Three Key Findings from SailPoint’s State of IaaS Report

In the year 2017, we witnessed critical technological advances. From Apple’s groundbreaking face ID technology for the iPhone to Dubai  piloting drones with passengers, AI reemerged with full force. That was also the year SailPoint predicted that by 2020, 90% of enterprises would have hybrid IT infrastructures. Not only is this figure spot on, but no one could have predicted that the events of 2020 would force the acceleration of this duality .

To zero in on the cloud ramp-up of this year, we asked IT managers to report on how they are using Infrastructure-as-a-Service (IaaS) in their organizations. And while IaaS is only one slice of the cloud pie, which also includes SaaS and PaaS, it represents one of the more challenging areas of the cloud to manage from an identity governance perspective. This is because companies who use IaaS are responsible for managing most aspects of the platform, including the applications, data, runtime, middleware and operating system, all of which have users and accounts that must be managed. Examples of IaaS include Amazon Web Services (AWS)Microsoft Azure, and Google Cloud Platform (GCP).

We found 74% of companies use more than one IaaS provider currently, with almost half using three or more. This honestly isn’t surprising to me; I expect that number to continue to tick upwards. The use of multiple IaaS vendors is a strategic practice. It helps to match workloads, minimizes costs, and provide on-going business flexibility. But, using multiple vendors is causing an issue or two. Many people we talked to reported audit, compliance, and security issues. Nearly half of IT managers said the lack of automation is challenging as the systems, applications, and data continue to rise.

Seven out of 10 companies reported they use multiple tools for managing their IaaS environments. Because of this, nearly all of our respondents cited problems with governing access. With almost 1 in 3 companies using multiple teams to govern user access, it is no wonder that 45% have experienced cybersecurity attacks, and a quarter of them have suffered a data breach. A lot of this lies in the fact that many organizations haven’t yet connected the dots between deploying IaaS infrastructure to run their business with needing to manage IaaS much in the same way they manage other cloud apps and resources. At the end of the day, it all comes down to identity, and many companies haven’t yet had their lightbulb moment.   

Clearly, despite companies’ best efforts to keep up, most of them still rely on manual, disconnected methods of managing access to IaaS platforms versus a conscious decision to extend their existing identity programs to cover these new environments. A whopping 91% of companies require manual processes to properly document and report user access and activities. One surprising finding is that over 1/3 of companies do not perform regular governance reviews of user entitlements and actions, a big compliance gap if you ask me.

Companies must use a wide range of technologies to keep their business running—and more and more this will include using multiple IaaS providers. The reality is that if you’re using IaaS tools as the foundation of your IT infrastructure, you must be very clear and confident that only the right people and “things” have access. That’s the most significant hole we continue to see in many organizations today. They think they’re covered with their current approach to identity governance, but they aren’t considering this newer area of their business with the scope of their identity programs today. This especially true when you consider that a majority of access granted in an IaaS deployment is no longer to humans. The machine-to-machine access is a critical gap that most organizations don’t fully understand or address when thinking about deploying new cloud environments.

There is light at the end of the tunnel with identity management. By extending how you’re already governing and managing access to IaaS, you’re well on your way to closing the security and compliance gaps in your business that this survey revealed. IaaS is a foundational technology that speeds and enables today’s digital business, but it represents a significant risk without governance. Shut down this risk with SailPoint Predictive Identity, yet another way we help you ensure access doesn’t fall into the wrong hands, human or otherwise.

Survey Methodology

Hundreds of IT and business roles completed the global primary research survey to understand current cloud infrastructure (IaaS) utilization and practices. 


Discussion