
Seven cloud IAM challenges and how to address them


As organizations increasingly migrate to the cloud, their security and risk management teams have identified identity as the primary security perimeter. This shift has prompted a reevaluation of how to approach identity and access management (IAM) in the cloud. While managing IAM on-premises has its challenges, deploying and maintaining cloud IAM presents unique obstacles.

One of the major issues for organizations migrating to the cloud is the lack of visibility into account inventory. Security teams struggle to understand which users have access to applications and where they are accessing them, particularly when distributed across multiple clouds. Ensuring proper visibility over user account provisioning is crucial to maintain appropriate access control and accurate compliance reporting. To address this challenge, security teams should ensure all accounts created and provisioned tie back to a central directory service, such as Active Directory, and make use of federation and single sign-on (SSO) for access management. Additionally, building processes to create and track unique service and admin accounts with regular auditing and monitoring is recommended.

Improper service and user provisioning and deprovisioning is another challenge faced by organizations during their cloud migration. Without a centralized management process, shadow and unmanaged cloud accounts can proliferate, and former employees who retain access to business applications and data can pose significant security risks. A centralized process to create and remove all cloud accounts for all types of cloud services when an employee leaves or is terminated is crucial to address this challenge.

The issue of “zombie SaaS accounts” is also prevalent in cloud IAM. Inactive assigned users, or zombie accounts, can be problematic in SaaS offerings that do not integrate well with federation and SSO. Adopting cloud security posture management, cloud access security brokers, or security service edge platforms can help organizations understand who is doing what and where in regard to SaaS deployments. Regular audits of all SaaS applications for accounts belonging to terminated and inactive employees and other stakeholders are critical to gain control over zombie accounts.
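The three preceding challenges (account inventory tied to a central directory, deprovisioning on departure, and zombie SaaS accounts) reduce to one reconciliation pass: every cloud or SaaS account is checked against the directory and against its own sign-in history. The script below is an added example, not code from the article; the record shapes, the provider names, the directory export format and the 90-day inactivity threshold are all assumptions, and the data is constructed.

```python
"""Reconcile cloud and SaaS accounts against the central directory.

Added example; not code from the article. The record shapes, provider
names and the 90-day threshold are assumptions.
"""
from collections import Counter
from datetime import date

# Constructed central directory export (what AD or an HR feed would give us).
DIRECTORY = {
    "alice": {"status": "active"},
    "bob":   {"status": "terminated", "left_on": date(2024, 1, 15)},
    "carol": {"status": "active"},
}

# Constructed inventory pulled from several providers. dir_id is the directory
# identity the account was provisioned from; None means it was created locally
# in the provider and never tied back to the directory.
CLOUD_ACCOUNTS = [
    {"provider": "aws",      "account": "alice@corp.example", "dir_id": "alice", "last_login": date(2024, 5, 1)},
    {"provider": "saas-crm", "account": "bob@corp.example",   "dir_id": "bob",   "last_login": date(2024, 1, 10)},
    {"provider": "saas-crm", "account": "carol@corp.example", "dir_id": "carol", "last_login": date(2023, 11, 2)},
    {"provider": "gcp",      "account": "build-bot",          "dir_id": None,    "last_login": date(2024, 5, 2)},
    {"provider": "saas-hr",  "account": "ex-contractor",      "dir_id": "dave",  "last_login": None},
]

INACTIVE_DAYS = 90                 # assumed policy: no sign-in for 90 days == zombie
AUDIT_DATE = date(2024, 5, 3)      # constructed "today" for the run


def classify(acct, directory, today, inactive_days=INACTIVE_DAYS):
    """Return one finding category for a single account, or "ok"."""
    dir_id = acct["dir_id"]
    if dir_id is None:
        return "unmanaged"          # local/shadow account, not in the directory at all
    entry = directory.get(dir_id)
    if entry is None:
        return "orphaned"           # points at a directory identity that no longer exists
    if entry["status"] == "terminated":
        return "terminated_user"    # deprovisioning gap: the person has left
    last = acct["last_login"]
    if last is None or (today - last).days > inactive_days:
        return "inactive"           # zombie: assigned but unused
    return "ok"


def audit_accounts(accounts, directory, today, inactive_days=INACTIVE_DAYS):
    """Return findings (category, provider, account) for every non-ok account."""
    findings = []
    for acct in accounts:
        category = classify(acct, directory, today, inactive_days)
        if category != "ok":
            findings.append((category, acct["provider"], acct["account"]))
    return findings


def summarize(findings):
    """Count findings per category, for a compliance report or dashboard."""
    return dict(Counter(category for category, _, _ in findings))


if __name__ == "__main__":
    report = audit_accounts(CLOUD_ACCOUNTS, DIRECTORY, AUDIT_DATE)
    for category, provider, account in report:
        print(f"{category:16} {provider:10} {account}")
    print(summarize(report))
```

Each category maps to a different remediation owner: "unmanaged" and "orphaned" go back to whoever created the account outside the directory, "terminated_user" is a deprovisioning failure for the joiner/mover/leaver process, and "inactive" is the zombie list that the SaaS owners need to review.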

Lifecycle management of identities is another challenge that worsens in the cloud due to a lack of visibility and insight into what has been created, by whom, and where. Managing all identities centrally and adapting current lifecycle management practices to the cloud as needed is essential to mitigate this challenge.

Changing roles within organizations can also create IAM problems, especially in large organizations with numerous cloud deployments. Enabling logging and auditing for role changes within all cloud environments and building correlation rules internally can help organizations ensure that role changes align with approved changes and managerial direction.
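The correlation rule described above can be expressed as: take every role-change event from the cloud audit trail, look for an approved change whose actor, target and time window cover it, and raise what is left over, with higher severity when the change touches admin-level rights. The script below is an added example, not code from the article; the event shape, the ticket shape, the list of role-change actions and the "Admin"/"Owner" markers are assumptions, and real audit logs need a normalisation step into this shape first.

```python
"""Correlate IAM role-change events against approved changes.

Added example; not code from the article. Event and ticket formats are
constructed, and the action list and privilege markers are assumptions.
"""
import json
from datetime import datetime

# Constructed audit-trail lines, already normalised to one shape.
RAW_EVENTS = [
    '{"time":"2024-05-03T09:12:00Z","cloud":"aws","actor":"alice","action":"AttachRolePolicy","target":"deploy-role","detail":"ReadOnlyAccess"}',
    '{"time":"2024-05-03T11:40:00Z","cloud":"azure","actor":"bob","action":"AddMemberToRole","target":"Owner","detail":"user:bob"}',
    '{"time":"2024-05-03T12:05:00Z","cloud":"aws","actor":"carol","action":"GetObject","target":"reports-bucket","detail":""}',
    '{"time":"2024-05-04T02:00:00Z","cloud":"aws","actor":"svc-ci","action":"AttachRolePolicy","target":"deploy-role","detail":"AdministratorAccess"}',
]

# Constructed approved-change records (what a change ticket would carry).
APPROVED_CHANGES = [
    {"ticket": "CHG-1001", "actor": "alice", "target": "deploy-role",
     "start": "2024-05-03T09:00:00Z", "end": "2024-05-03T10:00:00Z"},
]

# Actions that alter who holds which role or what a role may do; assumed list.
ROLE_CHANGE_ACTIONS = {
    "AttachRolePolicy", "DetachRolePolicy", "PutRolePolicy",
    "AddMemberToRole", "RemoveMemberFromRole",
}
# Substrings that mark a change as touching admin-level rights; assumed.
HIGH_PRIV_MARKERS = ("Admin", "Owner")


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def matching_approval(event, approvals):
    """Return the ticket id that covers this event, or None."""
    when = parse_time(event["time"])
    for chg in approvals:
        if (chg["actor"] == event["actor"] and chg["target"] == event["target"]
                and parse_time(chg["start"]) <= when <= parse_time(chg["end"])):
            return chg["ticket"]
    return None


def severity(event):
    """Higher severity when the role or the attached policy looks admin-level."""
    text = event["target"] + " " + event["detail"]
    return "high" if any(m in text for m in HIGH_PRIV_MARKERS) else "medium"


def correlate(raw_events, approvals):
    """Return one finding per role-change event with its approval verdict."""
    findings = []
    for line in raw_events:
        event = json.loads(line)
        if event["action"] not in ROLE_CHANGE_ACTIONS:
            continue                      # data-plane activity, not a role change
        ticket = matching_approval(event, approvals)
        findings.append({
            "time": event["time"], "cloud": event["cloud"], "actor": event["actor"],
            "action": event["action"], "target": event["target"],
            "verdict": "approved" if ticket else "unapproved",
            "ticket": ticket, "severity": severity(event),
        })
    return findings


def unapproved(findings):
    """The subset that should go to a reviewer or an alert queue."""
    return [f for f in findings if f["verdict"] == "unapproved"]


if __name__ == "__main__":
    for f in correlate(RAW_EVENTS, APPROVED_CHANGES):
        print(f'{f["time"]} {f["cloud"]:6} {f["actor"]:8} {f["action"]:22} '
              f'{f["target"]:14} {f["verdict"]:10} {f["severity"]:6} {f["ticket"] or ""}')
```

Matching on actor, target and time window is deliberately strict: a ticket that names the right role but a different engineer, or that expired before the change was made, does not count as approval, which is exactly the drift between "approved changes and managerial direction" and what actually happened that the article says to look for.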

Having too many admin accounts is a classic privileged user management (PUM) issue that can lead to cloud misconfigurations and accidental cloud data exposure. Establishing a centralized control that allocates privileges and tracks admin accounts is essential in addressing this challenge. Following the principle of least privilege and using privileged access management (PAM) so that only a select few users can reach admin accounts, and only with the permissions they actually need, is equally important.

With the enormous range of privileges and roles available in PaaS and IaaS environments, organizations can lose track of which services and accounts are in place and what they have access to. Cloud-native IAM monitoring and reporting capabilities offered by major PaaS and IaaS providers can help organizations determine where identities could have too many privileges. Building processes around monitoring and using them to inform access audits and rights management activities is recommended to tackle this challenge.
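The two preceding challenges (too many admin accounts, and identities in PaaS/IaaS holding more privilege than they use) are both answered by comparing what each identity is granted with what it has actually exercised, which is the data cloud-native IAM reporting exposes. The script below is an added example, not code from the article; the "service:Action" permission syntax with "*" wildcards, the rule for what counts as admin-equivalent, the usage snapshot and the admin-count ceiling are all assumptions, and the data is constructed.

```python
"""Find admin-equivalent and over-privileged identities from grant vs usage data.

Added example; not code from the article. Permission syntax, usage data, the
admin-equivalence rule and the admin ceiling are assumptions.
"""

# Constructed snapshot: what each identity is granted vs what it actually used
# in the review window (the kind of data provider "last accessed" reports give).
IDENTITIES = [
    {"name": "alice",       "type": "user",    "granted": {"s3:GetObject", "s3:PutObject", "ec2:DescribeInstances"}, "used": {"s3:GetObject"}},
    {"name": "bob",         "type": "user",    "granted": {"*:*"},   "used": {"ec2:DescribeInstances", "s3:GetObject"}},
    {"name": "ci-deployer", "type": "service", "granted": {"*:*"},   "used": {"lambda:UpdateFunctionCode", "s3:PutObject"}},
    {"name": "carol",       "type": "user",    "granted": {"iam:*"}, "used": set()},
    {"name": "erin",        "type": "user",    "granted": {"s3:*"},  "used": {"s3:GetObject"}},
    {"name": "frank",       "type": "user",    "granted": {"s3:GetObject"}, "used": {"s3:GetObject"}},
]

MAX_ADMINS = 2  # assumed policy ceiling on admin-equivalent identities


def permits(grant, action):
    """True if a grant like "s3:*" or "*:*" covers a concrete action "s3:GetObject"."""
    g_svc, g_act = grant.split(":", 1)
    a_svc, a_act = action.split(":", 1)
    return g_svc in ("*", a_svc) and g_act in ("*", a_act)


def is_admin_equivalent(granted):
    """Assumed rule: full wildcard, or unrestricted rights over IAM itself, is admin."""
    return any(g in ("*:*", "iam:*") for g in granted)


def review_identity(ident):
    granted, used = ident["granted"], ident["used"]
    # A grant is unused if no observed action falls under it.
    unused = sorted(g for g in granted if not any(permits(g, u) for u in used))
    wildcards = sorted(g for g in granted if "*" in g)
    return {
        "name": ident["name"],
        "type": ident["type"],
        "admin_equivalent": is_admin_equivalent(granted),
        "unused_grants": unused,
        "wildcard_grants": wildcards,
        # Least-privilege suggestion: exactly the actions observed in use.
        "suggested_grants": sorted(used),
    }


def review(identities, max_admins=MAX_ADMINS):
    """Per-identity findings plus the admin headcount check."""
    results = [review_identity(i) for i in identities]
    admins = [r["name"] for r in results if r["admin_equivalent"]]
    return {
        "identities": results,
        "admins": admins,
        "admin_count": len(admins),
        "admin_limit_exceeded": len(admins) > max_admins,
        "needs_attention": [r["name"] for r in results
                            if r["admin_equivalent"] or r["unused_grants"] or r["wildcard_grants"]],
    }


if __name__ == "__main__":
    out = review(IDENTITIES)
    print(f'admin-equivalent: {out["admins"]} (limit exceeded: {out["admin_limit_exceeded"]})')
    for r in out["identities"]:
        print(f'{r["name"]:12} admin={r["admin_equivalent"]!s:5} unused={r["unused_grants"]} '
              f'wildcards={r["wildcard_grants"]} suggest={r["suggested_grants"]}')
```

The "suggested_grants" list is the starting point for a right-sizing conversation, not a policy to apply blindly: a service identity such as the deployer may legitimately need actions it did not exercise during the window, so the access audit the article recommends should confirm each removal with the owner before the wildcard is replaced.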

In general, a plethora of IAM challenges can plague cloud deployments, and most can be mitigated with centralized controls and monitoring, such as cloud identity brokering, SSO, federation, and strong multifactor authentication (MFA). It is also important to build processes and governance to create, manage, and remove cloud accounts at all levels of the organization.

Author and principal consultant Dave Shackleford emphasized the importance of these mitigations to ensure a secure transition to the cloud. By addressing the unique challenges associated with cloud IAM, organizations can better protect their infrastructure and data as they migrate and operate in cloud environments.
