Extending identity governance to the cloud: 5 questions to ask your SaaS provider

Today, many organizations are exploring the viability of deploying software-as-a-service (SaaS) applications in order to streamline their IT infrastructure and lower their IT budgets. But, as certain applications are moved to SaaS, it is important that each organization consider how they will address identity management requirements in that runtime environment.

It is especially critical that organizations ensure their overall IT strategy adequately addresses more stringent security and compliance standards such as the new EU Data Breach notification mandate, the UK Data Protection Act, PCI and Sarbanes-Oxley before they are faced with the consequences of non-compliance – or worse, a data breach.

One of the most important areas of focus when moving applications to a SaaS model is identity governance. Identity governance helps an organization manage and control user access to sensitive applications and data.

A governance-based approach to identity management gives an organization a single view into users and their access privileges and answers the critical questions of “who should have access to what,” “who does have access to what,” and “how did they get it.”

There are several factors that complicate answering these questions for SaaS-based applications. After all, a SaaS application implicitly means working with third-party service providers to ensure the right security and privacy controls are in place to protect sensitive applications and data.

When deploying SaaS applications, an organization enters a contractual obligation with the SaaS application provider who manages the application infrastructure. Despite this shared responsibility, the enterprise itself remains responsible for the security and integrity of data and applications deployed and run by that provider.

To ensure you have the right controls and visibility in place, here are five key questions that you should ask your SaaS providers to better understand how their policies and controls may affect you.

1. What type of technical interfaces and reporting capabilities do you offer to help us support our organization’s identity management requirements?

Your cloud service provider needs to ensure you can integrate your identity governance controls to the application in order to manage who has access to what data at any given moment. Having this type of capability will provide a more seamless integration to your overall identity governance strategy.

2. How do you work with customers when they need to audit their own data in relation to user access controls?

It is common for large organizations to face regular auditing requirements, sometimes several times a year. Auditors are not necessarily concerned with whether an organization’s data “lives” in the cloud or the datacenter, but will certainly pay close attention to who has access to that data, and whether that company can demonstrate it has the proper IT controls in place to ensure access controls meet policy. With some cloud-based applications, you will need the service provider’s support in order to provide the data required during such an audit.

3. What is your process for maintaining accountability for your administrative staff in relation to the control and management of our data within your application?

One benefit of SaaS applications is that your IT organization does not have to handle the administration aspects because the service provider typically does. Because these applications contain sensitive and compliance-relevant data, your organization will need full visibility into who is accessing that data from the service provider. Your service provider must show appropriate policies and operational procedures for privileged user management and must provide separation of duty such that administrative capabilities cannot be used to circumvent control procedures.

4. Do you have any standards in place for regular review of internal user access privileges and overall control of the joiner/mover/leaver process for internal employees?

Because the cloud is still so new, there is a lot of uncertainty as to the specific regulatory requirements applicable to the cloud. Currently, there are no compliance standards specific to user management for cloud computing, but cloud service providers can and should be fully compliant with industry standards such as PCI compliance and should demonstrate a good understanding of the issues around identity and access governance, such as performing regular access reviews and automating the revocation of privileges upon termination.

5. Do you share your auditing process and proof of compliance with your customers?

With widespread discussion of security and compliance in the cloud, most cloud service providers are now making it a priority to address many of these concerns themselves. In fact, many believe they can achieve a competitive advantage by offering high levels of security and compliance benefits. This is great news, but the old saying “trust but verify” applies here. It is imperative that you understand how each service provider handles industry requirements before moving your sensitive data to their applications.

Organizations must make sure their service level agreements with SaaS providers are comprehensive and balanced enough to ensure a necessary level of compliance and the ability to incorporate their own identity governance capabilities into the application.

By focusing on these five questions, you will be better prepared to partner with your SaaS provider to make sure you are adequately addressing your identity management requirements in the cloud. By taking a proactive approach to governing the user access to your cloud applications, you can eliminate any potential gaps in control and visibility over sensitive data and help facilitate the safe adoption of cloud computing to fully recognize the cost savings and operational efficiency it promises.

Darran Rolls directs the continued development and communication of SailPoint's technology strategy and vision. Before joining SailPoint, Darran worked in the CTO's office at Sun Microsystems and led strategic technology and industry standards initiatives at Waveset Technologies. A respected contributor to several international XML standards initiatives, he served as Chair of the OASIS Provisioning Services Technical Committee. In that capacity, he led a two-year industry effort to develop the Service Provisioning Markup Language (SPML) Specification. Prior to Waveset, Darran served in senior technical leadership positions at enterprise software companies including IBM/Tivoli Systems, PointOne Telecommunications and DBMX.