Managing Identity in the Cloud

Issues arise with managing identity in the cloud when IT administrators fail to follow tried-and-true best practices

The task of managing a single enterprise network gets tougher when companies add cloud networks and services to their arsenal of identifying, provisioning and tracking end users and their devices. In addition to maintaining all authorizations in a centralized system to facilitate their management, we recommend implementing the following best practices:

Provide clear guidance to employees on approved software
Most companies have long addressed this for desktop and laptop environments. However, this control has often been relaxed in the rush to adopt personally owned mobile devices. In many cases, BYOD users may not realize that the use of personally owned software may result in corporate data being stored in the cloud. Employers need to clearly delineate the process for obtaining approval to use new software and services.

Data Labeling
An important aspect of a data handling / information classification policy is data labeling. Employees should be able to clearly identify which data may appropriately be stored in specific cloud services, and which data must not be stored there.

Unique employee identifiers
Never recycle or reuse employee identifiers or usernames. If these identifiers are reused, you may find that over time a new employee accidentally inherits access to more data in the cloud than was intended.

Termination policies
Termination policies and processes should be adjusted to ensure that authorizations to cloud services are disabled in a timely manner.
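The two practices above (unique identifiers and cloud-aware termination) share one failure mode: a cloud service's own access list outlives the central account. The following added example, which is not part of the original article, models a central directory plus one SaaS provider's ACL in memory. It shows how a recycled username lets a new hire inherit a leaver's grant, how keying grants on an immutable employee id lets an audit spot the leftover grant instead, and what a termination step that also revokes cloud grants looks like. All employees, services and resources are constructed sample data.

```python
"""Added illustration (not from the article): central directory vs. a SaaS ACL.
Employees, services and resources below are constructed sample data."""
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Employee:
    emp_id: str    # immutable, assigned once, never reused
    username: str  # login name; in practice sometimes recycled
    active: bool


class Directory:
    """Central identity store: the one place that knows who is still employed."""

    def __init__(self):
        self._seq = itertools.count(1)
        self.by_id = {}

    def onboard(self, username):
        emp = Employee(f"E{next(self._seq):06d}", username, True)
        self.by_id[emp.emp_id] = emp
        return emp

    def terminate(self, emp):
        self.by_id[emp.emp_id] = Employee(emp.emp_id, emp.username, False)

    def active_by_username(self, username):
        """Active employee currently holding this username, or None."""
        for emp in self.by_id.values():
            if emp.username == username and emp.active:
                return emp
        return None


@dataclass(frozen=True)
class Grant:
    principal: str  # a username or an emp_id, depending on the service
    resource: str


class CloudServiceACL:
    """A SaaS provider's own ACL, provisioned outside the central directory."""

    def __init__(self, keyed_by):
        assert keyed_by in ("username", "emp_id")
        self.keyed_by = keyed_by
        self.grants = set()

    def principal_of(self, emp):
        return emp.username if self.keyed_by == "username" else emp.emp_id

    def add(self, emp, resource):
        self.grants.add(Grant(self.principal_of(emp), resource))

    def allows(self, emp, resource):
        return Grant(self.principal_of(emp), resource) in self.grants

    def revoke_all(self, emp):
        p = self.principal_of(emp)
        self.grants = {g for g in self.grants if g.principal != p}


def stale_grants(acl, directory):
    """Grants whose principal does not resolve to an active employee.
    A reused username makes a leftover grant look live again, so this
    audit is only trustworthy when the ACL keys on emp_id."""
    stale = []
    for g in acl.grants:
        if acl.keyed_by == "emp_id":
            emp = directory.by_id.get(g.principal)
            live = emp is not None and emp.active
        else:
            live = directory.active_by_username(g.principal) is not None
        if not live:
            stale.append(g)
    return stale


def offboard(directory, acls, emp):
    """Termination adjusted for the cloud: disable the central account
    and revoke the leaver's grants on every registered cloud service."""
    directory.terminate(emp)
    for acl in acls:
        acl.revoke_all(emp)


def scenario(keyed_by, cloud_aware_offboarding):
    """Leaver 'jsmith' has a hand-provisioned SaaS grant; 'jsmith' is then
    reissued to a new hire. Returns what the new hire can reach and how
    many leftover grants an audit would flag."""
    directory = Directory()
    acl = CloudServiceACL(keyed_by)
    leaver = directory.onboard("jsmith")
    acl.add(leaver, "finance/")  # set up directly on the SaaS side
    if cloud_aware_offboarding:
        offboard(directory, [acl], leaver)
    else:
        directory.terminate(leaver)  # central account disabled, SaaS grant forgotten
    new_hire = directory.onboard("jsmith")  # username recycled
    return {
        "new_hire_sees_finance": acl.allows(new_hire, "finance/"),
        "stale_grants_found": len(stale_grants(acl, directory)),
    }


if __name__ == "__main__":
    for keyed_by in ("username", "emp_id"):
        for cloud_aware in (False, True):
            print(keyed_by, "cloud-aware offboarding:", cloud_aware,
                  scenario(keyed_by, cloud_aware))
```

With username-keyed grants and a termination process that only disables the central account, the new "jsmith" silently gains the finance share and the audit reports nothing, because the username resolves to an active person again. Keying on the immutable id prevents the inheritance and makes the leftover grant visible to the audit; revoking cloud grants as part of offboarding removes it altogether.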

Data leak/loss prevention (DLP)
Some data leak/loss prevention (DLP) vendors address cloud-based services. Note that to be effective for mobile devices, the mobile device must be configured to always route all traffic through the DLP device. That is typically achieved by keeping a VPN connected at all times and not allowing the VPN to perform split routing (split tunneling), since any traffic that bypasses the tunnel also bypasses the DLP inspection.