Brian Jackson - Fotolia
Amazon, Google and IBM all offer identity and access management products as a part of a cloud subscription, but organizations should evaluate these services carefully before they start using them.
IT pros should get to know the features, advantages and disadvantages of cloud-based identity and access management (IAM) products from three major cloud vendors.
Pros of built-in cloud IAM
Cloud-based IAM products from major cloud providers are typically pre-integrated into the cloud platform's services, making it easier for IT to implement and manage IAM controls across the cloud environment.
Because a provider's IAM tool is part of a larger cloud infrastructure, it can also deliver higher levels of reliability and scalability than an on-premises product can. In many cases, the cloud platform can also deliver a greater level of security because service providers can invest substantial resources to protect customer data. Larger cloud platforms, however, are often bigger targets for cybercriminals, which means that the provider needs to be more diligent to protect resources.
In general, a cloud service is more flexible and adaptable than an on-premises product. Service providers can more easily and quickly apply patches and upgrades, address security threats and implement new and enhanced features. Cloud-based IAM can offload mundane administrative tasks, allowing IT to focus on higher-priority tasks.
Cons of built-in cloud IAM
Major cloud providers specifically design and optimize their IAM products for their own platforms. This might be fine for organizations that run all of their operations on that platform, but many IT teams also manage on-premises applications, multiple cloud services, hybrid environments, distributed data stores and customized legacy systems. In these situations, IT must either balance multiple IAM products or find a single product that supports multiple environments, such as tools from Ping Identity or RSA.
The RSA SecurID Suite, for example, provides IAM services that can protect both cloud and on-premises applications, including legacy and custom tools, while incorporating technologies such as threat intelligence and business context. Organizations that already use these products will likely want to extend them to their cloud platform, rather than manage multiple IAM tools. A comprehensive IAM product should expand beyond the boundaries of a single cloud environment.
Many organizations have implemented user environment management (UEM), enterprise mobility management (EMM), or mobile device management (MDM) tools that include IAM capabilities or integrate with other IAM tools, which can further complicate the deployment of a provider's cloud-based IAM.
IAM from major cloud providers
Amazon offers its free AWS Identity and Access Management tool to control access to Amazon services such as Redshift, DynamoDB, Elastic Compute Cloud (EC2) and Simple Storage Service (S3). Administrators can assign specific permissions to both users and groups, allowing them to control who can access which resources and the level of access they have to those resources. Amazon provides a variety of tools for working with its IAM services, including command-line utilities, the AWS Management Console, and AWS software development kits (SDKs).
Amazon's IAM product supports features such as multifactor authentication and identity federation and incorporates a highly available infrastructure. It comes pre-integrated into many AWS services and complies with the Payment Card Industry Data Security Standard (PCI DSS).
Google also offers a free IAM product, Cloud Identity and Access Management, with a Google Cloud Platform subscription. It enables administrators to authorize who can take specific actions on specific resources. It also offers multiple options for IT to control resource permissions both directly and remotely, and it automatically provides IT with a full audit trail.
Google introduced context-aware access for organizations that use the Cloud Identity-Aware Proxy service. The new feature allows IT to enforce granular access to resources based on user identity and the context of their requests, without requiring remote-access virtual private network (VPN) gateways. For example, an administrator can specify that a web application is accessible only from Windows devices.
IBM also offers a free IAM product, Cloud Identity and Access Management, which provides unified user management across the IBM Cloud. IT can consistently control access to all of the platform's resources. Administrators can add and delete users, or they can organize users into groups to simplify access assignments.
IBM's cloud-based IAM service includes Security Access Manager to proactively enforce access policies for web and mobile. The IAM tools also includes IBM's Security Identity Governance and Intelligence service, which provides a set of tools to analyze, define and certify user access.