Cloud-enabled ‘shadow IT’ driving imperative for IAM reinvention: Ovum

The inherently casual and decentralised nature of cloud services will increasingly push organisations to reconsider their identity and access management (IAM) infrastructure, an Ovum analyst has warned.

Flagging the fact that cloud services are already pervasive within most organisations, Ovum principal analyst for IT security solutions Andrew Kellett said those services’ tendency to handle user authentication through their own services – which are typically poorly integrated with companies’ own IAM services – presented a significant challenge for organisations trying to keep a handle on the flow of business information into employee-managed cloud services.

“The increasing use of cloud-based services is driving the need for better and more interactive single sign-on [SSO] and federated identity management [FIM] facilities,” Kellett said in a statement. “For the foreseeable future, organisations will continue to make use of a mixed range of on-premise, hosted and cloud-based systems and services.”

Those cloud-based services, known broadly as ‘shadow IT’ because they evolve at users’ direction but fall outside the ambit of corporately-managed IT systems, will continue to challenge notions of security control – not only because of their distributed nature, but because their SSO and FIM support tends to be relatively immature.

That leaves businesses with no idea what accounts their employees are using on what cloud-based services – and no way to control the business data that might be stored on those services. Although social-media services like Facebook and Twitter have pioneered identity federation by enabling logons to a range of third-party services, integrating those identities with corporate directory services remains a sticking point.

Some security vendors now offer tools for managing employee logons to a number of higher-profile cloud services, but the proliferation of consumer-managed cloud services – and statistics suggesting 80 per cent of businesses already use some cloud services – means most employees continue to maintain separate cloud-service identities that remain outside the control of their parent organisations, even though they are used for business purposes.

Compounding the problem, in many cases, those identities are managed through employee-owned mobile devices that company IT managers know nothing about – but will see the effects of when varying security protections create gaps in corporate security profiles.

Recognising the more fluid nature of user authentication, vendors must continue to improve the extensibility of corporate identity controls as part of the new IAM. Whether traditional IAM vendors can seamlessly extend themselves to the cloud, or whether cloud-based IAM pioneers start in the cloud and work towards the enterprise, there is still a lot of learning and improvement to be done.

“A new generation of cloud specialists are challenging established approaches to managing identity, and are positioning themselves as offering a more flexible, easier to deploy, and cost-effective approach to managing identity from the cloud,” he said.

“Their ability to operate independently as well as alongside existing IAM providers needs to be tested, as does the range, quality and security of the bridging facilities and application program interfaces (APIs) currently available for delivering access to cloud-based applications.”


Stories by David Braue
