I spend a good amount of my time in the field meeting with our partners and customers because I have always felt that is the only way you can fully understand how they use our products, and what their pain points are.
A common misperception I hear from customers who are moving to the cloud is that they either won’t have the same compliance obligations or will not be using Active Directory (“AD”) bridging. When you start to peel back the onion a bit, you find out they have not really landed on a clear choice of what their cloud directory will be, but seem perfectly happy to stand up a duplicate directory.
I find it ironic they are thinking of this approach because this is one of the reasons they have been leveraging technology such as SAML & AD bridging in the first place: to not have a bunch of identity silos. Many of our customers leverage the same tools whether the system lives on premises, with a cloud provider or any combination of the two. Just because the system will run somewhere else does not mean you cannot leverage the same tools you use today and take advantage of the AD you already have invested so much money in.
Even better, think of all of the security tools, provisioning and processes you have already put in place around AD. You can save time and money leveraging the same investment regardless of which cloud provider you are standing up infrastructure in.
Then you need to think about the security you have put in place around your directory. I get that it’s easy to take advantage of a directory in the cloud that is already there when you are spinning up new services and people want the path of least resistance. You’re trying to quickly bring a new application up in the cloud for your company, and we often do not think about the security involved in standing up a new directory. We trust the cloud provider to have done their due diligence around their security and assume they have this covered for us.
The cloud providers do put a lot of thought and effort into their security and go through many different types of certification to prove this. However, when they do that, they follow their set of processes around how they properly secure something. That does not mean that you have followed the same processes securing yours. All cloud providers institute a shared ownership approach and you own the accounts you create there.
In the early days of PCI (Payment Card Industry Data Security Standard), companies thought that if they outsourced their credit card transactions, they were outsourcing the PCI requirements. Out of sight, out of mind: X company handles our transactions, so we do not have to worry about them and have no risk.
This worked for a very short period of time, until auditors found out that credit card data was still being stolen and that letting people outsource the responsibility meant they relaxed their own safeguards. The PCI industry recognized that this approach still did not protect customers’ data and gave no reason not to expect the same level of compliance controls for these customers.
Compliance and Security is YOUR Responsibility
You have to own your own compliance and security safeguards. There is no such thing as outsourcing your risk away, and though you may be successful with this approach for a short period of time, the responsibility is ultimately going to come back to you. Go read the fine print in your agreements with your cloud providers: they put you on the hook for your users and what they do.
Our latest survey report, “Reducing Risk in Cloud Migrations,” drives this point home. You have to own your cybersecurity strategy, approach, and implementation from A to Z. For example, over half of respondents to our survey are taking different approaches to controlling access to cloud environments than they do on-premises. Why? They can, and should, leverage a common security model across the modern enterprise IT environment.
The survey also revealed that 76% are using more than one identity directory in their cloud strategy, and only a third are using modern privileged access management solutions to avoid creating new identity silos in the cloud. As business transformation is enabled by multi-cloud strategies, it’s important to not intentionally create identity sprawl and expand the attack surface. Leverage the master identity repository you already have – AD or otherwise – to broker privileged authentication and access to everything, no matter where it resides in the IT fabric.
The modern threatscape is rapidly evolving, and requires flexibility to adapt to changes. But oftentimes using best practices and solutions that we’re familiar with – such as AD bridging – can be just as applicable for new technologies and challenges. At the very least, it’s better than not using them and creating more risk, not to mention that you already own this directory and have spent years putting together your processes to secure it.
During your next audit, wouldn’t it be great to rely on this to save you time and money?