Traditionally, organizations invest in IAM practices to improve operational efficiency and to
comply with regulatory, privacy, and data protection requirements:
Improve operational efficiency
Properly architected IAM technology and processes can improve
efficiency by automating user on-boarding and other repetitive tasks
(e.g., self-service for users requesting password resets that
otherwise will require the intervention of system administrators
using a help desk ticketing system).
Regulatory compliance management
To protect systems, applications, and information from internal and
external threats (e.g., disgruntled employees deleting sensitive
files) and to comply with various regulatory, privacy, and data
protection requirements (e.g., HIPAA, SOX), organizations implement an “IT general and
application-level controls” framework derived from industry standard
frameworks such as ISO 27002 and Information Technology Infrastructure
Library (ITIL). IAM processes and practices can help organizations
meet objectives in the area of access control and operational
security (e.g., enforcement of compliance requirements such as
“segregation of duties” and assignment of limited privileges for
staff members to perform their duties). Auditors routinely map
internal controls to IT controls as they support management of
regulatory compliance processes including the Payment Card
Industry Data Security Standard (PCI DSS) and the Sarbanes-Oxley Act of 2003 (SOX).
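One concrete form of the segregation-of-duties control mentioned above is a periodic check of provisioned role assignments against a matrix of entitlement pairs that no single person may hold. The following is an added example, not code from the book; the role names, entitlement names and sample assignments are constructed for illustration.

```python
"""Segregation-of-duties (SoD) check over IAM role assignments.

Added example: flatten each user's roles into the entitlements they grant,
then flag any user who holds a conflicting pair. All names are constructed.
"""

# Constructed SoD matrix: pairs of entitlements one person must not hold together.
SOD_CONFLICTS = {
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"journal.post", "journal.approve"}),
    frozenset({"vm.delete", "audit_log.purge"}),
}

# Constructed role-to-entitlement mapping (roles are what provisioning assigns).
ROLES = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_manager": {"payment.approve", "invoice.enter"},
    "accountant": {"journal.post"},
    "controller": {"journal.approve"},
    "cloud_admin": {"vm.start", "vm.stop", "vm.delete"},
    "security_admin": {"audit_log.read", "audit_log.purge"},
}

# Constructed sample assignments; "bob" and "carol" accumulated roles over time.
SAMPLE_ASSIGNMENTS = {
    "alice": ["ap_clerk"],
    "bob": ["ap_clerk", "ap_manager"],
    "carol": ["cloud_admin", "security_admin"],
}


def effective_entitlements(roles, role_map=ROLES):
    """Union of the entitlements granted by every role the user holds."""
    ents = set()
    for role in roles:
        ents |= role_map.get(role, set())
    return ents


def sod_violations(user_roles, role_map=ROLES, conflicts=SOD_CONFLICTS):
    """Return {user: sorted list of conflicting entitlement pairs} for violators only."""
    findings = {}
    for user, roles in user_roles.items():
        ents = effective_entitlements(roles, role_map)
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= ents]
        if hits:
            findings[user] = sorted(hits)
    return findings


if __name__ == "__main__":
    for user, pairs in sod_violations(SAMPLE_ASSIGNMENTS).items():
        print(f"{user}: {pairs}")
```

Running it reports bob (vendor creation plus payment approval) and carol (VM deletion plus audit-log purge) and stays silent for alice.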
In addition to improving operational efficiencies and effective
compliance management, IAM can enable new IT delivery and deployment
models (i.e., cloud services). For example, federated identity, a key IAM
component, enables the linking and portability of identity information
across trust boundaries. As such, it enables enterprises and cloud service
providers to bridge security domains through web single sign-on and
federated user provisioning.
Some of the cloud use cases that require IAM support from the CSP
include:
- Employees and on-site contractors of an organization accessing a
SaaS service using identity federation (e.g., sales and support staff
members accessing Salesforce.com with corporate identities and
credentials)
- IT administrators accessing the CSP management console to provision resources and access
for users using a corporate identity (e.g., IT administrators of Newco.com
provisioning virtual machines or VMs in Amazon's EC2 service,
configured with identities, entitlements, and credentials for
operating the VMs [i.e., start, stop, suspend, and delete VMs])
- Developers creating accounts for partner users in a PaaS platform (e.g., developers from Newco.com
provisioning accounts in Force.com for Partnerco.com employees contracted
to perform business process tasks for Newco.com)
- End users accessing a storage service in the cloud (e.g., Amazon
S3) and sharing files and objects with users within and outside a
domain using access policy management features
- An application residing in a cloud service provider (e.g.,
Amazon EC2) accessing storage from another cloud service (e.g.,
Mosso)
Since IAM features such as SSO allow applications to externalize authentication features,
businesses can rapidly adopt *aaS services (an example is Salesforce.com)
by reducing the time required to integrate with service providers. IAM
capabilities can also help a business outsource a process or service to
partners with a reduced impact to the business’s privacy and security; for
example, employees of an order fulfillment partner of a merchant can use
their federated identities to access real-time information stored in a
merchant application to manage the product fulfillment process. In short,
extending your IAM strategy, practice, and architecture allows your
organization to carry its user access management practices and processes
over to the cloud. Hence, organizations with established IAM practices can
rapidly adopt cloud services while maintaining the efficiency and efficacy
of their security controls.