The adoption of cloud computing has led to an explosion of new cloud-based applications and software. As a result, organizations are implementing cybersecurity solutions that are delivered via the cloud rather than on-premises. Placing data access control in the cloud brings advantages such as flexibility and convenience. But some organizations may still find on-prem controls to be the better solution.
Cloud-based access control.
In many cases, you can leverage your existing architecture and extend access controls into the cloud. For example, many service providers offer support and integration with an on-prem LDAP directory. However, like other on-prem controls, LDAP doesn’t work natively with web or cloud-based apps and services. This adds complexity to deployment and integration. And some service providers are starting to deprecate support for legacy controls.
Access control in the cloud is typically delivered via a Software-as-a-Service (SaaS) model, with the provider hosting the controls in the cloud. This eliminates the need for not only deploying and maintaining hardware and software on-premises, but also for training and upskilling your personnel to do so.
Cloud-based identity management.
To streamline access control, whether in the cloud or on-prem, many organizations adopt an identity and access management (IAM) solution and framework. IAM provides centralized, unified control across your entire organization, ensuring that policies are enforced consistently in any type of environment.
Enterprises are shifting to a cloud-first mentality as their environments evolve to enable employees to access resources from anywhere. As a result, cloud-based IAM solutions are emerging as a better alternative for securing that access.
The move to zero trust.
Another driver for moving access control to the cloud is the growing interest in a zero-trust security model. The traditional access control approach was built off the foundational idea of restricting access to network resources. From there, you implemented additional controls to fill in the gaps.
The adoption of cloud apps, expansion of remote work, and other factors have created a dynamic environment where securing the network perimeter is no longer effective. Zero trust solves that challenge by continuously and dynamically authenticating and authorizing every connection request. In other words, no user, device, or connection is trusted, whether on or off-premises.
Identity-centric security is integral to zero trust because it provides the context you can’t get from network traffic. You can achieve zero-trust principles with on-prem controls. However, when you design a modern access control strategy for a digital business instead, you ensure your security is consistent across your IT ecosystem.
Cloud-based access control pros and cons.
In addition to the benefits described above, other pros to consider include:
- Improved visibility across all platforms, applications, and services
- Faster deployment and increased agility
- Reduced IT workload
Some potential cons to consider:
- Possible loss of customization
- Complexity of migrating from on-prem controls
- Ongoing subscription costs
On-premise access control.
When you’re hosting access control on your own servers, you have complete oversight of the infrastructure. Since the IT team is implementing and maintaining the hardware, software, security, etc. in-house, they also have a better understanding of how the controls are working vs. relying on a vendor.
One of the advantages of on-prem controls is that they don’t need an external network connection. If your internet goes down, you can still authenticate and authorize users to your locally hosted resources through WAN.
When IT resources and networks were located entirely on-premises, commonly in Windows environments, managing user identities and access with a protocol such as Active Directory was simple enough. However, as the IT ecosystem and its security have evolved—adding components such as web access management, multi-factor authentication, and single sign-on—maintaining this expanding footprint has become more expensive and time-consuming.
On-premise access controls pros and cons.
Although cloud-based access controls are becoming the norm, on-prem may be the better option for some use cases. A few other pros to consider include:
- Inherently better security since access management can only be accessed internally
- Potentially faster access, especially if internet speed and bandwidth are an issue
- Complete management authority over the servers and other infrastructure
Cons to on-prem deployment include:
- Increasingly more resources dedicated to upkeep
- Capital costs for replacement, upgrades, or scaling up
- Added complexity in multi-cloud and hybrid environments
To succeed in today’s fast-paced environment, your digital business needs to take full advantage of cloud computing. And understanding the risks of this new environment will help ensure your security controls are evolving as well.
As you move more assets, applications, and data to the cloud, you need to think beyond the traditional IT infrastructure. Cloud-based identity management and governance enables you to transform your business while maintaining security and compliance—and it scales as your business does.
SailPoint supports your cloud journey with enterprise-class identity solutions that allow you to grow and scale securely.
Since access control in the cloud relies on an outside vendor, it’s important to understand how that may impact regulatory compliance. Some organizations may feel that cloud-based controls have disadvantages from a compliance standpoint. However, cloud-delivered IAM that centralizes and unifies controls such as policy enforcement can actually improve compliance because it enables consistent policy enforcement across your environment.
A hybrid platform enables you to centralize and streamline access control across your cloud and on-prem apps. As one example, Azure Active Directory allows you to connect both cloud apps and those that use traditional protocols such as LDAP or Kerberos.
Access controls include two core components: authentication and authorization. The most common models are:
- Mandatory access control (MAC)—the most restrictive approach where only administrators can allow access
- Discretionary access control (DAC)—gives the user some oversight over the resources
- Role-based access control (RBAC)—grants access based on predefined variables such as role, seniority, and location
- Attribute-based access control (ABAC)—derived from RBAC, this model enables more detailed controls based on criteria such as environmental context and user action
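To make the RBAC/ABAC distinction in the list above concrete, the following added example (not from the original article or any vendor product) evaluates the same requests under a role-only check and under an attribute check that also weighs environmental context and the user's action. The roles, attributes, and rules are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Constructed role-to-permission map: under RBAC the role alone decides.
ROLE_PERMISSIONS = {
    "hr_analyst": {("payroll", "read")},
    "hr_manager": {("payroll", "read"), ("payroll", "export")},
}

@dataclass(frozen=True)
class Request:
    role: str
    resource: str
    action: str
    # Environmental context; only the ABAC check looks at these.
    device_managed: bool = False
    mfa_verified: bool = False
    hour_utc: int = 12

def rbac_allows(req: Request) -> bool:
    """RBAC: allow if the role holds the (resource, action) permission."""
    return (req.resource, req.action) in ROLE_PERMISSIONS.get(req.role, set())

def abac_decide(req: Request) -> tuple[bool, str]:
    """ABAC layered on RBAC: deny by default, evaluated on every request."""
    if not rbac_allows(req):
        return False, "role lacks permission"
    if not req.device_managed:
        return False, "unmanaged device"
    # The user's action matters: exports carry stricter conditions than reads.
    if req.action == "export":
        if not req.mfa_verified:
            return False, "export requires MFA"
        if not 8 <= req.hour_utc < 18:
            return False, "export outside business hours"
    return True, "allowed"

if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        Request("hr_manager", "payroll", "export", True, True, 10),
        Request("hr_manager", "payroll", "export", True, False, 10),
        Request("hr_manager", "payroll", "read", False, True, 10),
        Request("hr_analyst", "payroll", "export", True, True, 10),
    ]
    for s in samples:
        print(s.role, s.action, "RBAC:", rbac_allows(s), "ABAC:", abac_decide(s))
```

The second and third samples are the interesting ones: the role check passes, but the attribute check denies the request because of missing MFA or an unmanaged device.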