In many cases, one business unit sets up its own cloud-native identity and access management controls differently from another. One of your customers’ business units may need Red Hat, while another may need controls from a specific public cloud provider. The business unit may or may not be using the cloud-native identity and access management (IAM) controls properly. It’s easy to spin up infrastructure and apps with these cloud-native IAM controls without any overall governance. But that makes it challenging for an enterprise IAM program to fit in. Let’s take a look at the importance of cloud governance blueprints in a cloud-native IAM landscape.

In Part 2 of this series, we discussed the importance of adding cloud-native IAM controls into a larger enterprise IAM program. In some use cases, the cloud-native controls make the enterprise IAM program more agile. On one hand, native controls could make business units more efficient if properly set up. On the other hand, not every business unit needs to reinvent the wheel when it could benefit from pre-configured settings that other units already use. This is why having good IAM blueprints or templates helps your teams stay consistent. It also helps meet compliance needs and creates a proper cloud governance framework.

Cloud Governance Blueprints for Enterprise IAM

At an enterprise level, having different custom programs for varying business units can be a real challenge. The newness of the public cloud and its dynamic changes create confusion for project managers and devs. So, they assign the basic controls that meet the needs of the moment, or give devs and admins more privileges than they need. This might introduce problems, such as compromised accounts, unknown or unwanted access to data and configuration errors.

Cloud-native IAM roles and policies are specific to each cloud service provider (CSP). You need oversight of those policies and roles, so that when someone sets up a new open-source environment or a public cloud instance, they have guidance to follow.


Blueprints Across Multicloud IAM

You ought to have programmatic guidance and policies that come with automated provisioning of identities, roles and privileges to target resources from an identity governance and administration (IGA) solution. Otherwise, you’re going to struggle to have a holistic view of the landscape.

These challenges can grow exponentially for multicloud projects where the same people have different privileges using each CSP’s IAM solution.

Let’s look a bit deeper into a DevOps example. Say someone is working on one project built on a DevOps environment in one cloud and on a related project in another cloud. This setup could be done in each cloud one by one, by hand. But then a breach of the principle of least privilege, or a separation of duty conflict, cannot be easily detected, because neither cloud’s IAM sees the person’s privileges in the other. Instead, the setup could be run through an IGA framework at the enterprise level. With the combined view, possible problems are more likely to be detected in advance and prevented.

A key success factor for IGA is adapting to the agility and dynamic nature of spinning up cloud-based projects and adding developers or admins at will, while still maintaining compliance processes for auditing purposes. This requires a higher level of automation of IGA processes than what we see in many enterprises today.

Why Cloud Governance Blueprints?

The truth is that enterprise IGA programs still rely on too many manual processes that slow down the expected outcomes. Keep in mind that developers or the scrum master will not go through tedious manual processes; instead, they’ll find workarounds that negate the oversight.

Therefore, you need to be proactive about defining blueprints for policies, roles and rules on an enterprise level to leverage cloud-native IAM. Pre-approve and pre-configure these policies, roles and rules to enable the implementation and automation for agile environments.
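As an added illustration of the DevOps example and the pre-approved blueprint idea above (example code written for this article, not IBM’s or any IGA product’s), the following check takes role assignments gathered from two constructed clouds, compares them against a pre-approved blueprint, and evaluates separation-of-duty rules over abstract capabilities so a conflict that spans both clouds is caught. The blueprint, role-to-capability map, rules and sample assignments are all constructed for the example.

```python
from collections import defaultdict

# Constructed blueprint: pre-approved CSP-specific roles for one project profile.
BLUEPRINT = {
    "devops-engineer": {
        "cloud-a": {"pipeline-runner", "artifact-writer"},
        "cloud-b": {"deployer"},
    },
}
# Map each CSP-specific role to an abstract capability so that enterprise
# separation-of-duty rules can be expressed once and applied across clouds.
CAPABILITY = {
    ("cloud-a", "pipeline-runner"): "build",
    ("cloud-a", "artifact-writer"): "build",
    ("cloud-a", "release-approver"): "approve-prod",
    ("cloud-b", "deployer"): "deploy-prod",
    ("cloud-b", "iam-admin"): "grant-access",
}
# Capability pairs that one person must never hold together.
SOD_RULES = [("deploy-prod", "approve-prod"), ("build", "grant-access")]

def review(assignments, profile):
    """assignments: (user, csp, role) tuples collected from each CSP's IAM.
    Returns findings: roles outside the blueprint (least-privilege breaches)
    and users holding a forbidden capability pair (SoD conflicts)."""
    allowed = BLUEPRINT[profile]
    held = defaultdict(set)
    findings = []
    for user, csp, role in assignments:
        if role not in allowed.get(csp, set()):
            findings.append(("least-privilege", user, csp, role))
        cap = CAPABILITY.get((csp, role))
        if cap:
            held[user].add(cap)
    for user, caps in held.items():
        for first, second in SOD_RULES:
            if first in caps and second in caps:
                findings.append(("sod-conflict", user, first, second))
    return findings

# Constructed sample: alice's conflict is only visible when both clouds are combined.
SAMPLE = [
    ("alice", "cloud-a", "pipeline-runner"),
    ("alice", "cloud-b", "deployer"),
    ("alice", "cloud-a", "release-approver"),
    ("bob", "cloud-b", "iam-admin"),
]

if __name__ == "__main__":
    for finding in review(SAMPLE, "devops-engineer"):
        print(finding)
```

Reviewing one cloud's assignments on their own reports only the out-of-blueprint role; the deploy/approve conflict appears only in the combined review.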

Point tools cannot resolve these challenges. Resolving them requires a holistic understanding of the outcomes for managing identity risk and the pathways to an integration framework.

Cloud Governance Services for IAM Controls

Is identity governance a cause for concern? Yes, and there are many reasons for concern, but governance is a major part of it. One reason identity governance is such a challenge is that it is often treated as a technical problem when setting up an IGA program. Identity and cloud governance are not technical problems; they are organizational and process challenges. You will need to involve many stakeholders to properly capture delegations, rules, separation of duties and policies. Technical staff are often not involved at this level, and this creates problems for risk management.

Learning how to structure identity governance along with assurance and intelligence is a helpful path toward IAM modernization.

Register for our upcoming webinar on cloud-native IAM controls happening May 5, 2021, at 11am EDT. IBM Security Services has the guidelines and blueprints to help guide you through the layers of IAM controls for effective cloud computing governance and enterprise compliance.
