After 8+ years of being on the auditing side of the compliance fence, I leapt over to the ‘other side’ last week and joined OneLogin as Director of Risk and Compliance. OneLogin provided me with an opportunity to help them at a key stage of their journey and tackle compliance challenges that many cloud service providers and customers, from startups to Fortune 500, are contending with.
The compliance field for off-the-shelf software solutions has been pretty static over the past several years and held very little mystery, but with the advent of cloud applications, a whole different world of risks, and of ways to address them, has opened up. Granted, some cloud concepts aren’t new (thin clients anyone?), but the birth of SOX has had a significant impact on how we view risks and the controls that address them.
Enterprises are adopting SaaS applications en masse. A recent Forrester survey noted that companies are more than doubling the number of SaaS applications in use over the next two years. In our own survey of 200 business and IT leaders, the main drivers for adopting cloud applications were lower costs, speed, an increasingly mobile workforce, and simplicity. The main impediments were data privacy concerns, single sign-on and trust. Surprisingly, 44% of respondents admitted that they manage their passwords in spreadsheets or on sticky notes, and 34% share passwords for public applications like Twitter with their colleagues. So it comes as no surprise that, according to Forrester and other sources, close to 40% of all data breaches have to do with employees.
Both cloud service providers and the enterprises that consume these services are struggling to make sure they are sufficiently mitigating risks in a world where data, applications, and users can be anywhere, and the regulatory environment is ever changing. At the same time, many of these same enterprises, 50% by the end of 2014 according to Forrester, are developing their own applications in the cloud. So how important is SAML-based single sign-on? Should we be ISO 27001 certified? Is a SOC 1 or SOC 2 report the right answer? Should we invest the time and effort pursuing FedRAMP? How about CSA STAR? Do we need to worry about Singapore’s cloud standards? And what about privacy and data residency in the EU?
This is where I enter stage right: to help OneLogin and our customers navigate the seas of compliance and use the momentum of our compliance efforts to reach even more enterprises looking to simplify and strengthen their identity and access management strategy. Our success is closely linked to our customers’ success, and navigating these waters together is in our best interest. Thankfully, we are not starting with a blank canvas or, to stay with the same analogy, a dinghy. Security and availability are the backbone of the OneLogin service, so with a caravel under our feet and a strong wind at our backs, we are off to a great journey.
Alvaro J Hoyos
OneLogin, Inc. | Director, Risk and Compliance