I2M: Identity, Integration, and Monitoring
Clouds have come a long way in the past decade. They’ve gone from being mysterious, new technology fraught with security risks to what is now the de facto delivery mechanism for modern computing. But clouds are still just tools, and like any other tool, they must be professionally managed. Similar to a firearm, many clouds deploy with built-in safety mechanisms. Use them to your advantage, and the cloud is quite safe. Ignore them, and you may shoot yourself in the foot.
For the record, there are obviously far more than three best practices when it comes to implementing a cloud solution. Establishing SLAs, reviewing audit attestations, and analyzing privacy policies just to name a few. Yet having implemented dozens of enterprise-focused SaaS and IaaS solutions over the past several years, I’ve enumerated three foundational best practices that, if omitted, really do create chaos for an organization. As such, these are the “must haves” as far as I’m concerned, and they are: identity, integration, and monitoring. I2M if you will.
First things first: you need to know who is accessing your cloud (authentication) and define what they’re allowed to do (authorization). Virtually every enterprise-class cloud solution does this quite well, so the cloud technology isn’t an issue. The issue is verifying your user's identity while providing a convenient user experience.
So how is this done? By building an SSO infrastructure with global rules governing multi-factor authentication, device rules, and geographic restrictions. This requires building a centralized identity management platform that supports, at minimum, SAML assertions and multifactor token integration. From there, each and every cloud solution you procure must be integrated with this solution. Moreover, all authentication accounting should be piped to your monitoring solution.
Contrary to popular (mis-)belief, cloud data doesn’t exist in a vacuum. Getting multiple cloud systems “in sync” should be done sooner rather than later. Fortunately, not all cloud systems are mult-master solutions. In other words, it’s often the case that one system of record (like Workday.com) authors a business object (such as an employee) and all other downstream systems simply need a copy of the user object when it’s created or altered.
Similar to the identity best practice mentioned above, having a centralized data integration platform that clouds simply “plumb into” is ideal. This can be done with integration middleware such as integration platforms as a service (or “iPaaS”) and master data management (MDM) solutions. These platforms not only decrease complexity around data synchronization, but they also allow one to implement strong data security and governance policies around cross-cloud data flows.
Ultimately, failing to have an holistic strategy around cloud data flows not only increases security risk surface, it creates operational risks as well. Data redundancy and erroneous copies of data creates immense amounts of confusion and general distrust of the systems at hand. Anyone who has ever had to explain to a CEO why two business systems are conveying different numbers will know where I’m coming from.
Once a cloud has established proper identity management and data integration, many organizations call it a day and move on to the next project. This is a huge mistake, as the lifecycle of the cloud has only just begun. Proactively monitoring cloud usage is absolutely critical to understanding user behavior and preventing data loss.
Companies with no instrumentation to monitor cloud usage are truly bumping around in the dark. For example, they fail to see when a user is simultaneously logging into the system from different countries around the globe. They can’t see that data is being accidentally exposed by shared APIs keys or rogue bolt-on applications that fly under the radar. Thus it’s no surprise that these are often the same companies that not only suffer breaches, but endure breaches that last for years, undetected. It’s quite rational if you think about: how would they know they’ve been breached if they have zero visibility?
Getting a handle on user activity and data usage patterns in the cloud is done with a combination of technologies and processes. A cloud access security broker (CASB) solution is a great start, and security and information event management (SIEM) solution that can consolidate and report on activity from both cloud and on-prem solutions is an excellent investment. Process-wise, ensuring you have up-to-date security contacts with your cloud vendors is also key.
There’s much to be said about cloud best practices. Yet if I have to call out three as the most important, they’d have to be identity, integration, and monitoring. These three areas really do yield the most bang for the buck, and all things considered, provide a quantum leap forward in cloud security and governance.