Creating identity and access governance across cloud environments is crucial for modern organizations. In our previous post, we discussed how important human and non-human identities are for these environments and why their management and the governance of their access can be difficult.
In the face of these challenges, our cloud identity and access governance (CIAG) approach offers an orchestration layer between cloud identity and access management (IAM) and enterprise IAM, as the following graphic shows.
As we continue our CIAG series, let’s take a deeper dive into how it can impact your organization’s cloud environments.
CIAG and IAM are crucial for cloud security
CIAG deals with the processes, policies and supporting infrastructure needed to manage identities in cloud environments, to govern those identities and their access rights, and to integrate both into an enterprise IAM framework.
When discussing CIAG, our clients often ask why we do not see cloud IAM as part of enterprise IAM. Our answer is that it should be, but in most cases, it is not. CIAG endeavors to close this gap.
How can this be done? The critical capabilities for CIAG described below can be used to build a roadmap of initiatives and activities that brings an organization's CIAG to maturity.
These critical capabilities are not new, but they take on a new character in cloud environments.
CIAG’s fundamental capabilities
Coordination with stakeholders
Coordination and cooperation with stakeholders are critical success factors for controlling cloud environments. It is not enough for security, IAM and cloud experts to work together. They must also coordinate with human resources, compliance and resource management. Cooperation with DevOps engineers, developers and administrators is also essential.
Our clients have had good experiences starting with a workshop to set the expectations and objectives for stakeholders. Such a workshop lays the foundation for fruitful collaboration, such as using working groups on cloud IAM.
Identification of sensitive data
While cooperation is essential for cloud security, you can still only protect what you know about. That makes identifying sensitive data crucial when creating a secure environment. In addition to defining what counts as sensitive data, you must understand and document where it resides across your cloud environments, because that is where access controls and monitoring need to be concentrated.
Integration and automation
Integration and automation refer to various characteristics of IAM features for cloud environments. The procedural and technical integration of cloud and enterprise IAM is foundational, but not enough on its own. Integration with other security features, such as a security information and event management (SIEM) system, must be established as well.
Automation of IAM functions is essential for a “cloud-able” organization. This requires standardized processes, a reduction of manual intervention and the use of pre-approved access rights. A control plane that exposes IAM functions through a central portal, with centralized provisioning and de-provisioning of access rights for users, helps here.
Now, let’s investigate the next layer of critical capabilities for CIAG.
The second tier of CIAG capabilities
Privileged access management
Most accounts and access rights in cloud environments are privileged, and not only those of administrators: developers and DevOps engineers, virtual machines (VMs), containers and application programming interfaces (APIs) hold privileged access as well. These accounts can reach system-level configuration and alter software program files, configurations and properties of systems such as routing tables and access rights. They can directly access data owned by other identities, such as database tables or file systems, circumventing business processes.
Therefore, privileged access management (PAM) is essential to control these privileged identities and the risk they carry. It also must work at the speed of the cloud: enforcing the least privilege principle when access rights are assigned and used, with privilege elevation and just-in-time access in place of standing privileges. The same holds true for other PAM functions, such as credential protection and session recording.
Visibility, monitoring, analysis and remediation
Are you aware of what’s happening in your cloud environments? Do you know who and what has access to which resources across your cloud environments? What about how they actually use them? Most organizations cannot fully answer these questions, so visibility is the first step. The next step is to analyze the inventory of identities and entitlements together with logged and monitored activity and to identify possible issues (e.g., outliers and overprivileged accounts, or permissions that are granted but never used). You then need to create and implement remediation processes to clean up what the analysis finds.
Specialized tools have emerged, such as cloud infrastructure entitlement management (CIEM), to support these functions across cloud environments. Other IAM, PAM and cloud solutions may provide similar functions with specific modules. Still, to keep the cloud entitlements clean and your efforts sustainable, you need a solid maturity level for these other capabilities.
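The analysis step described above (compare granted entitlements with observed use, flag overprivileged identities and outliers, and propose remediation) is what a CIEM tool does at scale. The following is an added example written for this post, not IBM code or the output of any CIEM product: it runs the same logic over a constructed inventory and a constructed audit-log extract. All identity names, permission strings, peer groups and thresholds are assumptions made for the illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed inventory: effective permissions per identity, as a cloud IAM
# API or CIEM export would report them (hypothetical names and permissions).
GRANTED = {
    "alice@example.com": {"s3:GetObject", "s3:PutObject", "ec2:DescribeInstances"},
    "bob@example.com": {"s3:GetObject", "ec2:DescribeInstances"},
    "ci-runner-prod": {"s3:GetObject", "s3:PutObject", "iam:PassRole", "iam:CreateUser",
                       "ec2:RunInstances", "ec2:TerminateInstances", "kms:Decrypt"},
    "reporting-svc": {"s3:GetObject", "athena:StartQueryExecution"},
    "backup-svc": {"s3:GetObject", "s3:ListBucket"},
}

# Constructed peer groups (job role or workload type) used for outlier detection.
PEER_GROUP = {
    "alice@example.com": "developer",
    "bob@example.com": "developer",
    "ci-runner-prod": "pipeline",
    "reporting-svc": "pipeline",
    "backup-svc": "pipeline",
}

# Constructed audit-log extract, one event per line: "<timestamp> <identity> <action> <result>".
LOG_LINES = """\
2024-03-01T08:12:04Z alice@example.com s3:GetObject ALLOWED
2024-03-01T08:12:09Z alice@example.com ec2:DescribeInstances ALLOWED
2024-03-02T11:40:00Z bob@example.com s3:GetObject ALLOWED
2024-03-02T11:41:13Z bob@example.com s3:DeleteObject DENIED
2024-03-03T02:00:01Z ci-runner-prod s3:GetObject ALLOWED
2024-03-03T02:00:02Z ci-runner-prod s3:PutObject ALLOWED
2024-03-03T02:00:03Z ci-runner-prod ec2:RunInstances ALLOWED
2024-03-04T06:30:00Z reporting-svc athena:StartQueryExecution ALLOWED
2024-03-04T06:30:05Z reporting-svc s3:GetObject ALLOWED
2024-03-05T01:00:00Z backup-svc s3:ListBucket ALLOWED
2024-03-05T01:00:07Z backup-svc s3:GetObject ALLOWED
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, identity, action, result) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, identity, action, result = line.split()
            events.append((ts, identity, action, result))
    return events


def used_permissions(events):
    """Permissions each identity actually exercised (successful calls only)."""
    used = defaultdict(set)
    for _, identity, action, result in events:
        if result == "ALLOWED":
            used[identity].add(action)
    return used


def denied_attempts(events):
    """Actions an identity tried but was not entitled to: a signal worth investigating."""
    denied = defaultdict(set)
    for _, identity, action, result in events:
        if result == "DENIED":
            denied[identity].add(action)
    return dict(denied)


def unused_permissions(granted, used):
    """Granted-but-never-used permissions per identity (candidates for revocation)."""
    return {ident: perms - used.get(ident, set()) for ident, perms in granted.items()}


def overprivileged(granted, used, max_unused_share=0.5):
    """Identities for which at least max_unused_share of their grants went unused."""
    flagged = {}
    for ident, unused in unused_permissions(granted, used).items():
        total = len(granted[ident])
        if total and len(unused) / total >= max_unused_share:
            flagged[ident] = unused
    return flagged


def peer_outliers(granted, peer_group, factor=2.0):
    """Identities holding more than factor x the median entitlement count of their peer group."""
    counts = defaultdict(list)
    for ident, group in peer_group.items():
        counts[group].append(len(granted.get(ident, ())))
    return sorted(ident for ident, group in peer_group.items()
                  if median(counts[group]) and len(granted.get(ident, ())) > factor * median(counts[group]))


def remediation_plan(granted, used, peer_group, events):
    """Ordered list of (action, identity, detail) tuples to feed a remediation process."""
    plan = []
    for ident, unused in sorted(overprivileged(granted, used).items()):
        plan.extend(("revoke", ident, perm) for perm in sorted(unused))
    for ident in peer_outliers(granted, peer_group):
        plan.append(("review", ident, "entitlements exceed peer-group median"))
    for ident, actions in sorted(denied_attempts(events).items()):
        plan.extend(("investigate", ident, action) for action in sorted(actions))
    return plan


if __name__ == "__main__":
    evts = parse_log(LOG_LINES)
    for step in remediation_plan(GRANTED, used_permissions(evts), PEER_GROUP, evts):
        print(*step)
```

Two design points matter in practice. First, the log window must be long enough to cover infrequent but legitimate use (quarterly jobs, break-glass accounts), otherwise the "unused" set will include permissions that are needed; a 90-day window with an explicit allowlist for known periodic use is a common starting point. Second, the plan deliberately separates revocation (unused grants), review (outliers relative to peers) and investigation (denied attempts beyond the grant): the third category is the one the pipeline identity `ci-runner-prod` would not show, yet it is the signal that distinguishes an over-entitled account from one that is probing for more.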
Three crucial components of CIAG
Authentication
Authentication is another important step. Single sign-on should be implemented for all users. For users with privileged access to business-critical data, stronger authentication (multi-factor, ideally risk-based or adaptive) must be utilized. Implementing modern identity protocols, such as OpenID Connect and OAuth 2.0 for authentication and authorization and SCIM 2.0 for automated provisioning, will increase the maturity as well.
Access
An access control model that combines policy-based, role-based and attribute-based access control makes it easier to work with pre-approved access rights, which is one element of mature authorization. In addition, an owner must be assigned to each access right, and processes and technical support for the lifecycle management of access privileges (creating, updating and decommissioning access rights in cloud platforms, automation and DevOps tools) need to be provided.
Access governance
Access governance also needs to be performed across platforms, not per platform in isolation. This includes recertification of access rights assigned to users, enforcement of business rules (e.g., segregation of duties, including rules whose conflicting rights live on different platforms) and remediation processes (e.g., removal of access rights).
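The three governance functions named above (recertification, segregation-of-duties enforcement and remediation), together with the owner-per-access-right requirement from the Access section, can be expressed as a small cross-platform check. The following is an added example written for this post, not IBM code or any product's implementation: it runs over a constructed catalog of access rights on three platforms, a constructed set of assignments and two constructed SoD rules. The right names, owners, dates, the 90-day recertification interval and the policy of suspending the most recently granted right of a conflicting pair are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed catalog of access rights across platforms; each right should have an owner.
ACCESS_RIGHTS = {
    "aws:payments-initiator": {"owner": "finance-ops@example.com", "platform": "aws"},
    "aws:payments-approver": {"owner": "finance-ops@example.com", "platform": "aws"},
    "azure:ledger-admin": {"owner": "finance-ops@example.com", "platform": "azure"},
    "gcp:bq-analyst": {"owner": "data-platform@example.com", "platform": "gcp"},
    "aws:prod-deployer": {"owner": None, "platform": "aws"},  # ownerless: nobody can certify it
}

# Constructed SoD rules: sets of rights one identity must never hold at the same time.
# The second rule spans two platforms, which is why governance must run cross-platform.
SOD_RULES = [
    {"aws:payments-initiator", "aws:payments-approver"},
    {"aws:payments-initiator", "azure:ledger-admin"},
]

# Constructed assignments: (user, right, granted_on, last_certified_on); None = never certified.
ASSIGNMENTS = [
    ("dana@example.com", "aws:payments-initiator", date(2023, 11, 2), date(2024, 1, 15)),
    ("dana@example.com", "azure:ledger-admin", date(2024, 2, 20), date(2024, 2, 20)),
    ("erin@example.com", "aws:payments-approver", date(2023, 6, 1), date(2023, 6, 1)),
    ("erin@example.com", "gcp:bq-analyst", date(2024, 3, 1), date(2024, 3, 1)),
    ("frank@example.com", "aws:prod-deployer", date(2024, 1, 10), None),
]

AS_OF = date(2024, 4, 1)          # constructed evaluation date
RECERT_INTERVAL_DAYS = 90         # assumed recertification interval


def rights_by_user(assignments):
    """Map user -> {right: granted_on} across all platforms."""
    held = defaultdict(dict)
    for user, right, granted_on, _ in assignments:
        held[user][right] = granted_on
    return held


def sod_violations(assignments, rules):
    """Users holding every right of some SoD rule, regardless of which platform each right is on."""
    violations = []
    for user, held in sorted(rights_by_user(assignments).items()):
        for rule in rules:
            if rule.issubset(held):
                violations.append((user, frozenset(rule)))
    return violations


def recertification_due(assignments, as_of=AS_OF, max_age_days=RECERT_INTERVAL_DAYS):
    """Assignments never certified, or certified longer ago than the interval allows."""
    return [(user, right) for user, right, _, certified_on in assignments
            if certified_on is None or (as_of - certified_on).days > max_age_days]


def ownerless_rights(catalog):
    """Rights with no accountable owner; these cannot be certified until one is assigned."""
    return sorted(right for right, meta in catalog.items() if not meta["owner"])


def governance_actions(assignments, rules, catalog, as_of=AS_OF):
    """Remediation work items as (action, user, right, owner) tuples."""
    actions = []
    held = rights_by_user(assignments)
    for user, conflict in sod_violations(assignments, rules):
        # Assumed policy: suspend the most recently granted right of the pair pending the owner's decision.
        newest = max(conflict, key=lambda r: held[user][r])
        actions.append(("suspend", user, newest, catalog[newest]["owner"]))
    for user, right in recertification_due(assignments, as_of):
        owner = catalog[right]["owner"]
        # Without an owner there is nobody to certify, so the item is escalated instead.
        actions.append(("recertify" if owner else "escalate", user, right, owner))
    for right in ownerless_rights(catalog):
        actions.append(("assign-owner", None, right, None))
    return actions


if __name__ == "__main__":
    for item in governance_actions(ASSIGNMENTS, SOD_RULES, ACCESS_RIGHTS):
        print(*item)
```

The cross-platform rule is the point of the example: `dana@example.com` holds nothing that violates an AWS-only check, yet together with her Azure right she can both initiate and book a payment. A per-platform recertification campaign would also miss that the ownerless `aws:prod-deployer` right can never actually be certified, which is why the owner requirement belongs in the governance checks and not only in the access model.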
Lifecycle management: The pinnacle of the CIAG pyramid
Lastly, identity lifecycle management is a critical capability. This includes the management of joiners, movers and leavers in and across cloud environments, for human identities (employees, externals, customers and business partners) as well as non-human identities (devices, VMs, containers, automation tools and APIs), which need an accountable owner and an expiry of their own because no HR event will ever retire them.
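The joiner, mover and leaver handling described above, and the centralized provisioning and de-provisioning named under integration and automation, come down to reconciling an authoritative source (the HR feed for humans, an owner registry for non-human identities) against the accounts that actually exist in each platform. The following is an added example written for this post, not IBM code or any IGA product's logic. The HR records, birthright roles, platform names, account snapshot and non-human registry are all constructed for the illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed HR feed: the authoritative source for human identities.
HR_FEED = {
    "e100": {"email": "alice@example.com", "dept": "engineering", "status": "active"},
    "e101": {"email": "bob@example.com", "dept": "finance", "status": "active"},        # mover
    "e102": {"email": "carol@example.com", "dept": "engineering", "status": "terminated"},  # leaver
    "e103": {"email": "dave@example.com", "dept": "engineering", "status": "active"},   # joiner
}

# Constructed pre-approved (birthright) roles per department and platform.
BIRTHRIGHT = {
    "engineering": {"aws": "dev-readonly", "github": "member"},
    "finance": {"aws": "finance-reports"},
}

# Constructed registry of non-human identities: each has a human owner and an expiry date.
NON_HUMAN = {
    "ci-runner-prod": {"owner": "e102", "expires": date(2025, 1, 1)},
    "reporting-svc": {"owner": "e100", "expires": date(2024, 3, 1)},
}

# Constructed snapshot of accounts present in each platform: (platform, account, person_id, role).
CLOUD_ACCOUNTS = [
    ("aws", "alice@example.com", "e100", "dev-readonly"),
    ("github", "alice@example.com", "e100", "member"),
    ("aws", "bob@example.com", "e101", "dev-readonly"),   # stale engineering role after move
    ("github", "bob@example.com", "e101", "member"),
    ("aws", "carol@example.com", "e102", "dev-readonly"),  # still present after termination
    ("aws", "contractor-x", None, "admin"),                # no HR identity behind it
]

AS_OF = date(2024, 4, 1)  # constructed evaluation date


def index_accounts(accounts):
    """Split the snapshot into per-person holdings and orphan accounts with no person behind them."""
    by_person = defaultdict(dict)   # person_id -> {platform: (account, role)}
    orphans = []
    for platform, name, person_id, role in accounts:
        if person_id is None:
            orphans.append((platform, name))
        else:
            by_person[person_id][platform] = (name, role)
    return by_person, orphans


def reconcile_humans(hr, birthright, accounts):
    """Provisioning/de-provisioning actions that bring the platforms in line with HR."""
    by_person, orphans = index_accounts(accounts)
    actions = []
    for person_id, rec in sorted(hr.items()):
        held = by_person.get(person_id, {})
        if rec["status"] != "active":                      # leaver: remove everything
            actions.extend(("deprovision", p, name, "leaver") for p, (name, _) in sorted(held.items()))
            continue
        desired = birthright.get(rec["dept"], {})
        for platform, role in sorted(desired.items()):
            if platform not in held:                       # joiner, or mover gaining a platform
                actions.append(("provision", platform, rec["email"], role))
            elif held[platform][1] != role:                # mover carrying a stale role
                actions.append(("change-role", platform, rec["email"], role))
        for platform, (name, _) in sorted(held.items()):
            if platform not in desired:                    # mover who lost a platform
                actions.append(("deprovision", platform, name, "mover"))
    actions.extend(("deprovision", p, name, "orphan") for p, name in orphans)
    return actions


def reconcile_non_human(registry, hr, as_of=AS_OF):
    """Disable non-human identities whose owner is gone or whose expiry has passed."""
    actions = []
    for ident, meta in sorted(registry.items()):
        owner = hr.get(meta["owner"])
        if owner is None or owner["status"] != "active":
            actions.append(("disable", ident, "owner not active"))
        elif meta["expires"] <= as_of:
            actions.append(("disable", ident, "expired"))
    return actions


if __name__ == "__main__":
    for item in reconcile_humans(HR_FEED, BIRTHRIGHT, CLOUD_ACCOUNTS) + reconcile_non_human(NON_HUMAN, HR_FEED):
        print(*item)
```

Two details are deliberate. The orphan account `contractor-x` is de-provisioned because no authoritative record claims it; in a real rollout that would be a quarantine step with an exception process rather than an immediate deletion. And the non-human check ties a service identity's life to that of its human owner: `ci-runner-prod` is disabled not because of anything it did but because the person accountable for it has left, which is exactly the leaver event a cloud platform will never generate on its own.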
Your roadmap to CIAG should include all these critical capabilities at the maturity level you want, based on your environments and risk appetite.
CTO for Identity & Access Management, IBM Security Europe