Access Governance in the Cloud Age (Part 3 of 3)
Part 1 of this 3-part article defined access governance, and part 2 described some of the unique challenges poised by cloud applications. In this last part, I provide some recommendations based on our experience bringing cloud applications under governance.
Similar to any evolving technology, cloud applications will continue to change and advance, and the advent of standards, particularly in security and IAM, as well as the adoption of common interfaces will ultimately prevail, but it will take some time before this happens. In the meantime, adoption of cloud applications will continue to push the envelope of the organization’s IT security tolerance and agility. So, here are my recommendations to those tasked with bringing cloud applications under governance.
1. Invest in Education
This is not to be confused with attending an instructor-led class or getting certified, even though doing so can certainly help. In this bleeding edge area of IT, education means getting involved with peers in the industry, participating in industry forums, and reading information in the blogosphere (articles like this for instance), and learning to filter noise, from vendors who may not have the most objective of views. I commend the work coming out of the Cloud Security Alliance, particularly in the formulation of practices and guidance for the cloud that brings best security practices to this space.
I suggest that you also invest time in understanding security assessment and management frameworks that are relevant to your IT security and IAM operation, such as ISO 27001, ISO 27002, and COBIT. In the end, the principles and practices advocated by these standards will apply directly regardless of who hosts the application and where.
More recently, we find continuous auditing concepts being brought up in the context of IAM. It seems this approach is expanding beyond financial services, where it has been most commonly adopted, and becoming mainstream in the industry – it may be worth familiarizing yourself with it.
2. Embrace the Cloud
Repeat after me “cloud applications are not evil, they are here to help, and they are here to stay”. This is truly a mindset.
The fact is cloud applications will inevitably be part of the access governance scope, given their increased business value. Organizations will need to continue meeting their governance requirements, just like they need to do so today with on-premise applications. So, being proactive in defining policies for how cloud applications are to be dealt with from a governance perspective will help the process of actually bringing them into the fold.
Ensure that the essence of the policy can be understood by IT security folks, but also by business stakeholders. For instance, make an IAM and access governance assessment criteria for cloud applications available (say as an RFP template), so that those lines of business that go on a shopping spree for cloud applications will at least ask the right questions of the prospective cloud application vendors. Some of the items you should include in your cloud application assessment are:
- Ensure that you have defined an approach to gauging risk according to your data classification policies.
- Compile a comprehensive security assessment questionnaire that considers access governance, as well as privacy and identity information. Find out how the vendor deal with PII data and protects privacy
- Have a procedure (or set of procedures) to identify gaps, based on your security assessment questionnaire, and then define a process for how to go about remediating these gaps. At a minimum, you should have a good understanding of what the gaps are, and have an approach or an engagement model with the cloud vendor to resolve them. This will help you identify which battles to pick with your vendor, and set the expectation with them on how you expect to go about closing the gap(s).
- Ask the business stakeholders who are going to be the administrators for the cloud applications, who approves access and what should be the approval process. Remember to have a process to replace approvers or administrators if their business function changes or if they are terminated. Avoid the pitfall of having IT staff making business decisions on who should have what access
- Remember to define good SLAs and recourses for situations that are important to you: unauthorized access, data loss, and privacy violations. How much is an outage or a breach worth to your business owners? Remember, having very strict SLAs with penalties will also increase the cost of using the cloud application, which could discourage the cloud vendor, so ensure that you are clear on what is a must-have versus a nice-to-have.
3. Raise Awareness
This is not something that applies just to cloud application security, but to IT security in general. Proactively raising awareness about security risks upstream at the business and end user stakeholders’ level will pay dividends downstream. This is something the IT security group should champion. Think about how firefighters normally spend most of their time visiting schools and educating the population about fire hazards, how to avoid them, and how to react in case of a fire. This will sure bring another meaning to “firefighting” in IT.
Many tools and resources are available to aid in raising awareness in IAM and IT security. A good example of resources are the concise and informative training clips that my friend Guy Huntington offers, which are intended for non-technical audiences to raise their IT security and privacy risk awareness.
Awareness will also help business stakeholder better understand why they should involve IT Security early on in evaluation process of a new cloud application; and this should reduce the cases of IT security getting blindsided.
4. When possible, Leverage your Existing Access Governance Framework
Treat cloud applications as just another system or application based on their sensitivity and risk levels. Leverage existing tools for access request, approvals, role management and access recertification wherever possible. There are tools that help you automate, but automation is not the only way you can achieve good access governance.
5. Reconcile Frequently
You may need to do this just to stay on top of cloud applications' subscription fees, but recognize that reconciliation is an important control in your access governance framework regardless of where the application sits.
6. Re-assess Periodically
Update and maintain your “cloud” security assessment policies, reflecting the knowledge and experience you have gained.
Ensure that you keep cloud vendors on their toes for identified security gaps. Leverage industry and customer forums, and other venues to raise visibility on the issues you have found. Chances are you are not the only one facing them, and can benefit from collaborating with other organizations, presenting a united front to push the vendor to address deficiencies; if you cannot get them to move on your own.
Stay abreast of advances and the planned roadmap of your cloud vendor as it relates to Security and IAM. Eventually, they will adopt open standards-based interfaces.
That’s it in this 3-part series. If you read through all three, my hope is you found them valuable, especially if your organization is wrestling with bringing cloud applications under governance (even if not by choice). As always, I look forward to your comments and feedback.