This is the sixth post in my series:
You would have to be living under a rock to have missed the disruptive technologies now being adopted throughout the IT world through Cloud solutions. Cloud solutions come in all forms: IaaS, PaaS, SaaS and many others. It's not just applications, platforms or infrastructure that organisations can purchase in a service model, delivered from a public cloud offering. Organisations are also using desktop as a service, device management as a service and Identity as a service solutions, to name a few more, but there really is no limit to the solutions with a traditional on-premise architecture that are now delivered via a public cloud offering.
The key to enabling and adopting these services is security. We see one hack after another based on insecure environments, whether they originate from external hackers obtaining thousands of user identity details, or from a disgruntled employee accessing corporate information and releasing it or destroying the data for illegal purposes. Traditional perimeter-based security simply isn't sufficient to counter these threats. It doesn't extend security beyond the organisation's border, and it doesn't prevent a user who has the right to access the organisation from accessing information they shouldn't be accessing.
This is where Identity Management comes into its own. Identity Management provides a security layer based on each user's role, access, position or location, or any combination of these or other user attributes. Firewalls were never built to control access to resources at such a refined level. It was always a binary state of yes or no to resource access. There was never a conditional yes (i.e. yes, but only this bit) if you are a manager, or a no (even though you are just down the street) even if you are the CEO. Identity Management drills down to these particulars and makes real-time decisions in controlling what a user has access to and when.
We haven't delved into this level of Identity Management in this series of articles. I hope to write a few of those in the future so that we can expand the scope of Identity Management and build a better understanding of how it can be the key to securing corporate and user data in such an open world of Internet and Cloud technologies.
The previous articles in this series outlined what it takes to develop a core Identity Management solution in an organisation. If an organisation is looking to adopt cloud services, Identity Management technologies can provide the security it will take to ensure only authorised users can access the application.
Many organisations jump into Cloud services without any thought for managing Identity access or authentication to the Cloud service. Identity Management extends the controls an organisation can have over Cloud applications in the same form that they have for on-premise applications.
To do this we simply look at each source and target application and connect to these using a secure method. Likewise, many application vendors have not considered Identity Management and the role their application plays in securing the client organisation's data and user identity information.
By understanding each identity within an organisation, and each identity requiring access to the organisation's applications and data (even external identities), we can at last control the access we give to those identities. Identity Management makes it possible to secure each application and the access each user has throughout the lifecycle that the user has with the organisation. This includes provisioning users when they first start working with the organisation, managing the access within and to each application, and securing the user's access by denying access when that user is no longer permitted access through termination or changes in corporate policy.
These rules apply to every organisation adopting cloud services. The size of an organisation is irrelevant. Larger organisations tend to have more complex policies, assigning specific roles and access to applications due to the complex layers of the organisational structure. Smaller organisations can manage control through simple access rules and extend these as the organisation grows.
Identity Management also builds on the existing perimeter security approach that's been built over the years by extending the security of data and users' identity information, keeping all of that information within the perimeter, controlling access through secure channels, and maintaining authentication data (usernames and passwords) behind the firewalls. The extension goes far beyond this, though, by managing timely disabling of accounts on termination of a user and by changing application access levels through minor changes to the user's details where they belong, within the department that is responsible for managing all staff details: HR. External identities such as customers, partners or vendors can also be managed by controlling each identity through a separate or even the same source of truth, establishing groups to manage access or defining access at the individual level.
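The lifecycle control described in the last few paragraphs (provision on joining, adjust access when HR details change, disable on termination) can be checked by reconciling each application's accounts against the HR record. The following is an added example, not code from the original post; the HR data, the role-to-access policy, the account exports and all names are constructed assumptions.

```python
# Added example: constructed data and hypothetical names throughout.
from typing import NamedTuple

class Person(NamedTuple):
    status: str   # "active" or "terminated", as recorded by HR
    role: str

class Account(NamedTuple):
    enabled: bool
    access: str   # access level currently held in the application

# Constructed sample data: HR is the source of truth, keyed by employee id.
HR = {
    "e100": Person("active", "manager"),
    "e101": Person("active", "staff"),
    "e102": Person("terminated", "staff"),
    "e104": Person("active", "staff"),
}
# Hypothetical policy: role -> access level per application (absent = no access).
POLICY = {
    "crm": {"manager": "approve", "staff": "read"},
    "payroll": {"manager": "read"},
}
# Constructed account exports from two cloud applications.
ACCOUNTS = {
    "crm": {"e100": Account(True, "approve"), "e101": Account(True, "approve"),
            "e102": Account(True, "read"), "e103": Account(True, "read")},
    "payroll": {"e101": Account(True, "read")},
}

def reconcile(hr, policy, accounts):
    """Return sorted (app, user, action) tuples needed to match HR and policy."""
    actions = []
    for app, rules in policy.items():
        held = accounts.get(app, {})
        for user, acct in held.items():
            person = hr.get(user)
            wanted = rules.get(person.role) if person and person.status == "active" else None
            if wanted is None:
                if acct.enabled:  # leaver, orphan, or role no longer entitled
                    actions.append((app, user, "disable"))
            elif not acct.enabled or acct.access != wanted:
                actions.append((app, user, f"set:{wanted}"))
        for user, person in hr.items():
            if person.status == "active" and person.role in rules and user not in held:
                actions.append((app, user, f"provision:{rules[person.role]}"))
    return sorted(actions)
```

On the sample data this flags the terminated user and the account with no HR record for disabling, downgrades the staff member holding manager-level access, and lists the accounts still to be provisioned.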
Managing each identity truly has become the new security mechanism for organisations. It centralises the control of access, roles and authorisation for all users, making the move to cloud systems no more complex or risky than adopting a new application on-premise in the past.