The Case for Hybrid Identity-as-a-Service (IDaaS) Part I
Hybrid Identity-as-a-Service (IDaaS) provides a clear path to reducing the dangers associated with cloud adoption.
The world of the information security professional continues to grow more complex as more of the services that were traditionally within the control of the information security team are outsourced to external entities. Just a few years ago, a CISO (Chief Information Security Officer) could confidently assure the CIO, CFO, and Legal Counsel that the organization was providing adequate protection for the confidentiality, integrity, and availability of the sensitive data it was tasked with securing, simply by inspecting the organization’s internal hardware and software solutions.
But as organizations are pushed to adopt more flexible working environments that include the consumerization of users’ laptops and mobile devices (BYOD: Bring Your Own Device), those organizations no longer have direct control over the security of the locations the data is served from or the infrastructure used to deliver those services.
Information security teams are now tasked with vetting an external service provider to ensure it is up to the task of providing the same level of confidentiality, integrity, and availability that they once provided internally. The Information Security Manager now has a new layer of abstraction between their role and the role’s responsibilities, while retaining the same level of liability if something goes wrong. If the CISO had difficulty sleeping before, they are certain to be bleary-eyed now.
So if there are inherent risks in rushing these services into the cloud, why is the business pushing for them? There are many truly exceptional benefits to leveraging cloud providers: reduced CapEx costs, fast ROI, and amazing, almost unlimited, scalability. Unfortunately, the speed of business can, and often does, exceed the speed of security.
One area where this vacuum has been felt most acutely is secure access and identity management.
The Problem. At a recent security conference, a panel was asked, “How many web or cloud services is your organization using, and how do you manage identities and authentication into them?” One panelist, the CIO of one of the largest cities in America, initially responded, “How do you define the cloud?” Upon further reflection, he stated that there were more than six services in his organization with no centralized identity management or authentication mechanism. The CISO for a state government agency responded similarly, but with over 20 (potentially 50) services in use with no centralized access or identity management.
This will probably not surprise most. Just ask any business about the cloud services it uses and how it manages the identities and authentication into those environments. Over the past couple of years, adoption of cloud offerings has accelerated, providing businesses with solutions that deliver needed services in an incredibly scalable manner, without direct payroll or management costs. The justification for cloud adoption is becoming clearer to the business side of the house, as there is little or no spin-up time between purchasing a solution and using it. So businesses have jumped at the savings potential the cloud market provides.
But the information security team is not the only one trying to catch up. Even now, organizations such as the PCI Standards Council are struggling to redefine what is considered “in scope” as the boundaries of past networks dissolve in order to allow access to valuable data anytime, anywhere.
With the gap widening between the services a cloud offering can provide and the solutions that can secure access and identity management for those services, it is clear that organizations must educate themselves about the dangers this vacuum presents, even as compliance organizations work to provide standardized controls.
Stay tuned for Part II next week or drop on by www.passwordbank.com for an advance copy. :)