Enterprise security has never been easy, and the rapidly expanding use of software in the cloud has added daunting layers of complexity, and risk, to your job. If you have not already, you will soon find yourself placing valuable intellectual property, personally identifiable information, medical records or customer data outside your firewall. This is not necessarily a bad thing to do, but it does introduce risk, and that risk needs to be managed proactively and continuously rather than assessed once.
The cloud is essential in two ways: First, it is irresistible from a cost and convenience perspective. When you need to add processing capacity, applications or seats for a thousand new users, there is no easier way than the cloud. Then there is the need to extend the reach of data and systems outside the traditional walls and boundaries of an organization. To compete in any industry, you need to open your organization up to customers, partners, vendors and mobile employees. Open access isn’t a choice in the 21st century—it’s an imperative, and cloud computing helps make that possible.
Technology researcher Gartner has projected that enterprise spending on public cloud services will grow from $109 billion in 2012 to $207 billion in 2016. This means additional risk in the form of billions of identity and access relationships. As business line managers build their own software-as-a-service applications and employees bring a wide variety of personal devices into the equation, they may not be completely aware of the risks this leaves their business open to, across the cloud and the enterprise.
As a result, security solution providers and IT executives are in catch-up mode, trying to ensure that this new way of doing business is as secure—or even more secure—than it was before the advent of cloud computing. While there has been an explosion of cloud security products and services introduced in recent years, the real challenge for organizations is managing the risk of improper access to systems and resources in a hybrid environment—one that spans the enterprise as well as the cloud.
Identity and access management needs do not change in the cloud. We still need to ensure that the right people are getting the right level of access to cloud resources, and that they are doing the right things with that access. Cloud applications behave much like on-premises applications, so the technical aspects of the cloud are not what increase the risk. Rather, the issue is giving up direct control of assets and data without putting equivalent controls around the risk that goes with them.
Many cloud services are brought into the organization by the line of business. This shifts IT tasks out to the business unit. While cloud computing has positively changed the expectations of users and has democratized the use of technology, making businesses more agile, this ad hoc administration has created holes in how these new applications, resources and the continuing proliferation of data are managed. IT security is still held responsible if something goes wrong, even though a measure of control is lost and risk is increased.
The Identity and Access Management Gap
The cloud does not create access risk; it sharpens a problem that was already growing. An expanding identity and access management (IAM) gap looms, threatening the integrity of many organizations.
Breaking it down, many organizations use provisioning systems to group users according to their roles that, by policy, map to rights for accessing enterprise systems and resources. Periodically—say, every three, six, nine or 12 months—organizations attempt to certify that those access rights are in order, usually by asking managers to verify that subordinates have the right access according to their responsibilities.
Organizations then do their best to provision the right access to the right people. But many things can change between provisioning and the certification that happens months down the road. These include business and infrastructure changes, regulatory changes, hirings, firings and transfers, and the addition of new resources, roles, policies and rights. In addition, there may be imperfections in the certification process itself, for example when managers without the necessary time or understanding rubber-stamp the review rather than complete it correctly. At the same time, threats are increasing from both outside and inside the organization: hacktivists and determined attackers on one side, disgruntled or departing employees whose access was never revoked on the other.
The gap between provisioning and certification represents trillions of ever-changing relationships among identities, access rights and resources, introducing a new vulnerability into an organization’s security. What should an organization do? First, take a hard look at IAM programs and expand to include the cloud. Update IAM guidelines and controls. Go beyond mere provisioning and certification to include intelligence and analytics. Define the policies of who should have what type of access, define appropriate use, and get the lines of business involved in the process.
Then, make sure cloud and on-premise applications are included. There should not be separate strategies for cloud and on-premise. Rather, there needs to be an enterprise IAM strategy that incorporates both. Inventory your cloud applications to identify what kind of data is out there and who is using it. Categorize by risk to ensure there is a focus on the high-risk priorities.
Offer these services to the business with a combination of controls and convenience. By giving business units services such as quick access, easy ability to request new services and easier ways of dealing with auditors, you can help build controls in at the same time.
Finally, the strategy needs to address the gap—not just on day one and through periodic reviews, but with real-time monitoring that tracks user activity. As the openness imperative and cloud movement raise the risk management stakes, organizations need to identify and understand the risk, implement security controls to address it and spotlight it in real-time.
One solution is to harness the “big data” in the trillions of access relationships—on the ground or in the cloud—to better understand what is really going on. Security staff is essentially looking for a needle in a haystack of data. Unfortunately, they don’t know what the needle looks like, so they have to look at all the hay and find something that looks different. What they really need to see are meaningful patterns. This is where predictive analytics come in.
As Gartner said, “Big data is a class of information processing problem that, due to the volume, velocity, variety and complexity of the data, requires different approaches to support analytics to derive cost-effective, timely, business-relevant insight.” While big data has been used effectively by lines of business to analyze customer purchase behavior, inventory turns or other critical data, it also offers tremendous promise for IT security to manage access risk better.
By 2016, Gartner predicts that 40% of enterprises will actively analyze at least 10 terabytes of data for information security intelligence. Combining big data and analytics adds the business intelligence and insight that was previously missing to IT security, addressing the questions: Where is the access risk in my organization, what’s causing it and how do I need to address it?
Closing the IAM Gap
Predictive analytics needs to be applied specifically to the big data around identity, rights, policies, activities and resources to reveal anomalous patterns of activity. Consider a person who has legitimate rights to a cloud-based customer relationship management system and who downloads the entire customer database from his home office at 2 a.m. on a Saturday. This event deserves a look, but traditional access controls would never surface it, because they answer only one question, whether the user is authorized, and this user is. They do not consider the volume of data pulled, the time of day or the location, all of which depart sharply from that user's history. By comparing activity against each user's own “normal,” you get a near real-time view of your company's greatest risks. You can prioritize your next security steps, strengthen controls in times of highest risk and continuously update threat definitions. Two practical caveats: this only works if the cloud application's activity or audit logs are actually collected alongside your on-premises logs, and a baseline that is too narrow will bury the real anomaly under false positives, so thresholds need tuning against your own data.
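The detection described above, as an added example written for this page rather than code from the original article or any vendor's product: it builds a per-user baseline from a constructed week of CRM export events (usual hours, weekday-only use, known source locations, typical export size) and then scores new events against that baseline. Every user in the sample is authorized to export, so an access-control check alone would pass all of them; only the behavioural comparison flags the 2 a.m. Saturday bulk download. The log line format, the source labels (office, vpn, home) and the thresholds are assumptions chosen for the example.

```python
"""Score CRM export events against each user's own baseline (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass(frozen=True)
class Event:
    user: str
    ts: datetime
    src: str      # coarse source label: office / vpn / home (assumed field)
    action: str
    records: int  # rows returned by the export


def parse(line: str) -> Event:
    """Constructed line format: '<ISO timestamp> <user> <source> <action> <rows>'."""
    ts, user, src, action, records = line.split()
    return Event(user, datetime.fromisoformat(ts), src, action, int(records))


# Constructed history: one normal working week of exports by two authorized users.
HISTORY = """\
2013-02-25T09:12:00 alice office export 240
2013-02-25T14:30:00 alice office export 310
2013-02-26T10:05:00 alice office export 180
2013-02-27T16:45:00 alice office export 420
2013-02-28T11:20:00 alice office export 260
2013-02-25T08:50:00 bob vpn export 900
2013-02-26T22:15:00 bob vpn export 1100
2013-02-27T09:00:00 bob office export 850
2013-02-28T23:30:00 bob vpn export 1200
"""

# Constructed new events. All of these users are *authorized* to export, so an
# authorization check alone passes every line; 2013-03-02 is a Saturday.
NEW = """\
2013-03-01T10:30:00 alice office export 300
2013-03-01T23:05:00 bob vpn export 1000
2013-03-02T02:10:00 alice home export 48000
2013-03-03T14:00:00 carol office export 50
"""


def build_baseline(events):
    """Summarise each user's history into the few features we score against."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e.user].append(e)
    baseline = {}
    for user, evs in per_user.items():
        hours = [e.ts.hour for e in evs]
        baseline[user] = {
            "first_hour": min(hours),
            "last_hour": max(hours),
            "weekend": any(e.ts.weekday() >= 5 for e in evs),
            "sources": {e.src for e in evs},
            "median_records": median(e.records for e in evs),
        }
    return baseline


def score(event, baseline, volume_factor=10, hour_margin=1):
    """Return the list of ways this event departs from the user's baseline.

    The thresholds are deliberately simple heuristics; in practice they are
    tuned per organisation to keep false positives manageable.
    """
    b = baseline.get(event.user)
    if b is None:
        return ["no history for user"]
    reasons = []
    lo, hi = b["first_hour"] - hour_margin, b["last_hour"] + hour_margin
    if not lo <= event.ts.hour <= hi:
        reasons.append(f"hour {event.ts.hour:02d} outside usual "
                       f"{b['first_hour']:02d}-{b['last_hour']:02d}")
    if event.ts.weekday() >= 5 and not b["weekend"]:
        reasons.append("weekend activity, none in history")
    if event.src not in b["sources"]:
        reasons.append(f"source '{event.src}' never used before")
    if event.records > volume_factor * b["median_records"]:
        reasons.append(f"{event.records} rows is more than {volume_factor}x "
                       f"the user's median of {b['median_records']:.0f}")
    return reasons


def detect(history_text, new_text, **thresholds):
    """Parse both logs and return [(event, reasons)] for events that deviate."""
    baseline = build_baseline(parse(l) for l in history_text.splitlines() if l.strip())
    flagged = []
    for line in new_text.splitlines():
        if not line.strip():
            continue
        e = parse(line)
        reasons = score(e, baseline, **thresholds)
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    for e, reasons in detect(HISTORY, NEW):
        print(f"{e.ts:%Y-%m-%d %H:%M} {e.user:<6} {e.src:<7} {e.records:>6} rows")
        for r in reasons:
            print("   -", r)
```

Running the block flags two of the four new events: alice's Saturday export trips all four checks (off-hours, weekend, new source, volume far above her median), while carol is flagged only because she has no history at all. Bob's late-night VPN export passes because late evenings over VPN are normal for him, which is the point of per-user baselines rather than one global rule.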
Whether the applications you monitor are partly or solely in the cloud does not matter; you need to secure all enterprise systems and resources wherever they reside. Cloud computing means that it is necessary to develop a new “perimeter” that understands who someone is, what they should access, what they are doing with that access and what patterns of behavior might represent threats to the organization. Risks are then reduced before they become bona fide breaches and the organization can more securely take advantage of all the benefits the cloud has to offer.