Rethink cloud security to get ahead of the risk curve
Blog Article Published: 06/05/2013
By Kurt Johnson, Courion Corporation

Ever since the cloud rose to the top of every IT discussion, the issue of cloud security has been right alongside it. Let's face it, enterprise security has never been easy, and the rapidly expanding use of software in the cloud has added layers of complexity, and risk, to the job. More valuable intellectual property, personally identifiable information, medical records and customer data now sit in the cloud. That risk should not prevent the move, but it does need to be managed.

With more data spread across multiple environments, accessed not only by employees but by contractors, partners and customers alike, and from more devices such as tablets and mobile phones, identity and access becomes an increasing concern. Who has access? Do they need this access? What are they doing with that access? All of these questions are critical to an effective security strategy.

The cloud doesn't change identity and access management needs. We still need to ensure that the right people get the right level of access to cloud resources, and that they do the right things with that access. However, many cloud applications are purchased by business units without IT's knowledge, so identity and access administration becomes more ad hoc. Security is losing control, but not losing responsibility.

The IAM Gap

The cloud only puts a fine point on overall access risk as a growing concern. We're confronting an expanding identity and access management gap (the "IAM gap") that threatens the integrity of many organizations today. Many organizations use provisioning systems to automate the setup, modification and disablement of accounts according to policy. Access certification provides a periodic, point-in-time look at who has access: managers must attest that their subordinates' access matches their responsibilities. But what happens in between? New applications, new accounts, new policies and other changes are a daily event.

The ad hoc nature of the cloud means new users and new access can appear without any visibility to IT. Identity and access should not be a once-a-year checkpoint. The gap between provisioning and certification covers a vast and constantly changing web of relationships among identities, access rights and resources. It is a danger zone that exposes the soft underbelly of your organization's security. No one would run a virus scan or intrusion detection analysis only once every six months, so why should your organization stall on monitoring identities and access?

So, what should your organization do? Take a hard look at IAM programs and expand them to include the cloud. Update IAM guidelines and controls. Go beyond mere provisioning and certification to include intelligence and analytics. Define the policies for who should have what type of access, define appropriate use, and get the lines of business involved in the process. Then make sure cloud as well as on-premise applications are included. There should not be stove-piped strategies, one for cloud and one for on-premise; there should be a single enterprise IAM strategy that incorporates both.

To incorporate the cloud in this strategy, start with an inventory of your cloud applications. Once the cloud applications have been identified, categorize them by risk, much like any enterprise application, and match the identity and access controls to the risk level.

Low risk applications, like TripIt, should have acceptable use agreements and password policies. Too many end users reuse the same passwords for personal applications and enterprise applications, so a password breach at a low-risk service, such as the ones that hit Evernote or LinkedIn, can expose enterprise credentials as well.

Medium risk applications, such as Box or ShareFile, should add automated provisioning and de-provisioning, access certification reviews, access policy reviews and exception monitoring.

High risk applications, such as Salesforce.com, should add higher-level controls: user activity monitoring, privileged account monitoring, multi-factor authentication, and identity and access intelligence that provides more real-time analysis and monitoring of access risk.

The strategy needs to address the gap not just on day one and through periodic point-in-time reviews, but with intelligence that provides a measure of real-time monitoring and tracks user activity. As the openness imperative and the cloud movement raise the stakes of access risk management, organizations need to:
- Identify where the risk is and understand it
- Drive security controls to mitigate the risk
- Dynamically strengthen security controls based on risk status
- Spotlight risk in real time
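The IAM gap described above, the space between an account being provisioned and the next certification review, is where orphaned accounts, accounts created directly by a business unit, and privilege drift accumulate. The following Python script is an added example, not code from the article or from Courion, of the kind of continuous reconciliation the article argues for: it compares what the provisioning system believes (identity status and approved entitlements per application) against what each cloud application's admin API reports, and grades every discrepancy by the application's risk tier, raising the severity when a privileged role is involved. The identity records, application snapshots, risk tiers and role names are constructed sample data and assumptions; a real deployment would pull them from the HR feed, the provisioning system and each SaaS provider's user API.

```python
"""Continuous access reconciliation between a provisioning source of truth and the
accounts observed in cloud applications (added example; all data below is constructed)."""

from collections import Counter
from dataclasses import dataclass
from datetime import date

# Assumption: which role names count as privileged in the sample applications.
PRIVILEGED_ROLES = {"admin", "owner"}
TIER_SCORE = {"low": 1, "medium": 2, "high": 3}
SCORE_LABEL = {1: "low", 2: "medium", 3: "high", 4: "critical"}

# Constructed: what the provisioning system / HR feed believes should be true.
IDENTITIES = {
    "alice": {"status": "active", "terminated": None,
              "entitlements": {"salesforce": {"user"}, "box": {"member"}}},
    "bob":   {"status": "terminated", "terminated": date(2013, 4, 1), "entitlements": {}},
    "carol": {"status": "active", "terminated": None,
              "entitlements": {"salesforce": {"user"}}},
}

# Constructed: what each application's admin API reports today (account -> roles, last login).
OBSERVED = {
    "salesforce": {
        "alice":      {"roles": {"user"}, "last_login": date(2013, 6, 3)},
        "bob":        {"roles": {"user", "admin"}, "last_login": date(2013, 5, 20)},  # left in April, still logging in
        "carol":      {"roles": {"user", "admin"}, "last_login": date(2013, 6, 4)},   # admin was never approved
        "svc-report": {"roles": {"admin"}, "last_login": None},                      # created in the console, no identity
    },
    "box": {
        "alice": {"roles": {"member"}, "last_login": date(2013, 6, 1)},
        "dave":  {"roles": {"member"}, "last_login": date(2013, 6, 2)},  # invited by the business unit, unknown to IT
    },
}

# Constructed: the risk inventory the article recommends building.
RISK_TIER = {"salesforce": "high", "box": "medium", "tripit": "low"}


@dataclass(frozen=True)
class Finding:
    app: str
    account: str
    kind: str       # unmanaged_account | orphaned_account | privilege_drift
    severity: str
    detail: str


def severity(tier, privileged):
    """Severity follows the application's risk tier, raised one level when a privileged role is involved."""
    return SCORE_LABEL[TIER_SCORE[tier] + (1 if privileged else 0)]


def reconcile(identities, observed, risk_tier):
    """Compare observed accounts against the provisioning source of truth and return findings."""
    findings = []
    for app, accounts in observed.items():
        # An application missing from the inventory is treated as high risk until it is classified.
        tier = risk_tier.get(app, "high")
        for account, data in sorted(accounts.items()):
            roles = set(data["roles"])
            privileged = bool(roles & PRIVILEGED_ROLES)
            identity = identities.get(account)

            if identity is None:
                # Account exists in the app but was never provisioned: it bypassed IT entirely.
                findings.append(Finding(app, account, "unmanaged_account", severity(tier, privileged),
                                        f"no identity in provisioning system; roles={sorted(roles)}"))
                continue

            if identity["status"] == "terminated":
                # De-provisioning failed or never reached this app; note whether the account is still in use.
                last = data["last_login"]
                used_after = last is not None and last > identity["terminated"]
                detail = f"terminated {identity['terminated']}; " + (
                    "logged in after termination" if used_after else "no login since termination")
                findings.append(Finding(app, account, "orphaned_account", severity(tier, privileged), detail))
                continue

            # Active identity: any role beyond the approved entitlement set is drift.
            drift = roles - identity["entitlements"].get(app, set())
            if drift:
                findings.append(Finding(app, account, "privilege_drift",
                                        severity(tier, bool(drift & PRIVILEGED_ROLES)),
                                        f"unapproved roles: {sorted(drift)}"))
    return findings


def summarize(findings):
    """Count findings by kind, the figure a periodic access-risk report would lead with."""
    return Counter(f.kind for f in findings)


if __name__ == "__main__":
    for f in reconcile(IDENTITIES, OBSERVED, RISK_TIER):
        print(f"[{f.severity:>8}] {f.app}/{f.account}: {f.kind} ({f.detail})")
    print(dict(summarize(reconcile(IDENTITIES, OBSERVED, RISK_TIER))))
```

Two design choices matter more than the data model. An application absent from the risk inventory defaults to the high tier rather than being skipped, because an uninventoried application is exactly the shadow-IT case the article describes. And unmanaged accounts are flagged even when they hold no privileged role, since the problem is not the role but that the account never passed through provisioning and will never be caught by a certification that only reviews known identities.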