Cloud Identity Management Challenges
For years, enterprises have been rapidly adopting cloud technologies for many of their data processing tasks.
The area of identity management is no exception. To this day, it is still a particularly fast-growing trend within the cloud revolution.
Cloud identity providers, or IdPs, have been taking the world of IT by storm. According to an estimate from Gartner, cloud-based identity is, and will continue to be, one of the fastest-growing cloud-based services.
Indeed, industry leaders have long pointed to the strengths of cloud-based options for managing digital identities, strengths often not available with on-premises options. Moving the primary “home” of the data from on-premises servers to the cloud means that endpoint devices, from laptops to PCs to file servers, become merely local access points to the larger body of information. All of the authentication data can therefore be secured in the cloud-based repository. This also translates into big advantages from a management perspective: IT departments no longer have to handle data storage on devices individually, and any changes, alterations, or updates to authentication procedures can be executed once for all users.
However, managing identity from the cloud is not without its challenges. Understanding the issues that arise from shifting to cloud-based identities will leave managers more equipped to handle them.
Although cloud identity services initially make it easier for users to access their applications, complexity can quickly increase with the number of applications being accessed. Each application has a different set of password requirements, such as expiration cycles and length/complexity rules. The variety of requirements often creates a situation of diminishing productivity, as every user ends up investing more time and effort just to keep up with these rules. Imagine the increase in employee frustration as they spend more and more time trying to reset, remember, and manage these constantly changing passwords across all of their applications. Perhaps an even greater concern is the security risks caused by the same users who react to this “password fatigue” by using obvious or reused passwords written down on post-it notes or saved in Excel files on laptops.
Cloud-based IAM services providing Single Sign-On (SSO) can alleviate these concerns by giving users a central place to access all of their applications with a single username and password. Better yet, a cloud-based identity management system can also enable various departments to manage identities for both on-demand and on-premises applications.
Visibility: Who Can Access What?
It’s important to understand who has access to applications and data, where they are accessing it from, and what they are doing with it. This is particularly true for cloud services, which greatly increase both the ease of access to data and the number of locations from which users can access it. However, only the most advanced services on the market today offer any compliance-like reporting, and even then, it’s often available for just one application.
To answer auditors who will inevitably ask which employees have access to which applications and data, companies need central visibility and control across all systems. The ideal IAM service should enable IT to set access rights across services and provide centralized compliance reports across those rights, as well as user and administrator activity. Furthermore, this means the on-boarding and off-boarding processes of employees should be verifiable, with the solution able to track which users are accessing what and when.
What About My Current User Directories?
Many enterprises have made significant investments in corporate directories (such as Microsoft AD) to manage access to on-premises network resources. As organizations adopt cloud-based services, they need to leverage that investment as much as possible and extend it to the cloud. The alternative would require the creation of an entirely separate but parallel directory and access management infrastructure just for those new applications.
A best-of-breed cloud-based IAM solution should provide centralized, out-of-the-box integration with the central Active Directory or LDAP so that directory functions can be seamlessly leveraged and extended to those new cloud applications, without requiring any on-premises appliances or firewall modifications. As you add or remove users from that directory, access to cloud-based applications should be modified automatically, via industry standards like SSL, without any network or security configuration needing to change. Just set and forget.
Identity sprawl refers to a situation where a user’s identity is managed by multiple siloed systems or directories that are not synchronized with each other. This results in multiple identities for each user.
The situation often arises when an application or system is not, or cannot be, integrated with the organization's central directory service. This creates the need to manage another set of user identities to support access to that application or system. Identity sprawl has been a problem for organizations adopting cloud services that operate separate identity silos, which means users need a separate identity for the cloud service.
The most straightforward solution to this issue is the adoption of stateless cloud infrastructure. Stateless protocols allow for the transmission of data without identifying information about the sender or recipient being retained by either side. Stateless servers function as a digital gateway, as opposed to a storage place for credentials and identities. This means that these systems do not rely on synchronization with an on-premises identity provider, thus removing the potential for identity sprawl.
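The visibility question raised earlier ("who can access what?") and the identity sprawl described in this section can both be checked with a simple reconciliation of a central directory export against per-application user lists. The following is an added example, not code from the article or any vendor it describes; the directory format, the application user lists and all logins in it are constructed sample data.

```python
"""Identity-sprawl and off-boarding audit across unsynchronised identity stores.

Joins a central-directory export (assumed: the organisation's AD/LDAP, reduced
to login -> enabled flag) against per-application user lists and flags:
  sprawl        - identity present in an application but unknown centrally
  stale_access  - identity disabled centrally but still enabled in an application
All records below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str       # "sprawl" or "stale_access"
    app: str
    identity: str   # normalised login


# Constructed central directory export: login -> account enabled?
CENTRAL_DIRECTORY = {"alice": True, "bob": False, "carol": True}  # bob was off-boarded

# Constructed per-application user lists: app -> {login: enabled?}
APP_USERS = {
    "crm": {"alice": True, "bob": True, "Dave@example.com": True},  # bob stale, dave sprawl
    "payroll": {"alice": True, "carol": False},
}


def normalize(login: str) -> str:
    """Unify spelling across silos: case-insensitive, UPN domain suffix dropped."""
    return login.strip().lower().split("@", 1)[0]


def audit(central: dict, apps: dict) -> list:
    """Return sprawl and stale-access findings, sorted for a stable report."""
    central = {normalize(k): v for k, v in central.items()}
    findings = []
    for app, users in apps.items():
        for raw_login, enabled in users.items():
            login = normalize(raw_login)
            if login not in central:
                findings.append(Finding("sprawl", app, login))
            elif enabled and not central[login]:
                findings.append(Finding("stale_access", app, login))
    return sorted(findings, key=lambda f: (f.kind, f.app, f.identity))


def access_matrix(central: dict, apps: dict) -> dict:
    """Answer 'who can access what': login -> set of apps where the account is enabled."""
    matrix = {normalize(k): set() for k in central}
    for app, users in apps.items():
        for raw_login, enabled in users.items():
            if enabled:
                matrix.setdefault(normalize(raw_login), set()).add(app)
    return matrix
```

Run against real exports, every `sprawl` finding is a candidate for directory integration and every `stale_access` finding is an off-boarding gap to close.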