The Truth About Cloud Identity Management
by Mark Adams, on 20-Aug-2015 15:51:00
Did you know that 61% of people use the same password for multiple accounts or applications?
Those same people usually like to use really easy-to-remember passwords and write them on sticky notes to place on their computer screen for all to see.
Those are obviously bad habits. But you can’t exactly blame people since there are literally thousands of cloud services out there that require authentication.
The truth about cloud identity management is that because there are so many accounts and applications to keep track of, it takes discipline to make sure they’re all being handled correctly—especially within a business or an organization. But is there a good way to manage all of the user identities within a company?
To find out, we’re going to look at where cloud identity management currently stands, where it’s headed, and what it all means for you.
The Current State Of Cloud Identity Management
Cloud identity management is not just about authentication—it’s about an application understanding who you are and what data you should have access to within that service or app. Unfortunately, we’re a long way from cloud services being able to do that.
Currently, as you move from one cloud solution to the next, there is no way for each service to know who you are—you’re just another login, potentially with a license type (standard or premium) attached to your name. Cloud applications don’t know what your role is in a company, and they certainly don’t know why you’re accessing the service or what you want from the experience.
This means you get a very disjointed user experience. You may be a finance manager logging into a new service, but you can’t access any finance information because the service doesn’t know that’s what you’re looking for. There are systems with built-in password management (Safari, Chrome, Android, Windows, Mac), but these become problematic when you want to use multiple browsers or platforms.
And the problems aren’t limited to one person trying to access multiple services; they also arise when multiple people try to access a single service.
Some companies say they only want to pay for one user license, so they’ll have four employees working from one login. But that can have serious ramifications. Does the password for that account get changed on a regular basis? What happens when someone changes the password without telling everyone else? What happens when multiple people have access to data in the account that they really shouldn’t be seeing? Most people choose not to think about these things.
There are solutions out there (like LastPass) that save your password across multiple services, but those solutions are directed toward a single user or users in small businesses, not large enterprises. The current enterprise solutions are based on Active Directory (even though 5% of users in a company’s Active Directory are no longer even employed there) and only work inside the company’s firewall. Outside the firewall, they’re useless.
Where Cloud Identity Management Is Headed
Although only in the embryonic stages, multi-cloud and cloud management are seeking to bring all of these services together, creating a single user identity that can be used across all services. Your identity, which would be created based on your role within a company, would be centrally managed in a single cloud management platform.
When you set up your identity in that platform, you’d be able to tell the service if you’re in accounting, marketing, or sales, and then you’d get authenticated against those criteria when using each solution in the platform.
What Does That Mean For You?
The problem with cloud identity management is similar to the problem with shadow IT, in that many companies want to “bury their heads in the sand” and ignore that there even is a problem. But because there is no industry standard around identity management yet, it’s up to organizations to come up with policies and useful advice around how identity management should be done if they want the problem to be fixed.
Create An Identity Management Policy
Just like your company needs a shadow IT policy, you need a password policy with 5-10 bullet points outlining your password requirements. Think about what you want your employees to know as they create passwords, and keep track of those thoughts. Once you’ve put them together in a policy, make sure it addresses the most important issues by asking these questions:
Do I address the multi-device environment my employees are working in?
Do I address the bad habits employees may be using?
Do I issue recommendations around passwords? (Password length, special character requirements, etc.)
You’ll also want to look at whether your company is using consumer cloud services or services that are made for businesses. Business services have more built-in identity control—not just in the security of passwords, but in managing those passwords and identities. They also have an administrator setting that allows one person to control password resets. If you aren’t using these services, it’s time to start.
By centralizing the control of your cloud solutions, and using the right services with the right security settings, you’ll begin to see improvements in your cloud identity management.