Increased adoption of cloud services, combined with the BYOD (Bring Your Own Device) phenomenon, is causing identities and access rights to proliferate throughout the enterprise, putting ever-greater stress on organizations to go beyond perimeter defenses to secure access to sensitive information.
According to a survey conducted by Symantec and the Cloud Security Alliance at the CSA Summit this past winter, 90 percent of organizations consider control of who can access which cloud applications to be one of the most important factors affecting cloud adoption.
It’s also a complicated and potentially costly factor.
For instance, imagine an organization that uses Salesforce for its CRM and also allows employee access to Salesforce through personal mobile devices. If an employee leaves the organization, IT must deprovision the employee’s network access. But it must also shut down Salesforce access rights, or else the former employee will continue to have access to valuable customer information. For many organizations, that’s still a largely time-intensive and manual process.
As more and more resources and data move to the cloud, where they can be accessed by devices of all sorts, the traditional concept of security via protecting the perimeter and end-points begins to break down. The perimeter is no longer a sharp line; it is a much fuzzier concept. This is breeding new attention for identity and access management (IAM) systems that focus on identity lifecycles and access controls.
As Chris Zannetos, CEO of IAM specialist Courion, puts it, the goal of IAM solutions is to “ensure that the right people have access to the right resources&and that they are doing the right things with that access.”
IAM Based on Manual Processes Becomes Impossible in Large Organizations
The larger the organization, the more unwieldy a manual approach becomes. Courion COO Dave Fowler points to one client, a financial institution with key financial assets it must protect, with 30,000 employees and about 1,000 applications to support.
“When you multiply out the number of employees, times the number of identities they have, times the access rights they have within those applications, and you look at the number of connections that creates, it’s hundreds of millions of relationships,” he says. “You can’t possibly monitor that through a manual process on a daily basis.”
Provisioning access rights can be just as challenging as deprovisioning them, Fowler says.
“When I start up a new employee, if I can’t automate the process of bringing him onboard, then I lose valuable employee time,” he says. “If it takes five or six days, that’s five or six days of lost time.” That’s not just an efficiency issue. It can have severe consequences for security and compliance as well, Fowler says.
For instance, in healthcare, hospitals can bring on hundreds of new residents in a one-week period. “If they can’t get provisioned to the things they need access to in order to do their work, what do they do?” Fowler asks. “They end up working around the system. Doctors give their system access information to residents, just so they can get their work done.”
The Complexities of Automated IAM
In the past, IAM systems were realistically only available to the largest enterprises. It’s not hard to understand why: creating a system that is both automated and federated is no easy task, Zannetos explains.
“First, there are the complexities of the heterogeneous computing infrastructure,” he says. “This infrastructure consists of many, many applications, systems and networks. Each of those computing systems has a security model and access control that is optimized for that specific system—and not the whole environment. Bridging those is quite difficult. And the business keeps on changing, which often results in recombination of these varied systems in a single process. Think the Automated Teller Machine, via which the simple business action of transferring money from your savings to checking account requires the integration of funds transfer, passbook savings, demand deposit and account reconciliation applications—all optimized for their specific function, not for you transferring money via an ATM.”
And second, he explains, computing has grown to become the foundation for business operations, which means that nearly every business action affects who should have access to what resources, and what they should do with that access.
But IAM systems are now moving into the cloud where they can be delivered on a Software-as-a-Service (SaaS) basis. That has done a great deal to democratize IAM systems and make them available to organizations of all sizes.
“What we’re seeing a lot now is the idea that organizations can go from a manual system or nothing at all, and they don’t have to pay a lot up front,” Fowler says. “They can pay on a monthly basis: OpEx instead of Capex. That is attractive to them. And they get the best practices of all the organizations that have done this before. They don’t have to relearn how to do identity and access management. They don’t have to have any expertise. I can participate the same way that some of the more sophisticated organizations have without hiring all the experts to do it.”
Thor Olavsrud covers IT Security, Open Source, Microsoft Tools and Servers for CIO.com. Follow Thor on Twitter @ThorOlavsrud. Follow everything from CIO.com on Twitter @CIOonline and on Facebook. Email Thor at firstname.lastname@example.org