CIOs are waking up to the reality that they've lost control over access to data stored in software-as-a-service applications purchased by other departments.
"By the time an organization buys its sixth or eighth SaaS application, it's in trouble," says Jackie Gilbert, vice president and cofounder of SailPoint, which sells software for bringing these applications back into compliance with company policy. "We're poised to see more auditor attention and more security directed at this problem."
Gilbert says that IT departments are discovering that they can't manage or control access to popular cloud applications such as Salesforce, GoogleApps, Concur, ADP, Workday, Taleo or Box if provisioning and de-provisioning is handled by the department that purchased the application.
"Because it's being done outside of IT, the kind of discipline and access control best practices do not normally get done," Gilbert says. "The more SaaS applications that an organization starts to adopt, the more they start to see security weaknesses crop up."
Here are a few of the most common signs that your identity and access management (IAM) solution isn't working when it comes to your growing portfolio of cloud applications:
1. End users start sticking Post-It notes all over their computers listing user names and passwords for cloud-based applications. One solution to this problem: a single sign-on system that supports your portfolio of hosted applications as well as your directory system.
2. Employees leave the company, but their access to cloud-based applications isn't removed, resulting in a proliferation of so-called "orphan accounts.'' To solve this problem, you need to have an automated de-provisioning system that eliminates access to cloud applications at the same time as traditional software applications.
3. Managers are no longer approving data access for new employees. Most large organizations have access control systems that automatically generate e-mail to managers for them to approve user privileges, but these access control systems don't always include hosted applications.
4. Nobody is monitoring cloud-based applications to make sure access is current. As employees' roles in the company change, their access to information should change, too. A classic problem is entitlement sprawl, where people keep getting access to new information when they are transferred or promoted but nothing gets taken away. IAM solutions can identify employees with excessive access.
5. You're losing accounts to the new employer of a salesperson who left your company. Lighthouse Security Group said one of its customers noticed that it was losing accounts to a key salesperson who had been fired. This salesperson was never removed from Salesforce and was using proprietary data stored there to harvest the company's clients.
IAM vendors say they can solve all five of these problems due to integration with the most popular cloud applications.
Dave Fowler, COO at Courion, explains how IAM tools work for both network-based and cloud-based applications: "We mine the HR system for employee information that will trigger a process to automatically bring a person onboard and give them rights. Automatically, this user might get an e-mail account and an Active Directory entry. Then a request gets sent to their manager, who clicks on the different applications to grant access rights. When the approvals are done, the employee is provisioned automatically. We log everything, and we know who gets access to what. We use the same workflow for on-boarding and off-boarding."