3 Cloud IAM Security Questions You Must Be Able to Answer
It doesn’t matter if it’s AWS, GCP or Azure IAM, cloud deployment is redefining the work of IAM professionals
Identity access management (IAM) entered the scene as a concept and profession in the early 1990s. At the time, all infrastructure was on premises. IAM professionals and IT departments became experts in the physical and local network aspects of permissions management. Today, many IAM practitioners are increasingly responsible for IAM in the cloud. Cloud IAM is a different animal, with security challenges and requirements to be aware of.
For starters, managing identities and permissions in the cloud requires expertise in one or more cloud provider technologies, like AWS, Azure, GCP and Oracle Cloud. Each provider handles identities differently from on-premises infrastructure – and has its own proprietary model when it comes to entitlements. Also, cloud technologies are constantly changing, requiring identity professionals to invest effort in staying up-to-date.
For IAM professionals looking to better manage and secure their organization’s cloud identities, we’ve compiled three question areas. Follow these questions and the suggested solutions discovery on your path to developing cloud IAM expertise and equipping yourself and team with the cloud IAM security technologies you need. But first, let’s outline the differences between IAM on-prem and IAM in the cloud.
IAM On-Prem vs. IAM in the Cloud
What’s different about managing permissions in the cloud as opposed to on-prem? First and foremost, managing permissions in cloud architecture offers identity professionals flexibility and ease of use. Instead of having to maintain and manage on-premises infrastructure and networks like load balancing, firewalls and more -- the cloud provider takes care of these for IT teams.
However, managing cloud-based permissions has its own set of challenges. Configuring identities and permissions in the cloud is a very complex process that can pose serious security and compliance risks.
In the cloud, it’s not just human users. Instead, every computing resource has an identity that can be assigned permissions. IAM professionals are managing huge numbers of machine and human identities and entitlements, and thousands of components and applications that can be accessed. Properly understanding and governing these access permissions by evaluating their risk is not an easy feat. It requires the ability to determine all entitlements and how they interact.
According to Leo Thesen, Senior Engineer at MOHARA, “In engineering, we say, ‘I’ll clean up IAM later,’ but no one ever does. In reality, enterprises have tens of thousands of policies -- the moment it becomes a tad unmanageable, with excessive permissions, it becomes impossible to deal with. It’s just too hard to start refactoring those excessive permissions one by one. Yet that’s where your risk lies.”
It’s probably no surprise, then, that misconfigured entitlements are a common problem. According to Gartner, by 2023, inadequate identities and privileges management will be the cause of 75% of cloud security failures.
1. How are you auditing IAM and ensuring compliance in the cloud?
Many will try to tackle cloud IAM using cloud-native tools and in-house developed tools, however these typically fall short. Solutions that automatically monitor cloud permissions management can help by enabling identity professionals to easily map out anomalous or risky permissions and IAM policies. This data helps with mitigating the risk and minimizing the blast radius from a hacker’s lateral movement. As a result, identity professionals can single-handedly improve their cloud security posture, manage the permissions process more easily and drive the organization to achieve compliance.
When finding a solution for auditing your cloud permissions, ask yourself:
- How easy is it to quickly understand who has access/permissions to my critical cloud assets?
- How quickly/easily could I do an investigation on how someone has used the access/permissions they have (in the cloud)?
- Is it effective in revealing hidden permission combinations?
- How and when will I be alerted?
- Can permission vulnerabilities be mitigated automatically?
CIEM (Cloud Identity Entitlements Management) and CSPM (Cloud Security Posture Management) are two categories for continuously monitoring cloud security. Both tools are critical to auditing your cloud security posture and complement each other.
- CIEM solutions monitor cloud identities and entitlements, identifying and remediating risky and excessive permissions. Robust CIEM solutions visualize all service and human identities, resources and relationships, enabling you to explore who has access to your data. In the cloud, it is the service identities, whose permissions are granted programmatically so are prone to toxic combinations, that pose the greatest risk.
- CSPM solutions monitor cloud configurations, focusing on mapping to security benchmarks. For example, they correlate your configurations to a given compliance standard. CSPMs provide an important yet broad security view of cloud infrastructure and workloads that lacks the depth and context that CIEM tools offer.
2. How are you handling Privileged Access Management in the cloud?
Privileged Access Management (PAM) came on the scene in the 2000s to handle privileged permissions management on-prem. PAM helped secure admin credentials and prevent them from being used to breach data centers.
However, traditional PAM is not designed for the cloud. Such solutions cannot provide the granularity needed to understand, track and analyze policies and configurations interacting in the cloud. In addition, PAM solutions cannot simultaneously manage “regular” and privileged permissions when they belong to the same identity, as often occurs in the cloud.
As a result, on-prem PAM solutions cannot enforce least privilege and support identity management in the cloud, as they can’t manage identities, identify gaps, visualize relationships, identify risk or generate policy changes.
Some CIEM solutions offer privileged user management capabilities for cloud, just like a PAM solution could if it was fit for the cloud. CIEMs provide previously unavailable visibility and enable granular management of identities, and with the cost benefits of SaaS solutions. They enable monitoring and discovery of excessive entitlements to prevent misuse, easier management of identities and third party governance. Another advantage of CIEM solutions, which are built for the cloud, is that they support multiple cloud environments, integrate with CI/CD pipelines and analyze access paths to data resources.
In other words, CIEMs enable IT teams to stay on top of all permissions granting access to resources in cloud infrastructures.
3. Is Your Identity Organization Driving Least Privilege?
The principle of least privilege (PoLP) is the holy grail of identity security. According to this principle, every user or service is granted only the least amount of privileged access necessary to complete the job.
As we’ve stressed throughout this article, identity management in the cloud is a whole new ball game compared to on-prem identity management. Attempting to manually govern permissions and ensure users only have access to the assets and areas in the application they need, when they need it, is almost impossible.
To achieve least privilege in the cloud, organizations need to organize all the identities and components, map out permissions, gain ongoing visibility and continuously monitor for any excessive permissions that could pose a risk. Doing so manually and/or in a spreadsheet or non-dedicated system is messy, risky and frustrating.
CIEM and CSPM are technologies that provide granular visibility and automated monitoring of cloud permissions and configurations. IT team and IAM professionals can use them to secure their cloud infrastructure by detecting permissions and misconfigurations, including those that violate the least privilege principle, and using the new policies they generate to auto-remediate excessive access.
To successfully govern your cloud identities, consider these four steps [source: The Roadmap to Deploy and Use Cloud Identity Governance, Forrester, 2021]:
- Prepare, by building a governance process involving the right stakeholders and mapping out compliance requirements
- Identify the data and environments needing protection
- Monitor the cloud
- Take action
Whether you seek to expand your expertise into the cloud identities domain or to simply do your job better, you can contribute greatly to securing your organization’s cloud infrastructure.
Get a seat at the table when security teams are choosing cloud security tools. Ensure that you and others handling your organization’s cloud IAM are getting the capabilities you need, namely:
- Visibility - Discovery and visualization of all permissions and entitlements, at a granular level, for every identity and resource
- Risk identification - Automated monitoring and alerts for identity risk that could put your organization in danger of a breach
- Reporting - Detailed reports of findings and activities to be able to track and optimize access management
- Automation - Cloud IAM, and compliance monitoring, risk detection and remediation that secure without human intervention, reducing the risk of manual errors, saving time and eliminating IT overhead
- Integration with identity provider tools and technologies - Seamless connectivity with your access management technologies and tools like MFA, Okta and Azure AD, reducing the need to replace trusted solutions
To learn more about identity access management in the cloud, here are further resources: