The challenge
A huge amount of business applications and services continue to move to the cloud. Along with the rise of remote workers within an organisation, securing and controlling access to cloud-based infrastructure and services has become a challenging and complex requirement. Once infrastructure and services are no longer secured or maintained by an organisation, ensuring additional controls are in place along with mature policies is vital to reducing the risk exposure.
Some organisations may have mature Identity and Access Management (IAM) solutions, which protect internal systems. However, with the rapid adoption of the cloud, many are trying to use existing policies and controls to secure the cloud. This is not an effective way of approaching the problem; the cloud must be seen for what it is, a completely different solution which requires its own policies, procedures and controls.
Whilst many cloud applications or services provide a certain level of access control, this requires them to be managed locally, either per platform or per application. Generally, they do not provide the ability to link to an internal Active Directory or identity platform, or at best they provide an unreliable or insecure API integration with internal systems. This makes managing users a complex and time-consuming process, and it also reduces employee effectiveness and productivity, as users are forced to log in repeatedly to the various systems they require. This is one of the most common issues businesses encounter.
Auditing capabilities can also be an issue when it comes to cloud-based services or infrastructure. Whilst most cloud solutions will provide a level of auditing capabilities, they can be quite limited and will require the administrator to access each service or platform to run reports. Again, this is a very time-consuming exercise, particularly if an organisation has multiple solutions requiring auditing.
Risks and threats
Many cloud providers have their own security controls in place to protect their services. However, it is the responsibility of the business to protect their own data in the cloud. As such, the security controls provided to an end user are usually limited and in some instances, simply do not exist. Some of the most common risks to cloud-based services can be overcome by ensuring an IAM solution is in place.
The most common risks which can be reduced through an IAM solution are as follows:
- Poor identity and access governance and management, from weak passwords to poorly managed joiners/movers/leavers processes
- Data breaches caused by poor credential and identity management and procedures
- Insecure user interfaces and APIs; lack of provisioning, authentication and user activity monitoring
- Compromised accounts; attackers gaining user credentials, poor password expiration policies
- Insider threats; no user auditing capabilities, poor user authorisation policies, lack of segregation of duties
While an IAM solution provides the ability to reduce these risks and threats, unless it is combined with a mature strategy and the correct processes and procedures, the reduction in risk will be far smaller.
Securing and reducing risk
The main challenges of moving services or infrastructure to the cloud can all be remediated, or at least greatly reduced, by implementing an IAM solution. An IAM solution combined with an enterprise Single Sign-On (SSO) solution will provide an organisation with the following benefits:
- Centralised management, visibility and control
- Increased security hardening
- Consolidation and control of access privileges
- Automation of all user lifecycle processes
- Demonstrable compliance adherence
It's important to note that implementing these solutions without proper planning and without the underlying policies and procedures in place will result in poor adoption and issues with deployment and configuration, and the programme will ultimately fail.
Policy is key
One of the first actions an organisation should carry out when taking its first steps towards the cloud, or when working to mature its existing cloud access controls, is to evaluate any existing policies governing the acquisition of new infrastructure or software and the management of user credentials. In most cases, these will not provide sufficient governance for cloud infrastructure and software, as they will usually have been developed for internal systems and user management only. Ensuring the correct policies and procedures are in place for the cloud is vital and should be a priority for any organisation looking to mature its cloud access. This can be achieved either by updating the existing procedures to include the cloud or by creating a new set purely to govern the cloud. There are good arguments for both approaches, but provided it is done correctly it makes little difference to the effectiveness.
A mature policy should consider not only the provisioning and de-provisioning of users but also look at the impact of any potential compliance requirements the organisation may be required to adhere to.
Simplifying access
Refining or creating policies to cover cloud-based software and/or infrastructure will provide a business with the governance needed to ensure the risk exposure is reduced. Nevertheless, these will not provide any additional security or assist with controlling user access.
This is where additional tools can provide a great deal of value, for example an SSO solution such as Ilex International's Sign&go, which supports federated SSO. The solution is very effective and can also provide cost savings to the organisation.
Implementing an SSO solution to integrate with an IAM solution, or even as a standalone, will provide a great amount of control over what users can access. The solution will also reduce the need for users to remember multiple credentials. Also, it will provide a single portal to manage and audit user behaviour and activity.
Another benefit of implementing a single SSO solution, such as Sign&go, is the ability to add mobile access and data security including total protection of corporate data.
Federated access
Another very effective expansion to a Single Sign-On solution is to introduce federated capabilities. Using a federated SSO solution allows a user to be allocated a single set of credentials which grants access to multiple accounts. This access is controlled by the Active Directory groups of which the user is a member.
By introducing federated sign-on, a business can expect to realise the following benefits:
- Reduced timescales for rollout of cloud services
- Greater control over joiners/movers/leavers: access is automatically adjusted or decommissioned, reducing the overhead of accessing individual platforms/services
- Greater auditing capabilities
- Increased user productivity through reduced login times/issues with credentials
- Reduced strain upon IT helpdesks
In short, an SSO solution utilising federation is quite simply a business enabler.
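The section above describes access being driven by directory group membership, with joiner/mover/leaver changes adjusted automatically and audited centrally. The following is an added illustration of that model, not code from the article or from Sign&go: it assumes a constructed mapping from directory groups to cloud application roles, recomputes a user's entitlements when their group set changes, and produces the grant/revoke actions and audit records a federation layer would apply.

```python
"""Group-driven entitlement resolution for federated SSO (added illustration).

Assumed model: the directory (e.g. Active Directory) exposes each user's group
memberships, and a federation mapping ties directory groups to cloud application
roles. Recomputing the mapping on every joiner/mover/leaver event yields the
access changes to apply plus an audit trail. All names and data are constructed.
"""

# Constructed mapping: directory group -> set of (application, role) entitlements.
GROUP_ENTITLEMENTS = {
    "CLOUD-CRM-Users": {("crm", "user")},
    "CLOUD-CRM-Admins": {("crm", "user"), ("crm", "admin")},
    "CLOUD-Storage-ReadOnly": {("storage", "viewer")},
}


def resolve_entitlements(groups):
    """Union of entitlements granted by the user's current group set.

    A group with no mapping grants nothing, so an unexpected or mistyped
    directory group can never widen access by accident."""
    granted = set()
    for group in groups:
        granted |= GROUP_ENTITLEMENTS.get(group, set())
    return granted


def lifecycle_change(user, old_groups, new_groups):
    """Diff entitlements before and after a joiner/mover/leaver event.

    Returns (to_grant, to_revoke, audit_entries). A leaver is simply a change
    to an empty group set, which revokes everything; a mover keeps any role
    that both the old and new groups grant, so it is not needlessly churned."""
    before = resolve_entitlements(old_groups)
    after = resolve_entitlements(new_groups)
    to_grant = after - before
    to_revoke = before - after
    audit = [f"GRANT user={user} app={app} role={role}" for app, role in sorted(to_grant)]
    audit += [f"REVOKE user={user} app={app} role={role}" for app, role in sorted(to_revoke)]
    return to_grant, to_revoke, audit


if __name__ == "__main__":
    # Constructed scenario: joiner, then mover (promotion), then leaver.
    for old, new in [([], ["CLOUD-CRM-Users"]),
                     (["CLOUD-CRM-Users"], ["CLOUD-CRM-Admins", "CLOUD-Storage-ReadOnly"]),
                     (["CLOUD-CRM-Admins", "CLOUD-Storage-ReadOnly"], [])]:
        for line in lifecycle_change("alice", old, new)[2]:
            print(line)
```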
Conclusion
There is no doubt that moving to the cloud can cause concern and result in increased risk exposure, especially around the growing security challenges and the potential requirement for additional IT infrastructure spend. This said, a move to the cloud should be viewed as a business enabler, as the benefits can be great: reduced infrastructure maintenance costs, user enablement through greater collaboration capabilities, location flexibility, improved user experience, automatic software updates in many cases and a reduction in CapEx. Combined, these will more often than not outweigh the investment in any additional security measures that may be required, all the more so because the additional security controls can be applied elsewhere in the business, further increasing security throughout the organisation.
The key consideration when moving to the cloud is to evaluate and understand the gaps in existing processes, policies and procedures and the potential need for additional security controls; detailed planning and project governance are critical. If these key actions are carried out, any adoption of cloud services or infrastructure can be made a success.
Gabriel Wilson provides Identity and Access Management consultancy to Ilex International. He has over 10 years' IT experience and specialises in technical information security. He leads Rivington Information Security's Managed Service practice (Rivington is Ilex International's implementation partner) and as a Managing Consultant has worked with many high-profile clients across multiple industries. His broad range of experience includes managing complex teams and solutions, the design and operation of Security Operation Centres, and determining the most appropriate security technologies to support business aims.