In the Cloud, Devices Don’t Matter, Right?
We hear this every day from people: “We don’t need to worry about controlling access or managing individual devices. After all, we just put everything in the cloud.”
That’s great in theory, but in practice it doesn’t work (unless maybe if you are using Virtual Desktop Infrastructure (VDI) or Chromebooks as your primary desktop).
We’ll start by guiding you through the faulty thought pattern at work here and then show you what a genuine device management solution looks like in the cloud.
Why People Think Devices Don’t Matter
No on-site infrastructure – many companies now exclusively leverage cloud-based applications and infrastructure. They start with Google Apps (now known as G Suite) or Office 365 as their core productivity solution and then branch out to other SaaS-based solutions as needed.
The data lives in the cloud – there is no need for local storage of data when you have cloud-based applications. All of your work as a salesperson is done within Salesforce. If you are a finance person, perhaps you leverage Xero or Quickbooks Online. All of your transactions are stored in their cloud-based platform.
Access to SaaS-based applications can be controlled at the application level – instead of worrying about controlling all of the devices, the IT organization can just control user access at the application level. If needed, IT can employ a Single Sign-On (SSO) solution to support their web-based application level access control efforts.
The on-premises network is just Internet access – there is no equipment housed at the organization’s facility, just wireless access points and a connection to the Internet. If a device is compromised, there is nothing to access. If the device is stolen, there is no data on the device and access can be shut off at the application level.
IaaS cloud servers can just use root or the ec2-user – you can do this, if you don’t care about any audit logging, sharing passwords and/or keys, or getting locked into AWS IAM for your user management. Each user on a server should have their own account: if something happens to your infrastructure, you’ll need to know who did what.
IaaS cloud servers can be managed by Puppet or Chef – configuration management tools like Puppet or Chef work well for user provisioning when you’ve got few users or few servers. Once you have multiple user roles, different access requirements, and auditors reviewing your security practices, Puppet and Chef fall apart.
And so the story goes: “There’s no need to worry about authenticating users to the device or managing the device itself because there is nothing on it. If it is compromised, there’s nothing anybody can really do with the device because all of the control is central with IT.”
Unfortunately, that line of thinking doesn’t work and isn’t a reality. Let’s analyze the core problems with the thought process.
Ignoring Security for Devices in the Cloud: a Risky Approach
Credentials are often on the device – if your employees uses a password manager, then their credentials to most if not all of their applications are on the device. Many users end up having the same password for the device as their password manager. Others leave the password manager ‘logged in’ perpetually. All of these aid in productivity, but can be a killer in terms of security.
If a device is stolen and IT learns of it quickly enough, then terminating access may blunt the hacker. But what if IT wasn’t able to terminate access quickly enough before the hacker could get in and grab data, create backdoor accounts, or even delete data? Did IT disconnect the user from all of the IT resources that the employee had access to? In an ideal world, a device would never have any credentials stored on them. But in the real world, that happens every day with just about every device.
Data is on the device – its idealistic to think that your users won’t download data from their web-based applications. It’s easier to review data, manipulate it, share it, and generally do your work when the data is at your fingertips. Sales people download their prospect and customer lists. They might have their pipelines local on their machine. Finance teams don’t make massive Excel spreadsheets in the cloud. They build and manage them locally. Your developers download code into their IDE locally, not in the cloud.
Data lives on devices. Understanding and believing that will help you avoid falling into the trap of thinking that all of your data is secure in the cloud.
Devices are conduits to other systems – even if you are able to terminate SaaS-based applications, some of your users may have access to your cloud server infrastructure. They may get access through a VPN or SSH keys stored on the device. A compromised device exposes those connections.
As with SSO solutions, there are methods that make it easy to reach cloud infrastructure. But those methods work against you when the device is compromised.
True Device Management on the Cloud
There are so many benefits to the cloud that we all have drunk the “Cloud Kool-Aid”. Organizations that make the leap to the cloud are more agile, efficient, and productive. There is very little doubt about that.
Taken to the extreme, though, there are risks involved. An IT organization that believes they don’t need to control and manage devices is asking for a breach. Devices do matter and need to be controlled and managed.
The DaaS Solution
JumpCloud’s Directory-as-a-Service® offers their clients the ability to seamlessly control users and manage devices. The solution is ideal for organizations that do not want the overhead of device management, but understand that eschewing that control would mean significant risk.
Since DaaS is a cloud-based directory services solution, the overhead to IT is minimal. Every device will have a small agent on it and connect to the central cloud directory. Admins can manage user access to the device and subsequently manage the device.
Access control ensures that if the device is stolen, access can be terminated instantly and remotely. Device management ensures that the device can be locked, remote wiped, or effectively rendered useless. The level of control is ideal for IT and the overhead is minimal.
Don’t fall into the trap of thinking that devices don’t matter in the cloud era. They do. Be smart and lock down your devices to ensure that your organization stays safe. Drop us a note if you would like to learn more, or give JumpCloud a try for free. Your first 10 users are free forever.