Avoiding the turn on, sign in, drop out dilemma


By Al Blake, Principal Analyst, Ovum’s Australian Government practice
Thursday, 22 June, 2017


Unmanaged cloud adoption without identity integration can undermine agency governance.

Many years ago, as agencies moved away from a monolithic mainframe architecture and applications proliferated on the corporate network, each agency used its own authentication policy… resulting in end users managing dozens of passwords.

Given how poor most people are at remembering infrequently used, complex jumbles of characters, the rational response was to recycle simple passwords or to write them down. Both techniques significantly undermined security.

Recognising the difficulties of multiple passwords, agencies implemented identity management solutions to allow common credentials to be used across applications. When only one password is required, and it is used several times daily, muscle (or finger) memory will aid user recall and password complexity is easier to enforce.

While the aim of a single password for everything remained largely an aspirational goal, considerable progress had been made on improving the security posture of internal applications. Additionally, as organisations converged on a single user account, removing access on separation became increasingly automated. Gone were the bad old days of networks having hundreds, if not thousands, of dormant accounts for staff long since departed.

However, while the recent rapid adoption of cloud solutions is improving the cost-effectiveness and responsiveness of IT, unmanaged adoption has the potential to undo all that previous good work. Rather than a single account to disable, there could be a different credential for every SaaS application. Even worse, if point solutions are procured in an unmanaged fashion by groups who just want to ‘get the job done’, the CIO may have no visibility that they even exist.

It has been argued that unmanaged cloud solutions are generally of little importance or risk compared to core business functions, such as finance and payroll, which tend to remain under IT’s purview. But this is somewhat naive.

We have only to consider the scenario of a departing ministerial advisor — whose access to the core systems is revoked but who retains access to a cloud-based press-release application — to understand the potential organisational risk.

While much has been written about the financial implications of the move to cloud, such as the ability to fund services from operational rather than capital funds, we have regularly highlighted that the improvement in organisational agility is as, or more, important.

To ensure that this key benefit is not undermined, agencies must avoid the tendency to implement a rigid, costly and time-consuming governance model in response to governance concerns. Rather, the aim should be to design a minimalist model that enables quick adoption of services that comply with a small number of core requirements.

One of these should be to interface with the agency’s directory management services — providing end users with the usability of single sign-on and the organisation with the assurance that access to every service a user touches can be reliably terminated when required.
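The directory-integration requirement above is easy to state but only useful if someone can check it. The following script is an added example, not code from the article or from Ovum: it reconciles a constructed inventory of SaaS applications against a constructed directory export and reports two things a governance owner would want to see, which applications still keep their own credentials rather than federating with the directory, and which accounts belong to people the directory has disabled or has never heard of (the departing-advisor case). All names, addresses and application names are made up for illustration.

```python
from datetime import date

# Constructed directory export (sample data, not a real agency): the single
# source of truth for who is still employed and whether their account is live.
DIRECTORY = {
    "a.smith@agency.example": {"status": "active"},
    "b.jones@agency.example": {"status": "disabled"},  # separated, core access revoked
    "c.lee@agency.example":   {"status": "active"},
}

# Constructed SaaS inventory. "federated" records whether the app signs users
# in via the agency directory (SSO) or holds its own local credentials.
# "last_login" is the date the app itself reports for each account.
SAAS_APPS = {
    "payroll": {
        "federated": True,
        "accounts": {
            "a.smith@agency.example": date(2017, 6, 20),
            "b.jones@agency.example": date(2017, 5, 2),
        },
    },
    "press-releases": {
        "federated": False,
        "accounts": {
            "b.jones@agency.example": date(2017, 6, 19),  # still logging in after separation
            "d.ng@agency.example":    date(2017, 6, 1),   # unknown to the directory entirely
        },
    },
    "survey-tool": {
        "federated": True,
        "accounts": {"c.lee@agency.example": date(2017, 6, 21)},
    },
}


def unfederated_apps(apps):
    """Apps that fail the core requirement: they keep their own credentials,
    so disabling the directory account does not disable access to them."""
    return sorted(name for name, app in apps.items() if not app["federated"])


def orphaned_accounts(directory, apps):
    """Accounts whose owner is disabled in, or absent from, the directory.

    Returns a list of (app, email, reason) tuples, sorted for stable output.
    reason is "disabled" when the directory has the user but has switched them
    off, and "not-in-directory" when the app holds an account the directory
    never issued (a local-only or shadow-IT identity).
    """
    findings = []
    for app_name, app in apps.items():
        for email in app["accounts"]:
            entry = directory.get(email)
            if entry is None:
                findings.append((app_name, email, "not-in-directory"))
            elif entry["status"] != "active":
                findings.append((app_name, email, "disabled"))
    return sorted(findings)


def post_separation_logins(directory, apps):
    """Subset of orphaned accounts that are still being used: the owner is
    disabled in the directory yet the app reports a login. These are the
    highest-priority deprovisioning actions because revocation has not taken."""
    return [
        (app_name, email)
        for app_name, email, reason in orphaned_accounts(directory, apps)
        if reason == "disabled" and apps[app_name]["accounts"][email] is not None
    ]


if __name__ == "__main__":
    print("Apps holding local credentials:", unfederated_apps(SAAS_APPS))
    for app_name, email, reason in orphaned_accounts(DIRECTORY, SAAS_APPS):
        print(f"{app_name:16} {email:28} {reason}")
```

In practice the two inputs would come from an export of the directory (or the identity provider's user list) and from each application's admin API or user report; the reconciliation logic itself does not change. Note that the unfederated application is the one holding the unrevoked account: that is precisely why the article makes directory integration a core requirement rather than an optional extra.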


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd