Recently large enterprises have shown a growing interest in cloud computing, however, there is still a need for a better understanding of what implications the introduction of cloud has on their existing identity and access management models.
There are a large number of issues that face information security professionals, especially those focused on identity and access management, when their business adopts cloud-computing, SaaS or PaaS, including controlling what they no longer control, verifying controls are correctly implemented and managing changes in requirements and their risk profile:
However the issue that I find more challenging to address is not the impact cloud-based business application services have on information security organisations but rather the implications of having identity and access management services delivered in the Cloud.
These are the very services that provide the necessary control over the business critical applications businesses rely on that may also exist in the Cloud. Thus the questions information security professionals should now be asking themselves is:
- Will this make it easier or harder to support business application services?
- Will this be necessary to prevent silos of identity being created within separate cloud services?
- Should I do this before or after business application services exist in the Cloud?
- Does it make any difference?
A few years ago our clients wouldn’t even consider outsourcing the application maintenance and development of their identity and access management services. These services were considered too confidential to trust an external party to maintain.
Now we live in a world where identity services themselves might not just be maintained by a third party but they will also be implemented by a third party. This allows the client to define their requirements and put more focus on the strategic activities of their business. Is this fantasy or should we look at identity and access management services in the same way we do any other business application service?
Accenture has been recommending to clients that they need to look at identity and access management services as business applications rather than infrastructure. In actuality these services help manage and control infrastructure, however they are not infrastructure in the traditional sense of pipes and boxes. This suggests that the concept of these services being cloud based is no more fantastic than any other application service.
What businesses should focus on now is whether identity and access management services delivered via the Cloud will help or hinder.