Identity and access management in the cloud is one of the key security concerns for IT security teams.
The tens or potentially hundreds of different SaaS, platform as a service and infrastructure as a service (IaaS) applications in use in large organizations mean that, without a way of centrally managing credentials and access rights, it becomes almost impossible to track who has access to which services, and how securely they are configured. Different SaaS services have different password policies and expiration times, and information rights management can be inconsistent at best.
The challenge with secure cloud access control is to integrate cloud logins into the existing security policies of the organization through single sign-on. There are two main ways to do this: use an identity as a service (IDaaS) provider or a cloud access security broker (CASB). Most CASBs incorporate IDaaS into their offering.
In basic terms, IDaaS centrally manages access to cloud services through identity federation: the IDaaS provider acts as the identity provider and uses a protocol such as Security Assertion Markup Language (SAML) to pass a signed authentication assertion to the cloud service, rather than the user's password itself. The identities can be sourced from an existing directory, such as Active Directory. This makes it relatively simple to handle identity and access management (IAM) across a large number of cloud services.
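The following is an added example, not code from the article or from any IDaaS vendor, showing what a federated login looks like from both sides and which checks the cloud service (the SAML service provider, SP) must perform before it trusts an assertion. The entity IDs and user are constructed, and an HMAC over the assertion bytes stands in for the XML Signature a real identity provider (IdP) would apply with its X.509 key; everything else (Issuer, AudienceRestriction, NotBefore/NotOnOrAfter, InResponseTo) is the standard SAML 2.0 structure. It then runs one good login and four cases a correct SP rejects: replay, a tampered subject, an assertion minted for a different SP, and an expired one.

```python
import base64
import hashlib
import hmac
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed entity IDs for the example; not real services.
IDP_ENTITY_ID = "https://idp.example.test/metadata"
SP_ENTITY_ID = "https://crm.example.test/saml/metadata"
# Stand-in for the IdP signing key. Real SAML uses XML Signature with the IdP's
# X.509 certificate; an HMAC is used here only so the example runs on the stdlib.
IDP_KEY = b"example-idp-signing-key"


def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_iso(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sign(assertion_xml, key):
    """Detached signature over the exact assertion bytes (stand-in for XML-DSig)."""
    return base64.b64encode(hmac.new(key, assertion_xml, hashlib.sha256).digest()).decode()


def idp_issue_assertion(subject, audience, in_response_to, now, ttl=300):
    """IdP side: after authenticating the user (e.g. against AD), vouch for them.
    The assertion names the user and the target SP; the password never leaves the IdP."""
    expiry = _iso(now + timedelta(seconds=ttl))
    xml = (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_{uuid.uuid4().hex}" '
        f'Version="2.0" IssueInstant="{_iso(now)}">'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID>"
        f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData InResponseTo="{in_response_to}" NotOnOrAfter="{expiry}"/>'
        f"</saml:SubjectConfirmation></saml:Subject>"
        f'<saml:Conditions NotBefore="{_iso(now)}" NotOnOrAfter="{expiry}">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
        f"</saml:AudienceRestriction></saml:Conditions></saml:Assertion>"
    ).encode()
    return xml, sign(xml, IDP_KEY)


class ServiceProvider:
    """SP side: the cloud application that accepts federated logins."""

    def __init__(self, entity_id, idp_entity_id, idp_key):
        self.entity_id, self.idp_entity_id, self.idp_key = entity_id, idp_entity_id, idp_key
        self.outstanding_requests = set()  # AuthnRequest IDs we issued and not yet consumed
        self.seen_assertion_ids = set()    # replay cache for assertion IDs

    def new_authn_request(self):
        req_id = "_" + uuid.uuid4().hex
        self.outstanding_requests.add(req_id)
        return req_id

    def consume_assertion(self, assertion_xml, signature, now):
        """Return the authenticated NameID, or raise ValueError with the reason."""
        # 1. Verify the signature over the raw bytes before trusting any content.
        if not hmac.compare_digest(sign(assertion_xml, self.idp_key), signature):
            raise ValueError("bad signature")
        root = ET.fromstring(assertion_xml)
        # 2. Only the configured IdP may vouch for users.
        if root.findtext("saml:Issuer", namespaces=NS) != self.idp_entity_id:
            raise ValueError("unexpected issuer")
        # 3. Audience: an assertion minted for another SP must not log in here.
        cond = root.find("saml:Conditions", NS)
        if cond is None:
            raise ValueError("missing Conditions")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if self.entity_id not in audiences:
            raise ValueError("audience mismatch")
        # 4. Validity window, judged by the SP's own clock.
        if not (_parse_iso(cond.get("NotBefore")) <= now < _parse_iso(cond.get("NotOnOrAfter"))):
            raise ValueError("assertion outside validity window")
        # 5. Bind to a login we actually started, and consume it (one shot).
        scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        req_id = scd.get("InResponseTo") if scd is not None else None
        if req_id not in self.outstanding_requests:
            raise ValueError("unsolicited or already-used InResponseTo")
        self.outstanding_requests.discard(req_id)
        # 6. Assertion ID replay cache (matters most if IdP-initiated SSO is allowed).
        if root.get("ID") in self.seen_assertion_ids:
            raise ValueError("replayed assertion")
        self.seen_assertion_ids.add(root.get("ID"))
        return root.findtext("saml:Subject/saml:NameID", namespaces=NS)


def _attempt(sp, xml, sig, now):
    try:
        return ("ok", sp.consume_assertion(xml, sig, now))
    except ValueError as e:
        return ("rejected", str(e))


def demo():
    """One good login, then four cases the SP must reject."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    sp = ServiceProvider(SP_ENTITY_ID, IDP_ENTITY_ID, IDP_KEY)
    user = "alice@example.test"
    xml, sig = idp_issue_assertion(user, SP_ENTITY_ID, sp.new_authn_request(), now)
    results = {"valid": _attempt(sp, xml, sig, now)}
    results["replay"] = _attempt(sp, xml, sig, now)
    results["tampered"] = _attempt(sp, xml.replace(b"alice@", b"admin@"), sig, now)
    other, sig_o = idp_issue_assertion(user, "https://other.example.test/saml", sp.new_authn_request(), now)
    results["wrong_audience"] = _attempt(sp, other, sig_o, now)
    late, sig_l = idp_issue_assertion(user, SP_ENTITY_ID, sp.new_authn_request(), now)
    results["expired"] = _attempt(sp, late, sig_l, now + timedelta(seconds=600))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15s} {outcome}")
```

Two points are worth noting. The user's password is never sent to the SP; the SP trusts the IdP's signature, which is exactly why the IdP (and the IDaaS vendor operating it) becomes the high-value target discussed below. And the checks run in a deliberate order: signature before parsing anything, then issuer, audience, time window and request binding, since skipping any one of them is a classic SAML implementation flaw.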
A CASB broadens IDaaS to provide granular secure cloud access control, ideally by extending your Active Directory policies into the cloud.
Secure cloud access control considerations
However, a word of caution is needed on the use of IDaaS before you go too far down that path. As with all cloud services, you rely on the security of the vendor. Any company that stores credentials for large numbers of enterprises is a prime target for attackers. The 2017 breach of OneLogin, an IDaaS provider, showed that your credentials may not be as safe as you are led to believe.
The security of your organization's user identities is paramount to protecting the business. A set of credentials stolen or leaked from an IDaaS provider could be used to gain access to data on your systems, both in the cloud and on premises. You are essentially outsourcing the keys to your entire network to a third party. So, before you do, it is sensible to expect their security to be, at a minimum, on a par with your own, and ideally much stronger.
Ideally, for secure cloud access control, you would restrict the use of cloud services to the bare minimum that is required, and then further limit who has access to those services, so that a CASB or IDaaS is not needed at all. When this is not viable, you may, for operational reasons, need to use an outsourced service to manage the credentials.
If you do, be thorough in vetting the security of the service: look for adherence to recognized security standards and ask to see penetration test reports. As an experienced hacker, my advice would be to do everything you can to avoid putting your identities into the cloud.