By 2022, 40% of global midsize and larger organizations will use identity and access management (IAM) capabilities delivered as software-as-a-service (SaaS) to fulfill most of their needs, cites a 2019 Gartner press release on IAM technology trends.

Today, businesses are aligning themselves with a digital ecosystem by moving toward cloud adoption. On the journey toward cloud adoption, a crucial element of digital readiness is safe identity assurance. This assurance is needed to define and maintain identities requiring access to resources at certain times and in specific ways.

Amid this ongoing push toward cloud adoption, businesses have many questions around requirements, implementation and compliance. Here are considerations for evolving cloud IAM on the path digital transformation.

Cloud IAM and On-Premise IAM

When businesses subscribe to multiple cloud services, managing security concerns is critical; however, on-premise IAM is not enough to secure identities in such a wide arena. Despite the importance of ensuring these services adhere to an organization’s security and compliance requirements, many enterprises are hesitant about the idea of breaking their existing comfort zone with on-premise IAM.

For example, a customer I worked with had a roadmap to transition to cloud, but also had serious concerns about why they should move away from on-premise IAM. Given that they’d been using an on-premise IAM solution for 12 years, their primary concern came from cloud infrastructure being so new. Would cloud IAM prove to be stable enough? And, would it protect their personally identifiable information (PII)?

The customer believed that on-premise solutions are more secure since they are within the premises. This is actually false and a common misconception. The level of security available for cloud IAM solutions is almost the same and sometimes better than on-premise IAM infrastructure. While on-premise security can be subjective, depending largely on the skills of the IT team implementing it, cloud IAM is not prone to such variables.

While using on-premise IAM, this customer was paying license fees, training their information technology (IT) department and managing ongoing server hardware, power consumption, cooling and space costs. Moving to the cloud relieved these pain points. A cloud-based IAM solution provided the customer with 99.99% availability and scalability to support large amounts of end users with no additional infrastructure. Plus, the solution eliminated concerns around continuous patching, upgrades and maintenance lifecycle. Moreover, cloud IAM provided the customer with an outstanding user experience, which led to higher customer satisfaction, loyalty and retention.

We often see customers struggling to choose the right cloud IAM strategy, due to the multiple cloud options available, lack of information, complex business requirements and financial limitations. When selecting the best-suited IAM strategy, there is no single rule. Security leaders should analyze varied IAM designs and zero in on one that aligns best with their business model.

Opt for a Hybrid Approach to IAM

Organizations looking to move from existing, well-established on-premise services to the cloud should look into a hybrid approach to IAM. The hybrid cloud approach offers the best path to unlock key features of cloud security without impacting the existing, mature on-premise functionalities. This allows for gradual shifting of a business from on-premise to cloud.

A federated identity management is the best way to proceed forward with a hybrid approach to IAM. Cloud IAM can use the existing lightweight directory access protocol (LDAP) that have been used by an organization for its on-premise access management. Once all services have been migrated to the cloud, the on-premise service can be closed down with zero impact.

Identification, Authentication, Authorization and Auditing (IAAA) for Cloud IAM

IAAA plays a major role in securing a cloud ecosystem. Various security attacks on cloud services have been prevented by applying stringent identification, authentication and authorization mechanisms. This process validates a user’s identity by asking the five Ws and one H: Who is accessing? Why is a user granted permission? Where is the user’s geolocation? What is he/she trying to access? When is the user accessing the services? And, how is he/she trying to access via mobile, laptop?

Gone are the days when traditional user IDs and passwords were the only medium to verify a user’s identity. Businesses now have advanced authentication mechanisms for evaluating identities within a cloud IAM. This ranges from zero sign-in to passwordless authentication services for enhanced user experience.

Zero sign-in facilitates users to sign in directly through a Windows authentication. Passwordless authentication consists of verifying proof of identity by means other than passwords, which can include biometric authentication, push notifications, U2F-based multifactor authentication, YubiKey OTP and Google’s Titan Security Key.

Biometrics are user friendly and provide strong security against phishing and real-time, man-in-the-middle attacks; however, they contain highly sensitive user data.

Other passwordless authentications, such as U2F-based OTP, FIDO U2F Token and web authentication are strong from deployability, usability and security perspectives. Push notifications are also strong in deployability and usability and provide better protection from man-in-the-middle attacks.

With the growing demand for flexibility in authentication and authorization, there also comes the need for context-aware or adaptive authentication. Adaptive authentication goes hand-in-hand with conventional password-based authentication or advanced passwordless authentications, providing an additional layer of security. Adaptive authentication is an extended multifactor authentication, which leverages users’ behavioral traits to detect fraudulent activity. It uses “smart” information like geolocation, day, time, type of device used or user behavior to improve security authentication. These adaptive access controls ensure high levels of trust along with increased identity assurance for customers.

Cloud IAM and Digital Transformation

As the continuous push for digital transformation is booming worldwide, it is increasingly important to ensure the right users access the right resources at the right time. Cloud IAM fosters safe identities while ensuring safe access. For businesses looking forward to secure, seamless and streamlined cloud adoption, cloud IAM is truly the guardian angel for digitalization.

After all, the end goal is to secure identities, facilitate only authorized accesses, achieving greater levels of regulatory compliance and provide delightful user experience, while keeping the competing return on investment.

Explore IBM Security Verify

More from Cloud Security

How I got started: Cloud security engineer

3 min read - In today’s increasingly cloud-focused business environment, cloud security engineers are pivotal in protecting an organization’s critical data and infrastructure. As experts in cloud security, they leverage their expertise to ensure that the ever-expanding amount of cloud data is safe from emerging threats and vulnerabilities. Cloud security professionals combine their passion for technology with a deep understanding of security principles to design and implement robust cloud security strategies. What experience do these security experts have, and what led them to the…

“Authorized” to break in: Adversaries use valid credentials to compromise cloud environments

4 min read - Overprivileged plaintext credentials left on display in 33% of X-Force adversary simulations Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still heavily relied upon. Today X-Force released the 2023 Cloud Threat Landscape Report, detailing common trends and top threats observed against cloud environments over the past…

Lessons learned from the Microsoft Cloud breach

3 min read - In early July, the news broke that threat actors in China used a Microsoft security flaw to execute highly targeted and sophisticated espionage against dozens of entities. Victims included the U.S. Commerce Secretary, several U.S. State Department officials and other organizations not yet publicly named. Officials and researchers alike are concerned that Microsoft products were again used to pull off an intelligence coup, such as during the SolarWinds incident. In the wake of the breach, the Department of Homeland Security…

What you need to know about protecting your data across the hybrid cloud

6 min read - The adoption of hybrid cloud environments driving business operations has become an ever-increasing trend for organizations. The hybrid cloud combines the best of both worlds, offering the flexibility of public cloud services and the security of private on-premises infrastructure. We also see an explosion of SaaS platforms and applications, such as Salesforce or Slack, where users input data, send and download files and access data stored with cloud providers. However, with this fusion of cloud resources, the risk of data…