19th January 2012

Maintaining control of data is fast becoming one of the hottest topic of 2012, and identity and access risk management (IAM) tools are forming an important part of managing the associated issues. Courion’s Chief Operating Officer, Dave Fowler, explains the issues and solutions available.

Understand Risk: Realising business value from Access Risk Management in the cloud
Dave Fowler, Courion Corporation

Cloud computing offers great advantages for businesses such as low maintenance costs, fast time to implementation, great scalability and unlimited processing capacity. However, to tap into the huge potential of the cloud, businesses need to resolve the security challenges associated with outsourcing data and critical assets to third party cloud service providers.

To achieve that, they need to integrate cloud security into their overall security strategy and establish a robust system of control that effectively manages and monitors who has access to their data and what they’re using it for. But what are the key steps involved?

One of the key issues to address is managing access risk outside the perimeter of the organisation. As cloud computing involves moving security risk outside the data centre, new security processes need to be implemented to ensure that only authorised users have access to sensitive information and are using it in the right way.

Hosting vital data and applications on a cloud provider’s infrastructure creates a new set of users who have full access privileges to your cloud-based data and applications — namely the cloud service administrators. Security issues arise when organisations rely solely on the cloud service provider to keep their data and applications safe. This is a risky strategy which puts security control in the hands of third party service providers.

To be able to regain control over vital data in the cloud, businesses need to establish effective identity and access risk management (IAM) solutions and processes that enforce internal security policies and effectively manage access risk. These systems need to constantly evaluate risk and grant access to company resources in accordance with pre-established rules and policies.

Another essential part of the IAM strategy is the provisioning of roles and user entitlements that enable business managers to classify employees in groups and assign them appropriate access privileges. This approach helps information security officers ensure that only the right people have access to the right information and are using it in the right way.

However, as employees, cloud administrators and stakeholders are moving between different user groups and changing their entitlements, it becomes increasingly difficult to control access rights. IAM technology can help organisations with this challenging process by automating key functions such as granting and revoking access privileges, provisioning access verification and certification, and password management. This not only improves work efficiency, but also strengthens security by enabling fast, agile and scalable IAM, as opposed to ponderous and expensive manual systems.

Furthermore as internal and external factors are constantly changing security risk, businesses need real-time access intelligence tools that constantly evaluate and quantify access risk, while providing a comprehensive overview of where the greatest vulnerabilities lie. This approach will enable organisations to quickly identify associations and patterns that might violate compliance guidelines and company policies, or indicate hidden risks.

Automation of IAM processes, combined with real-time risk monitoring and assessment, will enable businesses to better determine access risk policies and automatically enforce them across the organisation. Furthermore it will enable businesses to continuously monitor and manage access risk for all users, regardless if they have just joined, left or moved within the company.

This is particularly important for cloud-based applications and services. Cloud computing carries significant risk due to the lack of sufficient control of who is accessing corporate assets and sensitive data in a hosted virtual environment. The cloud requires businesses to delegate significant access privileges to cloud service administrators. This poses security risk if these privileges are not effectively managed.

To mitigate risk, businesses need to establish ongoing controls of who is accessing their data and how it is being used. This requires consistent implementation of internal security and compliance policies as well as strict control of user entitlements and how they are being used.

As businesses are under increasing pressure to open their networks to mobile workers, customers, shareholders and contractors, controlling access to critical data is becoming a vital business requirement. Enabling users to access the information they need, anytime, anywhere in the world creates significant advantages for organisations and improves business agility.

By enabling free flow of information, organisations can achieve competitive advantage but only if they maintain control of their data and assets in the cloud. IAM can help businesses achieve such competitive edge without compromising on data security.

Dave Fowler is Chief Operating Officer for Courion, a global provider of Access Risk Management solutions

Related stories: Tips for managing risk in the cloud
                               Retailers still rank security as greatest challenge

Tags: cloud security