Subscriptions to digital cloud services are all the rage right now, and there are a lot of reasons why. Take, for example, the ability to scale up operations from tentative prototypes to full market penetration overnight — a core capability of cloud architecture. The upfront infrastructure costs associated with cloud use are also lower, as companies are not required to invest in hardware, data centers, etc. As a result, on-site maintenance costs are lower. Software licensing costs are lower, applications are always up to date, and both the available bandwidth and storage capacity of cloud computing are superior to on-premises computing at the same price point.

Of course, there are tradeoffs. Migrating to the cloud can require surrendering control of your organization’s critical business data, infrastructure, and processes to remote third parties. Relinquishing responsibility for the operation and security of a company’s information systems typically requires a major cultural shift within an organization, which can generate strong internal pushback, leading to issues with operational efficiency and workplace dynamics.

We have decided on our cloud provider. When do we start the migration process?

This was the question I got from the CIO of a medium-sized financial firm, First Choice Financials. He called it a “cloud-first strategy” for all new IT initiatives, which included pushing all on-location and data-center-deployed applications to the cloud. After learning about all the benefits that a cloud-first strategy could provide, the CEO and CFO signed off and embraced the CIO’s new direction. However, there were still a few issues they had to sort out.

Who is in charge?

When moving to the cloud, an organization must have very clear answers for the following questions: Which applications must be moved to the cloud? Which business units and end users will be impacted? Who owns the application and associated data? Who will ensure the organization will remain compliant before, during, and after the move to the cloud? What should the approach be to move applications to the cloud? Should we employ a “lift and shift” approach or completely rewrite the applications in the new platform? Do we have a list of candidate applications? If so, which ones and how do we prioritize them?

Organizations need a comprehensive strategy that will allow them to move their operations to the cloud with minimal impact on operational efficiency. When moving to the cloud, you are presented with a wide range of strategic options, such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS). Each option comes with its own set of advantages and drawbacks. Selecting the right strategy for your business is a crucial step in the migration process, as it will influence every aspect of the organization from culture to production.

When First Choice Financials was presented with multiple cloud migration strategies, the application development team capitalized on an opportunity to optimize their approach to delivering improved business functions. They recognized they could alter their approach and deliver continuous improvements and updates without having to pay for additional overhead costs typically associated with options like Docker, containers, and serverless application development processes. This led the CIO to consider a new architecture for application development, which required considerable redesign and learning. Therefore, the CIO had to answer the following questions: How do we ensure data integrity among various connected systems? Where should we place our massive source data for optimal efficiency? Who will take ownership of transporting data back and forth during the migration phase?

The CIO decided to adopt a “lift and shift” approach in the short term with an eye toward his long-term vision of cloud application development. Once the approach was determined, the CIO turned his attention toward security.

Are we secure in the cloud?

Security concerns don’t go away when digital operations are moved to the cloud. It’s an issue that major players in the industry have been candid about. An Oracle/Intel white paper on the topic acknowledged “there has long been a perception that cloud migration introduces a new source of cyber risk or exposes organizations to additional vulnerabilities.” A separate study by Gartner makes a similar point: “Companies have become comfortable about migrating their infrastructure to the cloud, but the stigma of perceived insecurity persists.” Observers have also recognized both the perception and reality of security threats along with the deterrent effect they have had on organizations contemplating their own digital transformations, though most are quick to offer reassurances about the relative security of public cloud services.

For our client, First Choice Financials, the security question came down to this: How do we give appropriate access to different types of users? Developers need to be able to publish code, debug systems, and patch applications, while end users need to use the application as part of their job. So the security issue led them to ask the question: How do we provision access to new applications?

Provisioning

Even in the comfort of a heavily armored data fortress, the security issue typically boils down to controlling who can request access to the organization’s assets and why they need the access — something that can get quite complicated. For example, there are different types of user roles. In addition to an organization’s current employees, executives, and staff members, there could be job applicants and interns who require some level of access. Suppliers, vendors, and partners might need access, as would contractors and certain outside constituents and stakeholders. However, the types of information and work processes they would need to access will vary, along with the length of time that access should remain available.

First Choice Financials’ authentication technology — an integral element of access management — had to be secure and easy to use for all types of users. Access risk, based on each user’s role, should drive the use of multifactor authentication, risk-based authentication, and behavior analysis technology. Each user would have a specific level of access governed by his or her role in the organization. Privileges and entitlements would be granted to users as defined by their roles.

To properly manage their environment, First Choice Financials required an identity and access management (IAM) program that allowed them to manage users’ identities from creation to deletion on their new cloud systems. There also had to be a way for compliance officers to audit identity governance activity, such as access approvals, user provisioning and deprovisioning, and access reviews. This led them to ask yet another question.

Do we have an identity management strategy?

The policy and governance framework of IAM establishes user credentials and other attributes, and manages the stipulated permissions concerning any roles that may be authorized to enter the system along with the resources that may be available to them. Rules that specify which operations are permissible and what sorts of metadata will be collected, reported, and audited to document the details of each visit are part of the IAM framework. This sort of policy governance is fundamental to regulatory compliance, a growing area of concern to any company storing data.

Other components of IAM include user lifecycle management services, such as provisioning and deprovisioning users, as well as self-service functions like password creation and tools to help administrators manage user identities, including password resets and blocking or deleting users. Directory services that link the names of network resources to their respective network addresses, as well as rights management (provisions that allow the data owner to control his or her information by instructing publishers to manage what recipients can do with it) are also embedded in an IAM system. So is the location of administrative authority, or authorities, and the rules governing interoperability of the system with external federated partner systems.

The IAM strategy for First Choice Financials will define how they manage user identities that will, in turn, enable the “right access for the right person to the right resource at the right time.” This strategy combines the three essential elements of a well-run IAM program: people (whose identities are managed), processes (to manage all operations related to an identity and its attributes), and technology (that will enable digital transformation of manual processes).

It is a complex and dynamic mix. Its elements vary with every institution and business. One size does not fit all. In many organizations, the various IAM functions are scattered among different teams, each operating in its own silo, creating the prospect of contradictory role and policy interpretations and conflicting actions. It is a concern that applies equally to organizations that have migrated to the cloud and those that have not. But IAM is not a function that can be casually handed over to the cloud service. Though the cloud operator might be responsible for implementing technical aspects of IAM, it is the client’s responsibility to craft the underlying policies.

First Choice Financials’ identity management team developed a comprehensive strategy to manage identities in their new cloud environment. They decided to adopt a strategy that would rely on automation in almost all aspects of a user’s identity lifecycle, avoiding the gaps they experienced in their on-premises environment. This allowed them to gain visibility of users, roles, and privileges and act proactively to ensure compliance and a strong cybersecurity posture. The identity-centric approach enabled them to request and allow access based on a least privilege model.
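The role-driven provisioning described under "Provisioning" and the automated lifecycle described above can be sketched as follows. This is an added example, not First Choice Financials' system or any vendor's product; the role catalogue, risk tiers, lifetimes, and the IdentityStore class are hypothetical.

```python
from datetime import datetime, timedelta

# Hypothetical role catalogue (not from the article): entitlements,
# access-risk tier, and the longest a grant for the role may live, in days.
ROLES = {
    "developer":  ({"publish_code", "debug", "patch"}, "high", 180),
    "end_user":   ({"use_app"}, "low", 365),
    "contractor": ({"use_app"}, "medium", 90),
}
# Assumed mapping from access risk to the authentication controls required.
AUTH_BY_RISK = {
    "low": ["mfa"],
    "medium": ["mfa", "risk_based"],
    "high": ["mfa", "risk_based", "behavior_analysis"],
}

class IdentityStore:
    def __init__(self):
        self.grants = {}  # user -> (role, expiry)
        self.audit = []   # (timestamp, event, user, detail) for compliance officers

    def provision(self, user, role, approver, now, days=None):
        if role not in ROLES:
            raise ValueError(f"unknown role: {role}")
        if approver == user:
            raise PermissionError("self-approval is not allowed")
        max_days = ROLES[role][2]
        # Cap the requested lifetime at the role's maximum.
        lifetime = max_days if days is None else min(days, max_days)
        expiry = now + timedelta(days=lifetime)
        self.grants[user] = (role, expiry)
        self.audit.append((now, "provision", user, f"{role} approved by {approver}"))
        return expiry

    def required_auth(self, user):
        role, _ = self.grants[user]
        return AUTH_BY_RISK[ROLES[role][1]]

    def is_allowed(self, user, entitlement, now):
        # Deny by default: no grant, expired grant, or entitlement outside the role.
        grant = self.grants.get(user)
        if grant is None or now >= grant[1]:
            return False
        return entitlement in ROLES[grant[0]][0]

    def review(self, now):
        # Access review: deprovision every expired grant and record the action.
        expired = sorted(u for u, (_, exp) in self.grants.items() if now >= exp)
        for user in expired:
            role, _ = self.grants.pop(user)
            self.audit.append((now, "deprovision", user, f"{role} expired"))
        return expired
```

Running review on a schedule is what closes the gap between a contract ending and the account actually losing access, and the audit list is the record a compliance officer would read.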

Not surprisingly, commercial software has become available to help companies implement IAM systems. Vendors include CyberArk, SailPoint, Okta, Thycotic, RSA, Omada, Oracle, ForgeRock, and many others. But formulating the underlying policies and aligning them with an organization’s strategic business goals is the responsibility of each enterprise. At the same time, an industry of consultants who specialize in working with organizations to design IAM policies has emerged, allowing clients to maximize the value from their data systems, whether they’re in the cloud or on-prem. For every modern organization, IAM is a resource well worth exploring.