Creating identity and access governance across cloud environments is crucial for modern organizations. In our previous post, we discussed how important human and non-human identities are for these environments and why their management and the governance of their access can be difficult.

In the face of these challenges, our cloud identity and access governance (CIAG) approach offers an orchestration layer between cloud identity and access management (IAM) and enterprise IAM, as the following graphic shows.

As we continue our CIAG series, let’s take a deeper dive into how it can impact your organization’s cloud environments.

CIAG and IAM Are Crucial For Cloud Security

CIAG deals with processes, policies and supporting infrastructure to manage identities in cloud environments, provide governance for identities and access rights and facilitate integration into an enterprise IAM framework.

When discussing CIAG, our clients often ask why we do not see cloud IAM as part of enterprise IAM. Our answer is that it should be, but in most cases, it is not. CIAG endeavors to close this gap.

How can this be done? The critical capabilities described below can be used to create a roadmap of initiatives and activities for maturing CIAG in an organization.

These critical capabilities are not new, but they take on a new character in cloud environments.

CIAG’s Fundamental Capabilities

Coordination with Stakeholders

Coordination and cooperation with stakeholders are critical success factors for controlling cloud environments. It is not enough for security, IAM and cloud experts to work together. They must also coordinate with human resources, compliance and resource management. Cooperation with DevOps engineers, developers and administrators is also essential.

Our clients have had good experiences starting with a workshop to set the expectations and objectives for stakeholders. Such a workshop lays the foundation for fruitful collaboration, such as using working groups on cloud IAM.

Identification of Sensitive Data

While cooperation is essential for cloud security, you can still only protect what you know. That makes identifying sensitive data crucial when creating a secure environment. In addition to defining sensitive data, you must understand and document where it resides in cloud environments.

Integration and Automation

Integration and automation refer to various characteristics of IAM features for cloud environments. The procedural and technical integration of cloud and enterprise IAM is foundational, but not enough on its own. Integration with other security features, such as a security information and event management (SIEM) system, must be established as well.

Automation of IAM functions is essential for a “cloud-able” organization. This requires standardized processes, reduction of manual intervention and use of pre-approved access rights. A control plane will be helpful in managing IAM functions through a central portal with centralized provisioning and de-provisioning of access rights to users.

Now, let’s investigate the next layer of critical capabilities for CIAG.

The Second Tier of CIAG Capabilities

Privileged Access Management

Most accounts and accesses in cloud environments are privileged. This applies not only to administrators but also to developers and DevOps engineers, and to non-human identities such as virtual machines (VMs), containers and application programming interfaces (APIs). These accounts can reach system-level configuration and alter program files, configuration and system properties such as routing tables and access rights. They can also read data owned by other identities directly, for example database tables or file systems, circumventing the business processes that normally mediate that access.

Privileged access management (PAM) is therefore essential to contain this exposure. It must also operate at the speed of the cloud: enforce least privilege when access rights are assigned and used, and replace standing privileges with privilege elevation and just-in-time access granted for a bounded task. The same holds true for other PAM functions, such as credential protection and session recording.

Visibility, Monitoring, Analysis and Remediation

Are you aware of what’s happening in your cloud environments? Do you know who and what has access to which resources across your cloud environments? What about how they actually use them? Most organizations cannot fully answer these questions, so visibility is the first step. The next step is to correlate that inventory with logged and monitored data to identify possible issues, such as outliers and overprivileged accounts. Finally, you need to create and implement remediation processes to clean up what you find.
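The granted-versus-used comparison described above, as an added example that is not part of the original post: it joins a constructed entitlement export with constructed activity log lines, flags identities whose grants are largely unused or include unused high-risk actions, marks identities with no recent activity as stale, records denied attempts as outliers, and emits a remediation list. The log format, action names and thresholds are assumptions for the example; a real run would read the cloud provider's IAM export and audit log.

```python
"""CIEM-style entitlement analysis: compare what each identity is granted
with what it actually used, and derive a remediation list.

Added example, not code from the original post. The entitlement export,
the log format and the thresholds are constructed for illustration; map
them onto your cloud provider's IAM export and audit log before use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed entitlement export: identity -> actions its policies grant.
GRANTS = {
    "user:alice": {"s3:GetObject", "s3:PutObject", "s3:DeleteBucket", "iam:PassRole"},
    "role:ci-deployer": {"ecs:UpdateService", "ecr:PutImage",
                         "iam:CreateUser", "iam:AttachRolePolicy"},
    "sa:report-batch": {"s3:GetObject"},
}

# Constructed activity log, one "<timestamp> <identity> <action> <result>" per line.
ACTIVITY_LOG = """\
2024-05-01T08:02:11Z user:alice s3:GetObject Success
2024-05-01T08:02:15Z user:alice s3:GetObject Success
2024-05-03T17:40:02Z user:alice s3:PutObject Success
2024-05-02T01:00:00Z role:ci-deployer ecs:UpdateService Success
2024-05-02T01:00:01Z role:ci-deployer ecr:PutImage Success
2024-05-07T03:12:45Z role:ci-deployer iam:CreateUser AccessDenied
2024-04-01T00:00:00Z sa:report-batch s3:GetObject Success
"""

# Assumed thresholds: tune them to the identity's expected cadence; a batch
# job that legitimately runs quarterly needs a longer staleness window.
HIGH_RISK = {"iam:CreateUser", "iam:AttachRolePolicy", "iam:PassRole", "s3:DeleteBucket"}
UNUSED_RATIO = 0.5          # flag when half or more of the grant is unused
STALE_AFTER = timedelta(days=30)


def parse_log(text):
    """Return (timestamp, identity, action, result) tuples from the log text."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ident, action, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ident, action, result))
    return events


def analyze(grants, events, now):
    """Per identity: unused grants, over-privilege and staleness flags, denied attempts."""
    used = defaultdict(set)      # identity -> actions successfully exercised
    denied = defaultdict(set)    # identity -> actions the platform refused
    last_seen = {}
    for ts, ident, action, result in events:
        last_seen[ident] = max(ts, last_seen.get(ident, ts))
        (used if result == "Success" else denied)[ident].add(action)

    findings = {}
    for ident, granted in grants.items():
        unused = granted - used[ident]
        seen = last_seen.get(ident)
        findings[ident] = {
            "unused": sorted(unused),
            # Unused high-risk permissions are a finding on their own, whatever the ratio.
            "overprivileged": len(unused) / len(granted) >= UNUSED_RATIO or bool(unused & HIGH_RISK),
            "stale": seen is None or now - seen > STALE_AFTER,
            # A denied call to a sensitive action is an outlier worth a look even
            # when a guardrail (e.g. an organization-level policy) stopped it.
            "denied_attempts": sorted(denied[ident]),
        }
    return findings


def remediation_plan(findings):
    """Turn findings into concrete actions: disable stale identities, revoke unused grants."""
    plan = []
    for ident, f in findings.items():
        if f["stale"]:
            plan.append(("disable", ident, None))   # disable first; revoke after owner review
            continue
        plan.extend(("revoke", ident, action) for action in f["unused"])
    return plan


def run_example(now="2024-05-10T00:00:00Z"):
    findings = analyze(GRANTS, parse_log(ACTIVITY_LOG),
                       datetime.strptime(now, "%Y-%m-%dT%H:%M:%SZ"))
    return findings, remediation_plan(findings)


if __name__ == "__main__":
    findings, plan = run_example()
    for ident, f in findings.items():
        print(ident, f)
    for step in plan:
        print(*step)
```

Note the two kinds of finding the ratio alone would miss: the CI role's denied `iam:CreateUser` call is an outlier even though a guardrail stopped it, and the batch service account is not overprivileged at all but has gone quiet, which is why the plan disables it rather than trimming it. Both belong in the remediation workflow, not just the report.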

Specialized tools have emerged, such as cloud infrastructure entitlement management (CIEM), to support these functions across cloud environments. Other IAM, PAM and cloud solutions may provide similar functions through specific modules. Still, to keep cloud entitlements clean and your efforts sustainable, the other CIAG capabilities described here need to reach a solid maturity level as well: a CIEM tool surfaces findings, but without owners, lifecycle processes and automation the same findings keep coming back.

Three Crucial Components of CIAG

Authentication

Authentication is another important step. Single sign-on should be implemented for all users. For users with privileged access to business-critical data, stronger authentication must be enforced, such as multi-factor or risk-based step-up authentication. Implementing modern identity and provisioning protocols, such as OpenID Connect, OAuth 2.0 and SCIM 2.0, will increase maturity as well.

Access

An access control model based on a combination of policy-based, role-based and attribute-based access control will make it easier to work with pre-approved access rights, which is one element of mature authorization. In addition, an owner must be assigned to each access right, and processes and technical support for lifecycle management of access privileges (creating, updating, decommissioning access rights in cloud platforms, automation and DevOps tools) need to be provided.
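One way to combine the three models described above in a single decision, as an added example that is not part of the original post: roles bundle pre-approved access rights, every right carries an owner (a right without one is treated as not approved and is never usable), and attribute-based policies on the subject, the resource and the request are evaluated on top. The rights, roles, policies, subjects and action names are constructed for the example and do not correspond to any particular cloud provider's permission model.

```python
"""Access decision combining role-based grants of pre-approved, owned
access rights with attribute-based policies on subject, resource and request.

Added example, not code from the original post. The rights, roles, policies
and sample subjects are constructed; the action names only resemble a cloud
provider's and carry no specific meaning here.
"""
from dataclasses import dataclass
from typing import Callable

WRITE_ACTIONS = {"storage.objects.create", "storage.objects.delete"}

# Pre-approved access rights. Each must have an owner accountable for it;
# an unowned right is treated as not approved and is never usable.
ACCESS_RIGHTS = {
    "storage.reader": {"owner": "data-platform-team",
                       "actions": {"storage.objects.get", "storage.objects.list"}},
    "storage.writer": {"owner": "data-platform-team", "actions": WRITE_ACTIONS},
    "kms.admin": {"owner": None, "actions": {"kms.keys.update"}},   # orphaned right
}

# Role-based layer: role -> bundle of access rights; identity -> roles.
ROLES = {"analyst": {"storage.reader"}, "pipeline": {"storage.reader", "storage.writer"},
         "key-admin": {"kms.admin"}}
ASSIGNMENTS = {"alice": {"analyst"}, "sa:etl": {"pipeline"}, "bob": {"key-admin"}}


@dataclass(frozen=True)
class Policy:
    """Attribute-based rule: when `applies` is true, `permits` must also be true."""
    name: str
    applies: Callable[[dict, str, dict, dict], bool]
    permits: Callable[[dict, str, dict, dict], bool]


POLICIES = [
    Policy("pii-write-needs-high-clearance",
           lambda s, a, r, c: a in WRITE_ACTIONS and "pii" in r["tags"],
           lambda s, a, r, c: s["clearance"] == "high"),
    Policy("prod-write-needs-change-ticket",
           lambda s, a, r, c: a in WRITE_ACTIONS and r["env"] == "prod",
           lambda s, a, r, c: bool(c.get("change_ticket"))),
    Policy("humans-only-from-corporate-network",
           lambda s, a, r, c: s["type"] == "human",
           lambda s, a, r, c: c.get("network") == "corp"),
]


def unowned_rights():
    """Governance check: rights with no accountable owner (to be assigned or retired)."""
    return sorted(n for n, r in ACCESS_RIGHTS.items() if r["owner"] is None)


def rights_for(subject_id):
    rights = set()
    for role in ASSIGNMENTS.get(subject_id, ()):
        rights |= ROLES.get(role, set())
    return {r for r in rights if ACCESS_RIGHTS[r]["owner"] is not None}


def decide(subject, action, resource, context):
    """Return (allowed, reasons). The role layer must grant the action AND every
    applicable attribute policy must permit it; anything else is a deny."""
    covering = sorted(r for r in rights_for(subject["id"])
                      if action in ACCESS_RIGHTS[r]["actions"])
    if not covering:
        return False, [f"no owned, pre-approved right grants {action}"]
    failed = [p.name for p in POLICIES
              if p.applies(subject, action, resource, context)
              and not p.permits(subject, action, resource, context)]
    if failed:
        return False, [f"policy denied: {n}" for n in failed]
    return True, [f"granted via {', '.join(covering)}"]


# Constructed subjects, resources and request contexts for the demonstration.
ALICE = {"id": "alice", "type": "human", "clearance": "low"}
ETL = {"id": "sa:etl", "type": "workload", "clearance": "high"}
BOB = {"id": "bob", "type": "human", "clearance": "high"}
PII_BUCKET = {"name": "customer-pii", "env": "prod", "tags": {"pii"}}
SCRATCH = {"name": "scratch", "env": "dev", "tags": set()}
KEY = {"name": "kms-key-1", "env": "prod", "tags": set()}
FROM_CORP = {"network": "corp"}


def run_example():
    return {
        "alice reads pii from corp": decide(ALICE, "storage.objects.get", PII_BUCKET, FROM_CORP),
        "alice reads pii from internet": decide(ALICE, "storage.objects.get", PII_BUCKET, {"network": "internet"}),
        "alice writes scratch": decide(ALICE, "storage.objects.create", SCRATCH, FROM_CORP),
        "etl writes pii with ticket": decide(ETL, "storage.objects.create", PII_BUCKET, {"change_ticket": "CHG-1042"}),
        "etl writes pii without ticket": decide(ETL, "storage.objects.create", PII_BUCKET, {}),
        "bob rotates key via orphaned right": decide(BOB, "kms.keys.update", KEY, FROM_CORP),
    }


if __name__ == "__main__":
    for case, (allowed, reasons) in run_example().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {case}: {'; '.join(reasons)}")
    print("unowned rights:", unowned_rights())
```

The design choice worth noting is that the owner requirement is enforced in the decision path, not only in a report: `bob` holds a role that maps to `kms.admin`, but because that right has no owner it is dropped before evaluation, so the orphaned right cannot be exercised until someone takes responsibility for it. Whether to fail closed this way or merely flag unowned rights is a policy decision for the organization.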

Access Governance

Access governance also needs to be performed across platforms. This includes recertification of access rights assigned to users, enforcement of business rules (e.g., segregation of duties) and remediation processes (e.g., removal of access rights).

Lifecycle Management: The Pinnacle of the CIAG Pyramid

Lastly, identity lifecycle management is a critical capability. This includes the management of joiners, movers and leavers in and across cloud environments for human identities (employees, externals, customers and business partners) and non-human identities (devices, VMs, containers, automation tools and APIs).
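The joiner, mover and leaver events of this section and the access governance checks of the previous one (segregation of duties, recertification, remediation) operate on the same state, so one added example serves both; it is not code from the original post. Baseline roles per department, the SoD rule pairs, the 90-day recertification window and the rule of revoking the more recently granted role of a conflicting pair are constructed assumptions; in practice the remediation decision is routed to the access right's owner.

```python
"""Identity lifecycle (joiner, mover, leaver) for human and non-human
identities, with the governance checks that run over the result:
segregation-of-duties (SoD) enforcement, recertification and remediation.

Added example, not code from the original post. Baseline roles per
department, the SoD rules, the 90-day recertification window and the
"revoke the newer of two conflicting roles" remediation rule are
constructed assumptions; real programs route remediation to the owner.
"""
from datetime import date, timedelta

BASELINE = {   # birthright roles granted on join / move (constructed)
    "finance": {"payments.initiator", "expense.viewer"},
    "audit": {"payments.approver", "ledger.reader"},
    "engineering": {"deploy.prod", "source.reader"},
}
SOD_RULES = [("payments.initiator", "payments.approver"), ("deploy.prod", "deploy.approve")]
RECERT_AFTER = timedelta(days=90)


def joiner(d, ident, kind, dept, on):
    """Create the identity (human or workload) and grant its department baseline."""
    d[ident] = {"type": kind, "dept": dept, "status": "active", "roles": {}}
    for role in BASELINE[dept]:
        grant(d, ident, role, on)


def grant(d, ident, role, on):
    if d[ident]["status"] != "active":
        raise ValueError(f"{ident} is {d[ident]['status']}; cannot grant {role}")
    d[ident]["roles"][role] = on          # grant date drives recertification


def revoke(d, ident, role):
    d[ident]["roles"].pop(role, None)


def mover(d, ident, new_dept, on):
    """Drop the old baseline, grant the new one. Ad hoc grants survive and fall
    to recertification, which is why the mover case leaks privilege in practice."""
    rec = d[ident]
    for role in BASELINE[rec["dept"]]:
        revoke(d, ident, role)
    rec["dept"] = new_dept
    for role in BASELINE[new_dept]:
        grant(d, ident, role, on)


def leaver(d, ident):
    """Applies equally to a departing employee and a decommissioned workload."""
    d[ident]["roles"].clear()
    d[ident]["status"] = "disabled"


def sod_violations(d):
    return [(ident, a, b) for ident, rec in d.items()
            for a, b in SOD_RULES if a in rec["roles"] and b in rec["roles"]]


def recert_due(d, today):
    return [(ident, role) for ident, rec in d.items()
            for role, on in rec["roles"].items() if today - on >= RECERT_AFTER]


def remediate_sod(d):
    """Assumed rule: revoke the more recently granted role of each conflicting pair."""
    removed = []
    for ident, a, b in sod_violations(d):
        roles = d[ident]["roles"]
        if a not in roles or b not in roles:   # already resolved by an earlier revoke
            continue
        newest = max((a, b), key=lambda r: roles[r])
        revoke(d, ident, newest)
        removed.append((ident, newest))
    return removed


def run_scenario(today=date(2024, 5, 15)):
    d = {}
    joiner(d, "carol", "human", "finance", date(2024, 1, 10))
    joiner(d, "sa:build-runner", "workload", "engineering", date(2024, 2, 1))
    grant(d, "carol", "payments.approver", date(2024, 3, 1))   # ad hoc request: SoD conflict
    leaver(d, "sa:build-runner")                                # runner decommissioned
    violations = sod_violations(d)
    due = recert_due(d, today)
    removed = remediate_sod(d)
    mover(d, "carol", "audit", date(2024, 5, 20))               # later department change
    return d, violations, due, removed


if __name__ == "__main__":
    d, violations, due, removed = run_scenario()
    print("SoD violations:", violations)
    print("recertification due:", due)
    print("remediated:", removed)
    print("final state:", d)
```

Two points the scenario makes concrete: the decommissioned build runner is handled by the same leaver path as a person, so non-human identities do not need a separate process, and the SoD violation is caught by the periodic check rather than at grant time, which is the gap that recertification and automated remediation exist to close.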

Your roadmap to CIAG should include all these critical capabilities at the maturity level you want, based on your environments and risk appetite.
