In March 2021, we posted a three-part series about whether cloud-native identity and access management (IAM) controls are good enough for an enterprise. Many of the points we raised at that time are still valid. However, the industry has developed and learned a lot since then.
More companies and analysts now recognize cloud identity and access governance (CIAG) as key. The lack of CIAG is a potential threat to any organization with a cloud environment. This is a big step forward. After all, you can only fix problems you know about.
The challenges of a cloud environment
When you have a cloud environment (or multicloud environment), one of the biggest challenges is to understand what’s really happening with users and access rights. Why? Freely granting undefined access to anyone who needs to manage a cloud device creates uncertainty within and among environments. Therefore, it’s difficult to manage access privilege controls.
If threat actors obtain access rights, they can breach the system. Many of the access conditions in cloud environments hold privileges in such a way that they can create a back door into the business. For example, an administrator might have access to business data. The misuse of these privileged access rights can cause severe damage to your data, people and reputation.
A good example of the impact of unmonitored access is the Lapsus$ group. They used human and non-human identities to get access to cloud accounts and stage further attacks. Once they had the identities, they could then set up virtual machines for nefarious purposes and make other unwanted inroads.
What is CIAG?
The first goal of CIAG is to gain reliable insight into the access rights assigned to users (human or non-human) in your cloud environments. It also shows how these access rights are being used or not used. That’s where various tools come into play to support recognition and remediation. Cloud infrastructure and entitlement management is a combination of processes and solutions that deal with this new breed of IAM.
Tools are an important part of the solution, but you still need to integrate the results and findings into your corporate IAM framework. This integration cannot be a one-time clean-up or creation of some new roles. Instead, it needs to set up an IAM framework that provides the means to maintain these results.
Setting this up is not just about technical implementation, either. CIAG takes people, processes and policies to implement a working IAM framework. People often make light of the hard work needed to coordinate with business stakeholders, as well as developers, admins and DevOps engineers. You can make this easier through strategy boards and joint working groups or communication campaigns. We will discuss these aspects of CIAG further in part two of this blog.
In addition, a different ‘clock rate’ is required for the cloud than for traditional IAM processes. Therefore, automate as much as possible. For example, you might automate approval processes by using pre-defined and pre-approved roles and rules specific to cloud-based use cases.
Learn more about CIAG
As an orchestration layer, CIAG manages identities in cloud environments and provides governance for identities and access rights. It also enables integration into an enterprise IAM framework.
Explore more about CIAG and related topics in the webinar The Cloud Security Maturity Model: Setting Priorities in your Cloud Security Roadmap and in part two of this blog.
CTO for Identity & Access Management, IBM Security Europe