Managing identity in the cloud

by | Sep 15, 2020 | Business, Cybersecurity

Right now, how many cloud applications are being used in your small business? You may be surprised by the quantity and the potential lack of security that is exposing you and your business to risks. Fortunately, I have an effective solution and a set of easy-to-understand tips to share.

Real life example

I met with the manager of a local firm a few months ago who was overseeing their own IT and had done so for several years. The firm’s management was happily running Google Docs, Slack, QuickBooks Online and several other cloud applications. In addition to these organizational applications, their employees had complete autonomy over the applications that they were using daily — but the business had no oversight.

The manager asked me, “What kind of security concerns should we be having?”

The first thing that came to mind was that they probably have zero control over their online identities.   


What do I mean by that?  

If, for example, you have 10 employees with five cloud applications each, then there are 50 combinations of usernames and passwords out there on the Internet. In most cases (at least with small companies), the business will have no idea about the quality of those credentials or whether multi-factor authentication (MFA) is turned on (MFA is by far the most important security practice for protecting online accounts). This is a difficult problem to deal with, as the identity crisis starts when the company is small and can grow into a monster very quickly. The fable of the boiling frog fits this situation perfectly.

An effective solution

Luckily, there are effective solutions to this very common problem. First, some fundamental security training would help here. 

Employees need training on how to set secure passwords and avoid reuse by utilizing a password manager (within a business account). On top of that, MFA should be encouraged. But this alone is not a complete approach. For example, you don’t know if your employees are setting complex and unique passwords.

You can insist that they do, but you just can’t know for sure. What works best (in addition to education) is a Single Sign On (SSO) service. With SSO, you tie multiple cloud accounts back to a single identity, thus consolidating your cloud accounts and returning some control to your organization. A commonly used SSO provider is Microsoft (there are others). If you set up your Microsoft 365 account securely (with MFA enabled), you can then link other cloud applications to your Microsoft account by configuring their respective SSO settings.

For example, if you use the program Slack on top of Microsoft 365, both could be accessed with the Microsoft account by configuring SSO within Slack.

This makes signing on secure and tremendously simple for staff: one account, one set of credentials, one MFA code, and one account to disable if the employee ever leaves!  

Of course, reining all of this in is not always easy. Not all cloud apps support SSO, and sometimes there are fees involved with SSO. You may not even know about all the cloud apps that are in use. But by consolidating accounts where possible, in addition to educating your users, you can make a huge dent in the problem of lacking control over online identities.

Email us with your questions about Single Sign On or anything mentioned in this article to: