Cloud Security
December 13, 2022 By Angelika Steinacker 4 min read

Creating identity and access governance across cloud environments is crucial for modern organizations. In our previous post, we discussed how important human and non-human identities are for these environments and why their management and the governance of their access can be difficult.

In the face of these challenges, our cloud identity and access governance (CIAG) approach offers an orchestration layer between cloud identity and access management (IAM) and enterprise IAM, as the following graphic shows.

As we continue our CIAG series, let’s take a deeper dive into how it can impact your organization’s cloud environments.

CIAG and IAM are crucial for cloud security

CIAG deals with processes, policies and supporting infrastructure to manage identities in cloud environments, provide governance for identities and access rights and facilitate integration into an enterprise IAM framework.

When discussing CIAG, our clients often ask why we do not see cloud IAM as part of enterprise IAM. Our answer is that it should be, but in most cases, it is not. CIAG endeavors to close this gap.

How can this be done? These critical capabilities for CIAG can be used to create a roadmap for initiatives and activities for mature CIAG in an organization.

These critical capabilities are not new, but they take on a new character in cloud environments.

CIAG’s fundamental capabilities

Coordination with stakeholders

Coordination and cooperation with stakeholders are critical success factors for controlling cloud environments. It is not enough for security, IAM and cloud experts to work together. They must also coordinate with human resources, compliance and resource management. Cooperation with DevOps engineers, developers and administrators is also essential.

Our clients have had good experiences starting with a workshop to set the expectations and objectives for stakeholders. Such a workshop lays the foundation for fruitful collaboration, such as using working groups on cloud IAM.

Identification of sensitive data

While cooperation is essential for cloud security, you can still only protect what you know. That makes identifying sensitive data crucial when creating a secure environment. In addition to defining sensitive data, you must understand and document where it resides in cloud environments.

Integration and automation

Integration and automation refer to various characteristics of IAM features for cloud environments. The procedural and technical integration of cloud and enterprise IAM is foundational, but not enough on its own. Integration with other security features, such as a security information and event management (SIEM) system, must be established as well.

Automation of IAM functions is essential for a “cloud-able” organization. This requires standardized processes, reduction of manual intervention and use of pre-approved access rights. A control plane will be helpful in managing IAM functions through a central portal with centralized provisioning and de-provisioning of access rights to users.

Now, let’s investigate the next layer of critical capabilities for CIAG.

The second tier of CIAG capabilities

Privileged access management

Most accounts and accesses in cloud environments are privileged, not only for administrators but also for developers and DevOps engineers, virtual machines (VMs), containers and application programming interfaces (APIs). These accounts have access to system-level configuration and can alter software program files, configurations and properties of systems like routing tables and access rights. They can directly access data owned by other identities like database tables or file systems, circumventing business processes.

Therefore, privileged access management (PAM) is essential for these vulnerabilities. It also must work at the same speed as the cloud, such as enforcing the least privilege principle while assigning and using access rights with privilege elevation and just-in-time access. The same holds true for other PAM functions, like credential protection and session recording.

Visibility, monitoring, analysis and remediation

Are you aware of what’s happening in your cloud environments? Do you know who and what has access to which resources across your cloud environments? What about how they actually use them? Most organizations cannot fully answer these questions. Therefore, visibility is the first step to answering these questions. The next step is to analyze all the information together with logged and monitored data and to identify possible issues (e.g., outliers and overprivileged accounts). You need to create and implement remediation processes to clean up.

Specialized tools have emerged, such as cloud infrastructure entitlement management (CIEM), to support these functions across cloud environments. Other IAM, PAM and cloud solutions may provide similar functions with specific modules. Still, to keep the cloud entitlements clean and your efforts sustainable, you need a solid maturity level for these other capabilities.

Three crucial components of CIAG

Authentication

Authentication is another important step. Single sign-on should be implemented for all users. For users with privileged access to business-critical data, smart authentication must be utilized. Implementing modern identity protocols, such as OpenID Connect, OAuth 2.0 and SCIM 2.0, will increase the maturity as well.

Access

An access control model based on a combination of policy-based, role-based and attribute-based access control will make it easier to work with pre-approved access rights, which is one element of mature authorization. In addition, an owner must be assigned to each access right, and processes and technical support for lifecycle management of access privileges (creating, updating, decommissioning access rights in cloud platforms, automation and DevOps tools) need to be provided.

Access governance

Access governance also needs to be performed across platforms. This includes recertification of access rights assigned to users, enforcement of business rules (e.g., segregation of duties) and remediation processes (e.g., removal of access rights).

Lifecycle management: The pinnacle of the CIAG pyramid

Lastly, identity lifecycle management is a critical capability. This includes the management of joiners, movers and leavers in and across cloud environments for human identities (employees, externals, customers and business partners) and non-human identities (devices, VMs, containers, automation tools and APIs).

Your roadmap to CIAG should include all these critical capabilities at the maturity level you want, based on your environments and risk appetite.

 |  |  |  |  |  | 
Angelika Steinacker
CTO for Identity & Access Management, IBM Security Europe

More from Cloud Security
November 1, 2023

What is data security posture management?

3 min read - Do you know where all your organization’s data resides across your hybrid cloud environment? Is it appropriately protected? How sure are you? 30%? 50%? It may not be enough. The Cost of a Data Breach Report 2023 revealed that 82% of breaches involved data in the cloud, and 39% of breached data was stored across multiple types of environments. If you have any doubt, your enterprise should consider acquiring a data security posture management (DSPM) solution. With the global average…

October 19, 2023

Endpoint security in the cloud: What you need to know

9 min read - Cloud security is a buzzword in the world of technology these days — but not without good reason. Endpoint security is now one of the major concerns for businesses across the world. With ever-increasing incidents of data thefts and security breaches, it has become essential for companies to use efficient endpoint security for all their endpoints to prevent any loss of data. Security breaches can lead to billions of dollars worth of loss, not to mention the negative press in…

October 3, 2023

The importance of Infrastructure as Code (IaC) when Securing cloud environments

4 min read - According to the 2023 Thales Data Threat Report, 55% of organizations experiencing a data breach have reported “human error” as the primary cause. This is further compounded by organizations now facing attacks from increasingly sophisticated cyber criminals with a wide range of automated tools. As organizations move more of their operations to the cloud, they must also become increasingly aware of the security risks and threats that come with it. It’s not enough anymore to simply have a set of…

September 14, 2023

How I got started: Cloud security engineer

3 min read - In today’s increasingly cloud-focused business environment, cloud security engineers are pivotal in protecting an organization’s critical data and infrastructure. As experts in cloud security, they leverage their expertise to ensure that the ever-expanding amount of cloud data is safe from emerging threats and vulnerabilities. Cloud security professionals combine their passion for technology with a deep understanding of security principles to design and implement robust cloud security strategies. What experience do these security experts have, and what led them to the…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2023 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature