As more data leaves the enterprise strong identity lags
In addition to convenience, cloud computing is touted for its money saving capabilities as companies reduce software licensing costs and hardware requirements.
Identity management in the cloud isn’t as cut and dry. Standards are emerging to manage identities in the cloud but, until now, it hasn’t been a priority. The auditing and provisioning capabilities that are typical with enterprise-based ID management systems are tough to come by with cloud-based systems. “ID management is the biggest weakness we have right now,” says Tony Busseri, CEO at Route1, a digital security and ID management provider. “People have rushed to embrace a technology that’s great in concept, but they have ignored the ID management.”
These issues exist more in the public cloud than the private cloud, Busseri explains. “The public cloud is great in terms of functionality but from a privacy standpoint you don’t know where the information is going,” he says.
A private cloud, while more expensive, enables a corporation to put its own security and ID management protocols in place. “With the public cloud, security and identity are treated as a secondary concern,” Busseri says, “or not at all.”
And once the data is in the cloud it’s not necessarily possible to get back. “It’s like trying to put toothpaste back in the tube,” Busseri explains.
The problem begins when an organization decides to start using a cloud-based application, says Andy Land, vice president of marketing at UnBoundID Corp. The use of a cloud app typically doesn’t begin with IT but out of a business need.
“It starts with a business case,” explains Land. “It becomes important but then they don’t want to manage it anymore.”
He cites the example of a sales director who finds an app to enable his staff to more easily track of sales leads in the cloud. He has a few of his staff start to use it and they find it is easier than the prior system. The director migrates the entire sales staff to the cloud-based solution, and only after some issue arises does he go to IT and ask them to fix it or manage the system. This doesn’t make IT happy, he notes.
“IT usually controls things and mitigates the risk,” Land says. “When you have these cloud-based apps you don’t know what the risks are or how someone was provisioned.”
If an organization is using more than one cloud app, identity management gets more complex, says Darren Platt, founder and CTO at Symplified Inc. Enterprise-based single sign-on systems solved a lot of the problems with employees accessing numerous systems, but cloud-based solutions that handle these same tasks are still emerging. “These were all uses that were solved inside the enterprise but now because of the cloud there are new challenges,” Platt adds. “You need a different technology to solve the problems.”
Auditing and provisioning are two specific weaknesses with cloud-based identity management. With no central ID repository each application is managed separately and there is no central audit trail to check an employee’s activity, explains Platt. This also leads to issues when an individual leaves a company and has to be de-provisioned.
“A sales representative could be given access to engineering drawings to show clients,” Platt says. “He leaves the company and is taken off of the expense and other systems but is still in the engineering one because there’s no central point of control.”
Cloud-based single sign-on can be created, says Platt. There are a number of different approaches. One would have vendors deploy an in-house gateway that strings together the different cloud-based sites, apps and authentications.
The mobile and the cloud
The combination of mobile devices and cloud computing can enable individuals to access information anywhere they have an Internet connection.
This is good and bad, says Tony Busseri, CEO at Route1. “The mobile computing world will save companies a lot of money by making employees more efficient,” he says. “But we have to put in more time for identity management.”
Mobile devices are causing headaches for network administrators. “People believe that data should follow them and they should have access to information wherever they are,” Busseri says. “But much of that information should not leave the firewall.”
The best way to use mobile devices and the cloud is to set up an infrastructure where information can be viewed and changed but not removed from the cloud, Busseri says, “so data can’t be pulled on to the device.”
The cloud, the mobile and physical access control
The cloud and mobile computing may revolutionize the physical access control industry, says Tam Hulusi, senior vice president for Strategic Innovation and Intellectual Property at HID Global.
Instead of having a wired physical access control system, a mobile device with its wireless connection could be both the key and the processor. “Instead of a reader going to a panel and a panel going to a computer you would have the phone do it all,” Hulusi says. “Your handset is just as smart as the reader and panel.”
With cloud-based physical access control the phone will be the rules engine. When an employee goes to a door several thing will happen. The phone will confirm the location, make sure they have proper authorization to access the area and ensure that they are allowed access at that specific time.
All this data will be checked against data stored in the cloud and then the handset will send an encrypted signal to the door for it to open. “Physical access control systems won’t have to be wired,” Hulusi says.