In a world of cloud-based users and devices accessing public cloud-based services, the relevance of the legacy enterprise perimeter declines. Identity is the new perimeter. Specifically, the identities of users, administrators, devices, workloads, services, APIs and containers become key to establishing policies and monitoring security and compliance. The built-in identity and access management (IAM) capabilities of the cloud providers are the foundation for this.
6 Cloud Identity and Access Management Best Practices
1. Federate to Enterprise and/or Cloud Identity Providers for User Authentication
There is no need to create a separate island of authentication for the cloud. Authentication via single sign-on (SSO) and identity federation via SAML provide users with a consistent identity across clouds, ideally exchanging attribute information as well, providing additional granularity in setting permissions.
2. Use Identity as a Perimeter by Using Accounts to Segregate Business Units
IaaS/PaaS provider infrastructure is designed to be multitenant to keep one tenant strongly isolated from another. Use this to your advantage by having different groups use different IaaS account structures. In the event one group experiences an attack or outage, it won’t affect other accounts, improving overall resilience. Leading IaaS providers support this with consolidated billing and the use of read-only accounts for security.
3. Require Strong Authentication For All Cloud Access
In no case should a login to a cloud service or access to a cloud-based API be enabled based solely on username/password alone. Stronger authentication should be considered mandatory, and the leading cloud providers offer this capability built in. Ideally, an enterprise privileged access management system would be used for tighter visibility and control of administrative access.
4. Use Granular Permissions and Use IAM Roles
Other than initial setup, no all-powerful administrative accounts should be used. Fine-grained permissions should be used to reduce the scope of capabilities of a specific user and used to meet separation of duties requirements of auditors and regulators. Further, cloud security can be greatly simplified through the use of standardized identity and access management (IAM) roles and their use should be mandatory.
5. Evaluate Permissions Granted Versus Those Used
Continuous monitoring of permissions used by all IAM principals (users, network, storage and so on) at runtime versus the permissions that were initially provisioned should be reported to administrators for review. This is done to proactively trim permissions to reduce the surface area for attack.
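The granted-versus-used comparison described above, as an added example that is not from the original article: the policy is a constructed sample in AWS IAM JSON style and the observed actions are a constructed distillation of what audit logs would show over a review window; the comparison logic itself is generic.

```python
import fnmatch
import json

# Constructed sample policy in AWS IAM JSON style (not from the article):
# broad wildcard grants, as commonly found after initial provisioning.
GRANTED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:PutObject", "s3:DeleteBucket"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:DeleteUser", "Resource": "*"}
  ]
}
""")

# Constructed sample of actions the principal actually invoked at runtime.
OBSERVED_ACTIONS = {"s3:GetObject", "s3:PutObject", "iam:ListRoles",
                    "iam:GetRole", "ec2:DescribeInstances"}


def granted_actions(policy):
    """Collect the action patterns in Allow statements; Deny statements are
    guard rails, not grants, so they are never candidates for trimming."""
    allowed = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        allowed.update([actions] if isinstance(actions, str) else actions)
    return allowed


def matches(pattern, action):
    """IAM action patterns use '*' and '?' wildcards and match case-insensitively."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def review_permissions(policy, observed):
    """Report never-exercised grants (trim candidates), observed actions this
    policy does not cover (another grant must exist), and the concrete action list
    a least-privilege replacement policy would need."""
    granted = granted_actions(policy)
    unused = {p for p in granted if not any(matches(p, a) for a in observed)}
    covered = {a for a in observed if any(matches(p, a) for p in granted)}
    return {"unused": sorted(unused),
            "uncovered": sorted(observed - covered),
            "trimmed_actions": sorted(covered)}


if __name__ == "__main__":
    print(json.dumps(review_permissions(GRANTED_POLICY, OBSERVED_ACTIONS), indent=2))
```

Note that the wildcard grant `iam:*` collapses to just the two IAM actions that were actually observed, which is exactly the reduction in attack surface the review is meant to surface.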
6. Expand the Scope of Your IAM Program
Many entities other than users will be security principals in public cloud IAM as well (meaning they have rights defined in the cloud provider’s IAM system). All VMs, containers, serverless functions, APIs, etc., in cloud-native applications will need an identity and associated permissions defined. Your IAM program must embrace this.
Gartner recommends minimizing time to value and required effort for identity and access management (IAM) initiatives by focusing on people and processes before selecting technologies, and establishing and developing a successful IAM program by aligning IAM practices with the operational and business needs of stakeholders across and outside the organization and its ecosystem.
Gartner also recommends engaging certified cloud partners early in your cloud planning process, to ensure that loopholes are identified early and closed before they turn into a disaster.