5 Ways Cloud Identity and Access Management will Impact Your Business
The cloud changes everything, and identity and access management (IAM) is no exception. Cloud-based IAM solutions offer a fast and flexible way to get control of cloud-based application access, quickly and easily. The “state of the art” for cloud IAM is still evolving. Check out our whitepaper for a brief primer of the key concepts and solutions for cloud IAM today.


Whitepaper: Identity and Access Management in the Cloud: A Primer

Table of contents
> Introduction to Identity and Access Management
> Single Sign-On
> Application Integration
> Authentication Technologies
> Identity Federation
> Authorization
> Summary
> About CloudEntr by Gemalto
Identity and Access Management in the Cloud: A Primer

Identity and Access Management (IAM) refers to the set of technologies and policies that control who can access which applications and data and what they can do with those applications and data. The explanation seems simple, but over the years IAM has accumulated a large set of acronyms, standards, implementations and technologies. It has been around for many years in the enterprise software world, and has a reputation for being costly and complex to deploy.

Enter cloud-based applications. Businesses using cloud applications have a whole new set of challenges around managing identity for applications that are inherently outside their control. Their users may not even be within their own networks when connecting to cloud-based applications on the business’ behalf. Whether people are accessing hosted email, using cloud-based CRM or purchasing supplies for the company, the business needs both visibility into and control over application access.

The cloud changes everything, and IAM is no exception. Cloud-based IAM solutions offer a fast and flexible way to get control of cloud-based application access, quickly and easily. The “state of the art” for cloud IAM is still evolving. This document offers a brief primer of the key concepts and issues in cloud IAM.

Single Sign-On

Single sign-on (SSO) is an essential component of a cloud IAM solution because it consolidates access management for diverse cloud applications with one user identity. With a single sign-on solution, a business gives its employees, contractors, partners or other application users access to an SSO portal. Using that single login, people can see all of the applications that they are authorized to use on behalf of the business. They can then connect to each of the applications without typing in or even knowing any further login credentials. The SSO portal takes care of authenticating the user with the application.

Using cloud SSO, you can give business users one login to the single sign-on portal rather than providing them with individual logins for each account. This offers several immediate benefits:
> Cloud SSO simplifies the process of getting new users started and distributing new cloud applications to diverse employees and contractors.
> You can remove access to all applications instantly when someone leaves by simply disabling their login to the SSO portal.
> People no longer have to remember and manage dozens of passwords, and the business help desk no longer has to handle forgotten-password calls.
> Because passwords are managed within the SSO portal, the business can ensure that all password policies are enforced.
> Cloud SSO solutions can audit and report on all cloud application access through the portal.

Application Integration

You must configure any SSO solution to work with the various cloud applications your business uses. The exact integration process will depend on how the SSO solution authenticates with each application; there is no single standard for this step. The method with the broadest reach across applications is a password escrow approach. Using this technique, the cloud SSO application securely stores and manages all of the user’s credentials for their authorized applications, and sends them to the target application behind the scenes when necessary. Identity federation (described below) offers another integration method. Most SSO solutions come with a set of preconfigured integrations; you may need to do additional work for applications outside those sets or for legacy applications.

Authentication Technologies

Consolidating all of your applications behind one login increases the business risk if that login is stolen or phished. Authentication policies and technologies are therefore an important part of any cloud IAM solution. These might include:
> Password requirements (length, complexity, change frequency)
> Secure password reset policies (never sending passwords in clear text in email)
> Configurable knowledge-based questions for password resets
> Support for second-factor authentication (using one-time passwords, out-of-band, biometric or other factors based on your business needs)

Identity Federation

Using federation technologies, two entities (an identity provider and a relying party that consumes the identity) establish a trust relationship, then securely exchange information about user identity using identity assertions. Federation provides another way (besides passing passwords) of offering single sign-on.
Identity federation has significant benefits. You can integrate the cloud identity with internal, on-premise directories like Microsoft Active Directory, so people have only one online business identity. Passwords are never sent to the cloud applications accepting the federated identities.

Multiple identity federation standards exist today, including Security Assertion Markup Language (SAML), OpenID and OAuth. In addition, other sites have proprietary federated or distributed login technologies that compete with these standards. Facebook, for example, has Facebook Connect, which is not strictly federation, and is only as secure as the Facebook login. Even if your cloud SSO solution supports one or more federation standards, it will also need to work with the large number of cloud applications that do not yet support federation and require a user name and password.

Authorization

By further extending identity and access management in the cloud, you could theoretically link a person’s business identity (including their role or group in the organization) with their authorized level of activity on cloud applications. This is generally a function of federation. For example, someone in the Human Resources group would log in to their SSO portal using a federated identity. The SSO portal sees that the user is in the Human Resources group, and gives them access to the application set appropriate for HR. Ideally, the accounts provisioned for the user on the cloud-based application systems would be authorized only to view or work with HR-related files. Automating provisioning at the right level is a further step in an ideal IAM world. While this level of integration may be starting to occur within isolated instances, it is far from reality for most cloud applications. Without widespread standards around cloud application provisioning, this last layer of integration is unlikely to become common soon.
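The federation and authorization flow described in the two sections above, as an added illustration that is not part of the whitepaper and not CloudEntr code: an identity provider issues a signed assertion carrying the user's groups, the relying party (the SSO portal) verifies issuer trust, signature and expiry, and then maps the asserted groups to an application set. The assertion format, the HMAC shared secret standing in for SAML's XML signatures, and the group-to-application table are all constructed assumptions; note that no application password ever appears in the exchange.

```python
import base64, hashlib, hmac, json

# Constructed trust relationship: a shared secret agreed out of band when the
# two parties federated (assumption; real SAML uses X.509-signed XML).
TRUST = {"idp.example.com": b"constructed-shared-secret"}

# Constructed mapping of directory groups to the application set the SSO
# portal exposes for that group (the "HR gets the HR application set" example).
GROUP_APPS = {"HR": ["hr-system", "payroll"], "Sales": ["crm"]}

def _sign(secret, payload_b64):
    return hmac.new(secret, payload_b64, hashlib.sha256).hexdigest()

def issue_assertion(issuer, subject, groups, now, ttl=300):
    """Identity provider side: assert who the user is and which groups they hold."""
    claims = {"iss": issuer, "sub": subject, "groups": groups, "exp": now + ttl}
    payload_b64 = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return payload_b64.decode() + "." + _sign(TRUST[issuer], payload_b64)

def accept_assertion(token, now):
    """Relying party side: return the claims only if issuer, signature and expiry check out."""
    try:
        payload_b64, sig = token.split(".", 1)
        claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    except (ValueError, KeyError):
        return None
    secret = TRUST.get(claims.get("iss"))
    if secret is None:
        return None  # no trust relationship with this issuer
    if not hmac.compare_digest(_sign(secret, payload_b64.encode()), sig):
        return None  # forged or tampered assertion
    if claims.get("exp", 0) <= now:
        return None  # stale assertion, e.g. a replay after expiry
    return claims

def authorized_apps(token, now):
    """Authorization step: map the asserted groups to the application set."""
    claims = accept_assertion(token, now)
    if claims is None:
        return []
    apps = []
    for group in claims["groups"]:
        apps.extend(a for a in GROUP_APPS.get(group, []) if a not in apps)
    return apps
```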
Summary

Cloud Identity and Access Management is still an evolving field. While not as established as on-premise IAM technologies, cloud IAM solutions are in general much easier and faster to deploy and use than their on-premise counterparts. Companies with existing investments in enterprise IAM may choose to extend their capabilities to the cloud through integration with cloud IAM solutions.
About CloudEntr by Gemalto

CloudEntr by Gemalto gives businesses a simple and secure way to manage cloud application access. Using CloudEntr, businesses regain control of their trust networks and cloud applications, while offering users convenient one-click access for all web applications in a single interface. CloudEntr reduces complexity while helping businesses operate anywhere, anytime, and at the right scale. Gemalto’s security and authentication expertise is trusted by many of the world’s largest financial institutions and governments. For whitepapers, video or eBooks, visit www.cloudentr.com/lateset-resources.