Ramifications of IAM And The Cloud
Posted by Bob Craig - Dir Prod Marketing on Tue, Dec 08, 2009
Cloud computing is hot and enterprises (and many of their software suppliers) are moving enterprise applications to the cloud. Why? Because, cloud computing offers some attractive advantages. The economics can be very appealing, since by moving applications to a cloud provider, companies can reduce capital expenditures and pay for resources as they consume them. Because cloud applications typically run on a shared platform, cloud providers are able to deliver services at a lower cost. And, cloud applications deliver greater flexibility, since virtualization technology allows cloud providers to dynamically expand or reduce resources to meet fluctuating business needs, which is particularly appreciated by companies with seasonal spikes in utilization (such as retail during the holiday season).
At Courion, our concern is with how cloud computing affects your Access Assurance strategy. First we'll consider the identity and access management (IAM) ramifications of moving internal applications to an external cloud-based platform.
As we noted in a posting last April, (Bringing Clarity to the Cloud (Manifesto)), when you outsource crucial applications to an external provider (regardless of whether it's cloud-based or not) one factor you need to consider is how you'll manage the identities of users who require access to those systems, whether through provisioning, role management, access certification or password management. The good news is that the process of providing users with secure access to cloud applications is conceptually the same as with a traditional, in-house architecture. If you have an IAM infrastructure for managing users' identities, it should be able to do the same for a cloud, or any other web-based, application. You'll want assurance that you'll have the ability to automatically modify access rights when the user's role changes or revoke accounts when they leave the organization.
You should also weigh the risk associated with the data that you're moving to the cloud. Even though it's still your data, you're inevitably giving up some element of control over how that data is protected. You need to make sure that you can analyze the balance between risk and reward and evaluate the potential risk to your organization if there is a data breach in the cloud application.
For example, cloud service providers rely on their system administrators, just as you do in your own data center. Who will be the system administrators for the cloud application and what steps will be taken to prevent them, or other internal users, from unauthorized access to your sensitive data? If there is a breach, what kinds of forensic tools will be available to help you determine what happened?
Do you even know where the data will reside? Is there a possibility that the cloud provider might move your data to locations beyond your country borders to, for example, save costs? If that's the case, make sure you understand the legal ramification that arise when personal or private information (such as patient healthcare or customer financial data) crosses international boundaries.
Botton line: trusting your sensitive data to a cloud provider raises a mix of interesting questions, so make sure you consider them as part of your overall IAM and security policies and procedures. Sign up for our webinar on "Access Assurance in the Cloud" to learn more.