Oh! Don't worry, we don't intend to bore you with a lesson of typical IAM stories - we're sure you've come across a lot of information in this area. However, you do need to have an independent view of the actual business needs and challenges in the cloud area, so that you can get the most out of your own situation.
Identity and Access Management (IAM) is the discipline that plays an important role in the actual cloud era of your organization. It's also of value to small and medium-sized companies, so that they can enable the right individuals to access the right resources from any location and device, at the right time and for the right reasons, to empower and enable the desired business outcomes. IAM addresses the mission-critical need of ensuring appropriate and secure access to resources inside and across company borders, such as cloud or partner applications.
The old security strategy of only securing your environment with an intelligent firewall concept and access control lists will take on a more and more subordinated role. There is a recommended requirement of reviewing and overworking this strategy in order to meet higher compliance and operational and business requirements. To adopt a mature security and risk management practice, it's very important that your IAM strategy is business-aligned and that the required business skills and stakeholders are committed to this topic. Without clearly defined business processes you can't implement a successful IAM functionality in the planned timeframe. Companies that follow this strategy can become more agile in supporting new business initiatives and reduce their costs in IAM.
The following three groups show the typical indicators for missing IAM capabilities on the premises and for cloud services:
Your employees/partners:
Same password usage across multiple applications without periodic changes (also in social media accounts)
Multiple identities and logins
Passwords are written down in Sticky Notes, Excel, etc.
Application and data access allowed after termination
Forgotten usernames and passwords
Poor usability of application access inside and outside the company (multiple logins, VPN connection required, incompatible devices, etc.)
Your IT department:
High workload on Password Reset Support
Missing automated identity lifecycles with integrity (data duplication and data quality problems)
No insights in application usage and security
Missing reporting tools for compliance management
Complex integration of central access to Software as a Service (SaaS), Partner and On-Premise applications (missing central access/authentication/authorization platform)
No policy enforcement in cloud services usage
Collection of access rights (missing processes)
Your developers:
Limited knowledge of all the different security standards, protocols, and APIs
Constantly changing requirements and rapid developments
Complex changes of the Identity Provider
On top of that, often the IT department will hear the following question: When can we expect the new application for our business unit? Sorry, but the answer will always take too long. Why should I wait? All I need is a valid credit card that allows me to buy my required business application, but suddenly another popular phenomenon pops up: The shadow IT! Most of the time, this introduces another problem - uncontrolled information leakage. The following figure shows the flow of typical information - and that which you don't know can hurt!
The previous figure should not give you the impression that cloud services are inherently dangerous, rather that before using them you should first be aware that, and in which manner, they are being used. Simply migrating or ordering a new service in the cloud won't solve common IAM needs. This figure should help you to imagine that, if not planned, the introduction of a new or migrated service brings with it a new identity and credential set for the users, and therefore multiple credentials and logins to remember! You should also be sure which information can be stored and processed in a regulatory area other than your own organization. The following table shows the responsibilities involved when using the different cloud service models. In particular, you should identify that you are responsible for data classification, IAM, and end point security in every model:
|
Cloud Service Modell |
IaaS
|
PaaS
|
SaaS
| |||
|
Responsibility |
Customer |
Provider |
Customer |
Provider |
Customer |
Provider |
|
Data Classification |
X
|
X
|
X
| |||
|
End Point Security |
X
|
X
|
X
| |||
|
Identity and Access Management |
X
|
X
|
X
|
X
|
X
| |
|
Application Security |
X
|
X
|
X
|
X
| ||
|
Network Controls |
X
|
X
|
X
|
X
| ||
|
Host Security |
X
|
X
|
X
| |||
|
Physical Security |
X
|
X
|
X
|
Many organizations are facing the challenge of meeting the expectations of a mobile workforce, all with their own device preferences, a mix of private and professional commitments, and the request to use social media as an additional means of business communication.
Let's dive into a short, practical, but extreme example. The AzureID company employs approximately 80 employees. They work with a SaaS landscape of eight services to drive all their business processes. On premises, they use Network-Attached Storage(NAS) to store some corporate data and provide network printers to all of the employees. Some of the printers are directly attached to the C-level of the company. The main issues today are that the employees need to remember all their usernames and passwords of all the business applications, and if they want to share some information with partners they cannot give them partial access to the necessary information in a secure and flexible way. Another point is if they want to access corporate data from their mobile device, it's always a burden to provide every single login for the applications necessary to fulfil their job. The small IT department with one Full-time Employee (FTE) is overloaded with having to create and manage every identity in each different service. In addition, users forget their passwords periodically, and most of the time outside normal business hours. The following figure shows the actual infrastructure:
Let's analyze this extreme example to reveal some typical problems, so that you can match some ideas to your IT infrastructure:
Provisioning, managing, and de-provisioning identities can be a time-consuming task
There are no single identity and credentials
There is no collaboration support for partner and consumer communication
There is no Self-Service Password Reset functionality
Sensitive information leaves the corporation over email
There are no usage or security reports about the accessed applications/services
There is no central way to enable Multi-Factor Authentication (MFA) for sensitive applications
There is no secure strategy for accessing social media
There is no usable, secure, and central remote access portal