Cloud Computing Hides Big Issues In Corporate Data Sharing
To many enterprise organizations cloud computing looks – appropriately enough – heaven sent. When a company has a business opportunity that demands more processing capacity, or new applications, or adding hundreds of new users, they can dial it up through their cloud computing service provider with slightly more effort than it takes to get lunch delivered. No capital expenses, no vast spikes in maintenance costs, no resource and skill requirements. The cloud is an IT service that helps business move faster, cheaper and smarter.
So persuasive is cloud computing that companies have been known to plunge into it with gusto while turning a deaf ear to warnings from information security officers, who see gaping holes in the corporate data security fabric where business managers see agility and economic benefit. The security officers are usually right. Then again, so are the business managers.
Companies can plow into cloud computing as aggressively as business managers want and with the necessary security – as long as they understand two things. The first is that cloud computing is just one part of a much bigger concern, and needs to be managed as such. The second is that they need a system of control to effectively manage and monitor who has access to their data and what they’re using it for. Without that knowledge, they’re almost advertising for a catastrophic loss of vital information like intellectual property (product data, launch plans, etc.), medical records, personally identifiable information and customer data.
Long before cloud computing, companies were sharing vital information with customers, partners, vendors, and contractors to make business processes run more efficiently and economically. They started with Web commerce, then moved into mobile applications and social networking. Each new information-sharing program opened up another hole in the corporate information security armor. While traditional security was focused on keeping people out of the data center, new security processes needed to be implemented to ensure that only the appropriate people were getting in. Cloud computing is another step on the continuum, and it also raises the stakes. Hosting vital data and applications on a cloud provider’s infrastructure puts vital information outside the corporate wall. Even more importantly, it creates a new set of users who have full access privileges to your data and applications — namely the cloud service administrators.
Between those two factors, organizations are ceding a risky amount of control over vital information.
Too often, without realizing it, they rely on nothing more than trust to keep their data safe. They trust that the right people have the right access to vital information and will use it for the right things, yet they don’t really know who they’re trusting because they don’t know who all of those users are. Their service provider tells them to trust that they are managing user access effectively. Trust, in this context, is a flimsy defense.
Regaining control over vital data means focusing on an often-overlooked aspect of data access – identity and access management. IAM encompasses the business processes and technology automation systems used to provision access, calculate risks to information resources, and eliminate those risks quickly and efficiently. It approaches data security from the perspective of ensuring appropriate user access policy is set; understanding and identifying who your users are; and granting them access appropriate to their roles in the organization.
Policies and roles are central to an effective IAM program. Roles, defined by business managers, enable organizations to classify users in groups and assign them appropriate access privileges based on what they need to do their jobs. A role for front-line retail employees, for example, might include an e-mail account, access to their wage and benefit information, POS systems, file servers hosting relevant documents and remote access privileges. Their manager’s role would include all of those privileges, plus access to time and accounting systems, employee evaluation files, customer and inventory databases and more. The company might create a role for suppliers to allow them to see inventory information and the ordering system. A role for partners might give them access to the project management system to check on the status of joint ventures. Classifying users according to their roles takes the unknown out of the user access equation. The organization “knows” its users according to their roles.
Technology can be a significant asset to help organizations with this challenging process. IAM software systems automate key functions such as role definition and management, provisioning access privileges, access verification and certification, and password management. Automation makes IAM fast, agile and scalable, compared to ponderous and expensive manual systems. Combined with data analytics applications, they can identify associations and patterns that might violate compliance guidelines and company policies, or indicate hidden risks. Organizations that build this kind of infrastructure can implement any kind of information sharing program without creating unreasonable risk to their vital information assets.
Automation effectively helps organizations through all the phases of the identity and access lifecycle:
- defining policies for who should have access to what;
- automatically enforcing this policy for all joiners, movers and leavers to the organization;
- verifying that the access is appropriate, and
- providing ongoing monitoring and managing access risk on a continuous, near real-time basis.
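The role model sketched above (retail associate, store manager, supplier, partner) and the joiner/mover/leaver lifecycle in the list can be made concrete in a few dozen lines. The following is an added illustration written for this article, not code from the author or any IAM product; the role names, entitlement names, the separation-of-duties rule and the "cloud_admin" role are constructed assumptions. It provisions access strictly from the role catalogue, replaces (rather than accumulates) access on a move, strips everything on a leave, records out-of-role grants with a named approver, and runs a certification pass that flags orphaned access, unapproved entitlements and conflicting combinations, which is the "verify" and "monitor" step of the lifecycle.

```python
from dataclasses import dataclass, field
from typing import Optional

# Role catalogue: constructed example values modelled on the retail roles described in the text.
ROLES = {
    "retail_associate": {"email", "hr_self_service", "pos", "store_fileserver", "remote_access"},
    "store_manager": {"email", "hr_self_service", "pos", "store_fileserver", "remote_access",
                      "timekeeping", "accounting", "evaluations", "customer_db", "inventory_db"},
    "supplier": {"inventory_view", "ordering"},
    "partner": {"project_mgmt"},
    # Provider-side administrators of the hosted platform (the new user class the article describes).
    "cloud_admin": {"cloud_console", "customer_db", "inventory_db"},
}

# Entitlement pairs the policy treats as a conflict (assumed separation-of-duties rule).
TOXIC_COMBINATIONS = [frozenset({"ordering", "accounting"})]


@dataclass
class User:
    name: str
    role: Optional[str]                             # None once the person has left
    entitlements: set = field(default_factory=set)
    exceptions: dict = field(default_factory=dict)  # entitlement -> approver


class IAM:
    """Minimal joiner/mover/leaver engine with an access certification pass."""

    def __init__(self, roles):
        self.roles = roles
        self.users = {}
        self.audit = []  # append-only log of provisioning decisions

    def _log(self, event, name, detail=""):
        self.audit.append((event, name, detail))

    def join(self, name, role):
        # Joiners receive exactly the entitlements of their role, nothing more.
        user = User(name, role, set(self.roles[role]))
        self.users[name] = user
        self._log("join", name, role)
        return user.entitlements

    def move(self, name, new_role):
        # Movers get exactly the new role; nothing from the old role is carried over.
        user = self.users[name]
        user.role = new_role
        user.entitlements = set(self.roles[new_role])
        user.exceptions.clear()
        self._log("move", name, new_role)
        return user.entitlements

    def leave(self, name):
        # Leavers are de-provisioned completely.
        user = self.users[name]
        user.role = None
        user.entitlements.clear()
        user.exceptions.clear()
        self._log("leave", name)
        return user.entitlements

    def grant_exception(self, name, entitlement, approver):
        # Out-of-role access is allowed only with a named approver recorded in the audit trail.
        user = self.users[name]
        user.entitlements.add(entitlement)
        user.exceptions[entitlement] = approver
        self._log("exception", name, f"{entitlement} approved by {approver}")

    def certify(self):
        """Compare every user's live access against policy and return the findings."""
        findings = []
        for user in self.users.values():
            allowed = self.roles.get(user.role, set()) if user.role else set()
            if user.role is None and user.entitlements:
                findings.append((user.name, "orphaned", sorted(user.entitlements)))
            for ent in sorted(user.entitlements - allowed):
                if ent not in user.exceptions:
                    findings.append((user.name, "unapproved", ent))
            for combo in TOXIC_COMBINATIONS:
                if combo <= user.entitlements:
                    findings.append((user.name, "separation_of_duties", sorted(combo)))
        return findings


def demo():
    """Walk a few constructed users through the lifecycle and return the IAM state."""
    iam = IAM(ROLES)
    iam.join("alice", "retail_associate")
    iam.join("bob", "store_manager")
    iam.join("carol", "supplier")
    iam.join("provider-ops", "cloud_admin")
    iam.move("alice", "store_manager")  # promotion: old access replaced, not accumulated
    iam.leave("bob")                     # leaver: everything de-provisioned
    iam.grant_exception("alice", "project_mgmt", approver="cio")
    # Constructed drift: access granted directly in a system, bypassing IAM.
    iam.users["carol"].entitlements.add("accounting")
    return iam


if __name__ == "__main__":
    for finding in demo().certify():
        print(finding)
```

Running the demo reports two findings, both for the supplier account whose access drifted outside the IAM process: an unapproved "accounting" entitlement and an "ordering"/"accounting" conflict. The promoted manager with an approved exception and the provider administrator holding exactly their role produce nothing, which is the point of the certification pass: the organization "knows" its users because every deviation from role is either recorded with an approver or surfaced for action.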
Let’s circle back to cloud computing. It carries significant risk due to the location of potentially sensitive information and the need to share that information with a wide variety of individuals. The fundamental technology of cloud computing is no less secure than conventional networking technologies; often it may be more secure. The concern stems from giving up control of key assets and data without effectively managing the risk of doing so. Knowing that a new class of users, cloud provider administrators, will have high-level access to that sensitive information, organizations must manage that access effectively. Giving up the infrastructure and storage of the data does not mean an organization gives up responsibility for managing user access to it. Organizations must work with their service provider to ensure tight policies on which individuals have access to that data for administrative purposes. They need to understand where their data is located; have ongoing controls to provision new users and de-provision users no longer requiring access; and know at all times who has access to the data and what they are doing with it. Controlling who can get to it is the first and most important part of due diligence.
Ensuring that information can quickly and easily get to employees, partners, and customers is becoming a critical business requirement. But opening information systems without the necessary controls exposes the organization to significant vulnerability. Customers, partners, vendors, employees, and contractors must be able to access your information from anywhere and through any means, from a cloud infrastructure to a hand-held device. This free flow of information helps business run faster, smoother, and at lower cost. The advance of technologies like IAM will help ensure that it also flows securely.