Last updated: 15 July 2018
The growing popularity of Cloud services (IaaS, PaaS, and SaaS) solutions in global organizations probably comes as no surprise— enterprises can purchase the features and services their developers need, and scale up or down as the organization evolves – and they can deliver numerous applications quite easily from the cloud. Although some cloud services offer enterprises predictable expenses, the cloud security surrounding these services is less predictable. Such a diverse cloud estate has become a challenge for risk officers, CISOs and IT teams managing different groups of users. These range from remote workers and contractors, administrators of privileged accounts, to standard, in-house employees. Fortunately, you can adopt cloud access management measures for an effective digital transformation strategy, as Part 3 of this 3-part blog series addresses.
Foggy about the series? Read Part 1, Things to Consider in Your IAM Strategy: Secure Multi-Cloud Services and Part 2, Things to Consider in Your IAM Strategy: Privileged Cloud Users
Part 3: How can you provide both convenience and security for standard employees?
It’s not fake news that companies are using more and more services in the cloud, as part of their digital transformation strategy. As enterprises adopt cloud applications, users experience password fatigue – the seemingly endless hassle of creating and maintaining separate identities and passwords for the many cloud and web apps that they need to access daily. As well, standard employees often have to validate their identities with strong multi-factor authentication, hindering their access even more.
Standard users subject to password fatigues and lockouts
Whereas enterprise security officers are concerned with employees working beyond the traditional safe confines of the corporate, on-premises network, it’s a different scenario for standard employees: when low risk end users log into cloud apps, they do not require access to the same information as privileged users, such as Human Resource managers, financial, IT or C-suite level executives. These standard users need to work easily and productively, without wasting time on system lockouts or forgotten passwords.
Cheaper to build; easier to adopt
According to a KPCB report from the Internet Trends Code Conference, May 2017, cloud-enabled applications have risen because they are cheaper to build and easier to adopt. But the report states that these have ‘serious security and compliance implications’ and that 94% of all cloud apps used are ‘not enterprise ready’.
In response to their concerns, some security policies have set up strict guidelines regarding passwords, causing some employees to write them down on sticky notes!
Obviously, not safe, some enterprises offer lighter access policies for their applications secured on-premises, but require stricter access to applications located remotely or in the cloud. However, management and configuration of these policies can be complicated and time-consuming. How can IT teams adopt a seamless, yet secure cloud access management system?
• Offer convenience without compromising on productivity
Instead of requiring end users to keep track of multiple passwords and adhere to strict regulations, IT managers can use a cloud single sign-on and provision users with long session times and limited access to areas or applications reserved to privileged users.
• Allow flexible access policies
Whereas cloud single sign-on provides convenience to standard users, you can establish flexible access policies that require stronger authentication as users step up to higher risk situations. Adding contextual information and session-based management will provide the extra layer of cloud security needed, allowing both standard users and IT teams a relief of identity and access management messes.
• Keep track of user access and monitor activity
A centralized access management system will keep track of the applications end users are accessing, when and from where. Failed attempts will provide IT teams with important information as to the device, location or other contextual information that caused the user to fail or succeed.
• Quickly onboard and deprovision low-risk contractors and employees
An effective system will onboard employees quickly and deprovision them if they change position complete their contracts. In this way, end users can work focus on their core responsibility and leave authentication and access execution to the enterprise IT systems.
When choosing your which cloud access management solution to implement in your organization, your IT team may want to assess the following factors:
1. Does your enterprise use multiple cloud services such as IaaS, PaaS or SaaS?
2. Does your organization have sufficient resources, both human and financial to manage access for each cloud service?
3. Does your IT team have enough time to configure each cloud service?
4. Is your IT team versed in legacy security systems or does it need to be trained or certified to configure cloud services such as Microsoft Azure or Amazon AWS?
5. How many users or groups of users in the organization need admin or privileged access? Does the IT team have enough time to define and manage privileged accounts and define policies affecting different groups of users?
6. How many contractors need to access cloud applications, and when do their contracts end?
7. How many in-house employees need a limited access to applications, and what means are they using to validate their credentials to enter these services?
This post concludes this blog series: Things to Consider in Your IAM Strategy, but it does not conclude the digital transformation of your enterprise. Cloud services for enterprises are not going to evaporate, and neither are their security vulnerabilities. However, CISO and IT managers will find it difficult to apply the same security measures surrounding their on-premises solutions to their cloud-based services, whether they are IaaS, PaaS or SaaS.