Identity management in the cloud goes beyond security

Here are the best practices to adopt for IAM as you move to the cloud

IAM (identity and access management) is clearly the best security model and best practice for the cloud. That's why some cloud providers, such as AWS, provide IAM as a service out of the box. Others require you to select and deploy third-party IAM systems, such as Ping Identity and Okta.

But you should be thinking of identity management not only as a security technology, but also as a business driver. Thus, when you deploy IAM, you need to focus on the core business processes and on the details around security. This is a shift from the recent thinking in which the business drivers were largely out of IT's consideration.

Enterprises that develop mature IAM capabilities can reduce their identity management costs and, more important, become significantly more agile in supporting new business initiatives.

Those benefits are why it's easy to predict that IAM will be a part of more than 50 percent of the applications migrated to the pubic cloud, but almost 90 percent of new applications built in the cloud.

The more notable best practices emerging around the use of identity-based security with cloud computing are the following:

The integration of cloud-based identity management solutions with enterprise security from the outset. Although many in IT are OK with creating security silos that use different approaches and technologies, such silos are counterproductive over time. You'll eventually need to consolidate around a single security model to be both effective and manageable.

An IAM architecture that supports both cloud and on-premises usage. The IAM tools today are focused either on cloud computing or on on-premises usage. But you want a solution that applies to both cloud and on-premise usage. Focus first on the design and architecture of your identity-based security needs; only then select the technology.

Yes, this will require a more complex tool set, but the underlying architecture should endure through many technology changes. Never let technology lead your requirements or design.

Splurge on testing, including "white hat" security tests. These help you understand where the vulnerabilities exist, which leads you to better approaches for the use of security technology.

So far, IAM systems that focus on cloud computing have a great track record in such testing. However, this could be due to the fact that many on-premises enterprise systems are much less secure and provide better pickings for hackers.

Make sure to consider performance in your design. Although most IAM systems don't slow down proceedings, they can. These are typically issues that are hard to fix after deployment, and they cause issues with security systems because users quickly figure out ways around the security, and thus the performance issues.

Make sure to consider your industry and all required regulations for compliance. These policies are typically managed by IAM tool's identity governance system, and you need to understand them right from the beginning. It's tough to retrofit these policies after implementation.