Since ancient times, when mainframes roamed the earth, corporations have controlled login access with user names and passwords. The growth of cloud applications is highlighting an old problem – too many logins and too many places to maintain logins. Consequently, IT organizations are pressed to make user changes in more places.
With the mainframe, IBM created a central identity store. When PCs and networks became dominant, Novell and Microsoft created enterprise directories—like Active Directory—for applications to use. A single, authoritative directory makes it a lot easier for IT to control users and application access. This provides a more secure, more private digital environment.
However, the rise of cloud applications is again creating the problem of too many logins. Take, for example, someone leaving the company: who knows what to do with their Salesforce.com account? And what about their Office 365, Box or Google Apps logins? Did they have a login to the training site?
Here’s a breakdown of how to work with multiple logins in your network.
Tracking and Authorizing System Access
Similar to the way security issues an ID card to show the employee is trusted, there should also be a corporate authority for tracking and authorizing access to systems. In addition, someone needs to quickly and completely remove access when an employee is transferred or leaves. The organization, which owns these digital assets, should take the initiative to protect information and digital access.
I recommend two solutions to control accounts – identity management and federation. Both provide features to increase security while simplifying the IT department’s job.
Tracking and Authorizing System Access: Identity Management
Identity management (IDM) automates and tracks user ID information across all of the systems. In many corporations, the HR system takes a prominent role as the authoritative source for employee status and information; that’s what HR systems are built to do. Notifications of changes from HR flow to the identity management software, which has policy-based processes to create the appropriate new accounts, change user information or disable accounts as needed.
Since the identity manager keeps track of what’s been allowed, it can also provide auditors with reports on who has access to what – and when. Direct line supervisors can provide the final word on what employees need and don’t need, since the supervisor is far more familiar with an employee’s role. This includes IT system administrators – think Edward Snowden.
Secure and Orderly Changes
Automating the process can also simplify a secure, orderly termination or transfer of an employee. Cloud-based accounts can be disabled in order of risk. An employee who’s given notice may not need access to customer reports in Dynamics Online, for example, or to update product information on the Office 365 SharePoint server. Exchange email can be automatically archived to avoid deletions. Data leakage and unneeded “orphan” accounts should be avoided.
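As an added illustration of the HR-driven, policy-based provisioning and risk-ordered termination described in the last two sections (this is not code from any IDM product; the system names, roles and risk ranks are constructed):

```python
from dataclasses import dataclass, field
# Constructed catalogue: risk rank (higher = disable first on exit) and entitled roles.
SYSTEMS = {
    "dynamics_online": {"risk": 3, "roles": {"sales"}},
    "sharepoint":      {"risk": 2, "roles": {"sales", "engineering"}},
    "exchange":        {"risk": 1, "roles": {"sales", "engineering", "hr"}},
}

@dataclass
class Identity:
    user_id: str
    role: str
    active: bool = True
    accounts: dict = field(default_factory=dict)  # system -> "enabled" | "disabled"
    audit: list = field(default_factory=list)     # (seq, state, system) for auditors

class IdentityManager:
    def __init__(self):
        self.identities, self.seq = {}, 0
    def _set(self, ident, system, state):
        ident.accounts[system] = state
        self.seq += 1
        ident.audit.append((self.seq, state, system))
    def _reconcile(self, ident):
        # Policy: hold exactly the accounts the role entitles; highest-risk systems first.
        for system in sorted(SYSTEMS, key=lambda s: -SYSTEMS[s]["risk"]):
            wanted = ident.active and ident.role in SYSTEMS[system]["roles"]
            if wanted and ident.accounts.get(system) != "enabled":
                self._set(ident, system, "enabled")
            elif not wanted and ident.accounts.get(system) == "enabled":
                self._set(ident, system, "disabled")
    def handle_hr_event(self, event):
        # HR is the authoritative source: one notification = hire, transfer or terminate.
        uid = event["user_id"]
        if event["type"] == "hire":
            self.identities[uid] = Identity(uid, event["role"])
        elif event["type"] == "transfer":
            self.identities[uid].role = event["role"]
        elif event["type"] == "terminate":
            self.identities[uid].active = False
        else:
            raise ValueError(f"unknown HR event type: {event['type']}")
        self._reconcile(self.identities[uid])
        return dict(self.identities[uid].accounts)
    def access_report(self):
        # Who has access to what, right now: system -> sorted user ids.
        return {s: sorted(u for u, i in self.identities.items()
                          if i.accounts.get(s) == "enabled") for s in SYSTEMS}
    def orphan_accounts(self):
        # Enabled accounts left on inactive identities; the policy keeps this empty.
        return [(u, s) for u, i in self.identities.items() if not i.active
                for s, st in i.accounts.items() if st == "enabled"]
```

Each identity's audit list records the order in which accounts were enabled and disabled, which is the evidence an auditor asks for after a termination.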
Identity management can also create a “same login” for users, so they have a consistent user name and password combination across all cloud and internal accounts. A central reset portal provides self-service and reduces help-desk calls.
Secure and Orderly Changes: Cloud Networks
Many cloud applications can now leverage the internal corporate directory, such as Active Directory. Instead of a separate login, providers like Office 365 can “federate” with the corporation and directly use the corporate login. This means that a password change in Active Directory does not have to be replicated to the cloud service using IDM. Rather, the cloud service asks the corporation whether this is a valid user. As a result, as soon as a user is enabled or disabled in the directory, the change takes effect in the cloud, giving near real-time control.