Cloud Applications, A Challenge For User And Access Control
For an IT department, working with cloud applications and their providers can present a number of new challenges. Where the IT department previously took a facilitating role, it is now transitioning to a coordinating role. In addition, it can be significantly more difficult to control user and access privileges in cloud applications. Control over user accounts and roles (who has access to which cloud applications and data) is more complex than with applications that reside within the network. Below are some of the causes:
1. Large amount of information
The flow of information within the business environment is exponentially larger, and changes far more frequently, than a few years ago. Organizations have to deal with a large number of users (employees, partners and even clients in some situations) and also many changes, for example when an employee leaves the organization. Previously, it was possible to perform the necessary account management processes at a pre-established time, such as monthly or quarterly. Today, this is no longer feasible and the data must be refreshed weekly or even daily. A further factor is that custom scripts often do not work with cloud applications.
2. Different structure
It is a major challenge for the IT department to manage all identities, roles and the data that exists in the various cloud solutions. Many solutions use proprietary authorization and authentication structures. It is common that the same data is required in different systems, but the varying structures make it very difficult to manage in a centralized fashion.
3. Multiple authentication sources
Active Directory, or another directory service such as Novell eDirectory or Apple Open Directory, is normally the central authorization point for users and most likely controls access to other internal applications and systems. Cloud applications are typically not Active Directory integrated, and the result is the need for multiple authentication sources: a directory service for internal applications and typically one authentication source per application in the cloud.
Working with multiple authentication sources of this type is complex because there are only limited options for synchronizing user accounts between the sources, namely federation support such as Microsoft ADFS and the SAML standard.
4. More manual actions
Vendors that do not offer federation support (for example, several vendors of electronic portals and HR systems) offer a web portal that administrators can use to manage the cloud application directly. This requires personnel to manually create accounts for new employees and partners, and to disable accounts for employees and partners who are no longer part of the organization.
Although typically very well organized, these web portals require a large number of manual operations. This is time consuming and subject to errors. Some applications allow a bulk upload via a .CSV file, but this still requires manual intervention to create the file, upload it and verify the result, which can produce a lot of work. In some cases, vendors have developed a link to user accounts to fully automate the process. This is also known as provisioning. The link retrieves information from the portal where it is maintained and processes it into the electronic learning environment.
5. Password and naming conventions
Another issue that often arises is the standards for naming conventions and passwords. What works or is required in one system may not work in another. For example, a user ID in the network may be based on the login name, while the cloud application may require the e-mail address. This makes the exchange of user account data between both environments very complex. The same issue can arise with password conventions. Complex passwords are usually required within the network, for example a combination of characters and numbers; however, you may not be able to apply this convention within the cloud applications. Another factor to consider is the password expiration cycle: one system may be on a 90-day cycle while another might require a change every 30 days. Synchronizing passwords between the network and cloud applications can be tricky, and proper planning is required prior to implementation.
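The naming and password-convention mismatch above can be made concrete. The following is an added example, not code from the article or from Tools4ever: it derives each system's user ID from one authoritative HR record (AD-style login name versus e-mail address), and it computes the strictest password policy that satisfies every connected system at once, or reports that the policies contradict each other (one system's minimum length exceeding another's cap). The record, the naming rules and the three policies are constructed assumptions, not any vendor's real rules.

```python
"""Added example (not from the original article): derive per-system user IDs
from one authoritative identity record and compute the strictest password
policy that satisfies every connected system at once.

The record, the naming rules and the three policies below are constructed
for illustration; they are assumptions, not any vendor's real rules.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    max_age_days: int               # expiration cycle (90-day vs 30-day in the text)
    require_digit: bool
    require_symbol: bool
    max_length: Optional[int] = None  # some cloud apps cap the length


# Constructed policies: the network is strict, the cloud apps each differ.
POLICIES = [
    PasswordPolicy("network_ad", 12, 90, True, True),
    PasswordPolicy("cloud_hr", 8, 30, True, False, max_length=16),
    PasswordPolicy("cloud_mail", 10, 60, False, False),
]


def composite_policy(policies: List[PasswordPolicy]) -> Optional[PasswordPolicy]:
    """Strictest policy meeting all of them: longest minimum, shortest cycle,
    union of required character classes, smallest cap. Returns None when the
    constraints contradict (a minimum length above some system's cap), which
    is the case that needs a planning decision before synchronizing passwords."""
    min_len = max(p.min_length for p in policies)
    caps = [p.max_length for p in policies if p.max_length is not None]
    max_len = min(caps) if caps else None
    if max_len is not None and min_len > max_len:
        return None
    return PasswordPolicy(
        "composite",
        min_len,
        min(p.max_age_days for p in policies),
        any(p.require_digit for p in policies),
        any(p.require_symbol for p in policies),
        max_len,
    )


def check_password(candidate: str, policy: PasswordPolicy) -> List[str]:
    """Return the list of violations; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("too short")
    if policy.max_length is not None and len(candidate) > policy.max_length:
        problems.append("too long")
    if policy.require_digit and not re.search(r"\d", candidate):
        problems.append("needs digit")
    if policy.require_symbol and not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("needs symbol")
    return problems


def derive_identifiers(record: dict) -> dict:
    """Map one authoritative HR record to each system's naming convention.
    Punctuation and accents in names are stripped so both conventions stay
    valid identifiers (hypothetical rules, constructed for this example)."""
    first = re.sub(r"[^a-z]", "", record["first"].lower())
    last = re.sub(r"[^a-z]", "", record["last"].lower())
    domain = record["domain"]
    return {
        "network_ad": (first[:1] + last)[:20],       # login name: initial + surname
        "cloud_hr": f"{first}.{last}@{domain}",      # cloud app wants the e-mail address
        "cloud_mail": f"{first}.{last}@{domain}",
    }


if __name__ == "__main__":
    # Constructed HR record.
    person = {"first": "Anne-Marie", "last": "O'Neil", "domain": "example.org"}
    print(derive_identifiers(person))
    cp = composite_policy(POLICIES)
    print(cp)
    print(check_password("Sup3rSecret!ok", cp), check_password("short1!", cp))
```

Running the composite check before rollout tells you whether a single password can be synchronized at all; when `composite_policy` returns `None`, the systems cannot share one password and a federation or per-system credential approach has to be planned instead.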
6. What if the connection drops?
Vendors that provide links between the network and cloud applications often use event-driven synchronization between systems (i.e. when a change occurs, it is propagated immediately between the network and the cloud). However, they may not have a procedure for handling a temporarily dropped connection. Suppose a bulk upload to create new employee accounts is running and, in the middle of the transfer, the connection with the cloud application drops. The result can be a tremendous amount of manual work to determine which records have or have not been created. Cloud applications may not provide a notification that synchronization was successful.
7. Bulk actions
Processing bulk actions in the cloud is sometimes restricted or denied by the application. For example, imagine you need to create user accounts for several thousand employees, partners, clients or students in a hosted e-mail system at the beginning of the school year. Some cloud applications restrict the number of actions that can be performed at one time, or even require that administrative work be done after work hours to avoid overloading the network. While not all cloud application vendors are restrictive in this fashion, several are, and this can impose extra work on the IT department.
8. Connecting import scripts
Frequently, various systems within a single network require the same information. The IT department wants to avoid duplicate manual input of information whenever feasible, as it is inefficient and can lead to errors. In many cases, scripts are created to load the data from an authoritative system into all dependent applications. Usually, a separate script is required for each dependent system, as the data elements and requirements are unique to each. With the advent of cloud applications, this is more difficult to achieve, as these solutions do not always provide a way to use traditional scripts.
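Points 6, 7 and 8 describe the same import script from three angles: it loads from an authoritative system, the target caps the batch size, and the connection may drop halfway with no success notification. The following is an added example, not code from the article or from Tools4ever, showing how such a script avoids the manual "which records were created?" clean-up: it re-reads the target's actual state before every pass and only creates what is missing or disables what has left, so a dropped connection costs one retry rather than a reconciliation by hand. The cloud target, its batch limit of three, the one simulated mid-batch failure and the HR records are all constructed; no real vendor API is involved.

```python
"""Added example (not from the original article): an idempotent provisioning
run from one authoritative source to a cloud target that only accepts small
batches and may drop the connection mid-transfer.

The target class, its batch limit, the single simulated connection failure
and the HR records are constructed for illustration; no real vendor API.
"""
from dataclasses import dataclass, field


class ConnectionDropped(Exception):
    """Raised by the simulated target when the link fails mid-batch."""


@dataclass
class SimulatedCloudTarget:
    """Stand-in for a cloud app: capped batch size, one mid-batch failure."""
    max_batch: int = 3
    fail_after_n_creates: int = 4              # drop the connection once, here
    accounts: dict = field(default_factory=dict)   # user id -> {"active": bool}
    creates_seen: int = 0
    dropped_once: bool = False

    def list_accounts(self) -> dict:
        """The only reliable 'notification': read back what actually exists."""
        return dict(self.accounts)

    def create_accounts(self, batch):
        if len(batch) > self.max_batch:
            raise ValueError("batch too large")          # the bulk-action limit
        for uid in batch:
            if not self.dropped_once and self.creates_seen == self.fail_after_n_creates:
                self.dropped_once = True
                raise ConnectionDropped(uid)            # partial batch already applied
            self.accounts[uid] = {"active": True}
            self.creates_seen += 1

    def disable_account(self, uid):
        self.accounts[uid]["active"] = False


def plan(desired: set, actual: dict):
    """Diff the authoritative state against the target: create what is missing,
    disable active accounts that no longer exist in the source."""
    to_create = sorted(u for u in desired if u not in actual)
    to_disable = sorted(u for u, a in actual.items() if u not in desired and a["active"])
    return to_create, to_disable


def reconcile(target: SimulatedCloudTarget, desired: set, max_attempts: int = 5) -> dict:
    """Each pass re-plans from the target's real state, so work done before a
    drop is never repeated and no account is created twice. The final pass
    that finds nothing to do is the verification the cloud app does not send."""
    for attempt in range(1, max_attempts + 1):
        to_create, to_disable = plan(desired, target.list_accounts())
        if not to_create and not to_disable:
            return {"attempts": attempt, "converged": True}
        try:
            for i in range(0, len(to_create), target.max_batch):
                target.create_accounts(to_create[i:i + target.max_batch])
            for uid in to_disable:
                target.disable_account(uid)
        except ConnectionDropped:
            continue        # next pass re-plans from whatever actually landed
    return {"attempts": max_attempts, "converged": False}


def run_demo():
    """Constructed scenario: seven current employees in HR; the target already
    holds one of them plus a departed user (u99) that is still active."""
    desired = {f"u{n:02d}" for n in range(1, 8)}
    target = SimulatedCloudTarget(accounts={"u01": {"active": True}, "u99": {"active": True}})
    result = reconcile(target, desired)
    return result, target


if __name__ == "__main__":
    res, tgt = run_demo()
    print(res)                       # converged after the retry
    print(sorted(tgt.list_accounts().items()))
```

In the constructed run the first pass creates four accounts and then loses the connection; the second pass finds only two still missing and one to disable, and the third pass confirms the target matches the source. Six accounts are created in total for six missing users, which is the property a bulk-upload script needs before it can be safely re-run after any failure.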
Every organization has to deal with tight budgets and strict federal or local regulations, and all are under great pressure to constantly seek ways to work more efficiently. Working with cloud applications can, in many cases, mean that user and access control is not optimal or effective and requires more attention. Suppliers of cloud solutions give little priority to the development of better management of user accounts and access rights in their applications; they are naturally focused on developing new features and business-oriented functionality. There are many third parties that offer software your organization can implement to ease the burden of managing user accounts and access rights to cloud applications.
Dean Wiech is managing director at Tools4ever. Tools4ever supplies a variety of software products and integrated consultancy services involving identity management, such as user provisioning, role-based access control, password management, single sign on and access management, serving more than five million user accounts worldwide. For more information, visit their website at www.tools4ever.com.