7 Steps to Securely Deploy Cloud Apps
April 22, 2015. Featured Article by Chip Epps, OneLogin
In just three years, cloud services have become the fastest-growing technology sector, increasing by 180 percent. Gartner predicts the number of cloud-provisioned office system users will grow 28.5% a year to 695 million users by 2022, constituting 60% of the user universe that will exist by then. However, this fast adoption of cloud apps by organizations of all sizes belies an important fact. If an organization has no centralized way to grant and revoke employee access to hundreds of cloud applications, managing users can be labor-intensive and error-prone, and can leave the organization exposed to crippling security breaches.
Here are seven steps which organizations need to take to securely deploy and manage cloud apps.
1. Automate user provisioning and de-provisioning. Time is money, and the longer it takes to get the right tools like Office 365, Salesforce, and Box into the hands of employees, the longer it takes for them to start being productive. As more organizations transition to a SaaS model, new multi-tenant applications need to be set up. Given the dozens, if not hundreds, of cloud-based applications placed into service, each with its own management console and user store, IT simply can’t interface with every application on behalf of every employee in a manual, one-off manner. Bottom line: manual provisioning is time-consuming and error-prone, and thus impractical at scale.
Make sure your identity and access management (IAM) solution supports automated provisioning and de-provisioning of leading enterprise cloud applications as a natural extension to existing on-boarding and off-boarding processes. For example, when a user is added to the core directory service such as Active Directory (AD), the user is automatically provisioned to the applications associated with that role or group, and access permissions are granted as needed. And when users leave the organization or are terminated, their accounts can be quickly de-provisioned to minimize inadvertent or intentional data corruption or loss.
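The on-boarding and off-boarding flow described above amounts to reconciling a directory of record against each application's user store. The sketch below is an added example, not code from the article or from OneLogin; the group names, users and data layout are constructed for illustration.

```python
# Constructed sample data: the "role or group" to application association.
GROUP_APPS = {
    "sales": {"salesforce", "office365"},
    "engineering": {"office365", "box"},
}

# Constructed directory of record (e.g. an AD export): user -> (enabled, groups)
DIRECTORY = {
    "alice": (True, {"sales"}),
    "bob": (True, {"engineering"}),
    "carol": (False, {"sales"}),        # terminated: disabled in the directory
}

# Constructed per-application user stores as they exist today.
APP_ACCOUNTS = {
    "salesforce": {"alice", "carol"},
    "office365": {"alice", "carol", "dave"},   # dave is unknown to the directory
    "box": set(),
}


def desired_access(directory, group_apps):
    """Return app -> set of users who should hold an account."""
    desired = {app: set() for apps in group_apps.values() for app in apps}
    for user, (enabled, groups) in directory.items():
        if not enabled:
            continue                    # disabled users are entitled to nothing
        for group in groups:
            for app in group_apps.get(group, ()):
                desired[app].add(user)
    return desired


def reconcile(directory, group_apps, app_accounts):
    """Diff desired state against each app's user store.

    Returns (provision, deprovision) as sorted lists of (app, user) pairs.
    """
    desired = desired_access(directory, group_apps)
    provision, deprovision = [], []
    for app in sorted(set(desired) | set(app_accounts)):
        want = desired.get(app, set())
        have = app_accounts.get(app, set())
        provision += [(app, u) for u in sorted(want - have)]
        deprovision += [(app, u) for u in sorted(have - want)]
    return provision, deprovision


if __name__ == "__main__":
    to_add, to_remove = reconcile(DIRECTORY, GROUP_APPS, APP_ACCOUNTS)
    print("provision:", to_add)
    print("deprovision:", to_remove)
```

The de-provision list is the security-relevant output: it contains both the terminated user's lingering accounts and any account that never existed in the directory.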
2. Provide Single Sign-On (SSO) access. With the growing adoption of SaaS over traditional on-premises client-server solutions, users now have access to web-based cloud applications from anywhere, anytime, from any device. However, with each application requiring its own password, with different security requirements and expiration cycles, the complexity increases exponentially as the number of applications increases, as does user frustration. Growing demands to remember, reset and manage constantly changing passwords and URLs across all applications drain productivity. Even more worrisome is that calls into the Help Desk regarding password resets divert IT resources from other strategic focus areas.
Therefore, make sure your IAM solution provides a single point for managing passwords and authentication to all subscribed cloud applications delivered to your organization. Removing per-application password requirements through single sign-on, together with automated provisioning, accelerates access to the right resources and leaves employees more satisfied and productive.
3. Address Mobile Form-factor and Native Applications. Nearly 50% of cloud application requests originate from mobile devices, so mobile applications themselves are an increasingly important tool for driving business outcomes. It’s imperative that mobile applications support a positive user experience; otherwise mobile users will move on to other applications to get their job done. For example, it is cumbersome for users to constantly re-enter their credentials, particularly email-format usernames and strong passwords, on tiny keyboards. This inconvenience will wear on mobile users, who may seek alternatives likely to be less secure.
Make sure the SSO solution you select provides a mobile portal that introduces an SSO experience without requiring multiple passwords to access cloud applications.
4. Manage a Standard Application Catalog Sanctioned by the Enterprise. Business users are quick to explore new applications that deliver the right services and information for them to accomplish a task, whether or not those applications have been sanctioned by the organization. With upwards of 80% of cloud applications used within the enterprise outside IT’s control, having visibility into who is accessing what and where potentially sensitive data resides is crucial.
Make sure that the solution you select maintains an up-to-date catalog of all the cloud apps it supports, and make sure each application supports SSO and automated user provisioning. In addition, double-check that all the cloud applications you have or are interested in are in the catalog.
5. Enable Cross Domain Authentication. Digital business has become more distributed, sharing cloud infrastructures and applications through numerous multi-tenant service providers. For organizations to successfully manage their user accounts across all these applications, they need to begin by federating numerous user directories and cloud app user stores, and reconciling them against a chosen directory of record or single source of truth. As the federation of identities and centralization of authentication become more common to support Single Sign-On (SSO), risk is aggregated at a single point serving multiple services. It becomes critical that additional credentialing or multi-factor authentication (MFA) technologies be implemented alongside federation services to support the levels of assurance (LOA) required to meet trust requirements.
Make sure the cloud identity-as-a-service (IDaaS) provider is tasked with federating identity and access policies and applying rules to resolve conflicts. With that in place, organizations have complete visibility into their users, roles, applications, and behaviors.
6. Centralize Authentication Services via an Identity Provider (IdP). At the crossroads between users and their cloud applications sits Identity and Access Management. As more cloud applications are placed into service and systems become more distributed, organizations must provide trusted authentication across domains. There are three types of authentication factors:
– Something you know: a password or a PIN
– Something you have: a mobile phone or a key fob
– Something you are: fingerprint, voice pattern or iris scan
The password, something users know, is the factor most often compromised, so a second authentication factor should be applied. Mobile phone apps or key fobs that generate a unique PIN at fixed time intervals are the most practical ones, reinforcing passwords with additional authentication mechanisms.
Make sure the solution supports strong authentication services that enforce the policies demanded, including user authentication and additional step-up authentication capabilities for applications.
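A PIN generated at fixed time intervals is typically a time-based one-time password. The block below is an added example, not code from the article or from OneLogin: it assumes the PIN follows RFC 6238 (TOTP over HMAC-SHA1) and shows the server-side check with a clock-drift window and replay rejection; the class name and parameters are hypothetical.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP keyed on the number of elapsed time steps."""
    return hotp(secret, int(at) // step, digits)


class TotpVerifier:
    """Server-side check with a clock-drift window and replay rejection."""

    def __init__(self, secret, step=30, window=1, digits=6):
        self.secret, self.step = secret, step
        self.window, self.digits = window, digits
        self.last_counter = -1        # highest time step already accepted

    def verify(self, code, at=None):
        if len(code) != self.digits or not (code.isascii() and code.isdigit()):
            return False
        current = int(time.time() if at is None else at) // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue              # each PIN is single-use: no replays
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test key, not a real secret
    verifier = TotpVerifier(secret)
    pin = totp(secret, 59)
    print(pin, verifier.verify(pin, at=59), verifier.verify(pin, at=59))
```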
7. Monitor and Attest Application Access. Responding to auditors is a task everyone recognizes as a periodic cost, yet it ensures the organization fulfills its compliance obligations by providing operational checkpoints that verify proper controls are in place. When processes and systems support tasks like defining employee entitlements to applications, tracking management approvals, and responding to changes, the organization’s attestation process proceeds smoothly. Comprehensive audit reporting summarizes who has access to what, and who has accessed what. Doing this in an automated manner across hundreds of cloud applications and countless organizational roles and policies, rather than manually, can save time and money and alleviate a lot of frustration.
Make sure the solution provides the actions necessary to report on user access for audit and compliance purposes, including:
– Inventorying enterprise applications available to the organization
– Identifying employee entitlements to these applications, and associated roles, as well as the information accessible
– Enforcing access control policies unique to each cloud application
– Automating reporting across all cloud applications
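An automated attestation report joins "who has access to what" with "who has accessed what". The following is an added example, not code from the article or from OneLogin; the entitlement register, approver names, log format and the 90-day dormancy threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed entitlement register: (user, app) -> approving manager.
ENTITLEMENTS = {
    ("alice", "salesforce"): "mgr-kim",
    ("alice", "box"): "mgr-kim",
    ("bob", "office365"): "mgr-lee",
}

# Constructed access log lines: "<ISO timestamp> <user> <app>"
ACCESS_LOG = """\
2015-04-20T09:12:03 alice salesforce
2015-01-05T14:40:10 alice box
2015-04-21T08:01:55 bob office365
2015-04-21T23:17:42 bob salesforce
"""


def parse_log(text):
    """Yield (timestamp, user, app) tuples, skipping blank lines."""
    for line in text.splitlines():
        if line.strip():
            ts, user, app = line.split()
            yield datetime.fromisoformat(ts), user, app


def attest(entitlements, log_text, as_of, dormant_days=90):
    """Compare granted entitlements with observed access.

    Returns a dict with:
      unentitled: accesses that have no matching entitlement
      dormant:    entitlements not exercised within dormant_days of as_of
    """
    last_seen, unentitled = {}, []
    for ts, user, app in parse_log(log_text):
        key = (user, app)
        if key not in entitlements:
            unentitled.append((ts.isoformat(), user, app))
        elif key not in last_seen or ts > last_seen[key]:
            last_seen[key] = ts
    cutoff = as_of - timedelta(days=dormant_days)
    dormant = sorted(
        (user, app, approver)
        for (user, app), approver in entitlements.items()
        if last_seen.get((user, app), datetime.min) < cutoff
    )
    return {"unentitled": unentitled, "dormant": dormant}


if __name__ == "__main__":
    print(attest(ENTITLEMENTS, ACCESS_LOG, as_of=datetime(2015, 4, 22)))
```

Unentitled accesses point to an access-control policy that is not being enforced, while dormant entitlements are candidates for revocation at the next review.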
About the Author
Chip Epps is Senior Director of Product Marketing at OneLogin where he helps advance cloud security initiatives and guide the evolution of IAM technologies.