While securing cloud systems is a top priority, if organizations can’t satisfy auditors that regulated data is being managed in a way that is compliant – the move to the cloud may be a non-starter.
For most organizations, securing the cloud is not enough. As surprising as that may be to some technologists, sound security – as difficult as it is to achieve – is only part of the job. Beyond keeping data secure, many (if not most) enterprises must also answer to any number of government, industry, and internal regulatory and policy obligations. This means that in addition to securing the various systems, as I covered in my previous column, “Considerations for Ensuring Security When Moving to the Cloud,” the security controls that are in place must be verifiable and reportable to whichever governing authority asks for evidence.
There are many ways that a move to the cloud can affect compliance efforts. One of the most important considerations is the cloud’s impact on data governance. How securely is your data being managed by the cloud provider? How can you (if it’s even possible) collect the information needed to report on who had access to the data? When did they access that data? Should they have had access in the first place? And what did they do with the data? Questions like these show where security and compliance collide.
It also highlights one of the biggest challenges: where do the cloud provider’s security obligations end, and where do yours begin? The answers differ considerably depending on the service model in question, for example whether it is Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), or a public or private cloud. In fact, the answers may determine whether it is safe to move a given data set to a particular cloud service at all. It is essential to put in place controls that both protect your data and let you demonstrate that it meets your regulatory compliance obligations.
Centralized Identity is a Foundation to Cloud Security and Compliance
When data is moved to the cloud, identity and access control plays a central role for both security and regulatory compliance. This is a much more significant issue than simply managing identities “in the cloud.” Enterprises need technologies that let them extend the enforcement of access rights from their on-premise systems out to their SaaS and cloud environments. That way, users who do not have access to protected customer information, or any other sensitive information, in on-premise applications will not inadvertently end up with access to it on your cloud systems. Having identities managed consistently across these systems also means that, when your organization is audited, it is straightforward to show who has access to which data and why.
These capabilities matter for workloads as well as for users and data. Consider a virtual machine that holds financial information material to a public company. Because of its Sarbanes-Oxley relevance, this virtual machine cannot be allowed to run outside a defined, controlled internal domain. If identity and the related placement policy travel with the workload, an attempt to move it to an off-premise cloud can be detected and blocked. Note that the policy can only be enforced by something outside the workload itself, such as the hypervisor or orchestration layer that is asked to perform the move; a policy the virtual machine merely carries does nothing if its image is copied and started somewhere else.
Another reason an identity management capability should span physical, virtual, and cloud systems is that it eliminates the need for a separate identity management system in each environment. Such a hodgepodge could require separate subsets of controls, spread across many disparate systems, for each regulation you are subject to, such as the Payment Card Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA). Being able to manage identity centrally across all of these environments makes compliance management and governance initiatives much more straightforward. A move to a private cloud, for example, need not mean building a new set of HIPAA access controls; it can be as simple as extending the existing identity policy to the new environment, with the same reporting behind it.
In another scenario, consider employees who leave the company or change job roles. It is far more manageable if their access can be de-provisioned centrally, or their privileges updated, across all of the cloud, virtual, and physical systems at once. Without centralized identity management, the risk of leaving orphaned accounts behind in one environment or another rises significantly, and each orphaned account is both a likely audit finding and a standing entry point for whoever still holds its credentials.
Additionally, use other monitoring tools, where possible, to observe whether the policies and controls in place are actually effective. These include log monitoring, identity and access management reports, and security information and event management (SIEM). Integrate these tools with your identity and access management system whenever feasible, so that an access event in any environment can be tied back to a known identity and to the policy that granted the access.
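The two checks the preceding paragraphs ask for, that cloud entitlements do not exceed what a user holds on-premise and that no account survives in any environment without a live owner in the central directory, can be run as a simple reconciliation. The following is an added example, not code from the column; the directory and the per-environment account inventories are constructed data, and the environment names, entitlement labels, and the `Finding` type are assumptions made for illustration. In practice the inventories would be exported from the directory, the virtualization platform, and each SaaS tenant’s user API.

```python
"""Reconcile a central identity source against per-environment account lists.

Added example (not from the original column). All data below is constructed.
Two kinds of finding are produced:
  - orphaned accounts: an account in any environment whose owner is terminated
    in the central directory, or is unknown to it entirely;
  - access drift: an entitlement granted in a cloud/SaaS environment that the
    same identity does not hold in the on-premise reference environment.
"""
from dataclasses import dataclass

# Constructed central directory: account name -> lifecycle status.
DIRECTORY = {
    "alice": "active",
    "bob": "active",
    "carol": "terminated",
    "dave": "active",
}

# Constructed per-environment inventories: account -> entitlements granted there.
ENVIRONMENTS = {
    "on-prem-ad": {
        "alice": {"customer-pii", "finance"},
        "bob": {"customer-pii"},
        "carol": {"customer-pii"},      # left behind after carol was terminated
        "dave": set(),
    },
    "vmware-private-cloud": {
        "alice": {"finance"},
        "svc-backup": {"finance"},      # service account with no directory owner
    },
    "saas-crm": {
        "alice": {"customer-pii"},
        "bob": {"customer-pii"},
        "dave": {"customer-pii"},       # dave holds no such right on-premise
    },
}


@dataclass(frozen=True)
class Finding:
    kind: str          # "orphan-terminated" | "orphan-unknown" | "access-drift"
    environment: str
    account: str
    detail: str


def find_orphans(directory, environments):
    """Accounts whose owner is not an active identity in the directory."""
    findings = []
    for env, accounts in environments.items():
        for account in accounts:
            status = directory.get(account)
            if status is None:
                findings.append(Finding("orphan-unknown", env, account,
                                        "no directory identity"))
            elif status != "active":
                findings.append(Finding("orphan-terminated", env, account,
                                        f"owner status is {status}"))
    return findings


def find_access_drift(directory, environments, reference_env="on-prem-ad"):
    """Entitlements held in a non-reference environment but not on-premise."""
    baseline = environments[reference_env]
    findings = []
    for env, accounts in environments.items():
        if env == reference_env:
            continue
        for account, grants in accounts.items():
            if directory.get(account) != "active":
                continue  # reported by find_orphans instead
            extra = grants - baseline.get(account, set())
            for grant in sorted(extra):
                findings.append(Finding("access-drift", env, account,
                                        f"{grant} not held in {reference_env}"))
    return findings


def reconcile(directory=DIRECTORY, environments=ENVIRONMENTS):
    """Full report: orphaned accounts first, then access drift."""
    return find_orphans(directory, environments) + find_access_drift(directory, environments)


if __name__ == "__main__":
    for f in reconcile():
        print(f"{f.kind:18} {f.environment:22} {f.account:12} {f.detail}")
```

Running it against the constructed data reports carol’s leftover on-premise account, the unowned `svc-backup` account in the private cloud, and dave’s extra `customer-pii` grant in the SaaS application. The on-premise directory is used as the reference deliberately: it is the environment that already sits behind the existing audit evidence, so anything the cloud grants beyond it is exactly what an auditor will ask about.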
Many enterprises have already virtualized much of their environment, and they are increasing their use of cloud services. This is rapidly shifting where data is located and how IT systems are managed. The need for the security and compliance controls that enterprises have used for years on-premise is not going away; those controls need to be extended to cloud environments. Few technologies, if any, are as important to that effort as those that manage identity consistently across all of these environments.