FRAMINGHAM, Mass. -- As Sallie Mae migrates some of its most important applications to the cloud, the largest provider of U.S. college loans is keeping an eye on compliance.
Sallie Mae, a publicly traded company whose official name is SLM Corp., uses identity management software from SailPoint Technologies Inc. to ensure that its 6,100 employees have appropriate levels of access to data and applications - regardless of whether they are stored in the cloud or at one of its data centers.
"All of our cloud-based services - all of that access is controlled," says Jerry Archer, chief security officer for Sallie Mae, which uses hosted applications such as Workday for human resources functions. "SailPoint keeps track of roles, access and other workflow processes."
Sallie Mae is in good company. A growing number of organizations including CUNA Mutual Group and the American Red Cross have upgraded their identity and access management (IAM) tools to bolster their security posture as they adopt cloud-based applications.
Identity management in the cloud has become a hot-button issue for CIOs over the last year, says Lina Liberti, vice president of security management at the security business unit for CA Technologies.
"Every customer I talk to is looking at identity management," Liberti says. "There are a lot of very large deals... Companies say they have something that they built that they really shouldn't be managing and it's costing them so much money."
By purchasing the latest IAM tools from such vendors as SailPoint, Courion, IBM, CA, Ping Identity, Aveksa and others, these organizations are ensuring that their employees and business partners have appropriate levels of access to corporate data that's stored by popular cloud-based applications such as Salesforce, Google Apps or Microsoft Office 365.
Today's IAM tools mitigate risks for IT departments by allowing them to comply with federal regulations and successfully pass audits of cloud and network-based applications. They also increase efficiency by eliminating error-prone manual processes for checking access to applications. Increasingly, they offer automated provisioning and de-provisioning of cloud-based applications as well as single sign-on across network-based and hosted applications.
"Identity access management is a market in transition," says Dave Fowler, chief operating officer at Courion Corp. "Corporations are opening up more and more of their data to be accessed by employees, business partners, customers and people outside the organization. This is particularly true in financial institutions, healthcare and retail. But in conjunction with opening up more of their data to be used by business partners, they're facing more and more regulations on securing this information."
As IT departments adopt cloud-based applications to cut their operating costs and speed up the availability of new features, they're also dealing with a flood of personal mobile devices that employees are using to access corporate data stored in the cloud.
"We did a survey of 1,000 organizations, and 69 per cent of them allowed personal mobile devices to access their network," Fowler says. "They don't have security over the devices used to access data in the cloud, and they are typically using dozens of cloud-based applications."
Today's IAM tools help IT departments manage the conflicting pressures of trying to secure data that is stored by someone else - a hosted service provider - and accessed by a device that's not owned or controlled by the company. IAM tools also help manage the constant churn of employees being hired and fired by an organization and its business partners.
"When you put an application in the cloud, you don't have mechanisms for provisioning users in the cloud automatically," Fowler says. "When you terminate an employee or the employee changes jobs, somebody has to manually go into these cloud-based applications and take them out. We're building connectors to applications that allow you to automate on-boarding and off-boarding individuals."