How to Ensure Secure On- and Offboarding of Users in the Cloud
Ensuring secure on- and offboarding of users is a complex challenge facing all organizations that are moving applications to the cloud.
In this article, we take a look at different methods for granting and revoking user access to cloud applications and explain why we believe that identity federation is the best solution for ensuring that these processes are carried out securely and efficiently.
When an organization wants to use the services of a cloud provider, the cloud provider needs information on all users who will access the service. The process of providing this information is called user provisioning.Some cloud providers offer a portal where organizations can create users, whereas others offer a tool that automatically uploads information on users from a source system. The latter might initially ease the process of onboarding users, but it is important to remember that user provisioning is a continuous process and not a one-off task.
Every time a new employee joins the organization, IT has to set up new user accounts for that employee at each cloud provider and provision the requested user information. If an employee changes roles, these changes must be provisioned to each cloud provider as well. And most important: When an employee leaves the organization, he or she must be deleted (deprovisioned) at each cloud provider to make sure that the person no longer has access to the organization’s resources.
As you can imagine, with hundreds or thousands of users and cloud applications, user provisioning can quickly become a highly complex and expensive challenge, and in too many cases, it is a task that is not executed properly.
Organizations that don’t have secure processes for user provisioning in place are at risk of unauthorized users gaining access to business resources and data and of not meeting the new and stricter data protection regulations that are being introduced in the EU.
Learn what the new EU General Data Protection Regulation means to your business here
Secure and User-Friendly User Provisioning with Identity Federation
So, how can your organization effectively and securely provision and deprovision users to multiple cloud providers?
Cloud user provisioning can be done in numerous ways, but seen from a high level, there are three different types of solutions to this challenge:
- Your organization could provision all passwords in your own systems to all cloud providers. However, this means that all cloud providers need to know and store the internal passwords of all connected users, which is a security concern.
- Your organization could allow the cloud provider to access internal IT systems to process users’ login attempts. In this scenario, the cloud provider still sees the username and password and, in addition, needs real-time access to your systems. This is an important security concern and also creates practical problems because your organization will be connected to each cloud service in a way that is both difficult to implement and difficult to change.
- Your organization could build a trust relation with the cloud provider in such a way that the cloud provider accepts a statement from your organization about the user’s identity each time a user logs in. In this scenario, users authenticate themselves at your organization and you vow for the identity of the users when they access the cloud service.
This process of authentication is called identity federation and leads to users having only one place where their identity is stored—a single identity. In addition, with identity federation, you only need a very loose coupling between your organization and the cloud providers.
It is easy to see that of these three solutions, identity federation is the only one that can be made manageable and secure while providing a great user experience to the end users.
In fact, identity federation has a whole lot more to offer than smart and secure user provisioning, but that is a subject for a whole other article, so for now, I just want to mention the following two benefits:
- Because your organization is involved in the process of vowing for users’ identities, each time a user accesses the service of a connected cloud provider, it is possible to log the activity of the users. To know which user is accessing which application at what time is crucial for auditing and compliancy, but also for the analysis of productivity and costs.
- And because all connected cloud services trust your organization, it is possible to automatically log users in when they access a cloud service. Or in other words: Create single-sign on.
Learn a lot more about the benefits of identity federation at www.safewhere.com or give us a call at +45 71 99 9007.