Identity and access management in the age of shadow IT

With a vibrant market of software-as-a-service applications on offer, business managers no longer need to go through IT to procure the application functionality they require.

Despite being dubbed ‘shadow IT’, the infiltration of the enterprise by cloud-based apps is not all doom and gloom. Business users are more likely to select a tool that meets their requirements if they pick it themselves.

But it does raise issues for the IT department. One of the most immediate concerns is identity and access management (IAM).

Employees may lock themselves out of critical applications if they forget their passwords. Or, more worryingly, they may reuse their passwords from personal web services for corporate applications. In theory, this could expose organisations to attack if those services are compromised – as in the case of LinkedIn’s recent password breach.

There is also the issue of ensuring that workers can only access functionality that is appropriate for their duties and of promptly removing application access when employees leave. If the IT department is not privy to the accounts and log-in details of a given cloud application, this may not get done. Nor will they be able to track application usage across the organisation – an essential requirement for cost control when paying for SaaS apps ‘by the seat’.

The solution

So how can the IT department claw back control of identity and access management in the face of cloud applications?

One approach is for IT to become an internal ‘cloud service provider’ – a central resource that provides identity and access services to business departments, making it easy for users to gain access to cloud applications, while at the same time ensuring that security and compliance requirements are met.

The idea is that, rather than looking out on the web for cloud applications that suit their needs, business users go to an internal app store, where they can browse applications that have been pre-approved by the IT department, and initiate the deployment in full view of IT.

The beauty of this approach is that it allows IT to insert an identity and access management layer between the users and the cloud applications, addressing many of the above concerns.

It can, for example, introduce single sign-on (SSO) for all cloud apps, giving business units ease of use, removing the security concerns of password reuse, and giving IT control of access rights when an employee leaves.

IT can also take a risk-based view of cloud applications based on the kind of data that they are being used for – e.g. customer or financial data, versus marketing collateral – and adjust security policies and restrictions accordingly. And it also allows them to keep tabs on cloud application usage, meaning that ‘cloud sprawl’ does not lead to some surprisingly high bills down the line.
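As an added illustration (this is not code from the article or from any vendor it mentions), a minimal model of the access layer described above: an IT-maintained catalogue of pre-approved apps tagged by data class, a risk policy keyed on that class, a per-app SSO assertion, seat-usage tracking, and one-step deprovisioning. The app names, roles, policy and signing key are all constructed for the example.

```python
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-demo-key"  # assumption: the broker's own SSO signing key

# IT-maintained catalogue of pre-approved apps: data class and roles allowed to use each.
CATALOGUE = {
    "crm":      {"data": "customer",  "roles": {"sales", "support"}},
    "ledger":   {"data": "financial", "roles": {"finance"}},
    "brandkit": {"data": "marketing", "roles": {"sales", "support", "finance", "marketing"}},
}
# Risk-based policy keyed on the kind of data an app handles, not on the individual app.
POLICY = {"customer": {"mfa": True}, "financial": {"mfa": True}, "marketing": {"mfa": False}}


class AccessBroker:
    def __init__(self):
        self.users = {}  # user -> {"role", "active", "mfa"}
        self.usage = {}  # app  -> set of users who launched it (paid seats in use)

    def add_user(self, name, role, mfa=False):
        self.users[name] = {"role": role, "active": True, "mfa": mfa}

    def launch(self, user, app):
        """Return (signed SSO assertion or None, reason)."""
        u = self.users.get(user)
        if u is None or not u["active"]:
            return None, "unknown or deprovisioned user"
        entry = CATALOGUE.get(app)
        if entry is None:
            return None, "app not in approved catalogue"  # a 'shadow' app
        if u["role"] not in entry["roles"]:
            return None, "role not permitted for this app"
        if POLICY[entry["data"]]["mfa"] and not u["mfa"]:
            return None, "mfa required for %s data" % entry["data"]
        self.usage.setdefault(app, set()).add(user)  # record usage for seat accounting
        body = json.dumps({"sub": user, "aud": app, "iat": int(time.time())}, sort_keys=True)
        sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
        return {"assertion": body, "sig": sig}, "ok"

    def offboard(self, user):
        """One place to revoke: every app's access goes at once and the seats are freed."""
        if user in self.users:
            self.users[user]["active"] = False
        for seats in self.usage.values():
            seats.discard(user)

    def seats(self, app):
        return len(self.usage.get(app, set()))
```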

The challenges

The most immediate challenge for any CIO seeking to implement cloud access management is the cost justification. Cost savings include: tracking cloud application usage to ensure the company is not paying for subscriptions that are not being used; improving employee productivity by enabling single sign-on; accelerating the speed to deployment for cloud apps; and reducing support calls when employees run into an access problem.

But the real benefit is in risk reduction. By establishing itself as the conduit through which access to these applications is granted and managed, the IT department can significantly reduce the information security risk by assessing the risk of each application and asserting identity and access control.

Perhaps the biggest challenge, however, is the cultural shift required to become a cloud services provider. The IT department must move from being an organisation that implements and supports technology to being a service provider and integrator. This requires far greater engagement with the business, and a focus on customer service that many IT departments have yet to muster.

After all, the IT department is now competing with external cloud providers for the attention and loyalty of their users. That means that the service it provides must be as good as – if not better than – what is commercially available via the cloud.

Access the cloud with convenience and control

SailPoint delivers the convenient access to cloud applications that business users want, along with the controls that IT needs to minimise risk. With SailPoint AccessIQ, business users are empowered with an intuitive App Launchpad for one-click, single sign-on (SSO) to cloud applications from any device – at work, home or on the go with mobile devices.

Additionally, AccessIQ provides IT with the visibility and controls required to apply security policy, detect violations and ensure regulatory compliance. Application visibility also helps business units control monthly subscription expenses by promptly deprovisioning unused or unauthorized cloud application accounts. For more information about AccessIQ,


Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...
