Three Views of Access Governance in the Cloud

Cloud Security Blog (Apr 26 2010)

Categories:
Cloud Security: Compliance, IAM
Trusted Cloud Initiative: Certification, Trusted Cloud

    Part 2: Cloud to Enterprise

    As I pointed out in my last post, companies have real needs and real concerns when it comes to access governance - the continuous monitoring and enforcement of context-driven access management - in the cloud.

    These needs and concerns are complicated by the fact that the cloud, in the form of myriad SaaS applications, is coming into the enterprise in new and unprecedented ways that are frequently user-driven (that is, NOT driven by IT).
     
    But just as increased usage of convenient, web-based software presents the enterprise with unique access governance challenges, it simultaneously presents SaaS providers with an even greater opportunity: meeting the needs of their customers.

    The question is, will SaaS providers be willing to implement the access controls that their customers are looking for?

    To illustrate the issue at hand, I’m going to use a personal friend as an example, in part because I think his situation is fairly typical.

    From the standpoint of his employer, he is a heavy business user of the IT systems. At the same time, he is a heavy online reader and collaboration service user as well, and, to make things even more complicated, he uses the service both professionally and personally.

    Why does he use the service? One big reason is that it gives him access to his documents and other data (like URLs) wherever he is at the time. On top of that, the service helps him organize himself by making it easy for him to index, search, and share his documents, etc. Plus, it’s FREE!

    Of course, he could use the in-house options but then he’d have to work through the help desk, cost centers, and all that. Instead, he has a solution where it is easy to set up an account, easy to share stuff, and the price is right.

    There is a problem, though. Some of the documents he creates, for example, contain financial forecasting. He wants to keep this data safe for competitive reasons, and, even more than that, he doesn’t want to violate any policies or regulations by putting unsecured information out there. These kinds of violations could get him fired or, worst-case scenario, land him in jail.

    Does he trust the SaaS provider to secure his data to the standards required by his company? Not sure. On the one hand, the security is probably pretty good. However, valid or not, well-publicized cyber-attacks as well as the ease of making a mistake on security settings for shared documents made him very nervous. It seemed to be too ad hoc and untrustworthy.

    The real question becomes, does he forget about the ease of use in the name of security, or does he risk it in the name of convenience and hope for the best? A real dilemma.

    My friend's experience as a user of both in-house and low-cost or free SaaS-type applications is becoming the norm in the business world and I truly believe that he is not alone when it comes to concerns about security when using the latter type of tools.

    Unfortunately, we don’t have a ton of options with the way that many SaaS vendors currently operate. We either use their products “as is,” or do without the convenience and flexibility they offer because they don’t fit with the compliance and other constraints imposed on us by the regulatory environment we all have to work in.

    The other option would be for these SaaS vendors to adopt some kind of identity and access management solution that would integrate with an organization’s existing systems. Customers are expressing interest in these solutions. Are the vendors listening?

    Next Up: The Third Option: Identity as a Service.
