The benefits of cloud-based services are manifold. They enable organizations not only to offset costs but also to achieve greater business agility and to reach new markets and customers. But what about identity management in cloud computing?
Cloud services are essential for embracing many of the technology trends being seen today. Today’s businesses must operate in a world without boundaries. A wide variety of constituents, including customers, business partners, vendors and others, need to access enterprise networks to make purchases, find information and use applications. Gartner estimates that, by 2020, 60 percent of all digital identities interacting with enterprises will come from external identity providers, up from less than 10 percent today. Yet ceding control over internal infrastructure and applications has been cited as a barrier to cloud adoption among 47 percent of firms. IDC also found that 45 percent had, in the past 12 months, at least one known incident of intellectual property being uploaded to cloud computing services when it should not have been.
But are there still barriers to adoption? For one thing, the jury still seems to be out regarding security in cloud services models. Along with compliance and sensitivity, security was still cited as one of the three major barriers to adoption of private and hybrid clouds, according to one recent report by Cisco. However, 76 percent of security leaders interviewed for another recent report are using some form of cloud security services. Furthermore, IDC recently found that 57 percent of enterprises agree that the benefits of using cloud services outweigh the security risks despite the fact that 40 percent have experienced cloud-related security incidents or breaches in the past 12 months.
Greater Need for Identity Management
So what are the risks? In terms of security, identity management in cloud computing is one area that will require increased attention if those benefits are to be fully realized. In order to grant safe access to sensitive information and resources to all those who need it, organizations must carefully monitor which users are accessing what resources to ensure that they are accessing the resources that they need in an appropriate manner. Because of this, Gartner is predicting that identity and access management in the cloud will be one of the top three most sought after services moving forward for cloud-based models.
The need to centrally control access to data and applications is becoming ever more vital to organizations owing to escalating security and privacy concerns. Alarms continue to be raised over data breaches, with the recent breach of 70 million customer records at U.S. retail chain Target currently keeping breaches in the headlines and spurring more organizations to take a keener interest in adding security controls to prevent unauthorized access to customer information. Attackers are using increasingly sophisticated and complex techniques to target organizations, not only looking for one-off hits in terms of the initial data stolen, but also looking to penetrate deep into the network and to stay under the radar while waiting for the chance to seize even more valuable information over time. In almost all such advanced attacks, criminals target specific individuals, often looking to harvest their access credentials.
Such concerns are also exacerbated by more prescriptive regulatory mandates and industry standards and guidelines that require increasingly stringent corporate oversight. Since many such standards and mandates require that strong security safeguards be placed around sensitive information, organizations must be able to prove that they have strong and consistent identity and access controls in place both for those resources housed within the walls of the enterprise and for those accessed remotely via the cloud.
Considerations for Identity Management in Cloud Computing
How do organizations achieve effective identity management in cloud computing without losing control over internally provisioned applications and resources? Context is king. Who is doing what, what is their role and what are they trying to access? This requires the use of threat-aware identity and access management capabilities in order to secure their extended enterprise.
Tying user identities to back-end directories is a must, even for external identities. For this, systems should be used to provide cloud-based bridges to directories. Special attention should be paid to privileged users, which cost US businesses $348 billion per year in corporate losses, according to SC Magazine. Single sign-on capabilities are also a must since having too many passwords tends to lead to insecure password management practices.
Recent research reported by Dark Reading shows that 61 percent of people use the same password for multiple accounts and applications. Deprovisioning of access when it is no longer required is another absolute necessity since orphan accounts caused by poor deprovisioning leaves organizations open to fraud and other security incidents. According to recent research by GroupID, 19 percent of employees change job responsibilities each year, and on average, 5 percent of users in Active Directory are no longer employed by the organization.
But how do you prove that everything is working correctly? For compliance and corporate oversight purposes, all activities related to application access and authorization should be monitored, with comprehensive audit and reporting capabilities provided at a granular level so that all activities can be attributed to specific individuals. The security measures provided are another important consideration to reduce risks associated with fraud, theft or loss of customer data or sensitive, valuable information such as intellectual property.