As Sallie Mae migrates some of its most important applications to the cloud, the nation's largest provider of college loans is keeping an eye on compliance.
Sallie Mae uses identity management software from SailPoint to ensure that its 6,100 employees have appropriate levels of access to data and applications - regardless of whether it's stored in the cloud or at one of its data centers.
"All of our cloud-based services - all of that access is controlled," says Jerry Archer, CSO for Sallie Mae, which uses hosted applications such as Workday for human resources functions. "SailPoint keeps track of roles, access and other workflow processes."
Sallie Mae is in good company. A growing number of organizations including CUNA Mutual Group and the American Red Cross have upgraded their identity and access management (IAM) tools to bolster their security posture as they adopt cloud-based applications.
Identity management in the cloud has become a hot-button issue for CIOs over the last year, says Lina Liberti, vice president of security management at the security business unit for CA Technologies.
"Every customer I talk to is looking at identity management," Liberti says. "There are a lot of very large deals... Companies say they have something that they built that they really shouldn't be managing and it's costing them so much money."
By purchasing the latest IAM tools from such vendors as SailPoint, Courion, IBM, CA, Ping Identity, Aveksa and others, these organizations are ensuring that their employees and business partners have appropriate levels of access to corporate data that's stored by popular cloud-based applications such as Salesforce, Google Apps or Microsoft Office 365.
Today's IAM tools mitigate risks for IT departments by allowing them to comply with federal regulations and successfully pass audits of cloud and network-based applications. They also increase efficiency by eliminating error-prone manual processes for checking access to applications. Increasingly, they offer automated provisioning and de-provisioning of cloud-based applications as well as single sign-on across network-based and hosted applications.
"Identity access management is a market in transition," says Dave Fowler, COO at Courion. "Corporations are opening up more and more of their data to be accessed by employees, business partners, customers and people outside the organization. This is particularly true in financial institutions, healthcare and retail. But in conjunction with opening up more of their data to be used by business partners, they're facing more and more regulations on securing this information."
As IT departments adopt cloud-based applications to cut their operating costs and speed up the availability of new features, they're also dealing with a flood of personal mobile devices that employees are using to access corporate data stored in the cloud.
"We did a survey of 1,000 organizations, and 69% of them allowed personal mobile devices to access their network," Fowler says. "They don't have security over the devices used to access data in the cloud, and they are typically using dozens of cloud-based applications."
Today's IAM tools help IT departments manage the conflicting pressures of trying to secure data that is stored by someone else - a hosted service provider - and accessed by a device that's not owned or controlled by the company. IAM tools also help manage the constant churn of employees being hired and fired by an organization and its business partners.
"When you put an application in the cloud, you don't have mechanisms for provisioning users in the cloud automatically," Fowler says. "When you terminate an employee or the employee changes jobs, somebody has to manually go into these cloud-based applications and take them out. We're building connectors to applications that allow you to automate on-boarding and off-boarding individuals."
The latest development is the availability of IAM as a hosted service from such companies as Courion and Lighthouse Security Group. Only a handful of pioneering organization such as Cintas Corp. and Molson Coors Brewing Co., have chosen a hosted IAM service. For example, Cintas is going into production mode with the hosted CourionLive service for 30,000 users in March.
Sallie Mae, however, isn't ready to put its identity management system into the cloud.
"We're not at the point where we're putting Active Directory into the cloud. We're maintaining our own Active Directory for employees and customer identity," Archer says. "If you move everything into the cloud, with all identities maintained in the cloud, you've put your crown jewels in the cloud now and you really need to begin worrying about a whole different set of problems in terms of protecting your crown jewels. If hackers get to that, they have everything."
Instead, Sallie Mae is sticking with its network-based version of SailPoint, which it has used for two years. Before that, the company used Excel spreadsheets and a manually intensive process to conduct quarterly reviews of employees' access to information systems.
"We would on a quarterly basis pull all the access logs from the systems and distribute them to the managers to approve," Archer says. "With SailPoint, we've implemented role-based access control...No longer do managers have to look at spreadsheets and individual access."
Archer says Sallie Mae has reduced the amount of resources related to compliance by 40% in the last two years, thanks to tools like SailPoint.
"All of this work was very manual with spreadsheets," he says. "We've fundamentally changed everything."
One advantage for Sallie Mae is that the firm already had invested in an identity management system based on Microsoft's Active Directory that provides a single identity and single sign-on for every employee. What SailPoint added was role-based access to systems that helps Sallie Mae comply with industry regulations that require regular audits.
Sallie Mae says it saw a return on its SailPoint investment the first year after installation.
``Last year, I was audited 28 times on access management control, so having a system like SailPoint that provides that has solved a really big problem,'' Archer said. ``I can attest to the auditors that nobody has access that's inappropriate to their role.''
Next, Sallie Mae plans to automate the provisioning and de-provisioning of cloud and network-based applications. Archer hopes to have this functionality in place by year's end.
``Now we have a staff of 22 people doing provisioning and access,'' Archer said. ``Our next step is automated provisioning. We will simply get out of the game of doing this, and it will more or less be a self-service function...When the automated provisioning step is done, we will have increased our savings to 70%.''
Archer's advice to other CIOs is to tackle compliance first, and then worry about automated provisioning and de-provisioning of cloud-based and premises applications.
"Define what consists of successful and appropriate levels of access," Archer says. "The next step is to define roles. If you can get to roles, then provisioning on the front end becomes much easier...The hardest part is provisioning and de-provisioning."
Slideshow: What's hot at RSA
Most enterprises like Sallie Mae are keeping their IAM solutions in-house today rather than adopting a hosted service, admits Vick Viren Vaishnavi, President and CEO of Aveksa, which has both types of offerings. He says companies are too worried about maintaining control over the actions people can take on data and applications in the cloud to outsource the governance piece of identity management.
"Governance is what I call a command and control structure that drives adherence to compliance policies and regulations," Vaishnavi says. "You want to control that within the enterprise because it's like your keys to the kingdom. Most enterprises are not prepared to put it into the cloud yet."
Vaishnavi predicts that more enterprises will be comfortable with hosted services that handle authentication and governance within the next three to five years, particularly as these services demonstrate cost savings.
"The two drivers with identity and authentication in the cloud are risk posturing and cost," Vaishnavi says. "Companies need compliance control, operational control, access control and avoiding audit fines or penalties. They need to protect their brands and mitigate risks. But the other issue is cost. Access is constantly changing. Employees are coming and going. Contractors are coming and going. How do you keep your access entitlements in lockstep with roles performed in the organization? That's expensive."
Companies that do migrate their IAM infrastructure to the cloud will reap savings of at least 30%, says Eric Maass, CTO of Lighthouse Security Group, which sells a hosted IAM service based on IBM's platform.
"The savings come from hardware and data center space, but mostly people and time," Maass says. "You need people to build out a large IBM, Oracle or CA identity management system. That can easily be a half-million or million-dollar investment. There's a large cost avoidance with a hosted application in salaries, administration, patch management and upgrades."