“Everything about the cloud would work if it weren't for security,” computer security specialist Bruce Schneier said at a private financial security summit I attended a couple of months ago, and it's hard to disagree with him. Yet most people still want the cloud, and everything else in technology, to be secure. The questions businesses must ask themselves are:
- How secure do we want our cloud to be?
- Will our security approach promote or hinder adoption of the cloud?
- How much efficiency are employees willing to trade for security?
- How will our security be beneficial to the future of the business?
In the real world, if users don't like the way a system works, they will not use it – then the business value of having the system is gone. We're familiar with the saying that the “cure is often worse than the disease,” and unfortunately, this often applies to security. Because of poor approaches to security in the past, people think security tools always hamper employee productivity and impact business processes. The thought of carrying that perceived burden as they embrace new, agile platforms like the cloud scares the heck out of them.
Identity and access management (IAM) can be the missing link between effective security and keeping the cloud agile. IAM brings cloud security to the real world by ensuring protection while simultaneously keeping systems manageable from the end user, administrator, and executive viewpoints. IAM is about ensuring that the correct people have the correct access at the right time, building security into the cloud, or any system, from the start. And the security that comes from IAM reflects the simple common sense we apply in our everyday lives.
Let's keep in mind that the people who ensure our security in our everyday lives are held to a high standard. Those people are known as police officers, lawyers, judges, and those with similar occupations. They serve as administrators who follow strict policies when they do their jobs. In the technology world, these people are better known as IT managers and administrators, and IAM ensures they are held to a standard that's just as high. IAM is made up of several moving parts, and a key to keeping companies safe is privileged access management. Police can't search without a warrant; likewise, IT administrators can't use root passwords without explicit permission within predetermined circumstances. If someone requires privileged access, the system gets authorization from the appropriate managers. So why is it important for IT administrators to have the appropriate access? You guessed it – to be able to monitor the network to prevent security breaches, and efficiently fix problems as they arise to keep your cloud nimble.
That common-sense approach can be applied to every aspect of security using IAM. Controlling the administrators' access is just the tip of the IAM iceberg. We'll need every inch of that ice to deliver the promise of cloud and keep security intact while we do it. What I'd like is a good reason to disagree with Bruce. It's up to all of us to see if we can make that happen.