In many cases, one business unit sets up its own cloud-native identity and access management controls differently from another. One business unit may run on Red Hat, while another relies on the controls of a specific public cloud provider, and neither may be using the cloud-native identity and access management (IAM) controls properly. It is easy to spin up infrastructure and apps with these cloud-native IAM controls without any overall governance, but that makes it hard for an enterprise IAM program to fit in. Let's take a look at why cloud governance blueprints matter in a cloud-native IAM landscape.
In Part 2 of this series, we discussed the importance of bringing cloud-native IAM controls into a larger enterprise IAM program. In some use cases, the cloud-native controls make the enterprise IAM program more agile, and native controls can make a business unit more efficient if they are set up properly. On the other hand, not every business unit needs to reinvent the wheel when it could start from a pre-configured baseline that others have already validated. This is why good IAM blueprints or templates help your teams stay consistent; they also help meet compliance needs and form the basis of a proper cloud governance framework.
Cloud Governance Blueprints for Enterprise IAM
At an enterprise level, supporting a different custom program for each business unit is a real challenge. The newness of the public cloud and its constant changes create confusion for project managers and developers. So they assign whatever basic controls meet the needs of the moment, or give developers and admins more privileges than they need. This introduces problems such as compromised accounts, unknown or unwanted access to data, and configuration errors.
Cloud-native IAM roles and policies are specific to each cloud service provider (CSP). You need oversight of those roles and policies, so that anyone setting up a new open-source environment or a public cloud instance has guidance to follow rather than starting from scratch.
Blueprints Across Multicloud IAM
You should have programmatic guidance and policies, backed by automated provisioning of identities, roles and privileges to target resources from an identity governance and administration (IGA) solution. Otherwise, you will struggle to get a holistic view of the landscape.
These challenges can grow exponentially for multicloud projects where the same people have different privileges using each CSP’s IAM solution.
Let's look a bit deeper at a DevOps example. Say someone is working on a project built on a DevOps environment in one cloud and on a related project in another cloud. The setup could be done in each cloud by hand, one at a time. But then a breach of the principle of least privilege, or a separation of duty conflict that only exists when you look at both clouds together, cannot easily be detected. Instead, they could run this setup through an IGA framework at the enterprise level, which sees the person's combined entitlements across both clouds and is therefore far more likely to catch such problems in advance and help prevent them.
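To make the DevOps scenario concrete, here is an added example (not IBM's code, and not any particular IGA product's API) of the kind of check an enterprise-level IGA framework performs that per-cloud setup by hand cannot. It assumes a hypothetical enterprise blueprint of pre-approved roles per CSP plus separation-of-duty pairs, and a constructed list of role assignments for a few identities. The entitlement names, role names and identities are all made up for illustration; the point is that "dev1" holds a code-writing entitlement on one cloud and a release-approval entitlement on another, which is invisible to either cloud's own IAM but is a separation of duty conflict once the assignments are combined.

```python
"""Added example: review multicloud IAM assignments against an enterprise blueprint.

Detects roles that are not pre-approved in the blueprint, entitlements granted
directly outside any blueprint role, and separation-of-duty (SoD) conflicts that
only appear when one identity's entitlements across all clouds are combined.
All role, entitlement and identity names below are constructed for illustration.
"""
from collections import defaultdict

# Hypothetical enterprise blueprint: pre-approved role bundles per CSP, and pairs of
# entitlement sets that must never be held together by one identity on any cloud.
BLUEPRINT = {
    "approved_roles": {
        "aws": {
            "developer": {"codecommit:write", "lambda:deploy"},
            "release-approver": {"codepipeline:approve"},
        },
        "azure": {
            "developer": {"repos:write", "functions:deploy"},
            "release-approver": {"pipelines:approve"},
        },
    },
    # SoD rule: whoever can write code must not also be able to approve its release,
    # regardless of which cloud each entitlement lives on.
    "sod_pairs": [
        ({"codecommit:write", "repos:write"}, {"codepipeline:approve", "pipelines:approve"}),
    ],
}


def effective_entitlements(assignments):
    """Flatten per-cloud assignments into one entitlement set per identity.

    Returns (entitlements_by_identity, findings). Roles missing from the blueprint
    are reported and grant nothing; direct grants are reported but still counted,
    because the person really does hold that access.
    """
    ents = defaultdict(set)
    findings = []
    for a in assignments:
        approved = BLUEPRINT["approved_roles"].get(a["csp"], {})
        for role in a.get("roles", ()):
            if role in approved:
                ents[a["identity"]] |= approved[role]
            else:
                findings.append(("unapproved-role", a["identity"], a["csp"], role))
        for ent in a.get("direct", ()):
            findings.append(("direct-grant", a["identity"], a["csp"], ent))
            ents[a["identity"]].add(ent)
    return ents, findings


def sod_conflicts(ents):
    """Report each identity holding entitlements from both sides of an SoD pair."""
    out = []
    for identity, held in sorted(ents.items()):
        for left, right in BLUEPRINT["sod_pairs"]:
            left_hit, right_hit = sorted(held & left), sorted(held & right)
            if left_hit and right_hit:
                out.append(("sod-conflict", identity, left_hit[0], right_hit[0]))
    return out


def review(assignments):
    """Full blueprint review: unapproved roles, direct grants, then SoD conflicts."""
    ents, findings = effective_entitlements(assignments)
    return findings + sod_conflicts(ents)


# Constructed sample: what two hand-configured clouds might look like after a sprint.
SAMPLE_ASSIGNMENTS = [
    {"identity": "dev1", "csp": "aws", "roles": ["developer"]},
    {"identity": "dev1", "csp": "azure", "roles": ["release-approver"]},  # cross-cloud SoD
    {"identity": "dev2", "csp": "aws", "roles": ["developer"], "direct": {"iam:*"}},  # hand grant
    {"identity": "dev3", "csp": "azure", "roles": ["contributor"]},  # not in the blueprint
]

if __name__ == "__main__":
    for finding in review(SAMPLE_ASSIGNMENTS):
        print(*finding)
```

Run stand-alone, it prints three findings: the hand-granted `iam:*` on dev2, the unapproved `contributor` role on dev3, and the cross-cloud SoD conflict on dev1. Checking either cloud alone would have reported nothing for dev1, which is exactly why the check belongs at the enterprise IGA level rather than in each CSP's console.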
A key success factor for IGA is adapting to the agile, dynamic nature of spinning up cloud-based projects and adding developers or admins at will, while still maintaining the compliance processes needed for auditing. This requires a higher level of automation of IGA processes than we see in many enterprises today.
Why Cloud Governance Blueprints?
The truth is that enterprise IGA programs still rely on too many manual processes that slow down the expected outcomes. Keep in mind that developers and scrum masters will not go through tedious manual processes; they will find workarounds, and those workarounds negate the oversight.
Therefore, you need to be proactive about defining blueprints for policies, roles and rules at the enterprise level that leverage cloud-native IAM. Pre-approve and pre-configure these policies, roles and rules so that they can be implemented and automated in agile environments without a manual approval step for every project.
Point tools cannot resolve these challenges on their own. Resolving them requires a holistic understanding of the outcomes you want from managing identity risk, and a clear path to an integration framework that connects the point tools to the enterprise program.
Cloud Governance Services for IAM Controls
Is identity governance a cause for concern? Yes, for many reasons, and governance itself is a major part of it. One reason identity governance is such a challenge is that it is often treated as a technical problem when an IGA program is set up. Identity and cloud governance are not technical problems; they are organizational and process challenges. You will need to involve many stakeholders to properly capture delegations, rules, separation of duties and policies. Technical staff are often not used to working at this level, and that gap creates problems for risk management.
Learning how to structure identity governance along with assurance and intelligence is a helpful path toward IAM modernization.
Register for our upcoming webinar on cloud-native IAM controls happening May 5, 2021, at 11am EDT. IBM Security Services has the guidelines and blueprints to help guide you through the layers of IAM controls for effective cloud computing governance and enterprise compliance.
CTO for Identity & Access Management, IBM Security Europe
Sr. Offering Manager, Identity and Access Management Services