Sometimes the business need for a cloud app will outweigh concerns IT has about the ability to track what a user does inside the app. In those cases, IT organizations can try workarounds that may offer more insight into user behavior in the cloud. Brown says organizations should think about coupling single sign-on with data enforcement policies to audit SaaS activity using firewall or gateway logs, and then monitor user access via data leak prevention (DLP) tools. "Using that data enforcement policy, you can say, 'I'm going to look at this SaaS application for these users,'" he says. "You can use the enforcement capabilities in DLP to say what is appropriate or inappropriate to be published out to an online sharing site."
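As an added illustration (not code from the article or from anyone quoted in it), the following shows how such a data enforcement policy could be applied to gateway or proxy logs: a per-site rule for which SSO users may publish to a sharing site, run over constructed log lines, with uploads that carry no SSO identity flagged as traffic that bypassed the portal. The hostnames, user names and log format are all assumptions.

```python
import re
from collections import Counter

# Constructed enforcement policy: for each covered sharing site, the SSO users
# who are allowed to publish (upload) to it. Hostnames and users are made up.
SHARING_SITE_POLICY = {
    "share.example-sharing.test": {"alice", "bob"},
    "docs.example-saas.test": {"alice"},
}

# Assumed gateway log format: timestamp user method host bytes_out
# A user of "-" means the gateway saw no authenticated (SSO) identity.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<bytes_out>\d+)$"
)
UPLOAD_METHODS = {"POST", "PUT"}

# Constructed sample log, including one malformed line.
SAMPLE_LOG = [
    "2024-01-01T09:00:00Z alice POST share.example-sharing.test 204800",
    "2024-01-01T09:05:00Z carol POST share.example-sharing.test 1048576",
    "2024-01-01T09:06:00Z bob GET share.example-sharing.test 512",
    "2024-01-01T09:07:00Z - PUT docs.example-saas.test 4096",
    "2024-01-01T09:08:00Z bob PUT docs.example-saas.test 2048",
    "2024-01-01T09:09:00Z alice POST mail.unrelated.test 100",
    "garbage line",
]


def audit_uploads(log_lines, policy=SHARING_SITE_POLICY):
    """Return (violations, bytes_by_host_user) for uploads to policy-covered sites.

    A violation is a POST/PUT to a covered host either by a user the policy does
    not permit for that host, or with no SSO identity attached (user "-")."""
    violations = []
    bytes_out = Counter()
    for raw in log_lines:
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the audit
        rec = m.groupdict()
        if rec["method"] not in UPLOAD_METHODS or rec["host"] not in policy:
            continue  # downloads and uncovered sites are out of scope here
        bytes_out[(rec["host"], rec["user"])] += int(rec["bytes_out"])
        if rec["user"] == "-":
            violations.append((rec["ts"], rec["user"], rec["host"], "upload with no SSO identity"))
        elif rec["user"] not in policy[rec["host"]]:
            violations.append((rec["ts"], rec["user"], rec["host"], "user not permitted to publish"))
    return violations, bytes_out


if __name__ == "__main__":
    for v in audit_uploads(SAMPLE_LOG)[0]:
        print(*v)
```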
As standards evolve and would-be buyers pressure cloud app providers to let them tap into the proper identity-related data feeds, companies should be building cloud identity portals that track and control user access rights, along with SSO projects that strengthen the business case for cloud services. The more value security adds through IAM, the easier it will be for the IT department to rope rogue cloud deployments back under the IT governance umbrella.
IAM can make it easier to shift gears between different cloud applications without having to log in using different credentials. Implementing SSO makes it possible to safely use one set of credentials for everything, with very little interaction with IT required.
"If you make it highly functional, then users will be glad to use it, and then you've captured the prize," Lovelock says. "Make the portal fancy enough to plug into apps from the on-premises side and the cloud. Make the password reset integrate right into the portal. Allow access from anywhere, but perhaps apply rules where some apps can be accessed from the coffee shop and some cannot."
If IT is seen as an inhibitor, Brown warns, then business units are more likely to spin up ad hoc cloud deployments. But if SSO is seen as an easier way to log in to everything, users will demand their new deployments work through the system.
Brown offers the example of an enterprise customer that reined in deployments of Amazon Web Services by offering single sign-on. Staff from different business units used multiple AWS accounts, relying on native AWS sign-in for each account. IT worked with each unit to regain control of the cloud contract and route logins through a corporate SSO system.
This made it easier for IT to track AWS use and helped users by letting them use their everyday password through AWS, rather than having to remember multiple credentials. And the company had better clout in negotiating with Amazon.
If more groups take this lesson to heart, they may find that identity management not only gives IT a foundation for making security improvements to the cloud model, but can also improve IT operations that are fragmenting across the company.