Avoiding the turn on, sign in, drop out dilemma
Unmanaged cloud adoption without identity integration can undermine agency governance.
Many years ago, as agencies moved away from a monolithic mainframe architecture and applications proliferated on the corporate network, each application used its own authentication policy… resulting in end users managing dozens of passwords.
Given how poor most people are at remembering infrequently used, complex jumbles of characters, the rational response was to recycle simple passwords or to write them down. Both techniques significantly undermined security.
Recognising the difficulties of multiple passwords, agencies implemented identity management solutions to allow common credentials to be used across applications. When only one password is required, and it is used several times daily, muscle (or finger) memory will aid user recall and password complexity is easier to enforce.
While the aim of a single password for everything remained largely an aspirational goal, considerable progress had been made on improving the security posture of internal applications. Additionally, as organisations converged on a single user account, removing access on separation became increasingly automated. Gone were the bad old days of networks having hundreds, if not thousands, of dormant accounts for staff long since departed.
However, while the recent rapid adoption of cloud solutions is improving the cost-effectiveness and responsiveness of IT, unmanaged adoption has the potential to undo all that previous good work. Rather than a single account to disable, there could be a different credential for every SaaS application. Even worse, if point solutions are procured in an unmanaged fashion by groups who just want to ‘get the job done’, the CIO may have no visibility that they even exist.
It has been argued that unmanaged cloud solutions are generally of little importance or risk compared to core business functions, such as finance and payroll, which tend to remain under IT’s purview. But this is somewhat naive.
We have only to consider the scenario of a departing ministerial advisor — whose access to the core systems is revoked but who retains access to a cloud-based press-release application — to understand the potential organisational risk.
While much has been written about the financial implications of the move to cloud, such as the ability to fund services from operational rather than capital funds, we have regularly highlighted that the improvement in organisational agility is as, or more, important.
To ensure that this key benefit is not undermined, agencies must avoid the tendency to respond to these concerns with a rigid, costly and time-consuming governance model. Rather, the aim should be to design a minimalist model that enables quick adoption of services that comply with a small number of core requirements.
One of these should be to interface with the agency’s directory and identity management services — providing end users with the usability of single sign-on and the organisation with the assurance that access to every service a user touches can be reliably terminated when required. In practice that means the service must authenticate through the agency’s identity provider (using a standard federation protocol such as SAML or OpenID Connect) rather than holding its own copy of the credential, and, where the service keeps long-lived sessions or API tokens, it must also support automated deprovisioning; disabling the directory account alone does not end access the application has already granted.