The inherently casual and decentralised nature of cloud services will increasingly push organisations to reconsider their identity and access management (IAM) infrastructure, an Ovum analyst has warned.
Flagging the fact that cloud services are already pervasive within most organisations, Ovum principal analyst for IT security solutions Andrew Kellett said those services’ tendency to handle user authentication through their own services – which are typically poorly integrated with companies’ own IAM services – presented a significant challenge for organisations trying to keep a handle on the flow of business information into employee-managed cloud services.
“The increasing use of cloud-based services is driving the need for better and more interactive single sign-on [SSO] and federated identity management [FIM] facilities,” Kellett said in a statement. “For the foreseeable future, organisations will continue to make use of a mixed range of on-premise, hosted and cloud-based systems and services.”
Those cloud-based services, known broadly as ‘shadow IT’ because they evolve at users’ direction but fall outside the ambit of corporately-managed IT systems, will continue to challenge notions of security control – not only because of their distributed nature, but because their SSO and FIM support tends to be relatively immature.
That leaves businesses with no idea what accounts their employees are using on what cloud-based services – and no way to control the business data that might be stored on those services. Although social-media services like Facebook and Twitter have pioneered identity federation by enabling logons to a range of third-party services, integrating those identities with corporate directory services remains a sticking point.
Some security vendors now offer tools for managing employee logons to a number of higher-profile cloud services, but the proliferation of consumer-managed cloud services – and statistics suggesting 80 per cent of businesses already use some cloud services – means most employees continue to maintain separate cloud-service identities that remain outside the control of their parent organisations, even though they are used for business purposes.
Compounding the problem, in many cases, those identities are managed through employee-owned mobile devices that company IT managers know nothing about – but will see the effects of when varying security protections create gaps in corporate security profiles.
Recognising the more fluid nature of user authentication, vendors must continue to improve the extensibility of corporate identity controls as part of the new IAM. Whether traditional IAM vendors can seamlessly extend themselves to the cloud, or whether cloud-based IAM pioneers start in the cloud and work towards the enterprise, there is still a lot of learning and improvement to be done.
“A new generation of cloud specialists are challenging established approaches to managing identity, and are positioning themselves as offering a more flexible, easier to deploy, and cost-effective approach to managing identity from the cloud,” he said.
“Their ability to operate independently as well as a alongside existing IAM providers needs to be tested, as does the range, quality and security of the bridging facilities and application program interfaces (APIs) currently available for delivering access to cloud-based applications.”
Follow @CSO_Australia and sign up to the CSO Australia newsletter.