Every day, we read about another enterprise moving its IT environment to the cloud. General Electric and Capital One are doing it, as well as Netflix, The Weather Company and hundreds of other companies.
Yet we don't hear much about how applications are protected once they're moved outside the company's infrastructure, especially when it comes to identity and access management (IAM). Cloud providers themselves stress that security is a shared responsibility between vendors and customers. Vendors have an obligation to ensure their data centers are built to the highest level of reliability and security. But it's also incumbent upon enterprises to follow best practices in the areas they control and the cloud vendor does not, such as strong authentication and access management.
If your company is starting the cloud journey, you're probably thinking, "What's the big deal? We'll just continue to use our existing WAM solution for those apps in the cloud."
You might want to think again. Here are three reasons why your existing web access management (WAM) system doesn't easily extend to apps in the cloud.
1. Traditional WAM solutions are too customized and complex for the cloud.
While a traditional WAM system is comprehensive and highly customizable for internal users and applications deployed behind the firewall, that customization and complexity work against it when IT wants to adopt new initiatives, such as:
Connecting with SaaS applications.
Protecting applications deployed in infrastructure as a service (IaaS).
Adding APIs to applications to enable mobile apps and server-to-server communication.
Let's look at a real-world example: General Electric.
According to an article written by Lance Weaver, GE's chief technology officer for cloud, GE tried to leverage its existing WAM solution as part of its ongoing migration of about 9,000 applications to the cloud. As of November 2015, GE had 350 low-risk applications running in the public cloud, with a target of 1,000 by the end of 2015.
GE is also working on additional controls, allowing medium-risk applications to be moved to public providers. High-risk applications are placed into public cloud providers as well, Weaver wrote, but GE assessed and implemented controls with these providers "to create an environment conducive for those applications."
2. Traditional WAM solutions significantly affect performance.
GE first tried leveraging its legacy on-premises WAM solution by putting an agent out in the public cloud to protect those apps. This caused performance issues because the agent was designed to sit on the same network as the policy server, not out in the cloud. Next, GE tried recreating its WAM implementation in the cloud. But that, too, proved to be too complex, time-consuming and costly.
Connecting agents or proxies at the IaaS level to on-premises policy servers is costly for network operations, and every access decision that has to cross that link adds request latency and significantly degrades the user experience. It can break an already brittle system that was never designed for an IaaS deployment.
3. Attempts to extend traditional WAM solutions to IaaS undermine the savings attributed to deploying to IaaS.
So far, the public cloud has been cost-neutral for GE, Weaver says, without counting the additional benefit of shorter innovation cycles. "When an application is optimized for the cloud it's cost-favorable," he wrote. Traditional WAM systems are not optimized for the cloud, so spending time and money to retrofit them into a modern cloud solution can undermine the initial cost savings of IaaS.
Ping Identity has built a comprehensive Identity Defined Security platform where access management and identity administration capabilities work in concert. This means applications are secured wherever they are deployed. Federated Access Management is the cornerstone of Identity Defined Security. It brings together single sign-on (SSO), federation, web and API access management and multi-factor authentication. Lightweight identity standards and protocols are used to support on-premises IAM deployments alongside IaaS deployments. (Interested in looking under the hood of Federated Access Management? Check out this blog.) Wherever your organization is on the spectrum of IaaS adoption, Federated Access Management can secure your applications and enable their migration to wherever is most cost-effective.
The challenges are real, and Ping Identity has them covered.
As your enterprise migrates to the cloud, you can run both on-premises and cloud apps, and Ping protects them both. Ping can also integrate a centralized policy with your existing CA or Oracle environment to provide a seamless SSO experience, so you can move your apps into the cloud. Your customers won't even know the difference.