Cloud Identity Management: Convenience With Control

Over the past year, the team at my company has held discussions with some of the world’s largest companies about their plans for cloud adoption. What has become clear is that the initial hesitation to move applications to the cloud – especially in highly regulated industries like financial services and insurance – is giving way to greater acceptance of the cloud. The benefits of cloud computing, including ease of use and cost savings, are just too great to ignore.

It’s important to point out, however, that these same customers tell us accelerating cloud adoption will not result in the wholesale replacement of existing enterprise applications. While the majority of “net new” applications will be deployed as cloud services in many organizations, the core application infrastructure will remain on-premises. For this reason, the “new world order” of enterprise IT will be more complex and will require management of a hybrid environment composed of both on-premises and cloud applications.

Adding to the challenge is the reality that business units are gaining more autonomy to buy and deploy applications without consulting or involving the IT organization. The new generation of “empowered” business users wants to consume services with convenience and simplicity, and they want them immediately.

As more and more applications are procured outside of IT, it becomes more difficult for IT to monitor and control user access, because in an increasing number of cases IT has no visibility into the cloud applications in use throughout the enterprise.

Identity management of cloud applications

Effective identity and access management of cloud applications requires organizations to take a more flexible approach. What’s needed is not a “one size fits all” approach, but one that recognizes that different cloud applications require different levels of management and control. In order to give workers more choice and empowerment in the tools they employ, enterprises need business-friendly ways to manage user access to cloud applications and to apply different levels of policy and controls to those users and applications.

The right identity and access management strategy allows organizations to meet compliance requirements and mitigate risk but also provides valuable services to the business, aligned with the cloud’s core value propositions of speed and simplicity.

To successfully manage cloud applications procured outside of IT’s control, organizations must build both visibility and flexibility into their processes. By combining convenient access to much-needed cloud applications for the business with IT oversight, enterprises can gain the buy-in of business users while putting the right controls in place to keep cloud applications secure.

For mission-critical cloud applications, such as Workday and Salesforce.com, a high degree of control and governance is required. The enterprise must protect and govern access to these types of critical cloud applications and provide complete visibility into and oversight of “who has access to what?”

For this class of cloud applications, it’s important to implement preventive and detective controls, such as approval workflow, policy enforcement, access certifications and policy violation scanning, over the processes that grant, change, and remove access, to ensure that compliance and security guidelines are being followed. Detailed auditing and reporting are required to give IT and business staff the intelligence they need to meet the requirements of audit and compliance staff.

For applications that are procured by business units or individual users and are not under direct IT management, such as Box.com or Concur, organizations need visibility into how and when those applications are being used, so that decisions can be made about the degree of management and control that is appropriate.

For many cloud applications, security may be less important than cost control management. For example, because many SaaS applications charge based on the number of user accounts, it’s important that users receive access only to the SaaS applications they need to do their jobs and that users are promptly deprovisioned when they leave the organization.

Focus on business enablement

As IT departments begin to formally address cloud identity and access management requirements, it’s critical that they approach cloud identity challenges with a new frame of mind. Gaining visibility and control over cloud applications is required to meet security and compliance requirements, but organizations must evolve their management style from an across-the-board “lock down” approach to one that uses selective controls based on business risk.

Proactively partnering with business users to deliver convenience, service and value is key to getting their buy-in to IT’s management and control of cloud applications. By helping business users become more productive and efficient in their jobs, IT can gain the cooperation and visibility it needs. This helps IT align with the cloud’s core value propositions of convenience and simplicity for the business. The right identity and access management strategy allows IT and business to work together to implement the right tools and processes in order to mitigate risk and meet compliance requirements.

Jackie heads SailPoint's Cloud Identity Business Unit, where she focuses on delivering cloud-based solutions to complement and extend SailPoint's flagship IdentityIQ product line. In this role, Jackie manages a team of engineers, product managers, and operations staff focused on rapidly innovating to meet emerging market needs. She has spent the past 20 years driving entrepreneurial projects in technology companies, large and small, and has spent the past 9 years focused on identity management technology and markets. A frequent commentator on identity management, cloud and compliance trends, Jackie's work has appeared in leading technology publications such as SC Magazine, CSO Magazine, CIO.com, Government Security News, Computer Technology Review, Risk Management, and Public CIO.