software-as-a-service (SaaS) to fulfill most of their needs, cites a 2019 Gartner press release on IAM technology trends.
Today, businesses are aligning themselves with a digital ecosystem by moving toward cloud adoption. On the journey toward cloud adoption, a crucial element of digital readiness is safe identity assurance. This assurance is needed to define and maintain identities requiring access to resources at certain times and in specific ways.
Amid this ongoing push toward cloud adoption, businesses have many questions around requirements, implementation and compliance. Here are considerations for evolving cloud IAM on the path digital transformation.
Cloud IAM and On-Premise IAM
When businesses subscribe to multiple cloud services, managing security concerns is critical; however, on-premise IAM is not enough to secure identities in such a wide arena. Despite the importance of ensuring these services adhere to an organization’s security and compliance requirements, many enterprises are hesitant about the idea of breaking their existing comfort zone with on-premise IAM.
For example, a customer I worked with had a roadmap to transition to cloud, but also had serious concerns about why they should move away from on-premise IAM. Given that they’d been using an on-premise IAM solution for 12 years, their primary concern came from cloud infrastructure being so new. Would cloud IAM prove to be stable enough? And, would it protect their personally identifiable information (PII)?
The customer believed that on-premise solutions are more secure since they are within the premises. This is actually false and a common misconception. The level of security available for cloud IAM solutions is almost the same and sometimes better than on-premise IAM infrastructure. While on-premise security can be subjective, depending largely on the skills of the IT team implementing it, cloud IAM is not prone to such variables.
While using on-premise IAM, this customer was paying license fees, training their information technology (IT) department and managing ongoing server hardware, power consumption, cooling and space costs. Moving to the cloud relieved these pain points. A cloud-based IAM solution provided the customer with 99.99% availability and scalability to support large amounts of end users with no additional infrastructure. Plus, the solution eliminated concerns around continuous patching, upgrades and maintenance lifecycle. Moreover, cloud IAM provided the customer with an outstanding user experience, which led to higher customer satisfaction, loyalty and retention.
We often see customers struggling to choose the right cloud IAM strategy, due to the multiple cloud options available, lack of information, complex business requirements and financial limitations. When selecting the best-suited IAM strategy, there is no single rule. Security leaders should analyze varied IAM designs and zero in on one that aligns best with their business model.
Opt for a Hybrid Approach to IAM
Organizations looking to move from existing, well-established on-premise services to the cloud should look into a hybrid approach to IAM. The hybrid cloud approach offers the best path to unlock key features of cloud security without impacting the existing, mature on-premise functionalities. This allows for gradual shifting of a business from on-premise to cloud.
A federated identity management is the best way to proceed forward with a hybrid approach to IAM. Cloud IAM can use the existing lightweight directory access protocol (LDAP) that have been used by an organization for its on-premise access management. Once all services have been migrated to the cloud, the on-premise service can be closed down with zero impact.
Identification, Authentication, Authorization and Auditing (IAAA) for Cloud IAM
IAAA plays a major role in securing a cloud ecosystem. Various security attacks on cloud services have been prevented by applying stringent identification, authentication and authorization mechanisms. This process validates a user’s identity by asking the five Ws and one H: Who is accessing? Why is a user granted permission? Where is the user’s geolocation? What is he/she trying to access? When is the user accessing the services? And, how is he/she trying to access via mobile, laptop?
Gone are the days when traditional user IDs and passwords were the only medium to verify a user’s identity. Businesses now have advanced authentication mechanisms for evaluating identities within a cloud IAM. This ranges from zero sign-in to passwordless authentication services for enhanced user experience.
Zero sign-in facilitates users to sign in directly through a Windows authentication. Passwordless authentication consists of verifying proof of identity by means other than passwords, which can include biometric authentication, push notifications, U2F-based multifactor authentication, YubiKey OTP and Google’s Titan Security Key.
Biometrics are user friendly and provide strong security against phishing and real-time, man-in-the-middle attacks; however, they contain highly sensitive user data.
Other passwordless authentications, such as U2F-based OTP, FIDO U2F Token and web authentication are strong from deployability, usability and security perspectives. Push notifications are also strong in deployability and usability and provide better protection from man-in-the-middle attacks.
With the growing demand for flexibility in authentication and authorization, there also comes the need for context-aware or adaptive authentication. Adaptive authentication goes hand-in-hand with conventional password-based authentication or advanced passwordless authentications, providing an additional layer of security. Adaptive authentication is an extended multifactor authentication, which leverages users’ behavioral traits to detect fraudulent activity. It uses “smart” information like geolocation, day, time, type of device used or user behavior to improve security authentication. These adaptive access controls ensure high levels of trust along with increased identity assurance for customers.
Cloud IAM and Digital Transformation
As the continuous push for digital transformation is booming worldwide, it is increasingly important to ensure the right users access the right resources at the right time. Cloud IAM fosters safe identities while ensuring safe access. For businesses looking forward to secure, seamless and streamlined cloud adoption, cloud IAM is truly the guardian angel for digitalization.
After all, the end goal is to secure identities, facilitate only authorized accesses, achieving greater levels of regulatory compliance and provide delightful user experience, while keeping the competing return on investment.
Explore IBM Security Verify
Senior Advisory Consultant, IBM Security