Today, a vast range of cloud-hosted products, systems and components can be procured and deployed at the click of a button. While offering significant cost efficiencies and many other benefits, the use of cloud-based services introduces new considerations. In this blog post we consider the impact of cloud on Identity and Access Management (IAM).
Before the advent of cloud, organisations hosted most of their services on-premise. These were located close to the organisation’s IAM solution, securely positioned behind the firewall. End users would access them from the organisation’s premises or, occasionally, from other locations using a Virtual Private Network (VPN) to acquire an on-premise presence.
Cloud and IAM
The advent of the cloud turns this model upside-down. Today, organisations are replacing their on-premise systems with cloud-based products. This can even include core infrastructure systems, such as Active Directory. The overall effect is to move intelligence from local systems to the cloud, with technical management and policy enforcement following.
If we think about IAM as a framework for applying processes and policies, cloud IAM is essentially no different from legacy IAM. However, a framework needs technology to give it effect; and, as we’ve just seen, the cloud has changed that radically. Let’s look at some of the ways that IAM has evolved to accommodate the cloud.
Before the cloud, service providers would often issue their customers’ end users with credentials to access their service. This was inefficient and insecure because there was no easy way of ensuring that credentials were being assigned, used and revoked appropriately: a leaver’s account at the provider could easily outlive their employment. Other service providers would use their customer’s IP addresses to authorise access instead. This was simple but it constrained access to the customer’s premises, making remote working harder.
Modern cloud-based services use federation technologies that take a completely different approach. With federation, the customer is responsible for provisioning and managing its users, authenticating them, and supplying identity data (e.g., their username or group memberships) that the service provider uses for authorising user access and other purposes. The service provider never holds the user’s password; it trusts a signed assertion (SAML) or ID token (OIDC) from the customer’s identity provider, and must check that assertion’s signature, issuer, intended audience and validity period before acting on it. Common federation technologies include SAML 2.0 and OpenID Connect (OIDC). The customer’s IAM solution provides the federation functionality.
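The following is an added, constructed example (not code from the original post or from any product it mentions) of the service-provider side of that exchange: a relying party checking an OIDC-style ID token from the customer’s identity provider and then making an authorisation decision from the identity data it carries. To keep it runnable on the Python standard library alone it uses HS256 with a shared client secret; real OIDC deployments normally use RS256 with public keys fetched from the issuer’s JWKS endpoint. The issuer URL, client ID, secret and group names are all assumed values.

```python
import base64
import hashlib
import hmac
import json

# Assumed configuration of the relying party (the cloud service).
ISSUER = "https://idp.example.org"        # assumed customer IdP
CLIENT_ID = "crm-app"                     # assumed client_id registered at the IdP
CLIENT_SECRET = b"constructed-shared-secret"  # constructed secret, HS256 only


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(sub, email, groups, now, secret=CLIENT_SECRET,
                   aud=CLIENT_ID, alg="HS256"):
    """Constructed stand-in for the IdP: mint a JWT with the usual OIDC claims.

    The alg/aud/secret parameters exist only so the tests below can build
    tokens that a correct relying party must reject."""
    header = {"alg": alg, "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": aud, "iat": now,
              "exp": now + 300, "email": email, "groups": groups}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    if alg == "none":                     # unsigned token, as an attacker might send
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_id_token(token, now, secret=CLIENT_SECRET):
    """Return the claims if the token is valid for THIS relying party, else raise ValueError.

    Order matters: pin the algorithm and check the signature before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":      # never let the token choose the algorithm
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")               # a token minted for another app must not work here
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        raise ValueError("token not intended for this client")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def validate(token, now):
    """Convenience wrapper: ('ok', claims) or ('rejected', reason)."""
    try:
        return ("ok", verify_id_token(token, now))
    except ValueError as exc:
        return ("rejected", str(exc))


def authorise(claims, required_group):
    """Authorisation stays with the service provider; it only consumes the IdP's identity data."""
    return required_group in claims.get("groups", [])


if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_id_token("u123", "alice@example.org", ["finance"], now)
    status, result = validate(token, now + 10)
    print(status, result.get("email") if status == "ok" else result)
```

Note that the service provider makes the authorisation decision itself; federation only hands it trustworthy identity data. The rejected cases in the test (wrong audience, `alg: none`, wrong key, expiry) are the ones most often missed when a relying party is written from scratch.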
Zero Trust is an emerging security paradigm that sounds complicated but is really very simple. It extends federation to its logical conclusion by architecting for a fully federated infrastructure. If all service access is authenticated using a federation technology, and encrypted using modern web technologies such as TLS, the network itself no longer needs to be trusted: a request from the office LAN earns no more credit than one from a coffee shop, and the VPN stops being the gatekeeper. Users can still work, safely and securely, from any location. Zero Trust makes even more sense in a cloud-based scenario, because services are delivered over networks the customer organisation does not control.
Under Zero Trust, the IAM solution is elevated from a tool for increasing efficiency to the central point of an organisation’s security architecture. Every access decision now depends on it, so its availability, integrity and the strength of its authentication (multi-factor rather than password-only) matter accordingly.
Despite all the hype about cloud, most businesses have on-premise systems and that will continue for the foreseeable future. Cloud offers tremendous benefits, but it isn’t always the answer. Which services are you willing to lose if your internet connection goes offline, the cloud provider fails, or you have a dispute with a service provider? Sometimes there’s no substitute for physical possession.
Consequently, it is important to think about architectures that accommodate a hybrid of on-premise and cloud. In fact, your IAM solution itself might benefit from a hybrid approach to help ensure business continuity in the event of disruption to the on-premise or cloud infrastructures.
The cloud changes IAM by elevating the importance of its role in delivering services to your users and securing your organisation’s resources. When thinking about your IAM architecture, ensure that it has the capacity to scale in terms of demand (users, devices, services, etc.) and infrastructure (on-premise, hybrid, cloud), so that it can fulfil its critical role within your business.
How can New Era help?
Able+ is a comprehensive, future-proof IAM solution that helps deliver your organisation’s digital strategy. As a managed service, Able+ can be operated from the public cloud, a private datacentre, or as a hybrid infrastructure. By operating across any infrastructure, Able+ can be scaled seamlessly to meet your demands.