Symplified, one of the industry-leading Identity and Access Management solution providers that we track here at Solutions Review, has a white paper that highlights six best practices for handling cloud-based IAM technology and processes. I have placed them below for your edification.
1. Leverage existing infrastructure wherever and whenever you can.
The IAM solution you choose should leverage what you already have in place as much as possible in order to create a secure environment. Recreating parallel security systems in the cloud has a number of downsides, according to Symplified:
Redundant systems are inefficient, more difficult to secure, and fall out of sync, which in this case leads to orphaned accounts and access policy violations. One such example of where this fails is when an inside sales representative leaves a company and still has access to a corporate application. He can be removed from Active Directory immediately and lose access to on-premises applications. But if his Salesforce account remains in place he can log back in, download a customer lead list and deliver it into the hands of his new employer.
It’s therefore a better idea to integrate those existing (and expensive) systems into the new cloud-based security solution so that the downsides of parallel systems don’t overwhelm your business.
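The orphaned-account scenario above is easy to catch if you routinely reconcile each SaaS application’s user list against the directory you already run. The script below is an added example (not code from Symplified or from this post) that does that reconciliation on constructed sample data: the Active Directory export and the SaaS user export are hypothetical dictionaries, and in practice they would come from an LDAP query (the disabled flag lives in userAccountControl) and from the application’s user-management API.

```python
"""Reconcile a SaaS application's user list against Active Directory.

Added example, not from the Symplified whitepaper or the original post.
Both directories are constructed inline; the field names and the export
format are assumptions for illustration.
"""
from dataclasses import dataclass

# Hypothetical AD export: sAMAccountName -> (mail, account enabled?)
AD_USERS = {
    "jsmith": ("jsmith@example.com", True),
    "adoe": ("adoe@example.com", True),
    "rlee": ("rlee@example.com", False),   # left the company, disabled in AD
}

# Hypothetical SaaS (e.g. CRM) user export: login email -> attributes.
SAAS_USERS = {
    "jsmith@example.com": {"active": True, "profile": "Sales Rep"},
    "rlee@example.com": {"active": True, "profile": "Sales Rep"},      # orphan: disabled in AD
    "contractor42@example.com": {"active": True, "profile": "Admin"},  # no AD identity at all
    "adoe@example.com": {"active": False, "profile": "Sales Rep"},     # already deprovisioned
}

PRIVILEGED_PROFILES = {"Admin", "System Administrator"}  # assumed naming


@dataclass(frozen=True)
class Finding:
    email: str
    reason: str
    privileged: bool


def find_orphans(ad_users, saas_users):
    """Return active SaaS accounts whose AD identity is disabled or missing.

    Findings are ordered with privileged accounts first so the most
    dangerous orphans are dealt with before the rest.
    """
    # Index AD by mail address (case-insensitive, as mail usually is).
    enabled_by_mail = {mail.lower(): enabled for mail, enabled in ad_users.values()}

    findings = []
    for email, attrs in saas_users.items():
        if not attrs["active"]:
            continue  # already deprovisioned in the app, nothing to do
        key = email.lower()
        privileged = attrs.get("profile") in PRIVILEGED_PROFILES
        if key not in enabled_by_mail:
            findings.append(Finding(email, "no matching AD account", privileged))
        elif not enabled_by_mail[key]:
            findings.append(Finding(email, "AD account disabled", privileged))

    return sorted(findings, key=lambda f: (not f.privileged, f.email))


if __name__ == "__main__":
    for f in find_orphans(AD_USERS, SAAS_USERS):
        flag = "PRIVILEGED " if f.privileged else ""
        print(f"{flag}{f.email}: {f.reason}")
```

Run this on a schedule, and treat every finding as a deprovisioning ticket; an account that is disabled in AD but still active in the SaaS app is exactly the gap the sales-rep story describes.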
2. Leverage Open Standards wherever possible.
Symplified says that “identity is fundamentally an integration challenge.” Open standards help you overcome the problems that come with integration by helping “you to leverage a common integration approach across all of your partners that implement those standards.” This way you don’t have to solve a different integration problem every time you work with a new partner or identity store. Security Assertion Markup Language (SAML) is the main such standard here: it defines how an identity provider in one organization asserts a user’s identity to a service provider in another, and that is what makes federated SSO possible. Also, be aware that with SAML you don’t have to implement the entire standard, only the profiles (for example Web Browser SSO) that your business processes actually need.
3. Leverage a Cloud Identity broker.
Using services that act as a bridge to the cloud can be advantageous, since they already have SSO integrations with many, if not most, SaaS applications. This helps in the roughly 75% of cases (Symplified’s estimate) where the cloud app supports neither open standards nor federated authentication. A cloud identity broker can therefore solve the integration challenge described in best practice #2 when open standards won’t work.
4. Don’t replicate sensitive user data in the cloud when you can avoid it.
Any federation solution that requires identity data to be replicated from silo to silo to silo can violate end-user agreements and increase your exposure to a breach. A better way is to authenticate against your existing Active Directory or other directory when granting access to cloud apps. That removes the need to keep copies of the same sensitive data in multiple places, and with it one avenue for a break-in.
5. To engage with business units on SaaS deployments, use a carrot, not a stick.
Because IT can take weeks to “move on deployment” whereas a SaaS deployment can take only hours, lines of business may avoid looping corporate IT in on SaaS deployments in order to skip that “speed bump.” However, it is critical that IT be involved, because the decisions about where data and apps are stored determine how exposed the system is to attack. IT needs something to offer lines of business that are considering a SaaS solution, and Single Sign-On (SSO) can be that incentive. When employees expect to reach the applications they need through IT-controlled and managed SSO and can’t, they will get vocal about having the app integrated with SSO, which forces that line of business to have a conversation with IT.
6. Implement an identity management capability that will provide all of the security properties you might ultimately need.
Because IAM solutions are built on different architectures, they inevitably offer different features. Some of the more basic offerings available today, while cheap, may prevent you from adding the security features you need tomorrow. So don’t shop on price alone; check whether the solution meets your needs both today and in the foreseeable future.
For the whitepaper from Symplified on six best practices for identity and access management, click here and scroll down to the ‘Whitepapers’ section.