Why identity security is important, even in a private cloud
What's in a cloud? Apparently a lot these days.
The cloud will account for 76% of total data center traffic by 2018. That's up from the cloud accounting for 54% of data center traffic in 2013, according to Cisco.
Almost half of companies surveyed by KPMG say the cloud will help them drive cost efficiencies, 42% say it will better enable their mobile workforce to access company data from anywhere at any time, 37% want to improve alignment with customers and partners, and 35% want to better leverage data to provide insight.
These are all great reasons to move to the cloud, but they all point to the need for greater security, particularly managing who has access to data that's no longer within the company's firewall, and what data they're allowed to access.
Many companies prefer a private cloud where the services and infrastructure are maintained on a private network, compared to a public cloud where those services and infrastructure are shared with other companies. Private clouds offer the greatest level of security and control, but like moths to the flame, more hackers will target cloud data - even on private networks - as more data is kept there.
Even in a private cloud environment, it's essential for applications to authenticate a user's identity, understand what that user is authorized to do, create or update an account, and audit a user's activities. These four A's (authentication, authorization, account management and auditing) are critical components of any identity security strategy. Here's a quick rundown.
About half of all Web hacking attackers in 2014 gained access to company data using stolen credentials, according to Verizon's 2015 Data Breach Incidents Report. Authentication and authorization are critical processes for keeping credentials safe.
Authentication is the process you use to verify that a user is who they claim to be, and it's usually done through a user ID and password. But for most organizations, this isn't necessarily as easy as it sounds because of the complexity of their environment. Some users need to access applications that are both on premises and in the cloud, or the company has complex directory structures. This is where federation comes in. Federation makes authentication using corporate credentials seamless in both cases. Make sure that your solution supports federation.
Many organizations today are also implementing multi-factor or strong authentication solutions. Adding multi-factor authentication to your IAM environment is highly recommended for securing your cloud resources. Finally, consider a solution that supports both proxy-based and agent-based access management for your applications. Proxy-based access management is simple to deploy and maintain for coverage of many applications, while agent-based access management works on an app-by-app basis but gives higher policy control.
Authorization is any process that allows someone to access applications and information. Your IaaS provider should cover administrative access to your private cloud. User access to applications and APIs should be your primary concern. In today's world of web apps, mobile apps and APIs, it is imperative that you select an IAM solution that supports authorization for all.
Account management is any process where user access is created, updated and disabled. The key when it comes to the cloud is how users are kept in sync between your central directory (typically AD), your cloud environment (AWS) and your SaaS apps. This is another great reason for a federated IAM solution, so that users can be authenticated using their corporate credentials against your Active Directory instance, which is generally on premises. It should also be standards-based, including support for a new standard called SCIM.
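The directory-to-app sync described above can be sketched as a reconciliation that emits SCIM 2.0 requests. This is an added example, not code from the original article or from any IAM product; the user records, IDs and the `plan_sync` helper are constructed for illustration, and it covers only the create and disable cases.

```python
# Added example: reconcile a directory export against an app's SCIM user list.
# All user records below are constructed sample data.
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Source of truth: central directory export (constructed).
DIRECTORY = [
    {"login": "alice@example.com", "enabled": True},
    {"login": "bob@example.com", "enabled": False},   # left the company
    {"login": "carol@example.com", "enabled": True},  # new hire, no app account yet
]

# What the cloud app returns from GET /Users (constructed).
APP_USERS = [
    {"id": "a1", "userName": "Alice@example.com", "active": True},
    {"id": "b2", "userName": "bob@example.com", "active": True},
    {"id": "m3", "userName": "mallory@example.com", "active": True},  # not in directory
    {"id": "d4", "userName": "dave@example.com", "active": False},    # already disabled
]


def plan_sync(directory, app_users):
    """Return (method, path, body) SCIM requests that align the app with the directory."""
    # Compare names case-insensitively so "Alice@" and "alice@" are one identity.
    enabled = {u["login"].lower() for u in directory if u["enabled"]}
    present = {u["userName"].lower() for u in app_users}
    requests = []
    # Disable active app accounts with no enabled directory identity behind them:
    # leavers whose app access outlived their directory account, and orphans.
    for u in app_users:
        if u["active"] and u["userName"].lower() not in enabled:
            requests.append(("PATCH", f"/Users/{u['id']}", {
                "schemas": [PATCH_SCHEMA],
                "Operations": [{"op": "replace", "path": "active", "value": False}],
            }))
    # Create accounts for enabled directory users the app does not know yet.
    for login in sorted(enabled - present):
        requests.append(("POST", "/Users", {
            "schemas": [USER_SCHEMA], "userName": login, "active": True,
        }))
    return requests


if __name__ == "__main__":
    import json
    for method, path, body in plan_sync(DIRECTORY, APP_USERS):
        print(method, path, json.dumps(body))
```

The disable requests are the security-relevant output: each one is an account that could still sign in to the app after the directory stopped vouching for it.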
Auditing is an official inspection of a user's access and activity, typically by an independent body. Auditing is simple and efficient when users' 'request' for and 'access' to information across web, mobile and APIs is collected in a reliable and standard fashion.
Remember, what happens in the cloud should stay in the cloud. Protect your data with a thorough identity security strategy.