By: Hassan Zaheer, Director of Digital Solutions
While cloud providers such as AWS, Azure, and GCP strive to offer secure infrastructure and arm clients with resources to bolster security management, the responsibility ultimately falls on those same clients.
It’s time to put identity management at the forefront of your cloud security strategy.
Today, cloud identity management encompasses more than simple SSO solutions: the next generation of Identity and Access Management (IAM) has arrived and represents a holistic shift of the entire identity infrastructure to the cloud.
New IAM platforms include modern adaptations of traditional on-prem and legacy solutions such as Microsoft Active Directory (AD) and the Lightweight Directory Access Protocol (LDAP), along with add-ons that can include web application single sign-on, multi-factor authentication, privileged access management, and more.
These upgraded directory services are optimized to be used across any device, on any operating system, with any on-prem or web-based application, or any cloud or remote resource. These modern cloud IAM solutions are also multi-protocol, enabling virtually any IT resource to connect in their ‘native’ authentication language.
Here are some essential elements to consider as you move forward:
- Adopt the Principle of Least Privilege: The principle of least privilege essentially ensures that users are provided only the access and privileges necessary to execute their duties. In this way, DevOps and security teams can significantly reduce the blast radius during a data breach by restricting threats to the specific permissions linked to an account. This includes continuously monitoring your approved users against the baseline of least privilege and alerting when a deviation occurs.
- Centralize IAM: By ensuring that privileges are issued in accordance with the policies and controls within your organization’s governance framework, centralized IAM makes it easier to gain the visibility necessary for effective oversight and enforce policies governing identity and access. As a result, you can align privileges with your business requirements and fully leverage a cloud security platform.
- Due Diligence: It is vital for organizations to protect the powerful set of permissions linked to administrator credentials, and cloud users should consider additional security tools to help with this. Administrator credentials should belong strictly to administrator identities. Restricting administrator accounts to necessary functions and discouraging their daily use is a start, but the cloud lets security go much further: organizations should consistently inventory all identities and their associated entitlements, certifying those that are truly known admin accounts and remediating the ones that aren't.
- Separation of Duties: Separation of duties (SoD) divides a set of responsibilities and privileges among multiple users with the intention of preventing fraud and error. It has two aspects: the first is the prevention of conflicts of interest (real or apparent), wrongful acts, fraud, abuse, and errors; the second is the detection of control failures, including security breaches, information theft, and circumvention of security controls. It is designed to ensure that identities, human and otherwise, don't hold conflicting responsibilities and aren't in a position to expose the organization to risk. SoD can be difficult to achieve with limited staff, but controls should still be put in place in accordance with it.
- Categorize Identity Management: Without complete visibility into all identities, any individual identity may receive more access than needed, leaving your organization open to unnecessary risks. This is where a third-party cloud security platform comes in: Systematic identity management will help organizations optimize identity and access controls. DevOps can achieve this by sorting identities into groups and roles according to their functions and permissions and then creating policies that are applied to the grouping. Through this method of categorization, they can effectively manage similar identities without tediously sorting through every single one, which likely leads to misconfigurations. These IAM misconfigurations often introduce hidden risks in your cloud.
- Delegate Permissions by Roles: Rather than using an admin identity to complete everyday tasks, create separate roles for different tasks and assume them only when needed. Assuming a role issues a temporary session token, which expires and is therefore less risky than a long-term credential.
- MFA Activation: Multi-factor authentication (MFA) gives critical accounts added protection by making an account takeover considerably harder. As the name suggests, MFA requires more than remembering a password: an individual's identity is confirmed by combining something they have (a physical device) with something they know. Fundamental access controls can prevent intrusions by most bad actors: they verify that an identity is valid and then monitor its usage to ensure it stays within the mandated security parameters and permissions. As a general security best practice, activate MFA for all accounts.
- Protect Root User Account: The root account has control over everything in your environment and should therefore follow the best practices of password creation and management, including activated MFA. It is not possible to reduce the permissions that AWS root user access keys provide, so they must be protected just as you would any other sensitive information. Do not create access keys for the root user unless you absolutely need to; instead, sign in to the Management Console with the account email and password and create an IAM user for yourself with administrative privileges. If a root access key already exists, it's best to delete it. If you choose to keep the key, change it on a regular basis; a 90-day rotation period is recommended.
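The least-privilege item above calls for monitoring approved users against a baseline and alerting on deviation. The following is an added example, not code from the original post: `BASELINE` and `GRANTED` are constructed data, and the matching follows IAM's case-insensitive action wildcards (`*` and `?`), so a wildcard grant that is not itself in the baseline is reported as broader than approved.

```python
from fnmatch import fnmatchcase

# Constructed baseline: the approved least-privilege action set per group.
# Entries may themselves be IAM-style patterns ('*' and '?' wildcards).
BASELINE = {
    "developers": {"s3:GetObject", "s3:PutObject", "logs:Describe*"},
    "auditors": {"iam:GetCredentialReport", "iam:ListUsers"},
}

# Constructed snapshot of what each identity is actually granted today.
GRANTED = {
    "alice": ("developers", ["s3:GetObject", "logs:DescribeLogGroups"]),
    "bob": ("developers", ["s3:*", "iam:CreateUser"]),
    "carol": ("auditors", ["iam:ListUsers", "iam:Get*"]),
}


def iam_action_matches(pattern, action):
    """IAM action matching is case-insensitive with '*' and '?' wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def is_wildcard(action):
    return "*" in action or "?" in action


def deviations(group, granted):
    """Return (action, reason) pairs for grants that exceed the group's baseline."""
    allowed = BASELINE[group]
    out = []
    for action in granted:
        if action in allowed:
            continue  # exact baseline entry, nothing to report
        if is_wildcard(action):
            # A wildcard not literally approved covers actions the baseline never did.
            out.append((action, "wildcard grant broader than baseline"))
        elif not any(iam_action_matches(p, action) for p in allowed):
            out.append((action, "not in baseline"))
    return out


def audit(snapshot):
    """Map each identity with deviations to the list of offending grants."""
    alerts = {}
    for user, (group, actions) in snapshot.items():
        found = deviations(group, actions)
        if found:
            alerts[user] = found
    return alerts
```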
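To check the MFA and root-user points above against an account, this added example (not from the original post) audits a constructed sample written in the layout of the AWS IAM credential report (`aws iam get-credential-report`), cut down to the columns it needs; the account ID is a placeholder. It flags active access keys on the root user, identities without MFA, and active keys older than the 90-day rotation period.

```python
import csv
import io
from datetime import datetime, timezone

ROTATION_MAX_DAYS = 90          # rotation period recommended above
ROOT_USER = "<root_account>"    # how the credential report names the root user
AUDIT_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" for the sample

# Constructed sample in the credential report layout, reduced to the columns
# used here (the real report carries more). 111122223333 is a placeholder account.
SAMPLE_REPORT = """\
user,arn,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,false,true,2021-03-01T00:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,2024-04-15T00:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,false,true,2024-01-10T00:00:00+00:00,true,2024-05-20T00:00:00+00:00
deploy,arn:aws:iam::111122223333:user/deploy,true,false,N/A,false,N/A
"""


def key_age_days(last_rotated, now):
    """Days since the key was created or last rotated (report uses ISO 8601 timestamps)."""
    return (now - datetime.fromisoformat(last_rotated)).days


def audit_credential_report(report_csv, now):
    """Return one human-readable finding per violated control."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["mfa_active"] != "true":
            findings.append(f"{user}: MFA not active")
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if user == ROOT_USER:
                findings.append(f"{user}: active access key {slot} on root user (delete it)")
            age = key_age_days(row[f"access_key_{slot}_last_rotated"], now)
            if age > ROTATION_MAX_DAYS:
                findings.append(f"{user}: access key {slot} is {age} days old (> {ROTATION_MAX_DAYS})")
    return findings


def run_sample():
    return audit_credential_report(SAMPLE_REPORT, AUDIT_TIME)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```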
So, what features should a modern cloud identity management solution ultimately include?
- connect users to applications that leverage either LDAP or SAML-based authentication.
- have remote system management for Mac, Windows, and Linux devices.
- securely connect employees to their devices (systems, mobile, servers), IT applications (on-prem or the cloud), files (cloud hosted or on-prem) and networks via VPN or WiFi.
- leverage best-in-class security using zero trust principles.
- limit management overhead and improve security and user manageability.
- provision users to virtually all of their IT resources with one touch, with HRIS integration.
- connect your cloud servers (hosted at AWS, Google Cloud, Azure, or elsewhere) to your existing AD or LDAP user store.
- extend your existing AD or LDAP directory to the cloud.
- manage your Linux, Mac, and Windows systems, including laptops, regardless of location.
- provide both system-level and application-level multi-factor authentication (MFA).
Preserving data integrity requires IAM policies designed to clearly define user roles and privileges and control access to applications within all major cloud platforms such as Amazon, Microsoft, and Google. Businesses planning to invest in cloud platforms and move more computing infrastructure to the cloud must carefully assess the security controls available and seek PaaS solutions designed to integrate with, supplement, and strengthen existing security frameworks.
As businesses move into the future and embrace updated technologies, flexibility in cloud environments will become more important and security concerns will continue to evolve. Today’s top cloud platform providers offer scalable, customizable solutions with built-in IAM tools, and it’s up to IT specialists to identify the unique concerns of the businesses for which they work and choose the best solution to address workflow needs and security requirements.
Regardless of where you are on your digital transformation journey, OZ will help you bring to bear the power of the cloud to transform your organization, save money, increase scalability, gain competitive advantage, and improve business efficiency and operations. Find out more about our cloud services and assessment offerings here.