April 17, 2014 By Fran Howarth 4 min read

The benefits of cloud-based services are manifold. They enable organizations not only to offset costs but also to achieve greater business agility and to reach new markets and customers. But what about identity management in cloud computing?

Cloud services are essential for embracing many of the technology trends being seen today. Today’s businesses must operate in a world without boundaries. A wide variety of constituents, including customers, business partners, vendors and others, need to access enterprise networks to make purchases, find information and use applications. Gartner estimates that, by 2020, 60 percent of all digital identities interacting with enterprises will come from external identity providers, up from less than 10 percent today. Yet ceding control over internal infrastructure and applications has been cited as a barrier to cloud adoption among 47 percent of firms. IDC also found that 45 percent had, in the past 12 months, at least one known incident of intellectual property being uploaded to cloud computing services when it should not have been.

But are there still barriers to adoption? For one thing, the jury still seems to be out regarding security in cloud services models. Along with compliance and sensitivity, security was still cited as one of the three major barriers to adoption of private and hybrid clouds, according to one recent report by Cisco. However, 76 percent of security leaders interviewed for another recent report are using some form of cloud security services. Furthermore, IDC recently found that 57 percent of enterprises agree that the benefits of using cloud services outweigh the security risks despite the fact that 40 percent have experienced cloud-related security incidents or breaches in the past 12 months.

Greater Need for Identity Management

So what are the risks? In terms of security, identity management in cloud computing is one area that will require increased attention if those benefits are to be fully realized. In order to grant safe access to sensitive information and resources to all those who need it, organizations must carefully monitor which users are accessing what resources to ensure that they are accessing the resources that they need in an appropriate manner. Because of this, Gartner is predicting that identity and access management in the cloud will be one of the top three most sought-after services moving forward for cloud-based models.

The need to centrally control access to data and applications is becoming ever more vital to organizations owing to escalating security and privacy concerns. Alarms continue to be raised over data breaches, with the recent breach of 70 million customer records at U.S. retail chain Target currently keeping breaches in the headlines and spurring more organizations to take a keener interest in adding security controls to prevent unauthorized access to customer information. Attackers are using increasingly sophisticated and complex techniques to target organizations, not only looking for one-off hits in terms of the initial data stolen, but also looking to penetrate deep into the network and to stay under the radar while waiting for the chance to seize even more valuable information over time. In almost all such advanced attacks, criminals target specific individuals, often looking to harvest their access credentials.

Such concerns are also exacerbated by more prescriptive regulatory mandates and industry standards and guidelines that require increasingly stringent corporate oversight. Since many such standards and mandates require that strong security safeguards be placed around sensitive information, organizations must be able to prove that they have strong and consistent identity and access controls in place both for those resources housed within the walls of the enterprise and for those accessed remotely via the cloud.

Considerations for Identity Management in Cloud Computing

How do organizations achieve effective identity management in cloud computing without losing control over internally provisioned applications and resources? Context is king. Who is doing what, what is their role and what are they trying to access? Answering these questions requires threat-aware identity and access management capabilities so that organizations can secure their extended enterprise.

Tying user identities to back-end directories is a must, even for external identities. For this, systems should be used to provide cloud-based bridges to directories. Special attention should be paid to privileged users, who cost U.S. businesses $348 billion per year in corporate losses, according to SC Magazine. Single sign-on capabilities are also a must since having too many passwords tends to lead to insecure password management practices.

Recent research reported by Dark Reading shows that 61 percent of people use the same password for multiple accounts and applications. Deprovisioning of access when it is no longer required is another absolute necessity since orphan accounts caused by poor deprovisioning leave organizations open to fraud and other security incidents. According to recent research by GroupID, 19 percent of employees change job responsibilities each year, and on average, 5 percent of users in Active Directory are no longer employed by the organization.

But how do you prove that everything is working correctly? For compliance and corporate oversight purposes, all activities related to application access and authorization should be monitored, with comprehensive audit and reporting capabilities provided at a granular level so that all activities can be attributed to specific individuals. The security measures provided are another important consideration to reduce risks associated with fraud, theft or loss of customer data or sensitive, valuable information such as intellectual property.

Benefiting from the Extended Enterprise

Implementing effective identity management is more urgent than ever as organizations open up their networks so that they can more securely extend their services to an ever wider range of external constituents and be able to take advantage of new technological developments such as social media and mobile technologies to better engage their customers. As consumer-oriented technologies continue to rise in importance, organizations must embrace more consumer-conscious approaches for granting and controlling access to their resources, especially to those based in the cloud.
