Some organizations with multicloud environments opt for a cloud service provider with native identity access management (IAM). However, these same people often struggle when it comes to adding the cloud-native controls into a larger enterprise IAM program.

In part 1 of our cloud-native IAM controls blog, we explored why these controls are not enough for managing identity and access risk at an enterprise level. In this article, we will offer insight into governance concerns and a potential approach to help bridge the gaps.

Setting Up Cloud-Native IAM Controls Properly

Most businesses need help with their approach to entitlements management for their clouds. Your goal should be to deliver a blueprint to your developers and IT admins with the roles, policies and entitlements needed to connect cloud-native controls to an enterprise-level program. Once you’ve established a blueprint, the next step is to automate IAM controls to provide something like ‘IAM as code’ so that you can reduce risk and streamline the work.

Learn more on IAM

Diving Deeper

The approach starts with setting up specific policies and roles for governance. The policies dictate how to deal with cloud-native IAM controls. Defining IAM roles at the enterprise level helps provide specific permissions for users on what they can and cannot do. In other words, you need to create a repeatable pattern for groups of users assigned to a specific role — contractors, project managers, admins, etc.

Each role needs specific IAM access so that the agility of these cloud-native landscapes is preserved. What does this mean? Let’s break it down.

Different Options for Different Governance Needs

To begin with, you need a mix of roles and rules set up within the enterprise governance solution. They should reflect the native IAM functional controls.

You should further define the rules by case or the context in which a user needs more approval when they request access. For example, if you are talking about a DevOps use case, you often have in the DevOps team a ‘sprint master’ or project manager. This role can request cloud-native IAM privileges that are assigned to someone else in the project team.

You should align the DevOps-specific role at the enterprise level. Through the classical identity governance path, your environment will capture the access request for auditing and recertification.

Multicloud environments demand a multilayered IAM approach. You need to automate most of these layers in the sense they should be approved and agreed upon in advance with the relevant stakeholders. Only when you have that stakeholder approval can you automate.

An identity and access governance program comes configured with predefined roles, rules and use cases. The enterprise IAM program provides automation and enables the client to move from a reactive manual state to a proactive state. As you automate, you can expect less risk. The more manual a process, the more potential for human error, such as misconfiguration of privileges or forgetting to remove users when they leave.

Reducing Risk With Cloud-Native IAM

In our first blog, we discussed how security failures are often the result of mishandling of identities, access and privileges. Automation can help reduce this type of risk. But you need the right policies, rules and role templates to get IAM security right.

Manual processes in identity and access governance do introduce risk. The goal of identity management is to reduce risk. Whenever possible, you will want to automate role selection and privileges. Make sure users adhere to those roles so you don’t inject any undue risk.

A blueprint to integrate the enterprise identity and access governance tools with the cloud-native IAM features will help guide you through automation. This is the most efficient option because you can review the roles and policies across multiple cloud environments.

If you’re an enterprise looking to scale your enterprise IAM program, start with these three principles of designing modern IAM programs:

  • Enhance identity assurance,
  • Integrate identity intelligence, and
  • Address compliance mandates with identity governance.

Stay tuned for our third and final blog post in this series to learn more about blueprints and how to connect cloud-native IAM controls to an enterprise IAM program.

More from Identity & Access

Another category? Why we need ITDR

5 min read - Technologists are understandably suffering from category fatigue. This fatigue can be more pronounced within security than in any other sub-sector of IT. Do the use cases and risks of today warrant identity threat detection and response (ITDR)? To address this question, we work backwards from the vulnerabilities, threats, misconfigurations and attacks that IDTR specializes in providing visibility into. As identity threat detection and response (ITDR) technology evolves, one of the most common queries we get is: “Why do we need…

Access control is going mobile — Is this the way forward?

2 min read - Last year, the highest volume of cyberattacks (30%) started in the same way: a cyber criminal using valid credentials to gain access. Even more concerning, the X-Force Threat Intelligence Index 2024 found that this method of attack increased by 71% from 2022. Researchers also discovered a 266% increase in infostealers to obtain credentials to use in an attack. Family members of privileged users are also sometimes victims.“These shifts suggest that threat actors have revalued credentials as a reliable and preferred…

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today