Let’s recap, shall we? That install of Firefox, IE, Safari, etc. is your method to cheaper, easier-to-use techno-services outsourced to a service provider (like Google) that takes on the infrastructure, technology and heavy lifting so that you, the business, can reap the ROI. Risks, well, we covered that already, HERE.
So how about Identity Management?
We also defined Identity Management, HERE. We can take the 101 knowledge and apply it to the Cloud. So we build out our security into buckets including Access Management (Authentication, Authorization, Entitlements), Provisioning and lest we forget, GRC (Governance, Risk and Compliance). Mix in audit, logging and reporting and we have a recipe for success.
Access Management in the Cloud
For our Cloud solution to work we need strong authentication (making sure you are who you say you are), strong authorization (making sure you can access what you are allowed to access, write where you are allowed to write, read what you are allowed to read, etc.) and a record of what the user has been up to (audit, log, report).
Provisioning in the Cloud
The keys to the kingdom rely on the creation of an actual account (provisioning) but, almost as importantly, on making sure that when you leave, by choice or not, we take those keys away (de-provisioning).
Governance, Risk and Compliance in the Cloud (GRC)
Attestation of all accounts (clean up and dump the orphaned accounts, folks) and a certification process to ensure it remains so must be implemented. We don’t want Walt of the just-fired brigade to have access to the company payroll, do we?
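The attestation and de-provisioning checks described above, as an added example (not code from the original post). The HR roster, the account export from a hypothetical cloud service, the field names and the 90-day certification window are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data. HR roster: employee id -> employment status.
HR_ROSTER = {
    "e100": "active",
    "e101": "terminated",  # the just-fired employee from the text
    "e102": "active",
}

# Constructed account export from a hypothetical cloud service.
CLOUD_ACCOUNTS = [
    {"account": "alice", "owner": "e100", "last_certified": date(2024, 5, 1)},
    {"account": "walt", "owner": "e101", "last_certified": date(2024, 5, 1)},
    {"account": "bob", "owner": "e102", "last_certified": date(2023, 1, 15)},
    {"account": "svc-backup", "owner": None, "last_certified": None},
    {"account": "carol", "owner": "e999", "last_certified": date(2024, 4, 20)},
]


def review_accounts(accounts, roster, today, max_age_days=90):
    """Return {account: [findings]} for every account that needs action."""
    findings = {}
    cutoff = today - timedelta(days=max_age_days)  # assumed review window
    for acct in accounts:
        issues = []
        owner = acct["owner"]
        if owner is None or owner not in roster:
            # Nobody accountable for the account: attestation cannot succeed.
            issues.append("orphaned: no known owner")
        elif roster[owner] != "active":
            # The owner has left: the keys must be taken away.
            issues.append("owner no longer active: de-provision")
        certified = acct["last_certified"]
        if certified is None or certified < cutoff:
            issues.append("certification missing or expired")
        if issues:
            findings[acct["account"]] = issues
    return findings


if __name__ == "__main__":
    report = review_accounts(CLOUD_ACCOUNTS, HR_ROSTER, date(2024, 6, 1))
    for name, issues in report.items():
        print(f"{name}: {'; '.join(issues)}")
```
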
Private Cloud Identity Management – Lower Risk with Higher Cost
We defined Private Clouds, HERE. Basically you own it, you operate it, you control it, you firewall it and the associated cost savings are greatly reduced but the security is greatly improved. Private clouds can be built on your own or outsourced to a “private” cloud provider but the cost savings diminish regardless (disadvantage). Your single sign-on, authentication, authorization, provisioning, role management, GRC, and audit & logging can sit behind the firewall in the private cloud. The odds of data loss and hacking go down considerably (advantage). The Return on Investment will be long term at best (I say at best because the technology cycle may produce the “next best thing” before you have a chance to recoup the cost).
Public Cloud Identity Management – Higher Risk with Lower Cost
We defined Public Clouds, HERE. On the plus side, Public Clouds equal diminished costs. Diminished costs equal happy business people concerned with ROI (in business speak we mean Return On Investment; in security speak we would have meant Risk of Incarceration ;)). The risk of deploying Identity Management services in the Cloud increases with the move into the public realm. Security in a shared environment is much more complex, as is the potential network complexity. The risk can be diminished in deploying Identity Management services within the Cloud as you should have access to defined best practices that have been utilized by past customer Cloud IdM implementations. As such the amount of bleeding edge risk will be reduced somewhat (this is where a company like IDMWorks can help you). Your contract with your public cloud provider had better ensure that they manage and take responsibility for the risk associated with potentially exposing your company’s corporate, customer and/or user data (by accident of course, but no one wants to lose their job or get sued over such an occurrence).
The Benefits of Private vs. Public Cloud Identity and Access Management
Public Cloud:
Return on Investment (ROI) higher, much quicker
Higher Risk through lessened security and network complexity
Private Cloud:
Risk of Incarceration (ROI) lower, Return on Investment long term at best
Associated costs are similar to running the environment in-house, Cloud free
Conclusion: Use Identity and Access Management to cut the Endemic Risk of Cloud Computing
When you outsource your infrastructure hardware, software and services, you, the customer, must verify and co-manage the security your provider provides. This is where Identity and Access Management comes into play.