Can cloud computing implementation help with access governance?
This article is a guest interview with Tedd Rodman and Jason Garbis of Aveksa, and is the fourth in a series of cloud computing experts who share their expertise on how organizations can securely conduct their business using cloud computing services.
(Articles in this series include: “Holistic Approach to Cloud Computing” and “When Clouds Collide”, and “Avoid the Risks of Multiple Cloud Providers”)
What is the public's primary security concern with cloud computing?
We’ve seen a handful of security apprehensions from clients. Much of the concern lies in the fact that the IT infrastructure – and company data – is no longer under their direct control.
However, the security procedures of an on-premise IT department are often overlooked. In many instances there is unfettered physical access to systems, turnover in the IT department, and an ever-increasing complexity of today’s systems – requiring more specialized expertise and manpower.
Can client companies successfully use multiple cloud computing providers?
In many instances, yes. However, it depends on the level of application integration required. Many cloud providers have an API; others have an import/export mechanism in place. Of course, manual data integration is increases the likelihood of error.
It’s important to have procedures in place, and have records for who’s responsible for the integration. Then you get into issues of access-governance.
Can access-governance be an issue? Can cloud computing help?
Organizations, especially those that are publicly-traded, need processes in place to understand who has access to which data and applications. Turnover isn’t only an issue in the IT department. When roles and responsibilities shift, it becomes more imperative to substantiate that access controls are still in place.
The process of segregations of duties is a popular example. To avoid a conflict of interests, one individual shouldn’t have the power to establish AND pay a vendor. Or payment should at least require two signatures.
A privately-held organizations can also certainty benefit from solid access-governance processes - in the areas of risk management and as a business enabler in removing of impediments from working with a publicly-held company.
If companies find it difficult to get a good grasp of its access-controls, cloud computing can make sense. In many cloud environments, management can control which employees have access to certain data through the use of a username and password. We’d advise against relying solely on cloud computing for access governance, but it can certainly be a good start.
Looking into moving to the cloud, but not sure where to start? Register for a free webinar on the Five Steps to Understanding and Implementing Cloud Computing.
