The Right Way to Use Cloud-Based Identity and Access Management
With the influx of large amounts of data from sources such as mobile devices and cloud applications, managing identity data can be a huge challenge for most enterprises today. Identity and Access Management (IAM) technology can be used to initiate, record and manage user identities and their related access permissions in an automated fashion. This way, access privileges are granted according to the defined policy, and all individuals and services are properly authenticated and audited. Of late, cloud-based IAM offerings are gaining momentum in the enterprise as more and more companies look to simplify the management of electronic data. However, prior to implementing cloud-based IAM products, security teams must consider numerous factors.
The first and foremost consideration should be to understand current organizational needs and capabilities when replacing in-house IAM or extending existing IAM products with a cloud model. At times, InfoSec professionals introduce authoritative repositories such as Active Directory into the cloud service environment. This brings new risks, either by replicating identity data into the cloud or by extending boundaries beyond the traditional enterprise perimeter, where traditional security controls cannot be applied.
Next, enterprises need to determine whether they need to synchronize internal and external IAM products and services. If so, they need to evaluate service-level agreements and performance statistics to ensure uninterrupted identity access between in-house user stores and the data being accessed and used in the cloud environment. Often, cloud IAM providers support a dedicated VPN connection to their environments so that user repository and identity data can be transferred more securely. Professionals also need to ensure that the cloud IAM provider supports strong authentication standards for multifactor authentication and passwords.
Then, security professionals need to make sure that cloud applications use the same set of standards and technologies used for other applications and the general infrastructure. Custom IAM systems that are not built on security standards can result in vendor lock-in problems. While evaluating cloud IAM services, application development teams should be comfortable with the standards needed to integrate applications and data with the cloud IAM environment. Information owners should integrate identity as a service (IDaaS) interaction into the software development lifecycle, especially for partners; this requires a commitment to using the IDaaS from the requirements-development phase of the SDLC onward if integration is to go smoothly. Businesses then need to consider all current and planned user scenarios, covering the types of devices and roles that will need to access and use the cloud IAM features. Here, security teams have to collaborate with various IT and business stakeholders, and many of them have to be educated about the ramifications a cloud IAM system will have on endpoints and access processes. With the advent of bring-your-own-device initiatives in many organizations, a broad range of mobile devices has to be supported when integrating identity access.
Finally, it is important to thoroughly investigate the security controls in place at the IDaaS provider. The provider must maintain stringent security controls to keep the data safe if user identity data is stored within the provider environment or if trust boundaries are extended into its cloud. Security measures should include encryption, logging and monitoring, role-based access control and more. Enterprises should also make sure they can meet any compliance requirements associated with identity data. While cloud-based IAM services can greatly simplify identity and access management, it is essential to assess the use of standards, compatibility and security before choosing the IDaaS option.