Cloud-based applications deliver well-known benefits including low-cost deployment, IT agility, scalability and a wide range of choices for the business community. But as enterprise usage of cloud apps accelerates, so do the administrative challenges related to onboarding (and offboarding) users with new IT services. Manually provisioning and managing user accounts among SaaS providers is a labor-intensive and error-prone task. IT administrators simply don’t have the time to add, modify and remove individual user accounts via the administrative consoles in each cloud app.
When working with apps from 10-20 cloud providers, it can be laborious to resolve who has access to applications, who is authorized to use specific functions within each app, and who has actually used them. When hundreds of cloud apps are in use, it is nearly impossible to manage and govern these demands manually with any efficiency.
The solution is to automate provisioning activities across all user accounts and cloud applications.
There are three fundamental and, in many respects, prerequisite steps to achieving this:
- Federate user identity – Aggregate user identity and authentication data to streamline access processes.
- Embrace open standards – Remove complexities and costs associated with proprietary APIs.
- Centralize account management – Provide a single point for managing user accounts across all cloud apps.
Federate user identity and data stores
Digital business has become increasingly distributed as cloud infrastructures and applications are shared through numerous multi-tenant service providers. As the number of available applications grows, the task of managing identity and access controls across these points of service becomes progressively more complex, particularly since each cloud application stores its own copy of user identity information.
Businesses have traditionally used Microsoft Active Directory (AD) as a repository for employee-related data and policies on Windows domain networks. However, many companies are also adopting cloud-based HR systems such as Workday for identity management and to centralize user data.
Each of these systems has unique data structures and ways of identifying user roles. Sharing and replicating information across these disparate systems means somebody has to map the various attributes and synchronize the identity management procedures. An easier way to manage user accounts across applications is to federate user directories and cloud app user information, and reconcile them against a chosen directory to construct a single source of truth.
A cloud identity-as-a-service (IDaaS) provider can federate identity (or essentially share information among cloud services), centralize access policies and apply rules. The IDaaS solution serves as an independent user identity store that accommodates each cloud application schema. It becomes a universal point of federation between Active Directory, HR systems and cloud-based applications like Office 365 and Salesforce to provide complete visibility into users, roles, applications and behaviors.
Support open standards including SAML and SCIM
Technology standards help define rules and establish frameworks to simplify compliance and streamline administrative processes. In the case of enterprise cloud apps, open standards promote interoperability among cloud vendors and help drive industry innovation and maturity.
Every application is built differently. In the absence of standards, proprietary APIs help IT teams to extend identity and access management (IAM) services to cloud apps on an individual basis. However, this method is not ideal. Not only is it costly to create the interfaces, it also forces those who are responsible for identity and access management to manually track dependencies between various connectors, as well as to sort out the discrepancies among applications and versions to ensure uninterrupted connectivity to the user community.
Without standardized access and provisioning APIs, companies that utilize cloud apps will incur unnecessary costs and risks, including potential downtime.
Open standards can mitigate these difficulties by removing the need for proprietary integrations. For example, standards provide a broad framework for rationalizing provisioning instructions, which enables a one-to-many integration: when cloud application vendors code once to a universal identity standard, all parties benefit from reduced risk and accelerated deployment.
Security Assertion Markup Language (SAML) provides a federated identity standard that applies secure tokens to authenticate users without repeatedly prompting for each application password. This enables secure single sign-on (SSO) and prevents brute-force password attacks.
System for Cross-domain Identity Management (SCIM) offers a standardized API for user management, including account provisioning. These open standards, SAML and SCIM, form the foundation for cloud app integration, and deliver inherent cost savings and stability.
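To make the reconciliation and provisioning steps above concrete, here is an added example (not OneLogin's code or any product's API) that treats an HR/AD directory as the source of truth, compares it with what a cloud app's SCIM endpoint reports, and emits the SCIM 2.0 create and deactivate requests an identity provider would send; the directory records, app users and endpoint paths are constructed sample data, and the request bodies follow the SCIM 2.0 message formats (RFC 7643/7644).

```python
# Added example: reconcile a source-of-truth directory against a cloud app's
# SCIM user list and produce the SCIM 2.0 requests needed to converge them.
# All data below is constructed for illustration.
import json

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample: the federated directory (HR + AD) after attribute mapping.
DIRECTORY = [
    {"email": "alice@example.com", "given": "Alice", "family": "Ng", "status": "active"},
    {"email": "bob@example.com", "given": "Bob", "family": "Ruiz", "status": "terminated"},
    {"email": "carol@example.com", "given": "Carol", "family": "Li", "status": "active"},
]
# Constructed sample: what GET /Users on the cloud app currently returns.
APP_USERS = [
    {"id": "1001", "userName": "alice@example.com", "active": True},
    {"id": "1002", "userName": "bob@example.com", "active": True},
]

def scim_create(person):
    """POST /Users body for a person in the directory who has no app account yet."""
    return {"schemas": [SCIM_USER], "userName": person["email"], "active": True,
            "name": {"givenName": person["given"], "familyName": person["family"]},
            "emails": [{"value": person["email"], "primary": True}]}

def scim_deactivate():
    """PATCH /Users/{id} body that suspends access but retains the account and its data."""
    return {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}

def reconcile(directory, app_users):
    """Return the ordered (method, path, body) requests that bring the app in line."""
    by_name = {u["userName"].lower(): u for u in app_users}
    ops = []
    for p in directory:
        existing = by_name.get(p["email"].lower())
        if p["status"] == "active" and existing is None:
            ops.append(("POST", "/Users", scim_create(p)))          # onboarding
        elif p["status"] != "active" and existing and existing["active"]:
            ops.append(("PATCH", f"/Users/{existing['id']}", scim_deactivate()))  # offboarding
    # Active app accounts with no directory record are orphans: suspend them too.
    known = {p["email"].lower() for p in directory}
    for u in app_users:
        if u["userName"].lower() not in known and u["active"]:
            ops.append(("PATCH", f"/Users/{u['id']}", scim_deactivate()))
    return ops

if __name__ == "__main__":
    for method, path, body in reconcile(DIRECTORY, APP_USERS):
        print(method, path, json.dumps(body))
```

Running the module shows one PATCH that deactivates Bob and one POST that creates Carol; an orphaned app account that the directory does not know about is also deactivated rather than left with live access.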
Centralize and automate account management
With personnel throughout the enterprise utilizing multiple cloud applications, IT managers can find it difficult to answer questions such as “Who has access to what?” and “Who accessed what?” Centralized management can eliminate these governance challenges by providing a single console from which to manage user accounts and application policies. It can also generate reports about users and the applications they access.
A cloud-based IAM solution can bridge on-premises directories like AD with the organization’s cloud applications and automate user account provisioning to these apps. Centralizing management delivers additional benefits that include the ability to establish roles and security policies that define user entitlements to specific functions within each cloud app. Sensitive data can be made accessible only to authorized users. Access privileges can be instantly revised or revoked by changing a user’s role or status.
Reports can leverage aggregated data, including information about which applications were accessed, failed login attempts and more. This infrastructure, including actionable reporting, helps streamline IT workflows, optimize business processes and improve security analytics.
Companies should consider deploying an IAM platform that centralizes user account management and automates application provisioning based on user role. An IAM solution should also be able to authorize application entitlements based on user or application policies and revoke user access rights from a single console.
Cloud services are only as good as the practices that support them
An organization can’t fully reap the benefits of cloud-based applications and services if it lacks the capacity to properly provision users and enforce access policies. If IT doesn’t fulfill the prerequisite steps to federate identity, implement standards and centralize management to grant and revoke employee access to cloud applications, managing these users and applications can be risky and time consuming.
Manual management and upkeep of user accounts and directories can be a never-ending task, even for one or two cloud apps. By automating user onboarding and offboarding, organizations can more effectively control access based on role, department, location, title and other attributes.
It is imperative that companies have the ability to enable, manage and govern access to cloud applications and that they can retain, suspend or delete user data based on established policies. A standards-based cloud IAM solution can streamline these activities by automating crucial provisioning processes. Through automation, organizations can reduce IT involvement, improve security and accelerate time to productivity.
Chip Epps is senior director of product marketing at OneLogin, where he helps advance cloud security initiatives and guide the evolution of IAM technologies.