In many cases, one business unit sets up its own cloud-native identity and access management controls differently from another. One of your customers’ business units may need Red Hat, while another may need controls from a specific public cloud provider. The business unit may or may not be using the cloud-native identity and access management (IAM) controls properly. It’s easy to spin up infrastructure and apps with these cloud-native IAM controls without any overall governance. But that makes it challenging for an enterprise IAM program to fit in. Let’s take a look at the importance of cloud governance blueprints in a cloud-native IAM landscape.

In Part 2 of this series, we discussed the importance of adding cloud-native IAM controls into a larger enterprise IAM program. In some use cases, the cloud-native controls make the enterprise IAM program more agile. On one hand, native controls could make business units more efficient if properly set up. But on the other hand, not everyone needs to reinvent the wheel when other business units might benefit from pre-configuration. This is why having good IAM blueprints or templates helps your teams stay consistent. Indeed, it also helps to meet compliance needs and creates a proper cloud governance framework.

Cloud Governance Blueprints for Enterprise IAM

At an enterprise level, having different custom programs for varying business units can be a real challenge. The newness of the public cloud and its dynamic changes create confusion for project managers and devs. So, they assign the basic controls that meet the needs of the moment, or give devs and admins more privileges than they need. This might introduce problems, such as compromised accounts, unknown or unwanted access to data and configuration errors.

Cloud-native IAM roles and policies are specific to each cloud service provider (CSP). You need oversight of those policies and roles. When someone is setting up a new open-source environment or a public cloud instance, they will have guidance.

Learn more

Blueprints Across Multicloud IAM

You ought to have programmatic guidance and policies that come with automated provisioning of identities, roles and privileges to target resources from an identity governance and administration (IGA) solution. Otherwise, you’re going to struggle to have a holistic view of the landscape.

These challenges can grow exponentially for multicloud projects where the same people have different privileges using each CSP’s IAM solution.

Let’s look a bit deeper into a DevOps example. Let’s say someone is working on one project that is built on a DevOps environment in one cloud and on another related project in another cloud. This setup could be done in each of the clouds one by one, by hand. But then, a breach of the principle of least privilege or a separation of duty conflict cannot be easily detected. Instead, they could run this setup through an IGA framework at the enterprise level. With this, it’s more likely to detect possible problems in advance and help prevent them.

A key success factor aligning with the IGA is to adapt to the agility and dynamic nature of spinning up cloud-based projects and adding developers or admins at will, while still maintaining compliance processes for auditing purposes. This would require a higher level of automation of IGA processes than what we see in many enterprises today.

Why Cloud Governance Blueprints?

The truth is that enterprise IGA programs still rely on too many manual processes that slow down the expected outcomes. Keep in mind that developers or the scrum master will not go through tedious manual processes; instead, they’ll find workarounds that negate the oversight.

Therefore, you need to be proactive about defining blueprints for policies, roles and rules on an enterprise level to leverage cloud-native IAM. Pre-approve and pre-configure these policies, roles and rules to enable the implementation and automation for agile environments.

Point tools cannot resolve these challenges. They’ll require a holistic understanding of the outcomes for managing identity risk and the pathways to an integration framework.

Cloud Governance Services for IAM Controls

Is identity governance a cause for concern? Yes, and there are many reasons for concern, but governance is a major part of it. One reason identity governance is such a challenge is that it can be seen as a technical problem when setting up an IGA program. Identity and cloud governance are not technical problems; they are organizational and process challenges. You will need to involve many stakeholders to properly capture delegations, rules, separation of duties and policies. The technical staff is often not used at this level, and this creates problems for risk management.

Learning how to structure identity governance along with assurance and intelligence is a helpful path toward IAM modernization.

Register for our upcoming webinar on cloud-native IAM controls happening May 5, 2021, at 11am EDT. IBM Security Services has the guidelines and blueprints to help guide you through the layers of IAM controls for effective cloud computing governance and enterprise compliance.

More from Identity & Access

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Web injections are back on the rise: 40+ banks affected by new malware campaign

8 min read - Web injections, a favored technique employed by various banking trojans, have been a persistent threat in the realm of cyberattacks. These malicious injections enable cyber criminals to manipulate data exchanges between users and web browsers, potentially compromising sensitive information. In March 2023, security researchers at IBM Security Trusteer uncovered a new malware campaign using JavaScript web injections. This new campaign is widespread and particularly evasive, with historical indicators of compromise (IOCs) suggesting a possible connection to DanaBot — although we…

Taking the complexity out of identity solutions for hybrid environments

4 min read - For the past two decades, businesses have been making significant investments to consolidate their identity and access management (IAM) platforms and directories to manage user identities in one place. However, the hybrid nature of the cloud has led many to realize that this ultimate goal is a fantasy. Instead, businesses must learn how to consistently and effectively manage user identities across multiple IAM platforms and directories. As cloud migration and digital transformation accelerate at a dizzying pace, enterprises are left…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today