Most license models for on-premise solutions involve a one-off payment plus a yearly maintenance fee. In contrast, almost all cloud services are charged on a monthly basis. While the up-front investment may be smaller for cloud services, the mid- to long-term costs can be significant. To keep these costs under control, tight management of the accounts should be in place, ideally before the new services are rolled out.
It is clearly not enough to rely on the administrative tools of the cloud vendors and manually create the necessary accounts, or to simply extend your SSO solution so that it triggers the creation of a new account whenever a user logs into the new system. With this approach, sooner or later the number of unused accounts will accumulate, and so will your monthly subscription base.
Beyond the licensing aspects, there are some distinct differences between on-premise applications and cloud services. An on-premise application is primarily accessible only from the intranet. If anyone wants to access these applications from the outside, a VPN connection has to be established, and all traffic is routed through firewalls. This architecture makes it hard for your employees to collaborate with your customers. Cloud services, by contrast, are much easier to access: no VPN tunnel has to be established to reach the application, which makes collaboration much more efficient. Obviously, these cloud services also remove at least one barrier for anyone trying to abuse your valuable company data.
To minimize the risk, a tight security model also has to be in place for the cloud services. Any dormant or orphan account in your cloud partition presents a potential entry point for an attack. As a first line of defense, there should be no orphan or dormant accounts at all. This leads directly to the following questions:
- which accounts should be in the cloud?
- when and under which circumstances should an account be removed?
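A practical way to answer both questions is to reconcile the cloud service's account list against the authoritative identity source (typically the HR roster) on a schedule. The script below is an added example and not part of the original article or any vendor's tooling: it treats an account as an orphan when no active owner exists in the identity source, and as dormant when it has not been used for longer than a policy threshold (assumed here to be 90 days, counting accounts that were provisioned but never logged in from their creation date). All field names, the threshold, and the sample data are constructed assumptions.

```python
"""Reconcile cloud accounts against the HR roster to find orphan and dormant accounts.

Added example (not from the original article). Field names, the 90-day
threshold and all sample data are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# Assumed policy: an account unused for longer than this is dormant.
DORMANT_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class CloudAccount:
    """One account as exported from the cloud service (constructed shape)."""
    email: str
    created: datetime
    last_login: Optional[datetime]  # None if the account never logged in


@dataclass(frozen=True)
class HrRecord:
    """One person as known to the identity source (constructed shape)."""
    email: str
    status: str  # "active" or "terminated"


def classify_accounts(accounts: Iterable[CloudAccount],
                      hr_records: Iterable[HrRecord],
                      now: datetime) -> Dict[str, str]:
    """Map each cloud account e-mail to 'orphan', 'dormant' or 'ok'.

    - orphan:  no matching HR record, or the owner is no longer active
               (answers "which accounts should be in the cloud": only those
               with an active owner).
    - dormant: the owner is active but the account has been unused longer
               than DORMANT_AFTER; never-used accounts age from creation.
    """
    roster = {r.email.lower(): r for r in hr_records}
    findings: Dict[str, str] = {}
    for acct in accounts:
        owner = roster.get(acct.email.lower())
        if owner is None or owner.status != "active":
            findings[acct.email] = "orphan"
            continue
        last_activity = acct.last_login or acct.created
        findings[acct.email] = "dormant" if now - last_activity > DORMANT_AFTER else "ok"
    return findings


def removal_candidates(findings: Dict[str, str]) -> List[str]:
    """Accounts that should be disabled/removed: every orphan and dormant one."""
    return sorted(email for email, f in findings.items() if f in ("orphan", "dormant"))


# Constructed sample data (a leap year, so February has 29 days).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    CloudAccount("alice@example.com", datetime(2023, 1, 5, tzinfo=timezone.utc),
                 datetime(2024, 5, 28, tzinfo=timezone.utc)),   # active, used recently
    CloudAccount("bob@example.com", datetime(2023, 3, 1, tzinfo=timezone.utc),
                 datetime(2024, 1, 10, tzinfo=timezone.utc)),   # active, 143 days idle
    CloudAccount("carol@example.com", datetime(2023, 6, 1, tzinfo=timezone.utc),
                 datetime(2024, 5, 30, tzinfo=timezone.utc)),   # left the company
    CloudAccount("dave@example.com", datetime(2024, 4, 1, tzinfo=timezone.utc),
                 None),                                          # unknown to HR
    CloudAccount("erin@example.com", datetime(2024, 2, 1, tzinfo=timezone.utc),
                 None),                                          # provisioned, never used
    CloudAccount("frank@example.com", datetime(2024, 5, 20, tzinfo=timezone.utc),
                 None),                                          # new, inside grace period
]
SAMPLE_HR = [
    HrRecord("alice@example.com", "active"),
    HrRecord("bob@example.com", "active"),
    HrRecord("carol@example.com", "terminated"),
    HrRecord("erin@example.com", "active"),
    HrRecord("frank@example.com", "active"),
]

if __name__ == "__main__":
    result = classify_accounts(SAMPLE_ACCOUNTS, SAMPLE_HR, NOW)
    for email, finding in sorted(result.items()):
        print(f"{email:20} {finding}")
    print("remove:", removal_candidates(result))
```

Run against real exports, this kind of reconciliation belongs in a scheduled job whose output feeds the deprovisioning process, so that a leaver's account is removed as soon as HR marks the record terminated rather than when someone happens to notice the monthly bill.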