Organizations of every type and size are looking to the cloud for a multitude of benefits, including agility, quick time-to-value, cost savings and scalability. But enterprise-scale deployments can make this process complex, more so as it relates to identity and access management (IAM). Protections through the cloud are often a web of permissions that, if your team does not maintain them properly, can lead to a costly data breach. Let’s take a look at how exactly cloud-native IAM works. Next, check back for the second in this series of three articles on cloud-native IAM controls.

According to the 2020 Cost of a Data Breach Report, nearly 20% of the companies that suffered a malicious attack found that it was due to stolen or compromised credentials. Alongside these compromised credentials, misconfigured cloud servers were the most frequent threat vector. These survey results show how poor management of identities, access and privileges can impact your business. When it comes to public cloud environments, much of the onus for defensive configuration and management is on you, not the cloud provider.

Learn more

Cloud Identity Means a Perimeter-less Landscape Demanding Stronger Controls

I want to avoid the impression that cloud-native IAM from a specific cloud service provider is not helpful. That isn’t the case at all. Native IAM controls found in public cloud offerings and open environments can offer unique benefits such as agility for DevOps processes and developer-friendly IAM features. In contrast, an enterprise IAM program delivers advanced features that go beyond these controls and conform to corporate governance policies.

I see many of the same customer challenges across these complex, multiple cloud environments that enterprise IAM programs have resolved. Many of the public cloud providers offer native IAM controls for target environments but lack the connection to larger programs of work. In addition, the concept of enforcing least privilege through proper governance and privileged access with these native controls becomes quite difficult. When you start to look at trying to use these controls across multicloud setups or at an enterprise level, it becomes even more difficult.

IT and IAM teams must go beyond native controls and think about the IAM governance program from a broader, programmatic perspective. You should leverage these native controls according to a unified corporate governance policy that includes a predefined access model.

Getting the Work Done with Cloud-Native IAM Controls

In various cloud environments, the native IAM controls are commonly called identity management. But what’s confusing is that these controls are not truly enterprise-level identity management as we know it. They are simple access control. For instance, there’s no life cycle for digital identities. You can assign users to specific accounts, but you cannot really manage the life cycle of people — joiners, movers and leavers. The critical auditing needs for action on organizational and other changes are handled at an enterprise level.

The cloud-native IAM controls are not intended to manage a full identity life cycle. They are intended for specific use cases. For example, with the Red Hat platform, you have two main use cases. The primary ones are DevOps and IT operations. In these specific use cases, you can set up predefined roles and policies using native controls. But these stay where you put them. They don’t extend beyond the specific platform used.

IT also plays a part in the DevOps chain. For example, if you are going through the entire DevOps chain at some point in time, you are setting up new permissions and roles. This is where the DevOps use case connects to IT. Even in open-source environments, you will often need to use more than just one basic IAM function.

Can Cloud-Native IAM Controls Work in Multicloud Environments?

If you are working in multicloud environments, then the answer is no. Every provider has its own unique set of IAM functions. IAM controls are specific to each cloud service provider. They don’t talk to or operate with one another or in other cloud platforms. So, with the native controls, you have different components that provide piecemeal IAM functions.

The specific entitlements from cloud environments often do not align with the enterprise roles. They may be similar, but the details are very different. In the end, you need to define specific roles at an enterprise level that contain entitlements for cloud environments.

In the next article, I will share a few strategies for how to broaden these cloud-native IAM controls. Until then, learn how to design an IAM program optimized for your business.

More from Identity & Access

“Authorized” to break in: Adversaries use valid credentials to compromise cloud environments

4 min read - Overprivileged plaintext credentials left on display in 33% of X-Force adversary simulations Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still heavily relied upon. Today X-Force released the 2023 Cloud Threat Landscape Report, detailing common trends and top threats observed against cloud environments over the past…

Artificial intelligence threats in identity management

4 min read - The 2023 Identity Security Threat Landscape Report from CyberArk identified some valuable insights. 2,300 security professionals surveyed responded with some sobering figures: 68% are concerned about insider threats from employee layoffs and churn 99% expect some type of identity compromise driven by financial cutbacks, geopolitical factors, cloud applications and hybrid work environments 74% are concerned about confidential data loss through employees, ex-employees and third-party vendors. Additionally, many feel digital identity proliferation is on the rise and the attack surface is…

X-Force certified containment: Responding to AD CS attacks

6 min read - This post was made possible through the contributions of Joseph Spero and Thanassis Diogos. In June 2023, IBM Security X-Force responded to an incident where a client had received alerts from their security tooling regarding potential malicious activity originating from a system within their network targeting a domain controller. X-Force analysis revealed that an attacker gained access to the client network through a VPN connection using a third-party IT management account. The IT management account had multi-factor authentication (MFA) disabled…

CISA, NSA issue new IAM best practice guidelines

4 min read - The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) recently released a new 31-page document outlining best practices for identity and access management (IAM) administrators. As the industry increasingly moves towards cloud and hybrid computing environments, managing the complexities of digital identities can be challenging. Nonetheless, the importance of IAM cannot be overstated in today's world, where data security is more critical than ever. Meanwhile, IAM itself can be a source of vulnerability if not implemented…