Peter Boyle, CTO, Burning Tree
Peter Boyle, CTO, Burning Tree

Identity and Access Management (IAM) is often an afterthought when organisations migrate to the cloud. Ninety-nine point nine percent of customers will have already gotten something in the cloud before they realise that IAM needs to be part of their digital strategy. 

Moreover, many businesses are buying into cloud services without consulting their IT and security teams; resulting in kneejerk reactions further down the line that often negate the benefits of using those services to start with. 

The challenge of migrating applications to the cloud 

Affordability and accessibility is driving cloud services adoption. As a result, we are increasingly seeing that businesses are bypassing IT departments when making decisions about cloud applications. For example, a sales team wanting a CRM service uses its own budget to get Salesforce or another CRM tool, without consulting across the organisation. 

Let's dispel a few myths about cloud security. In many cases moving an application to the cloud does not expose the organisation adversely. Cloud technologies are relatively mature and many applications come ready with IAM and security capabilities. 

However, when cloud applications are adopted without the knowledge of the CIO or the CISO, the business may be exposed. This happens regularly, particularly with customers using cloud CRM applications or outsourcing their ARP platforms where large volumes of private data are moved into the cloud without any consideration for legislation and regulatory requirements. GDPR is a prime example of this, with many decision-makers in organisations unaware of the implications for their business. 

Consequently, when the security team finds out that cloud services have been purchased without their knowledge, they then attempt to take control. This can be a much more costly approach and can expose the organisation to unnecessary risk as well as potentially exposing loss of controls essential for governance and compliance. 

Best practice is to conduct a proper risk assessment before migrating anything to the cloud, and understand what information is being put into the cloud, how to protect it and how to control access. The cloud isn't scary when you understand the risks. 

Privacy and data governance 

In theory, once in the cloud, organisations have less control over where their data is stored. Conversely when you store it in your own data centre, behind your own firewalls, you know where it is. 

The concern is that by running identity services in the cloud, an organisation could infringe data sovereignty regulations or other compliance requirements. However, IAM vendors are addressing these issues with solutions that are specifically built for the cloud, not just ported from on-premise applications. There is also the ability to build some capability yourself from a raw set of APIs – more tailored to your own needs. While there are still complexities around GRC and reporting in the wider IAM sense; authentication, customer registration etc., is all entirely possible in the cloud. 

User experience vs security 

From a consumer perspective, an overly complex approach to IAM can be a barrier to good customer service. How many usernames, passwords and answers to security questions do you have to remember? It is a challenge for organisations to balance user-experience with security and access control. 

Even with a diverse user-base – such as an enterprise with employees, suppliers, corporate clients, and consumers all requiring cloud access – it is possible to create IAM solutions that do not destroy the user experience. 

For example, social login can be used for customers as an initial entry point but additional identification is required for transactional activities or access to more sensitive information. Step-up authentication allows companies to secure cloud systems in an appropriate way, aligned with risk. It offers a higher level of assuredness so the business can be more confident that the person is who they say they are. 

Innovation in cloud security technologies is developing at a rapid pace. Solutions are being developed that will enable an even more seamless user experience without the need for cumbersome authentication methods. Frictionless adaptive authentication is one such development that looks at behaviours and activities to determine the risk and identity of a user. These solutions personalise and simplify the customer experience, removing friction points, and at the same time giving organisations a greater level of assurance in terms of security. 

The Internet of things 

Another challenge is how to manage identity and access management in a world full of connected devices. By its nature, the IoT requires cloud access and therefore IAM. 

Today when we think about IoT we might think about our smart energy meters or connected fridges. For these there are identity and security issues, for instance if a cyber-criminal was to access data from a smart meter they could tell when someone is at home or on holiday. 

However, the IoT is much bigger than connected kettles and doorbells. For some customers the “thing” in the IoT is a fighter jet! 

Moving forward, the traditional way of dealing server security must change. It's going to be critical to be able to look at the network level and see what the usual pattern of network activity is and what isn't - even if that's just the network flowing in and out of your home. The IoT threat landscape is evolving as fast as the applications are, and behaviour will be a key factor in IAM. 

Digital transformation is exciting. There are a multitude of benefits for organisations and their customers. Embrace the change, just don't forget security and IAM, it shouldn't be an afterthought because that can have major repercussions on your business.

Contributed by Peter Boyle, CTO, Burning Tree

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.