Identity Challenges in the Cloud

Organizations are moving more and more applications and other resources to the cloud. In fact, a recent study by Osterman Research found that 68% of organizations are storing at least some or even all their sensitive corporate data in the cloud. That’s creating tremendous challenges for IT security—including identity-related concerns. Here’s what identity teams are up against at a time when apps are as likely to be in the cloud as on-premises.

An Attack Surface That Grows With Every App

Extending your IT infrastructure to include the cloud means adding yet another avenue of attack. The traditional perimeter that you could once guard confidently with a firewall is gone, and now there are as many ways into your resources as there are apps in the cloud. Given the boundary-less nature of an IT environment that exists in the cloud as much as it does on-premises, it should come as little surprise that so many data breaches today are identity-related—81% involve weak or stolen passwords, according to Verizon’s 2017 Data Breach Investigations Report.

When you have resources that stretch into the cloud, it’s not enough to have password protection for those resources. Given the proliferation of what we call “islands of identity”—the separate silos of identity information that exist across all of your on-premises and cloud-based services and applications—passwords can be more of a problem than a solution.

Users Who Want Access—and Want It Now

Eager to work as quickly and productively as possible—wherever they are, and wherever their apps are—today’s users have little patience with access and password policies that threaten to slow them down. And they’re not above going around those policies to get the applications and resources they feel they need. This move to “shadow IT” can put sensitive data and information into cloud apps that the IT team doesn’t know about—and can’t protect.

That eagerness to work anywhere can also lead users to rely on public networks that are vulnerable to unauthorized access. Public Wi-Fi is a well-known example of how cyber thieves can hijack data in cloud apps as it moves through the network. But there are others—even publicly-available device charging stations can provide unauthorized access to sensitive data.

Security Playing Second Fiddle to Convenience

Employees who take access shortcuts that put their organizations at risk can be symptomatic of a larger issue with the organization. These companies may be impatient to provide users with faster, easier, more convenient access to resources—and are willing to sacrifice security to make it happen. You can see this kind of misplaced priority in action when business teams pressure IT to move faster to put cloud services in place, then make a move to shadow IT when it doesn’t happen quickly enough to suit them.

Individuals and teams going rogue with resources in the cloud don’t always realize the identity and access risks they’re creating. They may mistakenly think that the cloud provider’s security is enough to keep sensitive information in cloud applications safe. Or they may simply think that it must be all right, or they wouldn’t be able to do it.

That last observation leads to the obvious conclusion that if identity teams want assurance that users are who they say they are, they need ways to get that assurance in the cloud just as they do on-premises. That generally means two choices: integrate a variety of best-of-breed identity solutions to protect what’s in the cloud as well as what’s on-premises, or find a unified solution that can be deployed across both on-premises and cloud.

There are pros and cons to both approaches, and they’re discussed at length in Deploying and Managing Security in the Cloud, an Osterman Research white paper published in conjunction with RSA. Download your copy for an in-depth discussion of the challenges of security in the cloud—including identity challenges—and the choices available for addressing them.