Cloud identity
Cloud identity is a software-as-a-service solution that combines identity, access, application, and endpoint management. Administrators use this identity-as-a-service offering to manage users, applications, and devices from a central location. A unified solution, cloud identity benefits IT and security teams by streamlining the process to federate identities between identity providers.
Cloud identity benefits
Benefits of cloud identity include the following:
- Allows users to easily access applications using single sign-on
- Assesses domains’ overall exposure to a data breach
- Automates mobile device management
- Enables intuitive user experiences on endpoint devices
- Extends on-premises directory to the cloud
- Identifies users that pose security risks
- Leverages threat intelligence signals to optimize security defenses
- Protects user and organizational data with multi-factor authentication
- Provides an easily accessible view of administrator activity logs and overviews of key metrics and trends
- Secures devices by enforcing screen locks or passcodes
- Supports policy enforcement for all devices (i.e., personal, corporate) with endpoint management tools
- Unifies management of users, access privileges, applications, and endpoint management
Typical features of cloud identity solutions
Key features of cloud identity solutions include:
- Ability to set up digital workspaces quickly
- Account takeover protection
- Automated user provisioning and de-provisioning
- Context-aware access
- Endpoint management
- Hybrid identity management with Active Directory and secure LDAP (lightweight directory access protocol)
- Integration with hundreds of cloud applications out of the box
- Multi-factor authentication (MFA)
- Single sign-on (SSO)
- A unified management console
Cloud identity and single sign-on
Cloud identity, acting as a third-party identity provider (IdP), supports the OpenID Connect (OIDC) and Security Assertion Markup Language 2.0 (SAML) protocols. SAML requires more effort to implement than OIDC but is better established in enterprises; OIDC is easier to set up but is not as widely adopted there.
Cloud identity provides administrators with the option to use the protocol that works best for their deployments.
Cloud identity and multi-factor authentication
Cloud identity allows organizations to implement MFA in several ways and at varying levels.
Levels include:
- Optional: users opt in to MFA rather than being required to use it
- Mandatory: users must use MFA and select which MFA method to use
- Security keys mandatory: users are required to use a security key as an authentication factor
Cloud identity MFA options include:
- Backup codes provided to users in advance of needing them for cases where users will not have connectivity to receive codes
- One-time codes delivered via text message or phone call
- Prompts sent to a mobile device to verify that the login attempt is legitimate
- Security keys (e.g., physical key inserted into a USB (universal serial bus) port on users’ computers)
Cloud identity and the principle of least privilege
Cloud identity supports the enforcement of the principle of least privilege. That is, cloud identity helps ensure that a person or system has access only to the minimum set of resources required to do its job.
Cloud identity helps enforce the principle of least privilege in a number of ways, including with:
- The ability to evaluate the risks of identities, human and non-human, across multiple public clouds
- Continuous monitoring of identities and access for activities that conflict with governance rules and normal operational behavior
- End-to-end visibility
Cloud identity and just-in-time access
Just-in-time access is an approach to applying the principle of least privilege. For users who need privileged access, just-in-time access limits rights to only when they are required.
Just-in-time privileged access rights range from permanent (i.e., applicable until revoked) to eligible (i.e., approved for access on an as-needed basis). Cloud identity uses just-in-time access to:
- Conduct audits and assessments of past activities
- Create a record of why privileges were activated
- Minimize the chance of a user compromising resources (i.e., modifying or deleting resources)
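The distinction between permanent and eligible rights, the justification record, and the audit trail described above can be expressed as a small access manager. The following is an added example, not code from the original article or from any vendor product; the `JitAccessManager` class, its role and principal names, and the constructed change-ticket string are all assumptions of the example. It caps every activation at a configurable maximum window and writes each activation (or denied activation) to an in-memory audit log so that past activity can be reviewed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

@dataclass
class Assignment:
    role: str
    kind: str        # "permanent" (until revoked) or "eligible" (activate as needed)

@dataclass
class Activation:
    principal: str
    role: str
    justification: str
    activated_at: datetime
    expires_at: datetime

class JitAccessManager:
    """Hypothetical just-in-time access model (example code, not a product API)."""

    def __init__(self, max_duration: timedelta = timedelta(hours=1)):
        self.max_duration = max_duration
        self.assignments: Dict[str, List[Assignment]] = {}
        self.activations: List[Activation] = []
        self.audit_log: List[dict] = []   # record of why and when privileges were activated

    def assign(self, principal: str, role: str, kind: str) -> None:
        if kind not in ("permanent", "eligible"):
            raise ValueError("kind must be 'permanent' or 'eligible'")
        self.assignments.setdefault(principal, []).append(Assignment(role, kind))

    def activate(self, principal: str, role: str, justification: str,
                 now: datetime, duration: Optional[timedelta] = None) -> bool:
        """Activate an eligible role for a bounded window; returns True on success."""
        if not justification.strip():
            raise ValueError("a justification is required to activate a role")
        eligible = any(a.role == role and a.kind == "eligible"
                       for a in self.assignments.get(principal, []))
        if not eligible:
            self._log("activation_denied", principal, role, now, reason="not eligible")
            return False
        # Never let a request exceed the configured maximum window.
        window = min(duration or self.max_duration, self.max_duration)
        act = Activation(principal, role, justification, now, now + window)
        self.activations.append(act)
        self._log("activated", principal, role, now,
                  justification=justification, expires_at=act.expires_at.isoformat())
        return True

    def has_access(self, principal: str, role: str, now: datetime) -> bool:
        """Permanent rights always apply; eligible rights apply only inside an active window."""
        if any(a.role == role and a.kind == "permanent"
               for a in self.assignments.get(principal, [])):
            return True
        return any(act.principal == principal and act.role == role
                   and act.activated_at <= now < act.expires_at
                   for act in self.activations)

    def _log(self, event: str, principal: str, role: str, now: datetime, **extra) -> None:
        self.audit_log.append({"event": event, "principal": principal,
                               "role": role, "at": now.isoformat(), **extra})

def demo() -> dict:
    """Constructed scenario: alice is eligible for db-admin, bob is a permanent viewer."""
    mgr = JitAccessManager(max_duration=timedelta(minutes=30))
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    mgr.assign("alice", "db-admin", "eligible")
    mgr.assign("bob", "viewer", "permanent")
    before = mgr.has_access("alice", "db-admin", t0)
    # A 4-hour request is silently capped to the 30-minute maximum.
    ok = mgr.activate("alice", "db-admin", "change ticket CR-0000 (constructed): restore backup",
                      t0, timedelta(hours=4))
    during = mgr.has_access("alice", "db-admin", t0 + timedelta(minutes=10))
    after = mgr.has_access("alice", "db-admin", t0 + timedelta(minutes=31))
    denied = mgr.activate("bob", "db-admin", "curious", t0)   # bob was never made eligible
    return {"before": before, "ok": ok, "during": during, "after": after,
            "denied": denied, "log": mgr.audit_log, "bob_viewer": mgr.has_access("bob", "viewer", t0)}

if __name__ == "__main__":
    for entry in demo()["log"]:
        print(entry)
```

The audit log is the piece auditors ask for: each entry carries the principal, role, timestamp, and the justification supplied, and denied activations are logged too, so attempts to use a role that was never granted are visible during review.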
Cloud identity and regulatory compliance
Cloud identity helps organizations meet the compliance requirements of key regulations, including the following.
California Consumer Privacy Act (CCPA)
Functions included with cloud identity that support CCPA compliance are:
- Access governance to control where the data is housed and who can access it
- Centralized administration of access management and identity governance
- Identity management capabilities that tie individual consumers to their data and privacy requests
- Strong authentication
Family Educational Rights and Privacy Act (FERPA)
Cloud identity helps meet FERPA compliance requirements with:
- The ability to delegate education data access to third parties
- Accurate, complete, and time-stamped logging of users
- Automated reporting with access management evidence to meet audit standards
- A federated infrastructure that allows secure access based on the principle of least privilege
General Data Protection Regulation (GDPR)
GDPR requirements supported by cloud identity include:
- Access governance
- Access management
- Authentication
- Authorization
- Identity governance
- Identity management
Gramm-Leach-Bliley Act (GLBA)
GLBA compliance requirements that cloud identity addresses are:
- Automated provisioning and de-provisioning of users as roles and employment status change
- Enforcement of the principle of least privilege
- Multi-factor authentication
- Role-based management that grants access according to users’ roles rather than direct assignment
- Separation of duties controls
Health Insurance Portability and Accountability Act (HIPAA)
Among the HIPAA compliance requirements addressed with cloud identity are:
- Automatic access logging and automated reporting to facilitate auditing
- Centralized access governance across organizations’ infrastructure, including human and non-human users (e.g., IoT (Internet of Things) devices)
- Credential protection with single sign-on
New York SHIELD Act (Stop Hacks and Improve Electronic Data Security Act)
Cloud identity capabilities that support compliance with the NY SHIELD Act include:
- Automated provisioning and de-provisioning of users as personnel change roles
- Entitlement management to limit permissions to the least privileges
- Federated identity management to simplify integration and tracking of business partners
- Multi-factor authentication to increase the difficulty of stealing credentials to access data illicitly
Sarbanes-Oxley Act (SOX)
SOX compliance requirements addressed with cloud identity are:
- Automatic logging and tracking tools that generate clear reports for compliance audits
- Centralized administration of access management and identity governance
- Enforcement of separation of duties rules
- Verification of user rights and permissions across the infrastructure
Why cloud identities must be governed
To protect cloud environments, cloud entities must be governed by rules that tightly manage access privileges and permissions. Cloud infrastructures include thousands of human and machine entities that create a growing attack surface. Cloud identity governance solutions automate the management of identity, permissions, and access risks at scale to effectively and efficiently secure cloud infrastructures.
Modernize and strengthen security with cloud identity
Cloud identity solutions typically provide features and functionality that are purpose-built for modern infrastructures, so identities can be managed and protected from exploitation in complex cloud environments.
Organizations that leverage cloud identity reap numerous benefits, including adherence to many compliance requirements and support for enforcing the principle of least privilege, which is regarded as a must-have for mitigating risk and defending against threats.