I was talking to someone at InfoSec a few weeks ago about cloud based directory services. We were discussing some of the challenges associated with Identity Access Management and whether those would be more or less prevalent using a cloud-based solution. They said that the great thing about having a cloud-based directory services solution is that it’s a clean environment and hence would not suffer from ‘legacy’ issues such as inappropriate access rights or rights accumulated over time.
So is a cloud based directory services solution a panacea for IAM? Let’s look at some of the challenges:
- Multiple entitlement stores – at idax we think it is important to have a consolidated view of user entitlements and so commend the idea of bringing together federated access rights from modern-day cloud services into a centralised repository. idax supports one or many stores and have helped clients to rationalise their disparate entitlements store into a single view, and so a single store fits well into our vision.
- New joiners & movers – we often find organisations who still grant access to new starters based on the access rights of someone they will be working with rather than based on the role they will be doing. We also find a correlation between the amount of time a person has been at an organisation and the number of access rights they have which suggests they have accumulated rights over time which should have been revoked. This problem will not go away with a cloud based solution, although clearly migrating to a suite of new cloud based services may provide an opportunity to clean up some of the legacy entitlements. idax allows you to identify which access rights a person should have when they join or move within an organisation. Many of these decisions can be automated with no need for manual approval. idax then integrates with your existing provisioning solution, or has built in workflow to track any manual provisioning which may need to take place.
- Role-based access – organisations have long struggled with role-based access rights. As the number of people, applications and access rights increases, the problem gets exponentially more difficult. We think this is likely to continue with cloud-based solutions as the problem of figuring out what access a particular person should have does not get any easier. idax looks at the existing access rights within an organisation and establishes profiles to determine who should have access to what. Furthermore, we do it right out-of-the-box; there is no need for a large analysis exercise to establish profiles and set up rules and typically, once the data is loaded, idax can get answers in hours rather than months.
- Principle of least privilege – due to some of the challenges outlined above, the principle of least privilege has also historically been a difficult thing to achieve in practise. Again, we believe that in a cloud-based environment, the same challenges will not only persist, but the risks of not doing it will be exacerbated. One of the great advantages infrastructure as a service and software as a service brings is that it becomes much easier for organisations to provide access to their systems from different devices and locations. This very flexibility means that organisations should be much more confident that people only have access to the systems they need to have access to in order to do their job.
In summary, we think cloud based directory services are an excellent tool for helping manage entitlements in a cloud based application architecture. However, after a brief respite due largely to moving to new applications and demising old ones, organisations will find the challenges of identity and access management do not get any easier. Further, because of the increase in the number of end-points where a piece of software can be used, the challenges become even more important ones to solve.
At idax we believe identity analytics is the way forward. If you would like to learn more, please get in touch.