Arraya Insights | December 12, 2019
Cloud has dominated technology conversations in recent years, a trend which shows no signs of reversing come the new year. In its 2020 State of IT Report, Spiceworks projects that hosted/cloud-based services will command nearly 29% of organizational IT budgets next year, a figure on par with 2019 totals. With organizations continuing to spend big on the cloud or, in some cases, only just embarking on their own cloud journey, our team wanted to highlight one larger cloud discussion that doesn’t seem to happen early or often enough.
In truth, identity and access management should be among the first topics covered after the initial decision to move email, an application or some other workload into the cloud. It’s such a big deal that identity and access management actually straddles at least two spots on the Cloud Security Alliance’s Top Threats to Cloud Computing: The Egregious 11 list. It ties into both number four (“Insufficient Identity, Credential, Access and Key Management”) and number five (“Account Hijacking”) on the not-for-profit research organization’s list of the biggest risks and vulnerabilities facing the cloud. Yet, it’s often set aside in favor of other topics.
To remedy this, we sat down with our team of experts to get their take on how to bring identity and access management into cloud conversations sooner rather than later. Here are their six essential talking points:
- What authentication method makes the most sense for our organization? Once the decision is made to move workloads into the cloud, the next decision should be how to allow users to securely reach them. Either internally, or with the help of a partner, organizations must weigh the pros and cons of approaches such as pass-through authentication and federated authentication in order to find the right one for their environment and needs.
- Do we want users to be able to access workloads, apps, etc. from anywhere? Working from home or on the road or from wherever has a definite appeal. However, it may not always be an option, due to internal attitudes or industry regulations. If it is in the cards, follow-up conversations on topics such as conditional access will need to occur. Working “from anywhere” doesn’t have to mean literally anywhere, as organizations may want to restrict access to known countries, circumstances, etc.
- Do you want to enable multifactor authentication (MFA)? Considering how many cyber attacks can be prevented just by turning on MFA, the answer to this question should almost always be “Yes.” Maybe a better question to focus on is: “How are we going to present MFA to our end users?” Users may not be thrilled with extra steps; however, it does help to work with representatives from across an organization to find an approach to secondary authentication that values both security and user experience.
- What are the legal ramifications of our cloud access strategy? Even organizations outside of traditionally heavily regulated industries need to be cognizant of their responsibilities regarding the safety and security of data stored in and accessed via the cloud. Encryption is a huge part of this, including whether or not data must be encrypted both at rest and in motion. Also, laws like GDPR and California’s Consumer Privacy Act reach much further than some realize, making organizational legal counsel an unexpected, yet essential, voice in cloud conversations.
- Do we want to allow data-sharing with third parties? Platforms like OneDrive for Business and SharePoint make it easy for users to share files and collaborate – both inside and outside the organization. Before turning users loose with these or any similar platform, organizations must determine what, if anything, they’re comfortable with users sharing outside of the company. Then, it’s up to admins to put the policies in place in support of that goal.
- How are we going to keep track of all of this? The cloud has developed a reputation as a “set it and forget it” kind of tool, but that’s not the case. Organizations must keep a close eye on their environment and keep a running log of who’s accessing what, who’s making what changes, etc. By maintaining an auditable trail, organizations will be able to get to the root cause of (and correct) issues far faster than they could without one.
Begin the next phase of your cloud journey on a secure foot
Need a hand designing, revising or implementing your own access and identity management strategy? Arraya’s team can help. Our experts have the in-the-field experience and insights needed to help organizations of any size or specialty be more productive and secure in the cloud. Please visit https://www.arrayasolutions.com/contact-us/ to start a conversation with our engineers.