Let me set up a common (and alarming) scenario I’m seeing at more than a few enterprises: while IT is slow to move mission-critical applications to the cloud due to fears of security vulnerabilities, outages, or costs, business units within the same company are already procuring cloud applications without even involving IT - even for critical and sensitive applications. In fact, through a recent survey conducted by my company, SailPoint, we found the selection and deployment of cloud applications is increasingly becoming a business-led process. Alarmingly, the survey found that only 34% of business leaders brought IT into the decision-making process when choosing a cloud service, and only 29% got IT’s help while the service was being deployed.
The lack of IT involvement in the procurement and deployment of cloud applications makes it difficult for IT organizations to manage security and compliance risks. In an increasing number of cases, IT has no visibility to the cloud applications in use and, worse still, is not involved in ensuring proper security and access controls (i.e., understanding and managing who has access to what) are in place. Failing to control access to sensitive applications and data can leave an organization at risk for fraud, misuse of data, and privacy breaches, not to mention negative audit findings. At the end of the day, someone in the organization needs to manage and govern who has access to these mission-critical applications no matter where they reside. Frighteningly, our recent survey found that nearly half of business leaders aren’t well educated on this need nor are they equipped to effectively handle user access privileges and other key factors necessary to safeguard the data housed in these new cloud applications.
Compounding this trend towards cloud application adoption, end users are feeling more and more empowered to make their technology choices when it comes to how they access these applications. Accessing corporate networks and cloud applications via “bring your own device” smartphones and tablets has become the norm in corporate environments. Because of this IT must approach the issue of access control with a new mindset. Gone are the days when an organization can simply block users from using devices or applications as IT is often not even aware that they are being used! Instead, IT will have to find ways to manage and secure cloud applications without blocking business user choice and autonomy. Fortunately, the right identity and access management (IAM) strategy can help organizations extend control to cloud applications in a simple, convenient manner.
Specifically within their IAM strategy, it’s wise for organizations to inventory and classify clouds applications by risk, rather than taking a one-size-fits-all approach to policy and control. Based on the potential risk or criticality a particular cloud application represents, different levels of management and control are required. For mission-critical cloud applications such as financial services and customer relationship management applications, an organization would want complete visibility and oversight as to “who has access to what.” Therefore, for this class of cloud applications, it’s important to implement preventive and detective controls over the processes that grant, change and remove access to cloud applications to ensure that compliance and security guidelines are being followed. By providing detailed reporting on user access, IT and business staff will be armed with the intelligence they need to secure the application, reduce corporate risk and meet audit and compliance requirements.
For less sensitive applications, IT would ideally still have visibility into how and when those applications are used so that decisions can be made about the appropriate degree of management and control they require over time. While not directly managed by IT, organizations should ensure employees understand that sensitive or proprietary information should not be posted to those applications.
For some cloud applications, cost control may be just as important as security - for example, many SaaS applications charge based on the number of user accounts. Because of this, it important that accounts are maintained only for users that actively require that a SaaS application to do their jobs and that those accounts are promptly removed when the user leaves the organization or no longer has a need for it. As more and more applications move to the cloud, it will important to know not just who can access applications, but whether workers are truly using the cloud applications that the organization has licensed on their behalf.
Cloud computing is becoming an integral part of a business’ infrastructure, with more and more companies looking to adopt cloud applications as part of their business strategy. However, the benefits of the cloud, from cost savings to speed to flexibility can be negated if they leave a business exposed to security breaches and compliance issues. Successfully managing the adoption of cloud applications requires a shift in IT’s role from that of a “gatekeeper” to becoming an enabler. Those who figure out how to combine the convenience of easy access to cloud applications with IT oversight will be able to gain the buy-in of business users while having the right controls in place to protect assets and manage corporate risk.
ABOUT THE AUTHOR
