June 7, 2022 By Angelika Steinacker 2 min read

In March 2021, we posted a three-part series about whether cloud-native identity and access management (IAM) controls are good enough for an enterprise. Many of the points we raised at that time are still valid. However, the industry has developed and learned a lot since then.

More companies and analysts now recognize cloud identity and access governance (CIAG) as key. The lack of CIAG is a potential threat to any organization with a cloud environment. This is a big step forward. After all, you can only fix problems you know about.

The challenges of a cloud environment

When you have a cloud environment (or multicloud environment), one of the biggest challenges is to understand what’s really happening with users and access rights. Why? Freely granting undefined access to anyone who needs to manage a cloud device creates uncertainty within and among environments. Therefore, it’s difficult to manage access privilege controls.

If threat actors obtain access rights, they can breach the system. Many of the access conditions in cloud environments hold privileges in such a way that they can create a back door into the business. For example, an administrator might have access to business data. The misuse of these privileged access rights can cause severe damage to your data, people and reputation.

A good example of the impact of unmonitored access is the Lapsus$ group. They used human and non-human identities to get access to cloud accounts and stage further attacks. Once they had the identities, they could then set up virtual machines for nefarious purposes and make other unwanted inroads.

What is CIAG?

The first goal of CIAG is to gain reliable insight into the access rights assigned to users (human or non-human) in your cloud environments. It also shows how these access rights are being used or not used. That’s where various tools come into play to support recognition and remediation. Cloud infrastructure and entitlement management is a combination of processes and solutions that deal with this new breed of IAM.

Tools are an important part of the solution, but you still need to integrate the results and findings into your corporate IAM framework. This integration cannot be a one-time clean-up or creation of some new roles. Instead, it needs to set up an IAM framework that provides the means to maintain these results.

Setting this up is not just about technical implementation, either. CIAG takes people, processes and policies to implement a working IAM framework. People often make light of the hard work needed to coordinate with business stakeholders, as well as developers, admins and DevOps engineers. You can make this easier through strategy boards and joint working groups or communication campaigns. We will discuss these aspects of CIAG further in part two of this blog.

In addition, a different ‘clock rate’ is required for the cloud than for traditional IAM processes. Therefore, automate as much as possible. For example, you might automate approval processes by using pre-defined and pre-approved roles and rules specific to cloud-based use cases.

Learn more about CIAG

As an orchestration layer, CIAG manages identities in cloud environments and provides governance for identities and access rights. It also enables integration into an enterprise IAM framework.

Explore more about CIAG and related topics in the webinar The Cloud Security Maturity Model: Setting Priorities in your Cloud Security Roadmap and in part two of this blog.

More from Cloud Security

AI-driven compliance: The key to cloud security

3 min read - The growth of cloud computing continues unabated, but it has also created security challenges. The acceleration of cloud adoption has created greater complexity, with limited cloud technical expertise available in the market, an explosion in connected and Internet of Things (IoT) devices and a growing need for multi-cloud environments. When organizations migrate to the cloud, there is a likelihood of data security problems given that many applications are not secure by design. When these applications migrate to cloud-native systems, mistakes in configuration…

New cybersecurity sheets from CISA and NSA: An overview

4 min read - The Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) have recently released new CSI (Cybersecurity Information) sheets aimed at providing information and guidelines to organizations on how to effectively secure their cloud environments.This new release includes a total of five CSI sheets, covering various aspects of cloud security such as threat mitigation, identity and access management, network security and more. Here's our overview of the new CSI sheets, what they address and the key takeaways from each.Implementing…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today