Some organizations with multicloud environments opt for a cloud service provider's native identity and access management (IAM). However, these same organizations often struggle when it comes to folding those cloud-native controls into a larger enterprise IAM program.

In part 1 of our cloud-native IAM controls blog, we explored why these controls are not enough for managing identity and access risk at an enterprise level. In this article, we will offer insight into governance concerns and a potential approach to help bridge the gaps.

Setting Up Cloud-Native IAM Controls Properly

Most businesses need help with their approach to entitlements management in their clouds. Your goal should be to deliver a blueprint to your developers and IT admins with the roles, policies and entitlements needed to connect cloud-native controls to an enterprise-level program. Once you've established a blueprint, the next step is to automate the IAM controls, treating the blueprint as 'IAM as code', so that you reduce risk and streamline the work.


Diving Deeper

The approach starts with setting up specific policies and roles for governance. The policies dictate how cloud-native IAM controls are handled. Defining IAM roles at the enterprise level fixes, per role, what a user can and cannot do. In other words, you create a repeatable pattern for each group of users assigned to a given role: contractors, project managers, admins and so on.

Each role needs specific IAM access so that the agility of these cloud-native landscapes is preserved. What does this mean? Let’s break it down.

Different Options for Different Governance Needs

To begin with, you need a mix of roles and rules set up within the enterprise governance solution. They should reflect the native IAM functional controls.

You should further define the rules by case, or by the context in which a user needs additional approval when requesting access. For example, in a DevOps use case the team often has a 'sprint master' or project manager. This role can request cloud-native IAM privileges on behalf of someone else on the project team.

You should align the DevOps-specific role at the enterprise level. Through the classical identity governance path, your environment will capture the access request for auditing and recertification.

Multicloud environments demand a multilayered IAM approach. Most of these layers should be automated, but only after the roles and rules in each layer have been reviewed and agreed upon in advance with the relevant stakeholders. Only once you have that stakeholder approval should you automate.

An identity and access governance program comes configured with predefined roles, rules and use cases. The enterprise IAM program provides automation and lets the organization move from a reactive, manual state to a proactive one. As you automate, you can expect less risk. The more manual a process, the more room for human error, such as misconfiguring privileges or forgetting to remove users when they leave.
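To make the 'IAM as code' idea above concrete, here is an added example (not code from the original article or from any governance product) of the two loops the preceding paragraphs describe: role templates that are the reviewed source of truth, a reconciliation that turns live cloud bindings into a grant/revoke change set and flags accounts that no longer exist in the identity source, and a request-on-behalf path with an approval gate for privileged entitlements. The role names, entitlement strings, user records and audit tuple format are all constructed for illustration and do not correspond to any vendor's schema.

```python
"""Minimal 'IAM as code' reconciliation and access-request gate.

Added example for this article. The role templates, entitlement strings,
user records and the audit log format are constructed and hypothetical;
they stand in for whatever the enterprise governance tool and the cloud
provider's native IAM actually use, and are not any vendor's schema."""

from __future__ import annotations

from dataclasses import dataclass, field

# Role blueprint: enterprise role -> cloud-native entitlements it maps to.
# This dict is the "code" in IAM as code: reviewed and version-controlled.
ROLE_TEMPLATES = {
    "contractor": {"storage:read"},
    "project-manager": {"storage:read", "iam:request-access"},
    "cloud-admin": {"storage:read", "storage:write", "iam:manage-roles"},
}

# Entitlements that must never be granted without a human approval step,
# even when requested through the governance path (agreed in advance).
PRIVILEGED = {"storage:write", "iam:manage-roles"}


@dataclass
class Identity:
    user: str
    role: str | None        # None: no longer in the HR/identity source
    bindings: set[str]      # what the cloud currently grants this user


@dataclass
class ChangeSet:
    grant: dict[str, set[str]] = field(default_factory=dict)
    revoke: dict[str, set[str]] = field(default_factory=dict)
    orphaned: list[str] = field(default_factory=list)


def reconcile(identities, templates=ROLE_TEMPLATES):
    """Compare live bindings with role templates and emit the drift.

    Extra entitlements are revoked, missing ones granted, and any account
    with no role in the identity source (a leaver, or an account created
    outside the process) is flagged and fully revoked."""
    cs = ChangeSet()
    for ident in identities:
        if ident.role is None:
            cs.orphaned.append(ident.user)
            if ident.bindings:
                cs.revoke[ident.user] = set(ident.bindings)
            continue
        if ident.role not in templates:
            raise ValueError(f"{ident.user}: unknown role {ident.role!r}")
        desired = templates[ident.role]
        if desired - ident.bindings:
            cs.grant[ident.user] = desired - ident.bindings
        if ident.bindings - desired:
            cs.revoke[ident.user] = ident.bindings - desired
    return cs


def request_access(requester, target, entitlement, audit):
    """Project-manager style request on behalf of someone else.

    Returns 'granted', 'pending-approval' or 'denied'. Every decision is
    appended to `audit` so recertification can replay it later."""
    if "iam:request-access" not in requester.bindings:
        decision = "denied"            # requester's role cannot request
    elif entitlement in target.bindings:
        decision = "granted"           # already held: idempotent no-op
    elif entitlement in PRIVILEGED:
        decision = "pending-approval"  # privileged: human approval first
    else:
        target.bindings.add(entitlement)
        decision = "granted"
    audit.append((requester.user, target.user, entitlement, decision))
    return decision


if __name__ == "__main__":
    # Constructed sample state: one clean admin, one over-privileged
    # contractor, one leaver whose account was never removed.
    fleet = [
        Identity("alice", "cloud-admin",
                 {"storage:read", "storage:write", "iam:manage-roles"}),
        Identity("bob", "contractor", {"storage:read", "storage:write"}),
        Identity("carol", None, {"storage:read"}),
    ]
    print(reconcile(fleet))
    pm = Identity("dave", "project-manager",
                  set(ROLE_TEMPLATES["project-manager"]))
    log = []
    print(request_access(pm, fleet[1], "iam:manage-roles", log), log)
```

Note that an entitlement granted through `request_access` but absent from the target's role template shows up as drift on the next `reconcile` run and is revoked. That is deliberate: the ad hoc grant either gets folded into a reviewed template or it expires, which is the recertification loop the governance path is meant to enforce.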

Reducing Risk With Cloud-Native IAM

In our first blog, we discussed how security failures are often the result of mishandling of identities, access and privileges. Automation can help reduce this type of risk. But you need the right policies, rules and role templates to get IAM security right.

Manual processes in identity and access governance do introduce risk, and the goal of identity management is to reduce risk. Whenever possible, automate role assignment and the privileges that follow from it, and make sure users stay within those roles so you don't inject any undue risk.

A blueprint to integrate the enterprise identity and access governance tools with the cloud-native IAM features will help guide you through automation. This is the most efficient option because you can review the roles and policies across multiple cloud environments.

If you're looking to scale your enterprise IAM program, start with these three principles of designing modern IAM programs:

  • Enhance identity assurance,
  • Integrate identity intelligence, and
  • Address compliance mandates with identity governance.

Stay tuned for our third and final blog post in this series to learn more about blueprints and how to connect cloud-native IAM controls to an enterprise IAM program.
