The new document sets out recommended best practices, intended as a roadmap to a comprehensive set of controls for assuring identities and securing access management.
IAM covers the people, processes and systems used to manage access to enterprise systems and information. The recommended implementation first verifies the identity of an entity, then grants the appropriate level of access based on the protected resource being requested, the assured identity and other contextual information.
In a cloud context, where several externally hosted applications are being delivered, centralizing user identity becomes key: the identity store effectively serves as the perimeter. Enforcing appropriate access controls is also critical to preventing malware from being inadvertently introduced through malicious cloud apps.
“Staff who have admin rights can unwittingly or irresponsibly download applications that contain malware and cause significant problems if entered into the corporate network,” said Paul Kenyon, Avecto co-founder and COO.
Survey results from Avecto show that 39% of IT professionals report malware arriving through unauthorized applications downloaded onto their network, and nearly 40% report a network infection resulting from at least one unauthorized application.
“The cloud presents organizations with a whole new set of challenges when it comes to assuring proper identity controls and access to privileged resources,” said Patrick Harding, CTO of CSA member Ping Identity.
The IAM components addressed in the guidance report include: centralized directory; access management; identity management; role-based access control; user access certification; privileged user and access management; separation of duties; and identity and access reporting.
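To make several of those components concrete, here is an added example (written for this page, not code from the CSA guidance or from any vendor quoted above) of a minimal centralized directory that enforces role-based access control, rejects role assignments that violate a separation-of-duties rule, verifies identity before resolving permissions, applies a contextual check to a privileged action, and records every decision for identity and access reporting. All role, permission, user and context names are made up for illustration.

```python
"""Added example: RBAC with separation-of-duties constraints, contextual
access decisions and an audit log.  Illustrative only; the roles,
permissions and users below are constructed sample data."""
from dataclasses import dataclass, field

# Hypothetical role -> permission mapping (constructed sample data).
ROLE_PERMISSIONS = {
    "finance_clerk":    {"invoice:create"},
    "finance_approver": {"invoice:approve"},
    "helpdesk":         {"user:reset_password"},
    "sys_admin":        {"app:install", "user:reset_password"},
}

# Separation of duties: pairs of roles one identity may never hold at once.
SOD_CONFLICTS = {frozenset({"finance_clerk", "finance_approver"})}

# Privileged permissions that additionally require a managed device (assumed policy).
PRIVILEGED = {"app:install"}


@dataclass
class Directory:
    """Centralized directory: identities, their roles and an access report log."""
    users: dict = field(default_factory=dict)    # user -> set of role names
    verified: set = field(default_factory=set)   # users whose identity is assured
    report: list = field(default_factory=list)   # (decision, user, object, reason)

    def assign_role(self, user, role):
        """Identity management: grant a role, refusing SoD-conflicting combinations."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        current = self.users.setdefault(user, set())
        for held in current:
            if frozenset({held, role}) in SOD_CONFLICTS:
                self.report.append(("sod_violation", user, role, f"conflicts with {held}"))
                raise PermissionError(f"{user} holds {held} and cannot also hold {role}")
        current.add(role)
        self.report.append(("assign", user, role, ""))

    def permissions_of(self, user):
        """Resolve a user's roles to the set of permissions they grant."""
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.users.get(user, ())))

    def check_access(self, user, permission, context=None):
        """Access management: verify identity, then roles, then context."""
        context = context or {}
        if user not in self.verified:
            self.report.append(("deny", user, permission, "identity not verified"))
            return False
        if permission not in self.permissions_of(user):
            self.report.append(("deny", user, permission, "no role grants it"))
            return False
        if permission in PRIVILEGED and not context.get("managed_device"):
            self.report.append(("deny", user, permission, "unmanaged device"))
            return False
        self.report.append(("allow", user, permission, ""))
        return True

    def certify(self):
        """User access certification: effective permissions per user for review."""
        return {u: sorted(self.permissions_of(u)) for u in self.users}


def demo():
    """Walk through the scenario and return the decisions for inspection."""
    d = Directory()
    d.assign_role("alice", "finance_clerk")
    try:
        d.assign_role("alice", "finance_approver")   # SoD: clerk + approver rejected
        sod_blocked = False
    except PermissionError:
        sod_blocked = True
    d.assign_role("bob", "sys_admin")
    # Bob is not yet verified, so even a valid role does not grant access.
    unverified = d.check_access("bob", "app:install", {"managed_device": True})
    d.verified.update({"alice", "bob"})
    return {
        "sod_blocked": sod_blocked,
        "unverified_denied": not unverified,
        "alice_create": d.check_access("alice", "invoice:create"),
        "alice_approve": d.check_access("alice", "invoice:approve"),
        "bob_unmanaged": d.check_access("bob", "app:install", {"managed_device": False}),
        "bob_managed": d.check_access("bob", "app:install", {"managed_device": True}),
        "certification": d.certify(),
        "report": d.report,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The order of checks in `check_access` is the point: identity assurance comes before any role lookup, so an unverified principal is denied even when the directory would otherwise grant the permission, and the privileged-action context check sits after the role check so the report distinguishes "no entitlement" from "wrong context". Every decision, including rejected SoD assignments, lands in `report`, which is what an identity and access reporting process would consume.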
“There is a great deal of excitement around providing Security as a Service but organizations need to make sure that the solutions being provided follow strong security guidelines,” said Dave Fowler, COO at Courion Corp., a sponsor of the report. “CSA’s SecaaS Working Group has done an exceptional job of defining the key security categories and incorporating feedback from domain experts across the security spectrum for this expanded version of implementation guidance.”