Organizations of every type and size are looking to the cloud for a multitude of benefits, including agility, quick time-to-value, cost savings and scalability. But enterprise-scale deployments can make this process complex, more so as it relates to identity and access management (IAM). Protections through the cloud are often a web of permissions that, if your team does not maintain them properly, can lead to a costly data breach. Let’s take a look at how exactly cloud-native IAM works. Next, check back for the second in this series of three articles on cloud-native IAM controls.

According to the 2020 Cost of a Data Breach Report, nearly 20% of the companies that suffered a malicious attack found that it was due to stolen or compromised credentials. Alongside these compromised credentials, misconfigured cloud servers were the most frequent threat vector. These survey results show how poor management of identities, access and privileges can impact your business. When it comes to public cloud environments, much of the onus for defensive configuration and management is on you, not the cloud provider.

Learn more

Cloud Identity Means a Perimeter-less Landscape Demanding Stronger Controls

I want to avoid the impression that cloud-native IAM from a specific cloud service provider is not helpful. That isn’t the case at all. Native IAM controls found in public cloud offerings and open environments can offer unique benefits such as agility for DevOps processes and developer-friendly IAM features. In contrast, an enterprise IAM program delivers advanced features that go beyond these controls and conform to corporate governance policies.

I see many of the same customer challenges across these complex, multiple cloud environments that enterprise IAM programs have resolved. Many of the public cloud providers offer native IAM controls for target environments but lack the connection to larger programs of work. In addition, the concept of enforcing least privilege through proper governance and privileged access with these native controls becomes quite difficult. When you start to look at trying to use these controls across multicloud setups or at an enterprise level, it becomes even more difficult.

IT and IAM teams must go beyond native controls and think about the IAM governance program from a broader, programmatic perspective. You should leverage these native controls according to a unified corporate governance policy that includes a predefined access model.

Getting the Work Done with Cloud-Native IAM Controls

In various cloud environments, the native IAM controls are commonly called identity management. But what’s confusing is that these controls are not truly enterprise-level identity management as we know it. They are simple access control. For instance, there’s no life cycle for digital identities. You can assign users to specific accounts, but you cannot really manage the life cycle of people — joiners, movers and leavers. The critical auditing needs for action on organizational and other changes are handled at an enterprise level.

The cloud-native IAM controls are not intended to manage a full identity life cycle. They are intended for specific use cases. For example, with the Red Hat platform, you have two main use cases. The primary ones are DevOps and IT operations. In these specific use cases, you can set up predefined roles and policies using native controls. But these stay where you put them. They don’t extend beyond the specific platform used.

IT also plays a part in the DevOps chain. For example, if you are going through the entire DevOps chain at some point in time, you are setting up new permissions and roles. This is where the DevOps use case connects to IT. Even in open-source environments, you will often need to use more than just one basic IAM function.

Can Cloud-Native IAM Controls Work in Multicloud Environments?

If you are working in multicloud environments, then the answer is no. Every provider has its own unique set of IAM functions. IAM controls are specific to each cloud service provider. They don’t talk to or operate with one another or in other cloud platforms. So, with the native controls, you have different components that provide piecemeal IAM functions.

The specific entitlements from cloud environments often do not align with the enterprise roles. They may be similar, but the details are very different. In the end, you need to define specific roles at an enterprise level that contain entitlements for cloud environments.

In the next article, I will share a few strategies for how to broaden these cloud-native IAM controls. Until then, learn how to design an IAM program optimized for your business.

More from Cloud Security

How Posture Management Prevents Catastrophic Cloud Breaches

We've all heard about catastrophic cloud breaches. But for every cyberattack reported in the news, many more may never reach the public eye. Perhaps worst of all, a large number of the offending vulnerabilities might have been avoided entirely through proper cloud configuration. Many big cloud security catastrophes often result from what appear to be tiny lapses. For example, the famous 2019 Capital One breach was traced to a misconfigured application firewall. Could a proper configuration have prevented that breach?…

How to Implement Cloud Identity and Access Governance

Creating identity and access governance across cloud environments is crucial for modern organizations. In our previous post, we discussed how important human and non-human identities are for these environments and why their management and the governance of their access can be difficult. In the face of these challenges, our cloud identity and access governance (CIAG) approach offers an orchestration layer between cloud identity and access management (IAM) and enterprise IAM, as the following graphic shows. As we continue our CIAG…

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Why Are Cloud Misconfigurations Still a Major Issue?

Cloud misconfigurations are by far the biggest threat to cloud security, according to the National Security Agency (NSA). The 2022 IBM Security X-Force Cloud Threat Landscape Report found that cloud vulnerabilities have grown a whopping 28% since last year, with a 200% increase in cloud accounts offered on the dark web in the same timeframe. With vulnerabilities on the rise, the catastrophic impact of cloud breaches has made it clear that proper cloud security is of the utmost importance. And…