Why does IAM in the cloud need attention?

The history of cloud IAM traces back to the early 2000s, when managing identities in digital environments became a growing challenge. As cloud platforms like AWS emerged, managing user access across distributed resources became complex with only basic access control lists (ACLs) and username-and-password access. Access management tools had to evolve to manage specific users and permissions for specific cloud services.

With all these complexities in mind, IAM services such as AWS IAM, Azure IAM, and GCP IAM were developed, offering centralized control over user access, policies covering all the resources of that particular cloud, and the permissions each principal requires.

Why does Identity and Access Management need attention?

Although cloud providers do a good job of securing their portals, you still have to jump through a couple of hoops to get your IAM security right. You may want to argue that the cloud providers take care of securing the portals, so why does IAM need attention?

Earlier, when organizations ran on-prem, they relied on firewalls and network security as the perimeter. Fast-forward to today: if you are a cloud practitioner or a developer, you must know that “Security is not a one-time practice”. Also, in the cloud the network is not the perimeter. IAM is the new perimeter in the cloud.

Thus it makes complete sense to think about “who has access to what” in your cloud environment, and whether you have the right security controls and procedures in place.

Companies like MGM got breached because of IAM weaknesses, paying $110+ million as a result of the ransomware attack. Bad actors walk in through legitimate access paths, pretending to be the real users! Pretty scary, right?

IAM - Curse or a Blessing?

Recently, in one of our podcasts at ScaletoZero with Joseph South, Joe exclaimed that the ability to create users and roles at will is the advantage of the cloud as well as the security pitfall of cloud IAM!

To understand this, think of the cloud as a blank slate where developers and engineers can design and build software, applications, and whatnot. Because the cloud provides the required resources and support, developers can focus completely on development without worrying about the underlying infrastructure.

What about IAM here? Organizations often grant excessive permissions and overly permissive roles to individuals, including developers, engineers, third-party vendors, etc., just to speed up the development and deployment process. This is one of the main reasons why understanding how IAM works and getting the IAM architecture right becomes crucial even before other aspects of security come into the picture.

To conclude: IAM plays a major role in keeping your organizational workloads safe and secure by granting just the permissions and roles that are actually required.

How to deep dive into Identity and Access Management?

Joe recently shared an interesting case study from his friend's company. They migrated to the cloud without a dedicated security team in place. Initially, they estimated having around 40,000 user accounts.

After a thorough review of their cloud environment, it turned out the organization had over 400,000 user accounts, a significant discrepancy from their initial estimate. This raises a crucial question: what would be the best course of action in such a scenario? We can help you navigate this situation!

In a cloud environment, tagging is important. A good cloud security program should therefore enforce tags on every cloud asset. Tags show you details such as who created the asset, who owns it, and so on, which helps you find the owner of each account.

The next big move is to find all the accounts that have not been used within a specific period and that carry excessive permissions. For example, an account that has global admin permissions and has not been used in a year.

Prepare a list of such roles and accounts, reach out to the teams that own them, and ask questions like:

  • What accounts do you own?
  • What roles are required of this particular user group?
  • Can we combine any roles?
  • Can we combine any group here?
  • Can we have certain accounts and roles for a limited time period?
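The review procedure above (enforce tags, find unused over-permissioned accounts, group them by owner for the follow-up questions) can be scripted. The block below is an added example written for this article, not code from the original post or from Cloudanix. Every record in it is constructed: the field names loosely mirror an AWS IAM credential report plus user tags, and the "admin" policy set, the required tags, the one-year staleness window and the fixed "today" date are all assumptions chosen for illustration.

```python
"""Added example (not part of the original post): review a constructed IAM
inventory for accounts that are both over-permissioned and unused, and use
tags to find who owns them."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed inventory. In a real review this would come from exports such as
# `aws iam generate-credential-report` and `aws iam list-user-tags`.
INVENTORY = [
    {"name": "alice", "policies": ["AdministratorAccess"],
     "last_used": "2024-05-01T10:00:00Z",
     "tags": {"owner": "platform-team", "created_by": "alice"}},
    {"name": "old-migration-admin", "policies": ["AdministratorAccess"],
     "last_used": "2023-01-15T08:30:00Z",
     "tags": {"owner": "data-team", "created_by": "bob"}},
    {"name": "ci-deployer", "policies": ["AmazonS3FullAccess"],
     "last_used": "2024-05-20T00:00:00Z", "tags": {}},
    {"name": "legacy-root-like", "policies": ["IAMFullAccess"],
     "last_used": None,  # never used since creation
     "tags": {"owner": "data-team", "created_by": "terraform"}},
    {"name": "vendor-audit-ro", "policies": ["ReadOnlyAccess"],
     "last_used": None,
     "tags": {"owner": "finance", "created_by": "terraform"}},
]

# Assumption: these policies count as "global admin" for this example.
ADMIN_POLICIES = {"AdministratorAccess", "IAMFullAccess"}
# Assumption: every asset must carry at least these tags.
REQUIRED_TAGS = ("owner", "created_by")
# Fixed "today" so the results are reproducible offline.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def is_stale(last_used, now=NOW, max_age_days=365):
    """True when the account was never used or not used within max_age_days."""
    if last_used is None:
        return True
    ts = datetime.strptime(last_used, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return now - ts > timedelta(days=max_age_days)


def is_over_permissioned(policies):
    """True when any attached policy is in the admin set."""
    return bool(set(policies) & ADMIN_POLICIES)


def missing_tags(account):
    """Required tags this account lacks (the tag-enforcement check)."""
    return [t for t in REQUIRED_TAGS if t not in account["tags"]]


def find_stale_admins(inventory, now=NOW, max_age_days=365):
    """Accounts with admin-level policies that have not been used in max_age_days."""
    findings = []
    for acct in inventory:
        if is_over_permissioned(acct["policies"]) and is_stale(acct["last_used"], now, max_age_days):
            findings.append({
                "name": acct["name"],
                "policies": sorted(set(acct["policies"]) & ADMIN_POLICIES),
                "last_used": acct["last_used"] or "never",
                "owner": acct["tags"].get("owner", "UNTAGGED"),
            })
    return findings


def untagged_accounts(inventory):
    """Accounts that fail tag enforcement, mapped to the tags they are missing."""
    return {a["name"]: missing_tags(a) for a in inventory if missing_tags(a)}


def review_list_by_owner(findings):
    """Group findings by owner so each team can be asked about its own accounts."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["owner"]].append(f["name"])
    return dict(grouped)


if __name__ == "__main__":
    stale = find_stale_admins(INVENTORY)
    for owner, names in review_list_by_owner(stale).items():
        print(f"{owner}: ask about {', '.join(names)}")
    print("untagged:", untagged_accounts(INVENTORY))
```

Accounts that have never been used are treated as stale on purpose: a `None` last-used timestamp is the common case for roles created by automation and forgotten. The untagged list is reported separately because an account with no owner tag cannot be assigned to any team for the questions above, which is exactly the gap tag enforcement is meant to close.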

How to prioritize between identities?

Organizations should understand that “not all identities are user-generated, i.e. human, identities”. There are machine identities, human identities, third-party identities, and so on. Resolving all of these takes a lot of time. But before organizations even start acting on these identities, how can they prioritize them?

Organizations can start by prioritizing human identities first. After all, humans are the weakest link. From the full list of identities, prepare a list of active human identities and prioritize those. This will help you understand the permissions they carry, their level of access and roles, etc. Discuss with the teams whether combining several roles and identities can help.

Following these steps will help you reduce the attack surface and prevent someone from gaining unauthorized access to your cloud or workloads.

Machine (non-human) identities should also undergo scrutiny. Keep in mind that every cloud provider uses its own terminology and mechanisms for how IAM is set up.

Last but not least, third-party identities! Reviewing the access that third parties (vendors) have to your organization’s environment, why they have it, whether you are still under contract with them, and whether they still need the access will help you determine if the permissions should be kept or revoked.

We have seen that organizations often forget to act on these permissions and roles granted to third-party vendors.
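The prioritization described in this section (active humans first, then machines, then third parties, with vendor access checked against contract status) is shown below as an added example. It is not code from the original post or from Cloudanix. The identities, the vendor account ARNs, the contract register, the 90-day "active" window and the classification rule (an identity trusted from an external principal or tagged with a vendor is third-party; otherwise a console login marks a human and everything else is a machine) are all constructed assumptions for illustration.

```python
"""Added example (not part of the original post): classify constructed cloud
identities as human, machine or third-party, order them for review, and
decide what to do with third-party access based on a contract register."""
from datetime import datetime, timedelta, timezone

# Fixed "today" so the results are reproducible offline.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed identities. `external_principal` models a role trusted from
# another account (a vendor); `console_login` models a human with a password.
# The account ids in the ARNs are placeholders, not real accounts.
IDENTITIES = [
    {"name": "alice", "console_login": True, "external_principal": None,
     "last_used": "2024-05-28T09:00:00Z", "tags": {}},
    {"name": "bob", "console_login": True, "external_principal": None,
     "last_used": "2023-11-01T09:00:00Z", "tags": {}},
    {"name": "ci-runner", "console_login": False, "external_principal": None,
     "last_used": "2024-05-30T23:00:00Z", "tags": {}},
    {"name": "acme-corp-auditor", "console_login": False,
     "external_principal": "arn:aws:iam::111111111111:root",
     "last_used": "2024-05-15T12:00:00Z", "tags": {"vendor": "acme-corp"}},
    {"name": "oldvendor-support", "console_login": False,
     "external_principal": "arn:aws:iam::222222222222:root",
     "last_used": "2023-02-01T12:00:00Z", "tags": {"vendor": "oldvendor"}},
    {"name": "unknown-vendor", "console_login": False,
     "external_principal": "arn:aws:iam::333333333333:root",
     "last_used": None, "tags": {"vendor": "mystery-llc"}},
]

# Constructed contract register: vendor -> True if a contract is still active.
CONTRACTS = {"acme-corp": True, "oldvendor": False}

# Review order suggested in the text: active humans, then the rest.
RANK = {"human-active": 0, "human-inactive": 1, "machine": 2, "third-party": 3}


def classify(identity):
    """Return 'third-party', 'human' or 'machine' (assumed rule, see lead-in)."""
    if identity["external_principal"] or "vendor" in identity["tags"]:
        return "third-party"
    if identity["console_login"]:
        return "human"
    return "machine"


def is_active(last_used, now=NOW, window_days=90):
    """True when the identity was used within window_days of `now`."""
    if last_used is None:
        return False
    ts = datetime.strptime(last_used, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return now - ts <= timedelta(days=window_days)


def bucket(identity, now=NOW):
    """Classification refined with activity for humans, as the text suggests."""
    kind = classify(identity)
    if kind == "human":
        return "human-active" if is_active(identity["last_used"], now) else "human-inactive"
    return kind


def prioritize(identities, now=NOW):
    """Names in review order: by rank, then alphabetically for a stable list."""
    ordered = sorted(identities, key=lambda i: (RANK[bucket(i, now)], i["name"]))
    return [i["name"] for i in ordered]


def third_party_decisions(identities, contracts, now=NOW):
    """keep = active contract and recent use; revoke = contract ended;
    review = no contract on record, or contract active but access unused."""
    decisions = {}
    for i in identities:
        if classify(i) != "third-party":
            continue
        vendor = i["tags"].get("vendor")
        if vendor not in contracts:
            decisions[i["name"]] = "review"
        elif not contracts[vendor]:
            decisions[i["name"]] = "revoke"
        elif is_active(i["last_used"], now):
            decisions[i["name"]] = "keep"
        else:
            decisions[i["name"]] = "review"
    return decisions


if __name__ == "__main__":
    print("review order:", prioritize(IDENTITIES))
    print("third-party:", third_party_decisions(IDENTITIES, CONTRACTS))
```

The third-party check deliberately never returns "keep" for a vendor that is missing from the contract register: an unknown vendor with a live trust relationship is precisely the forgotten access the text warns about, so it goes to review rather than being silently retained.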

Conclusion

In the dynamic world of cloud computing, Identity and Access Management (IAM) has emerged as a critical component of security. While cloud providers offer robust IAM services, organizations must take proactive steps to ensure their cloud environments are adequately protected. By understanding the importance of IAM, identifying potential risks, and implementing effective security measures, organizations can safeguard their sensitive data and prevent unauthorized access.

Remember, IAM is not a one-time fix; it requires ongoing attention and continuous improvement. By prioritizing IAM and adopting best practices, organizations can build a strong security foundation and protect their cloud infrastructure from emerging threats.

Cloudanix IAM JIT is revolutionizing the way organizations manage and review their IAM internally as a team and with their regulatory authorities.
