“The Cloud” is changing business in many ways. This discussion is mostly targeting B2B and B2C applications and how cloud and SaaS offerings are affecting access control and security.
Cloud and SaaS offerings affect businesses by reducing the time it takes to implement and begin using business-relevant applications compared to the traditional way of getting an application up and running. In the past, business departments needed to talk to IT and go through all the processes, from budget funding to software selection to purchasing and finally the implementation process with IT. Today, you can simply subscribe to a software-as-a-service offering that fits your needs and start working. This is the “new business agility” that results from a SaaS offering.
The role of IT departments is changing and adapting. Even if the business departments can easily use line-of-business applications in the cloud, companies are still accountable for controlling the access, the use and the security of the data of those applications.
For the IT department, this means that it is not necessarily the department implementing, operating and supporting the application itself, but the one providing the tools and processes to govern and control the overall system security. IT departments need to become a real partner of the business and an enabler of the new agility. IT departments have an opportunity to become the internal facilitator or a kind of consultant for the integration of the business-relevant SaaS applications. The business and IT need to ensure that the applications are brought into the overall IAG and GRC program and its tools and solutions so that processes like:
Who should have access or not?
How to grant or revoke access and permissions?
How to provision or de-provision access and permissions?
How to attest/recertify access and permissions?
are not broken and the new applications fit into the overall scenario.
Uncontrolled growth and use of cloud applications by the business could lead to uncontrolled systems and violation of internal and external regulatory controls. IT departments are the natural partner of the business for ensuring security and compliance, not just for on-premises applications but for SaaS applications as well.
A company should develop a best-practices IAG/GRC program as a prerequisite to having the appropriate IAG applications in place, ones that can provide all features required for managing both on-premises and off-premises applications.