In this chapter

  • Review how identity governance can help enterprises be more secure as they move to the cloud
  • Explore the advantages of deploying identity governance solutions in the cloud

The Cloud-first Enterprise

In Chapter 1 we referenced an estimate that 92 percent of computing workloads will be processed in cloud data centers by 2020. In fact, a growing number of enterprises have adopted a “cloud-first” policy, where they give preference to cloud-based solutions when they are available (although almost all plan to keep at least some infrastructure on the premises for the foreseeable future).

At any given time in a large organization, thousands of employees, contractors, business partners, and customers are accessing hundreds, or even thousands, of applications. Each point of access for those thousands of users is a potential point of exposure.

In this chapter we consider how this trend, together with changes in the way we work and emerging technologies, has altered what organizations are seeking in identity governance solutions. We will also examine the option of deploying identity governance solutions as cloud services.

New challenges

Mobile computing, SaaS applications, and cloud storage services create many new challenges for cybersecurity:

  • Managing more types of users including employees, contractors, business partners, and customers
  • Associating multiple devices with each user
  • Provisioning mobile apps when employees join the organization or assume new roles
  • Providing visibility into cloud-based applications and platforms outside of the organization’s control
  • Providing information about unstructured data in collaborative apps and storage services such as Microsoft Office 365, Google G Suite, Box, and Dropbox.

Provide a single view

Identity governance solutions can provide a single view of identity- and access-related data across all applications and environments, including HR, financial, and other legacy applications in corporate data centers, as well as SaaS and collaborative applications in the cloud. A unified view means that you get a complete picture of the access permissions of each user, and how and when those permissions were granted.

You can also look at the data and determine for each application, and potentially for each document, exactly who has what level of access, and how those rights were granted. Finally, you may be able to reduce software costs by discovering how many people are using specific applications and comparing that number with your licenses.

Create unified processes

Identity governance solutions can ensure that one process is used to request and approve access to both data center and cloud-based applications, ideally through an intuitive online portal. With the right connectors and interfaces, that process can manage the provisioning of access to cloud applications and services, and even to mobile apps for smartphones. A unified approach is far more efficient and reliable than separate processes for managing access to on-premises and cloud applications.

Enforce policies

Identity governance makes it possible to create and enforce a single set of policies that span legacy and cloud applications. That unification allows you to define policies centrally and to apply them across the enterprise.

An identity governance solution can be especially valuable if it works with mobile device management (MDM) products and cloud applications to enforce policies. Working together, these tools can mandate the use of multi-factor authentication on mobile devices, prevent users from sharing files with anyone outside of the organization, and even suspend user accounts when people violate policies.

Support security analytics

By combining identity data from cloud-based and on-premises applications and data stores, an identity governance solution can do a much better job of detecting risk factors such as orphan accounts in cloud apps, employees with excessive access rights, employees who share documents too widely, and violations of separation-of-duties (SoD) policies. It can also speed up the work of SIEM and security analytics products, for example by establishing that the user jamesjones storing documents on Google Drive is the same person as jim.jones generating events on a cloud-based email server and jjsalesmgr creating alerts on the main financial system in the data center.
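The correlation step described above, worked through as an added example (not code from the page or from any identity governance product): accounts exported from three systems are linked back to one HR identity by employee ID or email, and the linked view is then used to flag orphan accounts, accounts owned by inactive people, and SoD conflicts. The HR records, account feeds and the SoD rule are constructed for illustration.

```python
# Added example: correlate per-application accounts to one identity, then
# flag orphans, inactive owners and separation-of-duties (SoD) conflicts.
from collections import defaultdict

# Constructed authoritative (HR) identities keyed by employee id.
HR = {
    "E100": {"name": "James Jones", "email": "jim.jones@example.com", "status": "active"},
    "E101": {"name": "Ana Ruiz", "email": "ana.ruiz@example.com", "status": "terminated"},
}

# Constructed account feeds from three systems; each row carries whatever
# correlation attribute that system happens to expose.
ACCOUNTS = [
    {"system": "gdrive", "login": "jamesjones", "email": "jim.jones@example.com", "entitlements": ["share_external"]},
    {"system": "email", "login": "jim.jones", "email": "jim.jones@example.com", "entitlements": []},
    {"system": "finance", "login": "jjsalesmgr", "employee_id": "E100", "entitlements": ["create_vendor", "approve_payment"]},
    {"system": "finance", "login": "aruiz", "employee_id": "E101", "entitlements": ["approve_payment"]},
    {"system": "gdrive", "login": "oldcontractor", "email": "nobody@example.com", "entitlements": []},
]

# Constructed SoD rule: no single identity may hold both entitlements.
SOD_RULES = [("finance:create_vendor", "finance:approve_payment")]

def correlate(hr, accounts):
    """Map each account to an HR identity via employee id, then email.
    Returns (identity -> list of accounts, list of orphan accounts)."""
    by_email = {rec["email"]: eid for eid, rec in hr.items()}
    linked, orphans = defaultdict(list), []
    for acct in accounts:
        eid = acct.get("employee_id") or by_email.get(acct.get("email"))
        if eid in hr:
            linked[eid].append(acct)
        else:
            orphans.append(acct)  # no owner in the authoritative source
    return linked, orphans

def find_risks(hr, accounts, sod_rules):
    """Return sorted risk findings derived from the correlated view."""
    linked, orphans = correlate(hr, accounts)
    findings = [f"orphan:{a['system']}:{a['login']}" for a in orphans]
    for eid, accts in linked.items():
        if hr[eid]["status"] != "active":
            findings += [f"inactive-owner:{a['system']}:{a['login']}" for a in accts]
        # SoD is evaluated per identity, across all of that person's accounts.
        held = {f"{a['system']}:{e}" for a in accts for e in a["entitlements"]}
        for left, right in sod_rules:
            if left in held and right in held:
                findings.append(f"sod:{eid}:{left}+{right}")
    return sorted(findings)
```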

Cloud-based Identity Governance


Several cloud-based identity governance offerings (also known as identity-as-a-service, or IDaaS, solutions) are now available. Subscribing to these services has several advantages, including:

  • Faster time to value, because you don’t need to install, configure, and test hardware and software
  • Lower capital expenditures, since you don’t have to invest in servers and data center operations
  • Simplified management, because you don’t need to manage and upgrade the hardware and software

This model allows enterprises to devote their technical staff to tasks that are more strategic than installing and administering servers and identity governance software.

Customization vs. configuration

IDaaS offerings, like most SaaS products, are not architected to allow extensive customization by individual customers. This can be an issue for organizations that have specialized processes.

On the other hand, cloud-based solutions tend to have easy-to-use interfaces and workflows that reflect industry best practices. Most also provide parameter-based configuration, which allows organizations to tailor processes without the burden of writing and maintaining software code.

Results in two months at Orrstown Bank

Orrstown Bank has almost $1.3 billion in assets and does business through 22 branches in Pennsylvania. It wanted to move quickly on a project to improve regulatory compliance and mitigate risk.

By leveraging a cloud-based identity governance solution, in under two months the bank was able to automate access certifications, password management, and single sign-on for most of its primary applications.

The solution has since been expanded to include over 100 applications. Not only have compliance and security been improved, but the time required to certify access has been reduced by 2,000 hours a year. In addition, users can now change passwords and unlock accounts in self-service mode from mobile devices.
