Thanks to the rush to digitally transform themselves, businesses build, deploy, and use more applications than ever. While this growth of applications is undoubtedly helping improve productivity, it’s also increasing digital security risks if organizations are not careful. This is especially true when it comes to managing the growing number of cloud identities.
Consider the growth of the enterprise application market. The research firm Allied Market Research estimates the global enterprise application market was $238 billion in 2020, with projections to reach $527 billion by 2030. It’s not just commercial applications. Thanks to continuous development pipelines, enterprises create more applications and software functionality.
It also means more identities to manage than ever before. The number of login credentials users must manage is now measured in the hundreds. But that is only part of the overall challenge. Consider that each business department typically manages its own identities in the commercial applications it uses and in the software it builds in-house.
All of these applications have credentials that must be managed, and if they aren’t appropriately managed, there are considerable associated risks and costs.
First, with cloud identity management siloed throughout the organization, leadership such as the CIO or CISO has no visibility into how these applications are accessed or used. This makes effective identity governance nearly impossible and maintaining regulatory compliance a manual nightmare.
That also means that when users leave the organization or even change their roles within the organization, their access privileges won’t be updated. That means employees and others will still have access to resources they shouldn’t, making it easy for criminals to use these overprivileged and orphaned credentials in attacks.
There’s also the very real risk that having too many accounts increases the chances that users will reuse their passwords across applications so that they do not constantly forget their credentials.
Credential-based attacks are consistently one of, if not the, top techniques used in attacks. These are vulnerabilities that enterprises must mitigate to maintain a reasonable level of security. And beyond security, poor cloud identity management and governance reduce operational efficiency and degrade the daily user experience.
We work with numerous clients that seek to centralize their cloud identities. We help them work through the challenges they run into, such as integrating applications into their identity management system and implementing the necessary processes to make centralized cloud identity management work. While many applications do support the System for Cross-Domain Identity Management (SCIM), which makes it straightforward to automate the provisioning and deprovisioning of accounts centrally, those applications that don’t support SCIM still need to be supported within modern identity governance programs.
These systems also need to be built to be resilient. With identities managed centrally in the cloud, there’s also the risk of having a single point of failure. What happens if your identity access systems go down? Productivity is lost. These systems must be designed and implemented correctly to minimize such risk.
We’ve also helped organizations successfully navigate internal organizational challenges that often arise with large identity initiatives. All of the various departments and business groups need to be well-coordinated so that everyone’s concerns are alleviated.
But it also goes beyond security and into day-to-day usability, too. Good cloud identity governance helps streamline access requests and user deprovisioning so that users get the tools they need more quickly. Application access is shut down when required to reduce the risk of credential-based attacks. Good cloud identity governance also reduces operational costs due to streamlined identity management and productivity gains.
In addition to immediate security and usability benefits, effective cloud security governance provides the foundation that makes it possible to supercharge all aspects of a cloud identity and access management program:
- Comprehensive oversight: when cloud identity management is centralized, IT and security can continuously monitor cloud access to maintain proper access levels, making it easier to spot suspicious access attempts.
- Managing cloud and on-premises identities: effective cloud identity management makes it much more straightforward to manage on-premises identity systems and eventually migrate those systems to the cloud.
- Single sign-on: centralized access makes it much more straightforward for organizations to provide users with one password that grants access to all of the resources they need to work.
- Role-based access control (RBAC): RBAC enables organizations to create and manage specific sets of access rights and permissions for users based on the job they do or their role. When identity management is centralized, organizations can work with HR, the various business departments, and managers to design roles for each job. This makes it possible to keep permission levels properly aligned, instantly deprovision users when they leave the organization, and provide the right access levels when they change roles. These systems can be integrated with human resources and are highly automated.
- Scalable identity management processes: once identity management is centralized, it becomes much easier to comply with new regulatory mandates and add new applications and capabilities.
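The orphaned and overprivileged accounts described earlier, the RBAC role model, and the SCIM deprovisioning call can all be shown in one reconciliation pass. The following is an added example, not code from the original post or from Set Solutions; the roster, roles and account inventory are constructed sample data, and usernames stand in for the opaque SCIM user ids a real application would assign.

```python
import json

# Constructed sample data (not from the original post).
# HR roster: user -> current job role, or None once the person has left.
HR = {"alice": "engineer", "bob": "finance", "carol": None}

# RBAC role model: which applications each job role is entitled to.
ROLES = {
    "engineer": {"git", "ci", "wiki"},
    "finance": {"erp", "wiki"},
}

# Per-application account inventory, as seen in each SaaS admin console.
ACCOUNTS = {
    "git": {"alice", "carol"},         # carol left but still has an account
    "ci": {"alice"},
    "wiki": {"alice", "bob", "dave"},  # dave is unknown to HR entirely
    "erp": {"bob", "alice"},           # alice changed role; erp no longer fits
}

def reconcile(hr, roles, accounts):
    """Compare live application accounts against the HR roster and role model.
    Returns sets of (user, app) pairs that are orphaned, overprivileged or
    missing, so each can be deprovisioned, trimmed or provisioned."""
    orphaned, overprivileged, missing = set(), set(), set()
    for app, users in accounts.items():
        for user in users:
            role = hr.get(user)
            if role is None:                       # terminated or never in HR
                orphaned.add((user, app))
            elif app not in roles.get(role, set()):  # access outside the role
                overprivileged.add((user, app))
    for user, role in hr.items():
        for app in roles.get(role, set()):
            if user not in accounts.get(app, set()):
                missing.add((user, app))
    return {"orphaned": orphaned, "overprivileged": overprivileged, "missing": missing}

def scim_deactivate(user_id):
    """Build the SCIM 2.0 request (RFC 7644 PatchOp) that deactivates a user:
    PATCH /Users/{id} with active=false. Returns (method, path, body)."""
    body = {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }
    return "PATCH", f"/Users/{user_id}", body

if __name__ == "__main__":
    findings = reconcile(HR, ROLES, ACCOUNTS)
    for user, app in sorted(findings["orphaned"]):
        method, path, body = scim_deactivate(user)
        print(f"{app}: {method} {path} {json.dumps(body)}")
```

Applications without SCIM support produce the same findings; only the last step (the deactivation request) has to be replaced with that application's own admin API or a ticketed manual step.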
Finally, these cloud identity initiatives are high-profile projects, and nearly everyone’s life in the organization will be improved with better cloud identity governance and single sign-on. They don’t have to remember so many passwords, and they can log in once and access everything — while the organization becomes more secure and compliant with regulations. Such all-around wins in usability and security are rare for organizations, but centralizing cloud identity is one of the areas where it’s possible.
This blog was written by Leo Magallon, Senior Security Consultant at Set Solutions