The reality we face

Breakthrough technologies like big data, machine learning and AI are forcing companies to need more and more computational power. Because those same companies need to stay competitive, migrating to the cloud is the most cost-effective way to meet that demand. Although previous times of change (like Covid) forced companies to adopt hybrid technological postures, today not migrating to the cloud represents a loss of competitive advantage. So now it is cloud, more cloud than ever.

Moving to the cloud may pose the following challenges:

  1. Diluted corporate network edge: How far could we go with our security controls?
  2. Lack of consistency in security controls: Given the proliferation of different SaaS and PaaS, security baselines are not born the same.
  3. A password away from disaster: Whatever you put in the cloud sits outside the corporate network, so requiring users to be on that network is often not possible.
  4. Increased risk from outsiders: Outsiders are now able to reach your systems from outside.

Introducing IAM

An Identity and Access Management (IAM) system is a collection of processes and technologies to manage and secure identities and resources within a given organization. The system supports the following tasks:

  1. User Provisioning: Creating, modifying, and deactivating corporate identities.
  2. Authentication: IAM systems provide one or more authentication methods for the subject to prove identity.
  3. Role-Based Access Control (RBAC): Bundles of privileges are known as roles. Those roles are assigned to groups, and users are assigned to those groups.
  4. Accountability: Activity is tracked, and a log registry is generated.
  5. Auditing: An entity checks identity behaviour against current corporate policies. These activities are often carried out automatically by the same applications that handle accountability.
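
A minimal sketch of the provisioning, RBAC, accountability and auditing tasks above, added here as an illustration and not taken from any IAM product. The Directory class, the role, group and user names and the two audit rules are all assumptions.

```python
# Added illustration: users -> groups -> roles -> privileges, with an
# accountability log and an automated audit. All names are hypothetical.
from collections import Counter
from dataclasses import dataclass, field

ROLES = {  # role -> bundle of privileges
    "hr-reader": {"hr:read"},
    "hr-admin": {"hr:read", "hr:write"},
    "billing-admin": {"billing:read", "billing:write"},
}
GROUP_ROLES = {"hr-staff": {"hr-reader"}, "hr-managers": {"hr-admin"},
               "finance": {"billing-admin"}}  # group -> roles

@dataclass
class Directory:
    groups: dict = field(default_factory=dict)  # user -> set of groups
    active: dict = field(default_factory=dict)  # user -> bool
    log: list = field(default_factory=list)     # accountability trail

    def provision(self, user, groups):
        self.groups[user], self.active[user] = set(groups), True

    def deactivate(self, user):
        self.active[user] = False  # record is kept so old log entries resolve

    def privileges(self, user):
        # Resolve user -> groups -> roles -> privileges.
        roles = set().union(*(GROUP_ROLES.get(g, set())
                              for g in self.groups.get(user, ())))
        return set().union(*(ROLES[r] for r in roles))

    def authorize(self, user, privilege):
        if not self.active.get(user, False):
            decision = "DENY:inactive"
        elif privilege not in self.privileges(user):
            decision = "DENY:no-privilege"
        else:
            decision = "ALLOW"
        self.log.append((user, privilege, decision))  # every decision is logged
        return decision == "ALLOW"

    def audit(self, max_denials=2):
        # Assumed policy: no activity after deactivation; repeated denials
        # for one identity are flagged for review.
        findings, denials = [], Counter()
        for user, _privilege, decision in self.log:
            if decision == "DENY:inactive":
                findings.append((user, "activity after deactivation"))
            elif decision == "DENY:no-privilege":
                denials[user] += 1
        findings += [(u, f"{n} denied requests")
                     for u, n in denials.items() if n >= max_denials]
        return findings
```
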

IAM vs CASB

Conceptually, the two solutions are not substitutes but complements. The CASB (Cloud Access Security Broker) is the system through which everything passes, while the IAM gives content to the inbound and outbound connections, managing the traffic. Right now, many modern IAM solutions are sold in a SaaS model, eliminating the need to deploy your own CASB (with the risk of it becoming a single point of failure).

Basic technological features of an IAM:

  • Delivered as SaaS: There is no need for a local appliance to hold the information being managed. The system is usually billed by the number of managed identities, giving SMEs access to a complex system like this for the first time.
  • Authentication technologies: SSO (commonly used protocols include Security Assertion Markup Language (SAML) and OpenID Connect (OIDC)) and MFA (including FIDO).
  • Role-Based Access Control (RBAC): RBAC assigns permissions based on user roles, ensuring that individuals have appropriate access rights.
  • Privileged Access Management (PAM): PAM restricts privileged accounts (admin, superuser) and monitors their activities to prevent misuse.
  • All those systems have a logging system where records are stored and can be consulted when needed.

The good news is that since IAM is also offered as SaaS, it is quick to implement. Reference vendors in this field are:

  • Okta
  • Microsoft Azure Active Directory (Azure AD)
  • OneLogin
  • Ping Identity

If, because of a security policy or requirement, identity must be processed internally, you may consider an on-premises identity solution in combination with a CASB to reach the cloud. In this regard, some of your options are:

  • Netskope
  • Palo Alto Networks
  • Zscaler
  • Forcepoint

What to look for?

When considering the procurement of one of those solutions, remember to weigh effectiveness and efficiency:

  • Effectiveness: If there is a product you can’t integrate with, stop exploring it and look for an alternative.
  • Efficiency: Look at the TCO (Total Cost of Ownership), considering cost to implement, cost to substitute, cost to operate and risk in the whole operation. In general terms, if the company is an SME, SaaS options are more suitable, whereas for a big corporation it could depend on a plethora of factors.

