 |
In the world of modern IT, most spending is outside the IT department’s control. Employees demand to be allowed to use the latest and greatest mobile devices and gadgets, but decision-makers are often too busy or unwilling to allocate funds. This has left organizations grappling with bring-your-own-device challenges. Business units that want to use best-of-breed enterprise cloud software often sign up for subscriptions outside the organization, and employees who use cloud-based services at home, such as file-sharing, often bring these applications into the office. In many cases, IT has no visibility into how pervasive the use of these services is. Bypassing Decision-Makers and their Controls According to Gartner, 38 percent of IT spending is already outside the control of the IT department. This will rise steadily and reach 50 percent of all IT spending by 2017 and almost 90 percent by 2020. Gartner states the primary functional groups behind this trend are online sales and marketing departments. These figures are echoed in a recent VMWare poll of European IT decision-makers. The survey found that 37 percent suspected their colleagues had bypassed the IT department to buy cloud services. Almost three-quarters of those polled stated that such off-radar spending is beneficial, owing to the sheer convenience the cloud services model provides. However, many acknowledge that they worry about the security risks involved, especially the potential for sensitive corporate data to be inappropriately accessed by unauthorized agents. For example, with file-sharing services, organizations usually have no way of knowing whether sensitive information has been posted or with whom that information has been shared. The Need for Centralized Identity Control for Modern IT It appears that bypassing IT is not a tide that can be turned back. However, the IT department still retains responsibility for spotting security vulnerabilities, preventing unauthorized access to or inappropriate storage of sensitive data, and ensuring rules and policies are adhered to. This cannot be done without centralized control, which should include integration with identity and access management capabilities reaching from the endpoint to the cloud. These are considered by many to be the new perimeter of the organization. However, control of access policies should be placed in the hands of individual business units, since they are often the ones purchasing application subscriptions and defining access rights for users. Systems should allow for granular control of corporate data and applications based on context such as device, role, location, and security policy. Through centralized management, identity and access permissions can be dictated for any computing device. This will enable the organization to shut down rogue access to applications and data in which attempts are out of line with policy. Internal authentication mechanisms contained within the devices themselves help lock down information in an emergency. These require the use of adaptive authentication, which allows access decisions to be made on the basis of multiple contextual factors. Access requires stronger forms of authentication where risk is deemed high. With these capabilities, organizations are afforded integrated identity and access management across all applications, devices, and users, all controlled from one central system. This will allow IT departments to create and enforce access policies that conform to business, compliance, and security requirements. It puts control into the hands of business managers, allowing them to use the applications they need while maintaining the purview of the IT department. [cf]skyword_tracking_tag[/cf] The post How to Manage Identities in the Modern IT Environment appeared first on Speaking of Security - The RSA Blog and Podcast. |
