In their quest for faster time-to-value and an optimized digital supply chain, businesses are increasingly turning to hybrid ITโs blend of public and private cloud solutions with traditional on-prem gear and composable infrastructures. But theyโre hitting a speedbump on the way. Identity and access management (IAM) systems, long recognized as a core component of IT security strategy, are showing signs of strain in a hybrid world.
Users perceive todayโs IAM controls as overly complex, slowing down access to the tools and data they need for their work and as a result making them less productive. They often have to juggle multiple sets of identity factors and credentials.
IT staff end up spending too much time on what should be straightforward tasks like authentication and account provisioning/deprovisioning when theyโre working across multiple environments, often including solutions from different cloud providers. Theyโre hampered by AIM technology โislandsโ that lack support for open, flexible identity and access control standards. Identity and access control data may have different levels of security, privacy and availability protection, depending on the location from which itโs consumed or the platform where itโs stored.
Itโs time to move towards a modern, integrated identity management system that spans cloud and on-premises infrastructure and provides a common control plane to manage your identities, credentials, devices, and applications, as well as access to them. Here are five steps you can take to get there.
1. Simplify your on-prem IAM. Most organizations have many different on-prem tools and solutions โ for example, multiple directories, single sign-on (SSO) solutions, and strong authentication solutions. This kind of proliferation will make the integration with public cloud providers (such as AWS, Google Cloud Platform, and Microsoft Azure) more complex, so your first move should always be to simplify. Bear in mind that many of the disciplines you rely on for your on-premises infrastructure are the same ones youโll need in the hybrid environment, so this is a great opportunity to review.
2. Honor the principle of least privilege. At many organizations, itโs not uncommon for sysadmins to use an administrator account to perform routine administrative tasks that can be done with a plain user account. This practice increases the risk exposure of privileged accounts. Limit the risk by giving admin accounts only the permissions they need to do their job, and only for the time they really need them. Sysadmins can use a plain user account for day-to-day work, then switch to an administrator account temporarily for tasks requiring higher privileges.
3. Evolve to a federated identity model. leveraging open standards โ such as Security Assertion Markup Language (SAML) โ to integrate on-prem and public cloud IAM and to provide a single sign-on experience. As a first step in that direction, most organizations start off with a directory synchronization engine: an on-prem master directory with slaves in the public cloud. But youโll want to move from there to a full federated model, in which you become your identity provider and all public cloud providers are resource providers.
All public cloud providers support identity federation. Make sure that you set up the correct group and attribute mapping between your internal on-prem identity provider system and the different access control systems of the public cloud providers.
4. Integrate IAM with and security information and event management systems. Make sure that all of your event and alert sources โ including compute, storage, networking, and security, and for both on-prem and cloud infrastructure โ feed up to your security information and event management (SIEM) systems. Also ensure that SIEM is integrated with your enterprise dashboard and ticketing/helpdesk systems.
5. Leverage software-as-a-service and standard public cloud IAM features to the maximum extent. Reduce time-to-production for IAM solutions by making full use of IAM SaaS products and the built-in IAM features in public cloud offerings. This simplifies your ongoing IAM operations and maintenance. It will also reduce the CapEx needed to get started with IAM in a hybrid IT environment.
Different cloud providers provide slightly different identity access management tools, and they use different terminologies to describe them. At first glance this can be a bit confusing, but if you spend a little time working with them youโll find that, to a large extent, they all offer basically the same controls.
HPE Pointnext can help you architect and build a tailored, future-proof IAM platform for your hybrid IT operation, one that empowers employees and enhances their productivity. Working closely with your team and our IAM solution partners, we can take you every step of the way, from an initial assessment of your existing environment, to roadmap development, to solution implementation. Learn more about HPE Pointnext Security services and start working with us today.
Featured articles:
- Surprise! You're running hybrid IT
- Hybrid cloud management: What you need to know
- Consumption-based IT: A primer for your business
- Want to know the future of technology? Sign up for weekly insights and resources
Jan_De_Clercq
Security Chief Technologist, WW HPE Pointnext Services Security Practice
