Does Identity Hinder Hybrid-Cloud and Multi-Cloud Adoption? - InformationWeek

Commentary
4/1/2021
08:00 AM
Does Identity Hinder Hybrid-Cloud and Multi-Cloud Adoption?

Concerns about identity and access management in the cloud might slow enterprise migration as awareness of gaps in control grows.

IT decision makers may hesitate or at least carefully consider consequences related to identity and access management (IAM) and the cloud. Recently released research conducted by Forrester and commissioned by ForgeRock and Google Cloud points to numerous organizations planning to expand or play catch-up on such matters with initiatives intended to go into action over the next two years.

Andras Cser, vice president and principal analyst with Forrester, says identity that needs to be managed in relation to IT can fall into two categories. One is the general business user accessing applications that are in the cloud, which he says tends to be relatively without issue. The other group is defined as privileged users such as administrators who can log into a cloud console to make changes.

That is where potential concerns might be raised, Cser says. “Cloud adoption went way ahead of identities,” he says. “We lack mechanisms to reliably control identities’ access rights for these admin kinds of users as they manage the cloud platform console.”

Image: beebright - stock.Adobe.com

Cser says this means organizations might struggle with how to grant access for such privileged users. “It also means many times the access of these users includes too many rights or excessive privileges,” he says. “Sometimes you cannot authenticate these users reliably.”

Understanding access rights -- how one identity has access to objects and resources in the cloud, such as instances, storage, and network -- is also difficult, he says. The problem includes an intertwining of security and awareness of who has access to what, Cser says. “Even understanding who can do what in the cloud is absolutely horrendously difficult. There are a lot of policy types. They determine what the admin user has access to question in an overlay. That is the problem.”

He says this can lead to one set of policies denying access to a user while another policy grants access, all layered on top of each other, which can create confusion.

According to Omdia, the research arm of Informa Tech, there are some considerations organizations can make when developing a hybrid, multicloud strategy while coming from an on-prem infrastructure:

  • Quiz the on-prem IAM provider regarding their ability and capacity to support the new environment being envisaged. It may prove less disruptive to add their identity-as-a-service than to rip and replace the entire identity services infrastructure with a brand-new provider.
  • If the response from the IAM provider prompts exploration of other options, a vendor comparison report can offer profiles of leading players, along with strengths and weaknesses.

Hybrid and multicloud are expected to grow according to Omdia's Cloud Service & Leadership Strategies N.A. Enterprise Survey – 2021. Identity and access can be more of an issue for hybrid multicloud, according to Roy Illsley, chief analyst for IT and enterprise with Omdia. "When the world of hybrid multicloud becomes a reality -- on-premises to a number of public cloud providers -- then identity and access become a challenge," he says.

Addressing identity and access management concerns could make it easier for enterprises to transition to and maintain workloads in the cloud, Cser says, while also protecting data. “All this boils down to data protection,” he says. “Misconfiguration is an attack vector, how attackers can get access to your data.”

The nature of the cloud is the biggest culprit in this dilemma, Cser says, coupled with a lack of oversight. “Developers kind of want to be done with stuff,” he says. “They don’t want to build something and then have to revoke all the unnecessary privileges. Developers just want to work. They want to develop their apps. They don’t want to worry about security and revoking access.”

For example, during creation of a resource or object, a developer might allow the resource to remain relatively open, though Cser says there should be a follow-up step after development to remove that access or add encryption. “This last step does not happen,” he says. “They don’t clean up after themselves and revoke privileges. Once something goes into production, even if it’s temporary, nobody is going to touch it.”

There can be a fear, Cser says, of changes to production that might jeopardize functionality. “Nobody wants to risk that.” He says these concerns can affect a broad spectrum of organizations. “For everyone who went to the cloud, this is the first or second biggest question,” Cser says. “Data protection is the biggest problem, but misconfiguration or overly permissive privileges are big issues because you don’t have any kind of physical boundaries, as with data centers.”

With the cloud, scripts and code determine where instances live, how much memory is available, and other elements he says are not governed. Cser says products from DivvyCloud, Palo Alto Networks, and Dome9 for cloud security posture management can be put to work to address these concerns.

While cloud platforms such as AWS, Microsoft Azure, and Google Cloud may have built-in posture management capabilities, he says, they typically only cover their proprietary systems. “You cannot use Azure’s cloud security posture management to protect configuration artifacts in AWS or the other way around,” Cser says. “You want to avoid a silo for posture management tools for every single platform. You want to centralize visibility of all this into one tool.”

Joao-Pierre S. Ruth has spent his career immersed in business and technology journalism first covering local industries in New Jersey, later as the New York editor for Xconomy delving into the city's tech startup community, and then as a freelancer for such outlets as ...