December 13, 2022 By Angelika Steinacker 4 min read

Creating identity and access governance across cloud environments is crucial for modern organizations. In our previous post, we discussed how important human and non-human identities are for these environments and why their management and the governance of their access can be difficult.

In the face of these challenges, our cloud identity and access governance (CIAG) approach offers an orchestration layer between cloud identity and access management (IAM) and enterprise IAM, as the following graphic shows.

As we continue our CIAG series, let’s take a deeper dive into how it can impact your organization’s cloud environments.

CIAG and IAM are crucial for cloud security

CIAG deals with processes, policies and supporting infrastructure to manage identities in cloud environments, provide governance for identities and access rights and facilitate integration into an enterprise IAM framework.

When discussing CIAG, our clients often ask why we do not see cloud IAM as part of enterprise IAM. Our answer is that it should be, but in most cases, it is not. CIAG endeavors to close this gap.

How can this be done? The critical capabilities described below can be used to create a roadmap of initiatives and activities for maturing CIAG in an organization.

These critical capabilities are not new, but they take on a new character in cloud environments.

CIAG’s fundamental capabilities

Coordination with stakeholders

Coordination and cooperation with stakeholders are critical success factors for controlling cloud environments. It is not enough for security, IAM and cloud experts to work together. They must also coordinate with human resources, compliance and resource management. Cooperation with DevOps engineers, developers and administrators is also essential.

Our clients have had good experiences starting with a workshop that sets the expectations and objectives for all stakeholders. Such a workshop lays the foundation for ongoing collaboration, for example through standing working groups on cloud IAM.

Identification of sensitive data

While cooperation is essential for cloud security, you can only protect what you know about. That makes identifying sensitive data crucial when creating a secure environment. Beyond defining what counts as sensitive data, you must understand and document where it resides in your cloud environments, because that is where access to it has to be governed.

Integration and automation

Integration and automation refer to various characteristics of IAM features for cloud environments. The procedural and technical integration of cloud and enterprise IAM is foundational, but not enough on its own. Integration with other security features, such as a security information and event management (SIEM) system, must be established as well.

Automation of IAM functions is essential for a “cloud-able” organization. This requires standardized processes, reduction of manual intervention and use of pre-approved access rights. A control plane will be helpful in managing IAM functions through a central portal with centralized provisioning and de-provisioning of access rights to users.

Now, let’s investigate the next layer of critical capabilities for CIAG.

The second tier of CIAG capabilities

Privileged access management

Most accounts and access rights in cloud environments are privileged, not only those of administrators but also those of developers and DevOps engineers, virtual machines (VMs), containers and application programming interfaces (APIs). These accounts have access to system-level configuration and can alter software program files, configurations and system properties such as routing tables and access rights. They can directly access data owned by other identities, such as database tables or file systems, circumventing business processes.

Therefore, privileged access management (PAM) is essential to control these risks. It must also work at the speed of the cloud: enforcing the least privilege principle both when access rights are assigned and when they are used, with privilege elevation and just-in-time access in place of standing privileges. The same holds true for other PAM functions, such as credential protection and session recording.

Visibility, monitoring, analysis and remediation

Are you aware of what is happening in your cloud environments? Do you know who and what has access to which resources across them, and how that access is actually used? Most organizations cannot fully answer these questions, so visibility is the first step. The next step is to analyze the entitlement inventory together with logged and monitored usage data and to identify possible issues (e.g., outliers and overprivileged accounts). Finally, you need to create and implement remediation processes to clean up what you find.

Specialized tools have emerged, such as cloud infrastructure entitlement management (CIEM), to support these functions across cloud environments. Other IAM, PAM and cloud solutions may provide similar functions with specific modules. Still, to keep the cloud entitlements clean and your efforts sustainable, you need a solid maturity level for these other capabilities.
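As an added example (not code from the original post), here is the core of the analysis step described above in Python: a grant inventory is compared against logged usage inside a review window to find unused rights, wildcard grants, dormant identities, and identities or actions that show up in the logs but not in the inventory, and the findings are turned into a remediation list. The grant table, the log records and the "service:Action" notation are constructed for illustration and do not follow any particular cloud provider's format; a real feed from a CIEM tool or the platform's audit log would be mapped into this shape first.

```python
import json
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Constructed grant inventory: identity -> set of "service:Action" rights, where
# "*" marks a wildcard grant. The notation is simplified and vendor-neutral.
GRANTS = {
    "alice@corp.example": {"storage:Get", "storage:Put", "storage:Delete", "compute:Start"},
    "ci-runner": {"storage:Get", "compute:*", "iam:CreateKey"},
    "svc-report": {"storage:Get"},
}

# Constructed access-log records, one JSON object per line. This is not the
# audit-log format of any real cloud provider.
ACCESS_LOG = """
{"ts": "2022-12-01T08:00:00Z", "identity": "alice@corp.example", "action": "storage:Get"}
{"ts": "2022-12-01T08:05:00Z", "identity": "alice@corp.example", "action": "storage:Put"}
{"ts": "2022-12-02T09:00:00Z", "identity": "alice@corp.example", "action": "compute:Start"}
{"ts": "2022-12-02T09:01:00Z", "identity": "alice@corp.example", "action": "storage:List"}
{"ts": "2022-12-03T01:00:00Z", "identity": "ci-runner", "action": "storage:Get"}
{"ts": "2022-12-03T01:00:05Z", "identity": "ci-runner", "action": "compute:Start"}
{"ts": "2022-12-03T01:30:00Z", "identity": "ci-runner", "action": "compute:Stop"}
{"ts": "2022-10-01T12:00:00Z", "identity": "ci-runner", "action": "iam:CreateKey"}
{"ts": "2022-12-04T10:00:00Z", "identity": "bob@corp.example", "action": "storage:Get"}
"""

# Only usage inside the review window counts; older use does not justify a right.
SINCE = datetime(2022, 11, 1, tzinfo=timezone.utc)


def parse_log(text):
    """Parse newline-delimited JSON records; timestamps become aware datetimes."""
    records = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def observed_actions(records, since):
    """identity -> set of actions seen at or after `since`."""
    used = {}
    for rec in records:
        if rec["ts"] >= since:
            used.setdefault(rec["identity"], set()).add(rec["action"])
    return used


def covered(grant, action):
    """Does a grant (possibly wildcarded, e.g. "compute:*") cover a concrete action?"""
    return fnmatchcase(action, grant)


def analyze(grants, records, since, unused_ratio=0.5):
    """Compare the inventory with usage; returns (per-identity findings, ungoverned identities)."""
    used = observed_actions(records, since)
    findings = {}
    for identity, granted in grants.items():
        seen = used.get(identity, set())
        unused = {g for g in granted if not any(covered(g, a) for a in seen)}
        uncovered = {a for a in seen if not any(covered(g, a) for g in granted)}
        findings[identity] = {
            "unused": unused,                      # rights never exercised in the window
            "uncovered": uncovered,                # actions used that the inventory does not explain
            "wildcards": {g for g in granted if "*" in g},
            "dormant": not seen,                   # identity produced no activity at all
            "overprivileged": bool(granted) and len(unused) / len(granted) >= unused_ratio,
        }
    ungoverned = sorted(set(used) - set(grants))   # active in logs, absent from inventory
    return findings, ungoverned


def remediation_plan(findings):
    """Turn findings into concrete cleanup actions, one list per identity."""
    plan = {}
    for identity, f in findings.items():
        actions = []
        if f["dormant"]:
            actions.append("disable identity pending owner recertification")
        actions += [f"revoke {g}" for g in sorted(f["unused"])]
        actions += [f"replace wildcard {g} with the actions actually used" for g in sorted(f["wildcards"])]
        actions += [f"investigate {a}: used but not in the grant inventory" for a in sorted(f["uncovered"])]
        plan[identity] = actions
    return plan


def run_example():
    """Run the analysis over the constructed data above."""
    findings, ungoverned = analyze(GRANTS, parse_log(ACCESS_LOG), SINCE)
    return findings, ungoverned, remediation_plan(findings)


if __name__ == "__main__":
    findings, ungoverned, plan = run_example()
    for identity, actions in plan.items():
        print(identity, "->", actions or ["no change"])
    print("seen in logs but not in the grant inventory:", ungoverned)
```

Two details matter in practice: the review window (`SINCE`) is what makes a stale right such as `iam:CreateKey` show up as unused even though it was used once months ago, and the `uncovered` and `ungoverned` results are the drift signal between the governance inventory and what the platform actually enforces, which is exactly the gap CIAG sets out to close.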

Three crucial components of CIAG

Authentication

Authentication is the first of these components. Single sign-on should be implemented for all users. For users with privileged access to business-critical data, stronger, context-aware (e.g., multi-factor) authentication must be enforced. Implementing modern identity standards, such as OpenID Connect and OAuth 2.0 for authentication and authorization and SCIM 2.0 for provisioning, will increase maturity as well.

Authorization

Authorization is the second component. An access control model that combines policy-based, role-based and attribute-based access control makes it easier to work with pre-approved access rights, which is one element of mature authorization. In addition, an owner must be assigned to each access right, and processes and technical support for lifecycle management of access privileges (creating, updating and decommissioning access rights in cloud platforms, automation and DevOps tools) need to be provided.

Access governance

Access governance also needs to be performed across platforms. This includes recertification of access rights assigned to users, enforcement of business rules (e.g., segregation of duties) and remediation processes (e.g., removal of access rights).
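As an added example (not from the original post), the following Python sketches how the authorization and access-governance pieces above fit together in one decision path: role-based grants supply the pre-approved rights, an attribute-based rule compares an identity's clearance with a resource's classification, a policy rule requires an active just-in-time elevation (the PAM pattern from the earlier section) for any write to production, every role has a named owner, and a segregation-of-duties rule is enforced at the moment a role is assigned. Roles, owners, attributes, clearance levels and the conflict rule are all constructed for illustration; a real deployment would map them onto the platform's native IAM policies and the enterprise IAM role catalog.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# RBAC layer: pre-approved bundles of "service:Action" rights (constructed),
# each with a named owner who is accountable for recertifying it.
ROLES = {
    "developer": {"storage:Get", "storage:Put", "compute:Start"},
    "storage-admin": {"storage:*"},
    "payments-submitter": {"payments:Submit"},
    "payments-approver": {"payments:Approve"},
}
ROLE_OWNERS = {
    "developer": "eng-lead@corp.example", "storage-admin": "platform-lead@corp.example",
    "payments-submitter": "finance-lead@corp.example", "payments-approver": "finance-lead@corp.example",
}
# Business rule: nobody may hold both sides of a payment (segregation of duties).
SOD_CONFLICTS = [frozenset({"payments-submitter", "payments-approver"})]
# ABAC inputs: clearance levels ordered against data classification.
CLEARANCE = {"public": 0, "internal": 1, "confidential": 2}
READ_ONLY = {"Get", "List", "Describe"}
NOW = datetime(2022, 12, 13, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo


@dataclass
class Identity:
    name: str
    roles: set                                      # standing role assignments
    attributes: dict                                # e.g. clearance, department
    elevations: list = field(default_factory=list)  # (role, expires_at) JIT grants


@dataclass
class Resource:
    name: str
    attributes: dict                                # e.g. env, classification


def effective_roles(identity, now):
    """Standing roles plus any just-in-time elevation that has not expired."""
    return set(identity.roles) | {r for r, exp in identity.elevations if now < exp}


def rbac_allows(roles, action):
    return any(fnmatchcase(action, right) for r in roles for right in ROLES.get(r, ()))


def abac_allows(identity, resource):
    """Clearance attribute must dominate the resource's classification attribute."""
    have = CLEARANCE[identity.attributes.get("clearance", "public")]
    need = CLEARANCE[resource.attributes.get("classification", "public")]
    return have >= need


def policy_allows(identity, resource, action, now):
    """Policy rule: writes to production need an active JIT elevation that grants
    the action; standing roles alone never authorize a production mutation."""
    if resource.attributes.get("env") != "prod" or action.split(":", 1)[1] in READ_ONLY:
        return True
    return rbac_allows({r for r, exp in identity.elevations if now < exp}, action)


def decide(identity, resource, action, now):
    """Combine the three layers; returns (allowed, reason) naming the first layer that denies."""
    if not rbac_allows(effective_roles(identity, now), action):
        return False, "rbac: no role grants " + action
    if not abac_allows(identity, resource):
        return False, "abac: clearance below resource classification"
    if not policy_allows(identity, resource, action, now):
        return False, "policy: production mutation requires an active JIT elevation"
    return True, "allow"


def sod_violations(roles):
    """Conflict sets fully contained in the given role set."""
    return [c for c in SOD_CONFLICTS if c <= roles]


def assign_role(identity, role, now):
    """Governance-time check: every right needs an owner, and no assignment may create an SoD conflict."""
    if role not in ROLE_OWNERS:
        raise ValueError(f"{role} has no owner; every access right needs one")
    if sod_violations(effective_roles(identity, now) | {role}):
        return False
    identity.roles.add(role)
    return True


def demo():
    """Walk through the scenarios; returns {label: outcome} for inspection."""
    alice = Identity("alice@corp.example", {"developer"}, {"clearance": "internal"})
    bob = Identity("bob@corp.example", {"payments-submitter"}, {"clearance": "internal"})
    dev_bucket = Resource("dev-bucket", {"env": "dev", "classification": "internal"})
    prod_bucket = Resource("prod-bucket", {"env": "prod", "classification": "internal"})
    hr_bucket = Resource("hr-bucket", {"env": "dev", "classification": "confidential"})
    out = {
        "dev write, standing role": decide(alice, dev_bucket, "storage:Put", NOW),
        "prod read, standing role": decide(alice, prod_bucket, "storage:Get", NOW),
        "prod write, no elevation": decide(alice, prod_bucket, "storage:Put", NOW),
        "confidential read, internal clearance": decide(alice, hr_bucket, "storage:Get", NOW),
        "action no role grants": decide(alice, dev_bucket, "payments:Approve", NOW),
    }
    # One-hour JIT elevation to storage-admin: allowed now, denied again after expiry.
    alice.elevations.append(("storage-admin", NOW + timedelta(hours=1)))
    out["prod write, active elevation"] = decide(alice, prod_bucket, "storage:Put", NOW)
    out["prod write, expired elevation"] = decide(alice, prod_bucket, "storage:Put", NOW + timedelta(hours=2))
    # SoD: a submitter may not also become an approver, but may become a developer.
    out["sod: submitter + approver"] = assign_role(bob, "payments-approver", NOW)
    out["sod: submitter + developer"] = assign_role(bob, "developer", NOW)
    return out


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:40} {outcome}")
```

The order of the layers is deliberate: the cheap role check runs first, the attribute check narrows it by data sensitivity, and the policy check is where time-bound elevation is enforced, so a standing developer role can read production but never write to it without an elevation that will expire on its own. The SoD check sits on the assignment path rather than the request path, because that is where recertification and remediation operate.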

Lifecycle management: The pinnacle of the CIAG pyramid

Lastly, identity lifecycle management is a critical capability. This includes the management of joiners, movers and leavers in and across cloud environments for human identities (employees, externals, customers and business partners) and non-human identities (devices, VMs, containers, automation tools and APIs).

Your roadmap to CIAG should include all these critical capabilities at the maturity level you want, based on your environments and risk appetite.
