Last updated: 01 February 2018
What is cloud access management?
Cloud access management is the discipline that enables the right user to have access to the right resource in the cloud at the right level of trust. Cloud access management solutions answer the questions, “Who has accessed which resource in the cloud, when, and how was their identity verified?”
According to Gartner, “By 2019, more than 80% of organizations will use access management software or services, up from 55% today.”
Cloud-based applications, in turn, play a vital role in fulfilling productivity, operational and infrastructure needs in the enterprise. Cloud access management systems allow administrators to sync existing users or create new ones, and authorize their access to applications, databases, cloud-based infrastructure (IaaS) and other systems through a hosted server.
Cloud compliance and security hurdles
Maintaining the confidentiality of data residing in the cloud is one of the main concerns of any organization. IT departments, effectively the gatekeepers of enterprise resources, face a host of challenges in this respect, such as managing cloud credentials from multiple admin consoles, ensuring visibility into cloud access events (which is critical to compliance), resetting passwords due to lost or forgotten credentials, and scaling cloud access to hundreds and thousands of users while maintaining security.
When dealing with the growing number of cloud users, we must keep in mind that not all of these users are identical, and not all of them need access to the same resources. For that very reason, the ability to apply different authentication policies to different cloud apps, based on resource sensitivity and user role, makes it considerably easier for IT leaders to secure cloud access without burdening every user equally.
Meshing scenario-based access policies with Cloud Single Sign-On
Traditional single sign-on solutions work “buffet-style”: they vet you once at the entrance and grant you access to all items afterwards. Cloud access management combines the convenience of cloud single sign-on with the security provided by customizable access policies, allowing authentication to be stepped up after login. This lets IT leaders match the level of authentication required from each user to the app they are accessing, their user role, and whether they are working inside or outside the office.
Here are some examples of how access policies could be matched to the needs of different user groups in your company:
- Standard user access management: Some organizations may wish to offer SSO to most of their applications, while excluding those with sensitive data. This can be done with a policy requiring password-only authentication for users accessing their first app at the start of their day. An exception policy could be added to require additional authentication for users accessing business-critical applications.
- Remote worker access: Employees working from outside the trusted (office) network would require two-factor authentication (2FA) with their token after entering their domain credentials when launching an SSO session. Conversely, users working inside the office would only need to enter their domain credentials.
- External contractor access: Access to cloud applications for external contractors could be granted on the basis of a one-time password (OTP) once per SSO session. (Additional monitoring would be available through logs of access events.)
- User access from predefined locations: Another policy that could be set up would require OTP authentication each time a single sign-on session is initiated from predefined geographies. Equally, if access attempts should be limited to only one or two geographies, a policy could be defined to block all access attempts originating from outside those geographies.
- Privileged user access: Since privileged users, such as C-suite executives and IT administrators, are exposed to highly sensitive information and resources, a policy could be configured to require strong authentication every time they launch an SSO session (whether on or off-premises). This helps protect confidential data and cloud-based resources such as PaaS and IaaS (e.g. AWS, Citrix, VMware etc.) that are managed by IT on a regular basis.
- Data compliance: According to recent Gemalto research, 96% of IT decision makers say that access management can contribute towards their organization’s ability to comply with data protection regulations and pass security audits (e.g. GDPR). According to the latest version of PCI DSS 3.2, anyone accessing a resource that holds cardholder data must do so using MFA, whether that resource is a network, server, portal or app that holds credit card information. To enable PCI DSS compliance while retaining an SSO experience, an access policy could be set up to require multi-factor authentication (MFA) each time users access these resources. The same goes for GDPR compliance (General Data Protection Regulation), which deals with the personal data of EU citizens regardless of where that data is processed, as well as HIPAA (Health Insurance Portability and Accountability Act), both of which require adequate measures to be taken to secure access to private information.
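As an added illustration (not code from the original page, and not SafeNet Trusted Access's own policy engine), the evaluator below encodes the scenarios above as an ordered rule set that returns the authentication strength to prompt for, or a block decision. The role names, the country allow-list and step-up list, and the order in which the rules are applied are assumptions chosen for the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Auth(IntEnum):
    NONE = 0      # existing SSO session is sufficient, no prompt
    PASSWORD = 1  # domain credentials only
    MFA = 2       # domain credentials plus a second factor (OTP / token)


@dataclass(frozen=True)
class Access:
    role: str             # assumed values: "standard", "contractor", "privileged"
    app_sensitive: bool   # app holds cardholder, health or personal data
    inside_office: bool   # request originates from the trusted office network
    country: str          # geolocation of the request (constructed ISO codes)
    session_active: bool  # an SSO session has already been established


ALLOWED_COUNTRIES = {"US", "GB", "FR"}  # assumption: access permitted only from here
STEP_UP_COUNTRIES = {"FR"}              # assumption: OTP whenever a session starts here


def required_auth(a: Access) -> Optional[Auth]:
    """Return the authentication level to prompt for, or None to block the attempt."""
    if a.country not in ALLOWED_COUNTRIES:
        return None                      # geography policy: block outright
    if a.app_sensitive:
        return Auth.MFA                  # PCI DSS-style: MFA on every access
    if a.session_active:
        return Auth.NONE                 # SSO: already vetted for this session
    # From here on the user is launching a new SSO session.
    if a.role in ("privileged", "contractor"):
        return Auth.MFA                  # strong auth / OTP once per session
    if a.country in STEP_UP_COUNTRIES or not a.inside_office:
        return Auth.MFA                  # predefined geography or remote worker
    return Auth.PASSWORD                 # standard user inside the office


if __name__ == "__main__":
    # Constructed sample requests, one per scenario in the list above.
    samples = {
        "standard, first app of the day": Access("standard", False, True, "US", False),
        "standard, mid-session":          Access("standard", False, True, "US", True),
        "remote worker, new session":     Access("standard", False, False, "US", False),
        "contractor, new session":        Access("contractor", False, True, "GB", False),
        "privileged, new session":        Access("privileged", False, True, "US", False),
        "cardholder-data app":            Access("standard", True, True, "US", True),
        "outside allowed geographies":    Access("standard", False, True, "DE", False),
    }
    for label, req in samples.items():
        decision = required_auth(req)
        print(f"{label:32} -> {'BLOCK' if decision is None else decision.name}")
```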
To conclude, by customizing and adapting access policies to the scenario at hand, IT can ensure that policies are as strict or as lax as required—prompting for no credentials at all, a single credential or multiple credentials each time a user logs in to an SSO session or an individual app within that session. In this way, user access remains frictionless, while organizations remain protected, compliant and in control.
Discover how continuous authentication enhances cloud access management or see how SafeNet Trusted Access secures all your cloud apps for yourself with our free demo.