
Identify Identity Lifecycles for Cloud App Security

by Vivian Au August 4, 2014 | 4 min read

Last month, we covered the tactics Twitter employs to keep users’ data safe. Stephen Lee, the director of platform solutions at Okta, also spoke at the recent PagerDuty security meetup about SaaS apps – the considerations companies need to make around their adoption and protecting the data inside them.

Provisioning the right applications

The great benefit of SaaS products is that they’re available to any user via the web. Yet cloud apps’ ease of use also presents the issue of access control: who gets access to which apps and at what level?

At Okta, automation helps solve one of the major issues of access control: provisioning. When a new employee comes on board – regardless of whether he works in operations, engineering, sales or some other department – he will need to be granted access to certain applications, and automation can greatly simplify this process.

Access control automation also lessens the risk that an employee will need to manually request access to an app down the line, helping reduce IT’s workload and enhancing productivity.

Plan around mobile device use

An important trend that SaaS is helping to power is the growing mobile-friendliness of workplaces. Mobility is great for employees, who are empowered to work where and how they want, in ways that would have been impossible just 10 years ago. Yet it presents real headaches for IT security teams.

Not only does company data live on an ever-greater number of mobile devices, which can easily be lost or stolen, but many of those devices are personal ones. What happens when an employee resigns or is fired – can her former employer be confident that company data won’t go with her?

These considerations demand a robust system for managing access control, one that makes it easy to grant or revoke access on a person-by-person basis.

Anticipate cloud for everything

SaaS isn’t just about enabling mobility. There are other benefits to adopting cloud technology in the enterprise, including cost savings, access to new features and user-friendliness. Yet the massive cloud shift – one of two major trends Stephen pointed to in the corporate tech marketplace, the other one being mobile device adoption – isn’t without security challenges.

For example, managing authentication and authorization when users are accessing apps from a number of locations on a number of different devices is quite hard. You’ve also got the interaction between the end-user and the actual applications – how do you ensure secure connections on networks you don’t control? Then there’s the matter of security audits, to which all public companies are subjected. If you get audited, you’ll have to prove you can generate data around “who has access to what”.

Stephen suggested thinking about security in the context of “identity lifecycles”. The first step in developing a comprehensive security plan is to map out these lifecycles for both internal and external users, thinking in terms of access control. The lifecycle approach makes particular sense when used in concert with a “secure by default” ethos, where security checks are baked in to the product development process.
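As an added illustration, not code from the post or from Okta, the lifecycle idea can be sketched as a small model in which role-derived entitlements are granted at joining, replaced on transfer, fully revoked (devices included) at leaving, and reported for audit; the department-to-app bundles and user names are constructed sample data.

```python
# Added example: a minimal identity-lifecycle model (join / move / leave / audit).
from dataclasses import dataclass, field

# Constructed sample: the SaaS apps each department is provisioned by default.
DEPARTMENT_APPS = {
    "engineering": {"github", "pagerduty", "wiki"},
    "sales": {"crm", "wiki"},
    "operations": {"pagerduty", "wiki", "ticketing"},
}


@dataclass
class Directory:
    """Source of truth for who holds which app entitlements and device enrolments."""
    access: dict = field(default_factory=dict)         # user -> set of apps
    device_tokens: dict = field(default_factory=dict)  # user -> set of enrolled device ids

    def join(self, user, department):
        # Automated provisioning: the bundle is derived from the role, not requested by hand.
        self.access[user] = set(DEPARTMENT_APPS[department])

    def move(self, user, department):
        # Transfer: replace the old bundle instead of accumulating entitlements over time.
        self.access[user] = set(DEPARTMENT_APPS[department])

    def enroll_device(self, user, device_id):
        # A personal or corporate device enrolled for this user.
        self.device_tokens.setdefault(user, set()).add(device_id)

    def leave(self, user):
        # Offboarding revokes every entitlement and every device enrolment at once,
        # so company data does not linger on a personal phone after the user is gone.
        self.access.pop(user, None)
        self.device_tokens.pop(user, None)

    def who_has_access(self):
        """Audit evidence: app -> sorted users. Answers 'who has access to what'."""
        report = {}
        for user, apps in self.access.items():
            for app in apps:
                report.setdefault(app, []).append(user)
        return {app: sorted(users) for app, users in sorted(report.items())}

    def orphaned_users(self, hr_active_users):
        """Users still holding apps or devices who are no longer active in HR."""
        holders = set(self.access) | set(self.device_tokens)
        return sorted(holders - set(hr_active_users))
```

Running `orphaned_users` against the HR roster on a schedule is the check that catches a leaver whose offboarding was missed.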

Think about your users

Another benefit to identity lifecycles: they force companies to identify whose access, precisely, they are controlling. Whether it’s actual users, in Twitter’s case, or engineers and operations folks internally, “lifecycling” requires a holistic look at security.

At Okta, the question is one of accuracy: can people access what they need to access on a reliable basis? Stephen presented a view of Okta’s end-user as the Okta security team’s “customer”.

“They need to be able to access what they need, but they shouldn’t be able to access what they don’t.” – Stephen Lee, Okta

Thinking in terms of others’ needs is a rare thing in the business world, not least in IT, which spends most of its time immersed in device provisioning, bug fixes, system architecture and so on. Yet Stephen points the way to a better, more “customer”-friendly version of enterprise IT.

Watch Stephen’s full presentation here: