As businesses increasingly leverage cloud storage services, identity and access management in cloud platforms has become a major challenge and risk concern for cloud users.


Overview of Identity and Access Management in Cloud Platforms

The rapid migration of systems and data to the cloud, with cloud storage accounting for $50 billion of the $266 billion total spent on public cloud services by the end of 2020, raises unique concerns regarding data security, identity management and access control. As more businesses of all sizes invest in the tools offered by popular cloud platforms, executives and their IT departments will increasingly need to develop appropriate identity and access management (IAM) policies to address these emerging concerns.

Cloud platform providers are responding to the need for stronger security with integrated IAM solutions. Knowing what offerings are available and how to leverage the tools included in each platform provides a framework for smarter, stronger IAM policies made to address the growing number of potential vulnerabilities and new types of risk associated with connected devices and remote workers in modern businesses.

Cloud computing tools are most commonly offered in two ways: software-as-a-service (SaaS) and platform-as-a-service (PaaS). In a typical SaaS model, the customer pays a monthly or yearly fee to use an application or software platform managed entirely by a third-party provider. PaaS offers more flexibility by allowing customers to control which apps are deployed on a third-party platform.

Cloud Platform Providers

Top cloud platform providers give businesses flexible, customizable cloud environments in which to build networks of integrated and complementary applications designed to support more efficient workflows, improve collaboration and increase productivity. Each provider has its own suite of available applications and range of features to address the diverse requirements of today’s connected businesses.

A white paper published by Identity Management Institute for its members offers analysis of the three major cloud platforms: Amazon, Microsoft and Google.

The Role of Middleware for Identity and Access Management in Cloud Platforms

The job of middleware is to connect client requests made via a network to the data being requested. In cloud environments, these tools may be bundled as part of a PaaS offering or obtained through another provider. The link created by middleware serves to bridge the gap between the front end of an application, which the user sees and interacts with, and the back end, consisting of computers, servers and data storage.

For the purposes of IAM, middleware can be used to simplify authentication and user access across extensive suites of cloud-based applications. Third-party authentication options like Okta, Ping Identity and Symantec VIP are known as authentication-as-a-service (AaaS) and are part of the growing number of cloud-based services being established to support the many businesses migrating to the cloud.


Preserving data integrity requires IAM policies designed to clearly define user roles and privileges and control access to applications within cloud computing platforms. Businesses planning to invest in cloud platforms and move more computing infrastructure to the cloud must carefully assess the security controls available and seek PaaS solutions designed to integrate with, supplement and strengthen existing security frameworks.

As businesses move into the future and embrace updated technologies, flexibility in cloud environments will become more important, and security concerns will continue to evolve. Today’s top cloud platform providers offer scalable, customizable solutions with built-in IAM tools, and it’s up to IT specialists to identify the unique concerns of the businesses for which they work and choose the best solution to address workflow needs and security requirements.

The Sarbanes-Oxley (SOX) Act of 2002 is just one of the many regulations you need to consider when addressing compliance. Also called the Corporate Responsibility Act, SOX may necessitate changes in identity and access management (IAM) policies to ensure your company is meeting the requirements related to financial records integrity and reporting.


What is Sarbanes-Oxley (SOX)?

SOX was passed in July of 2002 in response to a rash of incidents resulting from malpractice in accounting. The regulation added to existing guidelines and included “reforms to improve financial disclosures from corporations and prevent accounting fraud” with the aim of protecting investors from “fraudulent accounting activities.”

All publicly traded companies located or doing business in the U.S. are subject to SOX regulations. The act:

• Increases corporate responsibility for financial reporting
• Establishes new accounting guidelines
• Mandates protections against accounting fraud
• Imposes more serious punishments for noncompliance

Records collected and stored by companies affected by SOX are subject to a number of protocols intended to increase accuracy in reporting and discourage unlawful falsification and destruction of records. With strict rules governing financial reporting and how long records are stored, SOX changes the way many businesses approach accounting.

SOX Compliance Requirements

The first step in SOX compliance is to establish an “accounting framework” to create verifiable paper and data trails for all financial activities. Every action with the potential to affect financial reporting must be traced and documented as proof of compliance, including changes made to financial and accounting software.

In addition, companies must establish internal controls designed to prevent fraudulent activities and reporting. CEOs and CFOs are required to personally certify all records as “complete and accurate” in accordance with section 302 of SOX, affirming they’ve reviewed the controls at least once in the past 90 days.

Section 404 outlines the requirements for monitoring and maintaining controls. Using a framework like COBIT, companies must conduct an annual audit to determine how well the controls are working and report the results directly to the Securities and Exchange Commission (SEC). All audit records, whether physical or digital, must be kept on file for no less than five years.

Should a security breach compromise finances or records, SOX regulations require affected companies to report the incident as soon as possible.

Risk of Noncompliance

Failure to comply with SOX can incur serious penalties. Company executives who certify false reports can be fined up to $1 million for each instance, sentenced to up to 10 years in jail or both. Willful certification of false reports carries a fine of up to $5 million, a jail term of up to 20 years or both. The severe nature of these penalties drives home the importance of having strong security measures, especially since a single accounting error can compound and create several inaccurate reports if it isn’t caught in time.

How Does IAM Relate to SOX?

Because both physical and digital records are affected by SOX, access management is an integral part of compliance. When the act was first passed, many businesses weren’t yet dealing with the complexities of connectivity seen in modern enterprises. However, the requirement to put “adequate internal controls” in place for “financial reporting and governance” extends to IT, especially in environments where multiple device types connect to the corporate network from a variety of locations and a great deal of information is handled in the cloud.

Strategic IAM practices control several factors with the potential to affect financial reports:

• Insider threats
• Data breaches
• Human error

By automating activities such as user provisioning and deprovisioning and implementing granular conditional access controls, companies minimize the risk of unauthorized access and reduce instances of privilege creep. Assigning identities to devices makes it easier to control how and where employees access corporate networks, helping prevent some of the problems associated with establishing and enforcing BYOD policies.

Business IAM solutions also include automatic logging and reporting tools so that clear reports can be generated for every audit. Since corporations tend to have large numbers of employees with various levels of network access, automated logging and report generation are essential for SOX compliance. Without these tools, it would be nearly impossible to track the actions of every user and every device, and suspicious behavior could escape notice long enough to cause serious problems.

All digital security policies, including IAM, should be evaluated for efficacy as part of the annual SOX compliance audit.

Access Management Controls

For SOX compliance, organizations should keep the following access management areas in mind:

• Manage access rights during on-boarding, role changes, off-boarding
• Ensure Segregation of Duties (SoD)
• Maintain access control matrix
• Perform periodic access audits
• Automate reporting
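
The following is an added example, not part of the original article, showing how the controls listed above can be checked together in one periodic access review. The role names, entitlements, users and conflict pairs are constructed sample data, and the function names are hypothetical.

```python
from datetime import date

# Constructed sample data (assumptions, not from the article).
SOD_CONFLICTS = [  # entitlement pairs one person must not hold together
    ("create_vendor", "approve_payment"),
    ("post_journal_entry", "approve_journal_entry"),
]
ROLE_BASELINE = {  # entitlements each role is expected to hold
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment"},
    "accountant": {"post_journal_entry"},
}
USERS = {  # HR view: current role and employment status
    "alice": {"role": "ap_clerk", "active": True},
    "bob": {"role": "ap_manager", "active": True},
    "carol": {"role": "accountant", "active": False},  # off-boarded
    "dave": {"role": "accountant", "active": True},    # moved from AP
}
ACCESS_MATRIX = {  # access control matrix: user -> entitlements granted
    "alice": {"create_vendor", "enter_invoice", "approve_payment"},
    "bob": {"approve_payment"},
    "carol": {"post_journal_entry"},
    "dave": {"post_journal_entry", "enter_invoice"},
}

def review_access(users, matrix, baseline, conflicts):
    """Return sorted (user, finding, detail) tuples for one access review."""
    findings = []
    for user, granted in matrix.items():
        record = users.get(user)
        if record is None or not record["active"]:
            # Access that survived off-boarding, or an account unknown to HR.
            if granted:
                findings.append((user, "ORPHANED_ACCESS", ",".join(sorted(granted))))
            continue
        for a, b in conflicts:
            if a in granted and b in granted:
                findings.append((user, "SOD_CONFLICT", f"{a}+{b}"))
        # Privilege creep: anything granted beyond the current role's baseline.
        excess = granted - baseline.get(record["role"], set())
        if excess:
            findings.append((user, "EXCESS_PRIVILEGE", ",".join(sorted(excess))))
    return sorted(findings)

def report(findings, run_date):
    """Render findings as dated lines suitable for an audit evidence file."""
    return [f"{run_date} {user} {kind} {detail}" for user, kind, detail in findings]

if __name__ == "__main__":
    results = review_access(USERS, ACCESS_MATRIX, ROLE_BASELINE, SOD_CONFLICTS)
    print("\n".join(report(results, date.today().isoformat())))
```
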

Staying in compliance with regulations like SOX is important for the safety of your company and the data you handle. If you haven’t yet put measures in place to ensure compliance with regard to financial records and reporting, work with your IT department to develop an IAM strategy designed to minimize errors, prevent unauthorized access and secure all records during transmission and storage.
