Cloud-enabled ‘shadow IT’ driving imperative for IAM reinvention: Ovum

The inherently casual and decentralised nature of cloud services will increasingly push organisations to reconsider their identity and access management (IAM) infrastructure, an Ovum analyst has warned.

Flagging the fact that cloud services are already pervasive within most organisations, Ovum principal analyst for IT security solutions Andrew Kellett said those services’ tendency to handle user authentication through their own services – which are typically poorly integrated with companies’ own IAM services – presented a significant challenge for organisations trying to keep a handle on the flow of business information into employee-managed cloud services.

“The increasing use of cloud-based services is driving the need for better and more interactive single sign-on [SSO] and federated identity management [FIM] facilities,” Kellett said in a statement. “For the foreseeable future, organisations will continue to make use of a mixed range of on-premise, hosted and cloud-based systems and services.”

Those cloud-based services, known broadly as ‘shadow IT’ because they evolve at users’ direction but fall outside the ambit of corporately-managed IT systems, will continue to challenge notions of security control – not only because of their distributed nature, but because their SSO and FIM support tends to be relatively immature.

That leaves businesses with no idea what accounts their employees are using on what cloud-based services – and no way to control the business data that might be stored on those services. Although social-media services like Facebook and Twitter have pioneered identity federation by enabling logons to a range of third-party services, integrating those identities with corporate directory services remains a sticking point.

Some security vendors now offer tools for managing employee logons to a number of higher-profile cloud services, but the proliferation of consumer-managed cloud services – and statistics suggesting 80 per cent of businesses already use some cloud services – means most employees continue to maintain separate cloud-service identities that remain outside the control of their parent organisations, even though they are used for business purposes.

Compounding the problem, in many cases those identities are managed through employee-owned mobile devices that company IT managers know nothing about – but whose effects they will see when varying security protections create gaps in corporate security profiles.

Recognising the more fluid nature of user authentication, vendors must continue to improve the extensibility of corporate identity controls as part of the new IAM. Whether traditional IAM vendors can seamlessly extend themselves to the cloud, or whether cloud-based IAM pioneers start in the cloud and work towards the enterprise, there is still a lot of learning and improvement to be done.

“A new generation of cloud specialists are challenging established approaches to managing identity, and are positioning themselves as offering a more flexible, easier to deploy, and cost-effective approach to managing identity from the cloud,” he said.

“Their ability to operate independently as well as alongside existing IAM providers needs to be tested, as does the range, quality and security of the bridging facilities and application program interfaces (APIs) currently available for delivering access to cloud-based applications.”


Tags: Identity And Access Management (IAM), shadow IT, ovum, cloud computing
