Light Dark
April 19, 2021 By Angelika Steinacker
Anna Fernezian
3 min read
Identity & Access
Cloud Security

Some organizations with multicloud environments opt for a cloud service provider with native identity access management (IAM). However, these same people often struggle when it comes to adding the cloud-native controls into a larger enterprise IAM program.

In part 1 of our cloud-native IAM controls blog, we explored why these controls are not enough for managing identity and access risk at an enterprise level. In this article, we will offer insight into governance concerns and a potential approach to help bridge the gaps.

Setting Up Cloud-Native IAM Controls Properly

Most businesses need help with their approach to entitlements management for their clouds. Your goal should be to deliver a blueprint to your developers and IT admins with the roles, policies and entitlements needed to connect cloud-native controls to an enterprise-level program. Once you’ve established a blueprint, the next step is to automate IAM controls to provide something like ‘IAM as code’ so that you can reduce risk and streamline the work.

Learn more on IAM

Diving Deeper

The approach starts with setting up specific policies and roles for governance. The policies dictate how to deal with cloud-native IAM controls. Defining IAM roles at the enterprise level helps provide specific permissions for users on what they can and cannot do. In other words, you need to create a repeatable pattern for groups of users assigned to a specific role — contractors, project managers, admins, etc.

Each role needs specific IAM access so that the agility of these cloud-native landscapes is preserved. What does this mean? Let’s break it down.

Different Options for Different Governance Needs

To begin with, you need a mix of roles and rules set up within the enterprise governance solution. They should reflect the native IAM functional controls.

You should further define the rules by case or the context in which a user needs more approval when they request access. For example, if you are talking about a DevOps use case, you often have in the DevOps team a ‘sprint master’ or project manager. This role can request cloud-native IAM privileges that are assigned to someone else in the project team.

You should align the DevOps-specific role at the enterprise level. Through the classical identity governance path, your environment will capture the access request for auditing and recertification.

Multicloud environments demand a multilayered IAM approach. You need to automate most of these layers in the sense they should be approved and agreed upon in advance with the relevant stakeholders. Only when you have that stakeholder approval can you automate.

An identity and access governance program comes configured with predefined roles, rules and use cases. The enterprise IAM program provides automation and enables the client to move from a reactive manual state to a proactive state. As you automate, you can expect less risk. The more manual a process, the more potential for human error, such as misconfiguration of privileges or forgetting to remove users when they leave.

Reducing Risk With Cloud-Native IAM

In our first blog, we discussed how security failures are often the result of mishandling of identities, access and privileges. Automation can help reduce this type of risk. But you need the right policies, rules and role templates to get IAM security right.

Manual processes in identity and access governance do introduce risk. The goal of identity management is to reduce risk. Whenever possible, you will want to automate role selection and privileges. Make sure users adhere to those roles so you don’t inject any undue risk.

A blueprint to integrate the enterprise identity and access governance tools with the cloud-native IAM features will help guide you through automation. This is the most efficient option because you can review the roles and policies across multiple cloud environments.

If you’re an enterprise looking to scale your enterprise IAM program, start with these three principles of designing modern IAM programs:

  • Enhance identity assurance,
  • Integrate identity intelligence, and
  • Address compliance mandates with identity governance.

Stay tuned for our third and final blog post in this series to learn more about blueprints and how to connect cloud-native IAM controls to an enterprise IAM program.

 |  |  | 
Angelika Steinacker
CTO for Identity & Access Management, IBM Security Europe
Anna Fernezian
Sr. Offering Manager, Identity and Access Management Services

More from Identity & Access
April 23, 2024

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

April 16, 2024

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

March 5, 2024

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature