Managing identity data and controls can be a major challenge for many enterprise security teams. With the explosive growth in mobile devices, applications and cloud services, it can be daunting to maintain adequate security for access and authorization, as well as user provisioning.
New cloud-based identity and access management (IAM) services are growing in popularity as more organizations look to simplify identity management, but security teams should consider a number of factors when implementing cloud IAM products and services.
Implementing cloud-based identity and access management
First, make sure you understand current organizational needs and capabilities when trying to replace in-house IAM or extend existing IAM products using a cloud model. Too often InfoSec pros extend authoritative repositories like Active Directory and others into the cloud service environment. This brings new risks by either replicating identity data into the cloud (for storage), or extending trust boundaries beyond the traditional enterprise perimeter where traditional security controls often can't be applied.
Next, determine whether you will need to synchronize internal and external IAM products and services. If so, be sure to evaluate service-level agreements and performance statistics to ensure smooth and uninterrupted identity access between in-house user stores and the data being accessed and leveraged in the cloud environment. Most cloud IAM providers will support a dedicated VPN connection to their environments so that user repository and identity data can traverse more securely. Be sure the cloud IAM provider supports strong authentication standards for multifactor authentication and passwords.
Ensure cloud applications are not using a different set of standards and technologies than those used for your other applications and general infrastructure. Custom IAM systems not built on standards like Security Assertion Markup Language (SAML) can lead to vendor lock-in problems. When evaluating cloud IAM services, be sure application development teams are comfortable with any standards required for integrating applications and data with the cloud IAM environment. Information owners should integrate identity as a service (IDaaS) interaction into the software development lifecycle (SDLC), especially for partners. This requires a commitment to using the IDaaS during the requirements-development phase of the SDLC, which ensures proper integration.
Consider all current and planned user scenarios as well, including the types of devices and roles that will need to access and make use of the cloud IAM features. Be sure to collaborate with various IT and business stakeholders; many may need to be educated about various ramifications a cloud IAM system will have on endpoints and access processes. With the advent of bring your own device initiatives in many organizations, a broad range of mobile devices -- including some that may not seem obvious -- may need to be supported when integrating identity access.
Finally, thoroughly investigate the security controls in place at the IDaaS provider. If user identity data is going to be stored within the provider environment, or trust boundaries will be extended into its cloud, then the provider must maintain stringent security controls to ensure your data is safe. Security measures should include encryption, logging and monitoring, role-based access control and more. Check to make sure the provider can meet any compliance requirements associated with identity data, too. In most cases this will be demonstrated with standard controls assertion reports like the SSAE 16 SOC 2, Cloud Security Alliance STAR or ISO 27002 certifications.
While cloud-based IAM services can greatly simplify identity and access management, especially for integration with cloud-based applications and services, it's key to properly assess compatibility, use of standards and security before taking the IDaaS option.
About the author:
Dave Shackleford is the owner and principal consultant of Voodoo Security, lead faculty at IANS, and a SANS analyst, senior instructor, and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures.