Identity and Access Management Overview
Identity and Access Management (IAM) is the process of defining and managing the ever-changing roles and privileges of identities (human users and machine accounts/service principals) across an organization. After the digital identity has been established, it must be maintained, altered and monitored throughout each user’s “access lifecycle”.
In today’s complex multi-cloud and hybrid cloud environments, with a never-ending expansion of new machine and human identities, accounts, resources, services and privileges, an effective and scalable IAM solution is more critical than ever. With digital transformation and the adoption of public cloud infrastructure both accelerating, identity is the most critical security vector and must be actively managed.
An effective IAM platform not only keeps the organization safe from security breaches, it also should provide a scalable method to manage identities’ access and authorization across an entire enterprise without costly experts, complicated scripts, or large investments in training.
The Identity Management Challenge
Identity and Access Management is a critical part of an enterprise security plan and Zero Trust strategy because it is linked to a company’s digital security and productivity, especially if the organization is a cloud first enterprise.
A typical enterprise user has access to more data and resources than is essential to perform their tasks. Platform providers often recommend a pre-defined role as a starting point, with the ability to add entitlements when needed, eventually creating a custom role for the user.
But the unintended result is often that companies continuously add entitlements and permissions and rarely remove the excess. Identities end up with privileges they never use, and many enterprise data breaches trace back to permission misuse by identities that should never have had access to the data.
An effective IAM platform reduces these gaps and makes security teams more efficient and productive. Some of the benefits of an ideal IAM platform are:
- Operational efficiency
- Simplified regulatory compliance
- Employee satisfaction
- Visibility and control over a distributed workforce for the enterprise IT team
- Helps administrators consolidate, control, and simplify access privileges in clouds and data centers
- Faster and more efficient access to crucial applications
- Minimizes potential attack surface
- Improved cloud infrastructure stability
- Limits the damage that unauthorized identities, internal or external, can cause
- Allows companies to extend access to internal systems to users outside the company without compromising security
- Enhanced productivity
Identity and Access Management in the Cloud
Today’s complex multi-cloud and hybrid cloud environments have created significant security challenges for IAM and Security Operations teams. There is a constant flow of new users, machine identities and threats to manage, and security professionals are only now beginning to build the knowledge and tooling to cover this responsibility.
Gartner recently predicted that 75% of all security failures by 2023 will be the result of inadequate management of identities, access, and permissions. In response to this increasing threat, Gartner recently introduced a new cloud security category called Cloud Infrastructure Entitlements Management (CIEM) in its June 2020 Managing Privileged Access in Cloud Infrastructure report.
Most enterprises first try to manage cloud permissions and entitlements using traditional identity and access management (IAM) tools. However, it quickly becomes apparent these solutions are not designed to keep up with the highly automated, dynamic and complex environments that define modern infrastructure.
In addition, the native IAM tools shipped with each cloud platform offer only basic functionality and cover only that platform. On their own, these built-in mechanisms cannot serve enterprises running multi-cloud and hybrid cloud deployments.
The growth of identities in the cloud, both human and non-human, adds enormously to the difficulty of managing permissions. The prediction is that within five years the ratio of machine identities to humans will increase from 5:1 to 20:1, further magnifying the scope of the problem. These identities, roles and permissions are, in many cases, the result of the automation necessary to support cloud transformation.
Overworked security and cloud infrastructure teams are being asked to keep up with the proliferation of new human and non-human identities, whose roles give them permissions (in the tens of thousands) to access high-value resources.
The number of permissions organizations must manage is estimated at around 40,000 across the four key cloud platforms, and it grows daily. Over 50% of those 40,000 permissions are considered high-risk, meaning they could cause catastrophic damage if used improperly.
Many organizations lack the protocols and capabilities to correctly assign, manage and monitor this exponential growth of permissions across their expanding cloud footprints, while their security and cloud infrastructure teams are asked to keep up with new identities and thousands of permissions, high-risk ones included.
Potential Threats Organizations Face
With the explosive growth of cloud technology, multiple cloud providers, and remote workers, companies face the challenge of maintaining a consistent experience for employees connecting to corporate resources without sacrificing security.
Most data breaches occur as a result of inadequate management of identities, access, and permissions, including:
Insider Threats, such as
- Former employees having access to company’s info and resources
- Employees storing the organization’s business assets on their personal computers and personal mobile devices
- IAM system failure
- Employees using unapproved technology
- Moving to a cloud platform
- Acquisitions and divestitures
- Expansion of the workforce, especially remote workers
Outsider Threats, such as
- Data breaches
- Data exfiltration
Identity and Access Management and the Principle of Least Privilege
The principle of least privilege is one of the most fundamental and important concepts in cloud infrastructure security, and unfortunately it is also elusive to most organizations.
The standard method of access for organizations is to use the default roles and policies that cloud providers supply. These are typically based on a particular job function. For example, in AWS the managed policy AmazonS3FullAccess grants every S3 action on every bucket and object in the account (s3:* on all resources), not merely read and write access to the objects in one bucket. Platform providers recommend that organizations use these pre-defined roles as a starting point and then customize them to their needs.
At first glance, this recommendation seems both reasonable and actionable but real-world evidence tells a different story. Most customers end up using the default roles. In the rare cases where the customization is applied it is typically done to add privileges. Seldom do the customers customize a pre-defined role to remove excess privileges. The end result is roles that have excessive and unused privileges – a direct violation of the Principle of Least Privilege.
Excess and unused privileges are a major gap in data security and among the main causes of data breaches today.
Although it is essential to the success of an organization, the principle of least privilege is a complex concept that is difficult to implement across a cloud infrastructure. The best way to incorporate the principle of least privilege is through a continuous process.
- Have a single method of getting visibility of permissions across all your cloud infrastructure, that is, across the AWS, GCP and Azure deployments in your organization.
- Monitor which permissions are used or attempted, and on which resources, by comparing activity logs and identity activity against granted permissions to establish which permissions are regularly used.
- Remove any identities that have been inactive for 90 days, along with the permissions attached to them.
- Identify permissions that are only needed for short periods of time and implement workflow and automation to provision these permissions for only the period required.
- Remove unused permissions from all other identities that have not been utilized for an extended period.
- Implement on-demand or just-in-time processes, potentially self-service, to rapidly elevate permissions or privileges on specific cloud infrastructure resources where required, so that tightly scoped standing privileges do not block legitimate work.
- Investigate any abnormal activities by identities, and particularly unusual usage or attempted usage of privileges and where possible — auto remediate.
- Ensure continuous compliance controls are in place across all the infrastructure.
- Leverage best practices for permissions management across the organizations’ multi-cloud or hybrid-cloud infrastructure.
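The loop above (inventory the grants, compare them with what the logs show was actually used, drop what went unused for 90 days, retire idle identities, and investigate attempted use of permissions an identity does not hold) is easier to reason about in code. The following is an added example, not code from the original article or from any vendor's product. The identities, grants, log records and clock are constructed for the example; the record fields follow the shape of AWS CloudTrail (eventTime, userIdentity, eventSource, eventName, errorCode) but the data is invented, and the wildcard grant on ci-deployer stands in for a policy such as AmazonS3FullAccess from the section above.

```python
"""Right-size cloud permissions from activity logs.

Added example, not code from the original article. It implements the loop
described above: compare what each identity is granted against what its
activity log shows it actually used, drop grants that went unused for 90
days, flag identities idle for that long, and surface attempts to use
permissions the identity does not hold. Identities, grants, log records
and the clock are constructed for the example.
"""
from datetime import datetime, timedelta, timezone
import fnmatch
import json

UNUSED_WINDOW = timedelta(days=90)

# Constructed inventory: identity -> IAM-style action patterns it is granted.
# ci-deployer holds a wildcard grant, as AmazonS3FullAccess would give it.
GRANTED = {
    "ci-deployer": ["s3:*", "ec2:DescribeInstances", "iam:PassRole"],
    "analyst-alice": ["s3:GetObject", "s3:ListBucket", "athena:StartQueryExecution"],
    "old-contractor": ["s3:GetObject", "iam:CreateUser"],
}

# Constructed CloudTrail-like records, one JSON object per line.
SAMPLE_LOG = """
{"eventTime":"2024-05-01T10:00:00Z","userIdentity":{"userName":"ci-deployer"},"eventSource":"s3.amazonaws.com","eventName":"PutObject"}
{"eventTime":"2024-05-02T10:00:00Z","userIdentity":{"userName":"ci-deployer"},"eventSource":"s3.amazonaws.com","eventName":"DeleteObject"}
{"eventTime":"2024-05-03T10:00:00Z","userIdentity":{"userName":"ci-deployer"},"eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances"}
{"eventTime":"2024-05-04T10:00:00Z","userIdentity":{"userName":"ci-deployer"},"eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","errorCode":"AccessDenied"}
{"eventTime":"2024-05-05T10:00:00Z","userIdentity":{"userName":"analyst-alice"},"eventSource":"s3.amazonaws.com","eventName":"GetObject"}
{"eventTime":"2024-05-05T10:05:00Z","userIdentity":{"userName":"analyst-alice"},"eventSource":"athena.amazonaws.com","eventName":"StartQueryExecution"}
{"eventTime":"2024-01-10T10:00:00Z","userIdentity":{"userName":"old-contractor"},"eventSource":"s3.amazonaws.com","eventName":"GetObject"}
"""

# Fixed clock so the example is deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_log(text):
    """Yield (identity, action, time, denied) from JSON-lines records.

    Real CloudTrail eventName values do not always equal the IAM action
    name (e.g. ListBuckets is authorized by s3:ListAllMyBuckets); a
    production tool needs a mapping table. The constructed data here
    uses matching names.
    """
    for line in text.strip().splitlines():
        rec = json.loads(line)
        service = rec["eventSource"].split(".")[0]  # "s3.amazonaws.com" -> "s3"
        action = f"{service}:{rec['eventName']}"
        when = datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00"))
        yield rec["userIdentity"]["userName"], action, when, "errorCode" in rec


def analyze(granted, log_text, now=NOW):
    """Per identity: actions used in the window, grants to drop, idle flag, denied attempts."""
    used = {name: set() for name in granted}
    last_seen = {name: None for name in granted}
    denied = {name: set() for name in granted}
    for name, action, when, was_denied in parse_log(log_text):
        if name not in granted:
            continue  # identity not in the inventory: out of scope here
        if last_seen[name] is None or when > last_seen[name]:
            last_seen[name] = when  # a denied attempt still counts as activity
        if was_denied:
            denied[name].add(action)  # tried to use a permission it lacks
        elif now - when <= UNUSED_WINDOW:
            used[name].add(action)

    findings = {}
    for name, patterns in granted.items():
        # Wildcards such as s3:* collapse to the concrete actions observed.
        right_sized = sorted(a for a in used[name]
                             if any(fnmatch.fnmatchcase(a, p) for p in patterns))
        unused = [p for p in patterns
                  if not any(fnmatch.fnmatchcase(a, p) for a in used[name])]
        idle = last_seen[name] is None or now - last_seen[name] > UNUSED_WINDOW
        findings[name] = {
            "right_sized": right_sized,
            "unused": unused,
            "idle": idle,
            "denied_attempts": sorted(denied[name]),
        }
    return findings


def right_sized_policy(actions):
    """Render the observed actions as an IAM policy document.

    Resource is left as "*" only for brevity: the same logs carry the
    resource ARNs touched, and a real right-sizing pass narrows those too.
    """
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}]}


if __name__ == "__main__":
    for name, f in analyze(GRANTED, SAMPLE_LOG).items():
        print(name, json.dumps(f, indent=2))
        if f["idle"]:
            print(f"  -> {name}: no activity in {UNUSED_WINDOW.days} days, candidate for removal")
        elif f["right_sized"]:
            print(json.dumps(right_sized_policy(f["right_sized"]), indent=2))
```

Run as a script it reports that ci-deployer's s3:* collapses to the two S3 actions it actually called, that iam:PassRole is unused, that its denied iam:CreateAccessKey attempt deserves a look, and that old-contractor has been idle for over 90 days. A run of the same logic against real logs should cover a period long enough to catch quarterly or yearly jobs before their permissions are removed, which is why the text pairs the 90-day cut with just-in-time elevation.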
All of these steps add to the overhead of security teams. A truly effective IAM strategy that realizes the Principle of Least Privilege requires a new approach and tools that leave your organization confident it meets security best practices.
Fortunately, there is an answer.
Role-Based Access Controls (RBAC) and Identity and Access Management
Roles let users be grouped and each group be given the access rights its members need. This model, Role-Based Access Control (RBAC), is rarely sufficient on its own today: real access requirements can seldom be expressed with the single data point of role membership, and modern authorization combines the role with further context about the identity and the request.
Customers are looking for an authentication solution that works across their existing datacenter infrastructure and their cloud infrastructure without a huge administrative overhead. A modern authentication architecture and strategy no longer relies on “trust but verify”; it applies “never trust, always verify” to every authentication.
How do you get started with a modern approach to managing identities and access? First, multi-factor authentication is no longer negotiable: it needs to be implemented for all cloud native services and infrastructure, so stop delaying and get it implemented for all your identities.
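To make the two points above concrete (a role name alone does not decide access, and MFA is a precondition for every identity), here is an added example of an authorization check, not code from the original article. Decisions are deny by default; a request without MFA is refused before any role is consulted, and each rule can additionally require a managed device or a source network. The roles, rules, CIDRs and requests are constructed for the example.

```python
"""Authorization that combines role membership with request context.

Added example, not code from the original article. Every request must
carry MFA, each rule may further require a managed device or a source
network, and anything not explicitly allowed is denied. The roles,
rules, networks and requests are constructed for the example.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Request:
    subject: str
    roles: frozenset
    action: str
    mfa: bool = False
    managed_device: bool = False
    source_ip: str = "0.0.0.0"


@dataclass(frozen=True)
class Rule:
    """Allow `actions` to holders of `role`, subject to the listed conditions."""
    role: str
    actions: frozenset
    managed_device: bool = False   # require a managed endpoint
    source_networks: tuple = ()    # CIDRs the request must come from, if any


# Constructed rule set: reads from anywhere, writes only from the corporate
# range, IAM changes only from a managed device on the corporate range.
RULES = (
    Rule("viewer", frozenset({"s3:GetObject"})),
    Rule("operator", frozenset({"s3:GetObject", "s3:PutObject"}),
         source_networks=("10.0.0.0/8",)),
    Rule("admin", frozenset({"iam:CreateUser", "iam:AttachUserPolicy"}),
         managed_device=True, source_networks=("10.0.0.0/8",)),
)


def _from_allowed_network(ip, networks):
    """True when no network restriction applies or the source is inside one."""
    addr = ipaddress.ip_address(ip)
    return not networks or any(addr in ipaddress.ip_network(n) for n in networks)


def authorize(req, rules=RULES):
    """Return (allowed, reason). Deny unless a rule matches role, action and every condition."""
    if not req.mfa:
        return False, "MFA is required for every identity"
    reasons = []
    for rule in rules:
        if rule.role not in req.roles or req.action not in rule.actions:
            continue
        if rule.managed_device and not req.managed_device:
            reasons.append(f"{rule.role}: managed device required")
            continue
        if not _from_allowed_network(req.source_ip, rule.source_networks):
            reasons.append(f"{rule.role}: source {req.source_ip} not in {list(rule.source_networks)}")
            continue
        return True, f"allowed by role {rule.role}"
    return False, "; ".join(reasons) or "no rule grants this action to these roles"


if __name__ == "__main__":
    demo = [
        Request("alice", frozenset({"viewer"}), "s3:GetObject", mfa=True, source_ip="203.0.113.7"),
        Request("alice", frozenset({"viewer"}), "s3:GetObject", mfa=False),
        Request("bob", frozenset({"operator"}), "s3:PutObject", mfa=True, source_ip="10.1.2.3"),
        Request("bob", frozenset({"operator"}), "s3:PutObject", mfa=True, source_ip="203.0.113.7"),
        Request("carol", frozenset({"admin"}), "iam:CreateUser", mfa=True, source_ip="10.1.2.3"),
    ]
    for r in demo:
        print(r.subject, r.action, authorize(r))
```

The reason string matters as much as the boolean: it is what an auditor or an incident responder reads later, and it is why the denial path collects every rule that nearly matched instead of stopping at the first failure.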
Where Authorization Intersects with Access Control
Authorization is the most overlooked permission management control in the security organization, because in a cloud world even basic visibility requires deep knowledge of the underlying infrastructure, and there are tens of thousands of permissions and resources to manage. Imagine if every cloud infrastructure identity, human or machine, had the same ability to perform tasks and access to the same information, systems and data.
Authorization is essential to restrict the actions of identities to only what they absolutely need to perform, thereby reducing unwanted, avoidable risk significantly. It should form the basis for every security program but can be daunting in complexity.
The key to getting the basics right is “right sizing” permissions: focus on the permissions an identity requires to do its job on a daily basis, rather than on every permission it might possibly need. This differs from the usual practice, where companies leave users with the default access and control granted by the cloud providers.
Augment those permissions by delivering any additional permissions or privileges on demand, when and only when identities need them. This yields a comprehensive authorization model based on permissions used, as opposed to permissions granted.
Auditing Is Just As Critical
It is surprisingly complicated to determine all the activities identities have executed, especially considering the thousands of resources these identities can access across multiple cloud infrastructure platforms.
However difficult or complex it may be, auditing capability is an essential building block of a robust cloud infrastructure security framework. Knowing which resources are being accessed, or that access was attempted, is not enough. Knowing what every identity is doing, or attempting to do, to your cloud infrastructure resources is a mandatory requirement for detecting threats and for robust incident response.
This is also critical for continuous security and compliance controls across all your cloud infrastructure platforms.