If you do only one thing with the cloud, get your identity management strategy right. Even if your organization’s IT environment is entirely on-premises, you have to know how to handle identity management for cloud applications. Here is why.

Enterprise use of cloud-based applications has increased dramatically in recent years. For example, a report on cloud apps by Netskope showed that in the last quarter of 2014, enterprises used on average 613 cloud applications per organization. Business units often see IT as an inhibitor to delivering business solutions quickly, so end users will access Software as a Service (SaaS) applications even if corporate IT doesn’t endorse them. According to the recent Cloud Adoption, Practices and Priorities Survey Report by the Cloud Security Alliance (CSA), “nearly 72 percent [of surveyed executives and IT managers] admitted that they did not know the number of shadow IT apps within their organization, but certainly want to.”

The CSA survey also lists the most user-requested types of cloud services based on Line-of-Business requests to IT departments, including File Sharing and Collaboration (80 percent), Communication (41 percent), Social Media (38 percent), Content Sharing (27 percent), Enterprise Content Management (20 percent) and Development (20 percent). At the same time, only 16 percent of the same respondents stated that their organization has a governance policy for cloud usage.

Here are some of the most prominent Shadow IT issues that can emerge when your IT strategy ignores end user-driven cloud adoption:

  • Multiple SaaS applications serving the same function are deployed in the enterprise, for example different CRM software in different business units.
  • Identity management for the SaaS applications is not integrated with the organization’s Active Directory.
  • Lack of single sign-on (SSO) integration for cloud apps results in a poor experience where users have to manage multiple identities and passwords.
  • Sensitive corporate data is being stored in SaaS applications that have not been vetted against corporate IT requirements.
  • Business performance and continuity may be threatened if a SaaS vendor has a disaster or goes out of business.

Even if your enterprise IT environment isn’t ready for large-scale use of cloud services, or the majority of your IT infrastructure needs to stay on-premises, get started on an identity management strategy for the cloud now. To get going, consider the following three best practices:

1. Create a centralized IT group that ensures fast SaaS adoption with proper controls
A centralized IT group will provide a go-to resource for the business units and help establish the right control and enablement processes. This includes creating a procurement process to negotiate with cloud app vendors in case an enterprise solution is required. SaaS vendors like Dropbox or Evernote initially sold consumer offerings to business customers, until business user demand and collaboration with IT departments led to the addition of hardened enterprise-ready solutions. Instead of multiple business units approaching the same vendors, an orchestrated approach will provide security, privacy and usability benefits for everyone in the organization. Cloud vendors will appreciate this approach because they too prefer a centralized go-to resource they can deal with for the implementation of specific, large-scale requirements.

The centralized group will also be able to take care of implementing SSO and integrating the cloud applications with the organization’s existing Active Directory. If data needs to be provided to the SaaS vendor, the centralized group can also execute a risk review before proceeding. Finally, this group will take care of proper legal contracts to cover SLAs, disaster recovery, termination of business, and data privacy/recovery.

2. Address key scenarios when managing identities
Best-practice identity management requires tackling all the relevant scenarios. This includes creating one identity repository for many applications, and enabling access and management for identities used in cloud applications. It also includes monitoring and protecting access to enterprise applications so as to avoid making SaaS the weak spot in your IT risk management. If your organization goes to great lengths to secure and restrict access to confidential corporate data, this protection needs to be extended into the cloud.

But identity management scenarios aren’t all about security and risk management; they also include offering a personalized user experience and more convenient access to cloud solutions, which will help win over business units and end users. By creating self-service capabilities, users will be able to manage many parts of their cloud usage without draining IT resources. For example, some enterprise IT organizations now offer a self-service portal with approved cloud solutions. If the organization has an agreement with a CRM vendor such as Salesforce or a file sharing service such as Box, users can get started with these SaaS apps right away, and they don’t have to worry about the details of SLAs or security.
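The two scenarios above (one identity repository for many applications, and monitoring access so SaaS does not become the weak spot) come down to a reconciliation the central IT group can run regularly: compare each SaaS application’s user export against the corporate directory. The following Python script is an added example, not code from the original article or from any vendor. Its CSV layouts and the sample directory and SaaS exports are constructed; real vendor exports will have different columns, so the loaders are the part you would adapt.

```python
"""Reconcile SaaS application user exports against the corporate directory.

Added example with constructed sample data. The CSV column names (upn, enabled,
app, category, user) are assumptions, not any vendor's real export format.
"""
import csv
import io
from collections import defaultdict

# Constructed directory export: who the organization says exists and whether the
# account is still enabled. A disabled account is treated as a leaver.
DIRECTORY_CSV = """upn,enabled
alice@example.com,true
bob@example.com,true
carol@example.com,false
"""

# Constructed SaaS exports gathered from each vendor's admin console. The
# "category" column is our own tag, so apps serving the same function show up.
SAAS_CSV = """app,category,user
CRM-A,crm,alice@example.com
CRM-A,crm,carol@example.com
CRM-B,crm,bob@example.com
FileShare,file_sharing,alice@example.com
FileShare,file_sharing,dave@gmail.com
"""


def load_directory(text):
    """Map lower-cased UPN -> enabled flag from the directory export."""
    return {row["upn"].strip().lower(): row["enabled"].strip().lower() == "true"
            for row in csv.DictReader(io.StringIO(text))}


def load_saas(text):
    """Return the SaaS export rows as dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(directory, saas_rows):
    """Return three findings a central IT group wants from shadow-IT discovery:

    orphaned       - SaaS identity with no corresponding directory account
                     (typically a personal or unmanaged login)
    leavers        - directory account disabled but SaaS access still exists
    duplicate_apps - more than one SaaS app deployed for the same function
    """
    orphaned = []
    leavers = []
    apps_by_category = defaultdict(set)
    for row in saas_rows:
        user = row["user"].strip().lower()
        apps_by_category[row["category"]].add(row["app"])
        if user not in directory:
            orphaned.append((row["app"], user))
        elif not directory[user]:
            leavers.append((row["app"], user))
    duplicate_apps = {cat: sorted(apps)
                      for cat, apps in apps_by_category.items() if len(apps) > 1}
    return {"orphaned": sorted(orphaned),
            "leavers": sorted(leavers),
            "duplicate_apps": duplicate_apps}


def report():
    """Run the reconciliation over the constructed sample exports."""
    return reconcile(load_directory(DIRECTORY_CSV), load_saas(SAAS_CSV))


if __name__ == "__main__":
    for finding, items in report().items():
        print(f"{finding}: {items}")
```

Each finding maps to an item on the shadow IT list above: orphaned accounts are identities outside the directory, leavers with live SaaS access are the access-control gap that an SSO integration would close automatically, and duplicate apps per category are the multiple-CRM problem the procurement process is meant to prevent.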

3. Use Azure Active Directory to enable key cloud governance and management capabilities for enterprises
In a Microsoft IT environment, the best way to integrate identity management for the cloud is to use Azure Active Directory (AD). Azure AD “provides a robust set of capabilities to manage users and groups and help secure access to on-premises and cloud applications including Microsoft online services like Office 365 and a world of non-Microsoft SaaS applications.”

Azure AD lets you connect SaaS identities with their on-premises Active Directory users and associate them with a huge variety of cloud applications. As of February 2015, more than 2,400 cloud applications are listed with pre-integration capabilities for Azure AD in the Azure Marketplace. Connectable SaaS applications include anything from CRM and data services to e-commerce, ERP, project management and web design. With Azure AD, you get SSO for these cloud apps for all your enterprise users. You can also integrate with various web protocols. Lastly, Azure AD helps your organization scale around the globe to authenticate your users in any location, from any device, in a way that integrates simply with their existing identities.

An integrated identity management strategy that addresses both on-premises and cloud environments with a single solution is the best way to fight cloud-driven Shadow IT. In her 2012 Harvard Business Review article titled “Shadow IT is out of the closet”, Jill Dyche proposed that “IT can transform itself from ‘we build everything’ to ‘here’s how to build it,’ and thus be viewed as a competency center focused not on technology, but on process creation and refinement.”

The rapid adoption of business cloud solutions – inside and outside of the IT department – will soon make the transformation to “competency center” a mandatory requirement for IT organizations. Developing an identity management strategy for the cloud is an important step in this direction and a big component of proper IT governance and operations in an increasingly cloud-first business world.