2020 was a turning point for businesses across the globe as they were forced to accelerate their digital transformation processes and accommodate an unprecedented and rapid shift to remote work. With this, they rushed long-standing plans to upgrade cloud applications and services to solve a core set of immediate problems – keeping displaced workers connected without compromising data exchange. Now that we’ve learned this dependency on the cloud will continue to grow, there are new challenges that organizations have to solve in the year ahead – starting with making these cloud infrastructures more secure.
To do this, organizations must reroute the security perimeter to focus on identity. While cloud-based identity can be a complicated concept for a number of reasons, there are a few simple steps organizations can take to evolve their identity and access management (IAM) strategies. They should move beyond “effective permissions” alone and instead focus on threats and risks, following a cloud IAM lifecycle approach.
Address the Complexities of Cloud Identity
Unlike using a firewall in a traditional data center, relying on identity in the cloud is substantially more complex because everything in the cloud has an identity – applications, services and systems – and each of these identities has to be managed. Adding an extra layer of work, each of these identities has to also be assigned a level of “effective permissions”, which involves untangling a web of confusing permission rules. For example, factors such as permissions boundaries, identity-based policies, service control policies and session policies also have to be considered when determining effective access.
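An added example (not from the original article): a simplified evaluator showing why effective access is the intersection of the policy layers named above, with an explicit deny in any layer overriding every allow. It is modelled on how AWS combines these four policy types within a single account; the policy contents, ARNs and function names are constructed, and conditions, resource-based policies and case-insensitive action matching are left out.

```python
from fnmatch import fnmatchcase

def _matches(stmt, action, resource):
    # Simplification: glob matching, case-sensitive, no Condition/NotAction.
    return (any(fnmatchcase(action, a) for a in stmt["Action"])
            and any(fnmatchcase(resource, r) for r in stmt["Resource"]))

def verdict(policy, action, resource):
    """Return 'Deny', 'Allow' or None (no matching statement) for one policy."""
    effects = {s["Effect"] for s in policy if _matches(s, action, resource)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else None

def effective_access(identity_policy, guardrails, action, resource):
    """guardrails maps a layer name to its statements, or None if not attached."""
    layers = {"identity_policy": identity_policy}
    layers.update({n: p for n, p in guardrails.items() if p is not None})
    verdicts = {n: verdict(p, action, resource) for n, p in layers.items()}
    for name, v in verdicts.items():      # an explicit deny anywhere wins
        if v == "Deny":
            return False, f"explicit deny in {name}"
    for name, v in verdicts.items():      # every attached layer must allow
        if v != "Allow":
            return False, f"no allow in {name}"
    return True, "allowed by every attached layer"

# Constructed sample policies for one hypothetical role.
IDENTITY = [{"Effect": "Allow", "Action": ["s3:*", "iam:PassRole"],
             "Resource": ["*"]}]
GUARDRAILS = {
    "service_control_policy": [
        {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]},
        {"Effect": "Deny", "Action": ["iam:*"], "Resource": ["*"]}],
    "permissions_boundary": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
         "Resource": ["arn:aws:s3:::reports/*"]}],
    "session_policy": None,               # not attached in this sample
}

if __name__ == "__main__":
    for action, res in [("s3:GetObject", "arn:aws:s3:::reports/q1.csv"),
                        ("s3:PutObject", "arn:aws:s3:::reports/q1.csv"),
                        ("iam:PassRole", "arn:aws:iam::111111111111:role/x")]:
        print(action, res, effective_access(IDENTITY, GUARDRAILS, action, res))
```

The identity-based policy alone grants `s3:*` on everything, yet only read access to one bucket prefix survives once the other layers are applied.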
Additionally, visibility drops as cloud deployments grow, and security and operations teams are often lost navigating thousands or even tens of thousands of cloud assets and principals, each with different types of identity and access rules. As a result, organizations lose the ability not only to assign and manage cloud least privileged access (LPA), but also to understand the underlying permissiveness of their cloud access. Security and operations teams can still determine whether an actor (user or application) should have access to a particular asset, but they are unable to assess the potential domino effect that access may have. Because of this, effective permissions, when used alone, no longer work in a modern IAM context.
Optimize Infrastructure by Reassembling Cloud IAM Policy Stacks
To execute IAM in the cloud effectively, organizations must start by reassembling cloud IAM policy stacks to align risk context, true identity, and effective permissions. The first step in this process involves laying out all of the stack’s assets, permissions, rules and accounts. This will allow teams to then match these elements to their IAM source of truth, which could be in Active Directory, LDAP or third-party identity stores. From there, they should match applications and their respective resources, business metadata and historical context from a configuration management database (CMDB).
By taking these steps, teams can better construct an IAM boundary view to analyze and simulate all of their cloud environments. This also lets them quickly identify all the resources users have access to and why, giving them the background needed to accurately map out permission boundaries and identify where risk lies.
Take a Cloud IAM Lifecycle Approach
The dynamic nature of cloud infrastructure requires continuous permissions updates to manage risk and, as such, teams must take a lifecycle approach. Taking a lifecycle approach requires organizations to focus on four critical steps: assessing risk, prioritizing and remediating threats, establishing and managing cloud LPA, and automating for scalability.
Above all else, organizations must use available tools to assess effective permissions and identify risk. Historical data can be used to compare current efforts to previous actions, helping to address false permission alerts and highlight anomalous activities that could represent IAM policy risks or indicate areas of noncompliance.
Once the risk is calculated, it’s important to then understand the true cost of these threats to better prioritize the order in which they should be resolved. Teams should perform what-if analyses via simulation tools to model the impact of potential outcomes. Simulation can help teams understand the reach a possible exploit could have so that they can then remediate excessive and unused permissions to avoid a future incident.
Next, teams need to focus on establishing and managing cloud LPA by setting the minimum privilege possible to achieve the organization’s risk goals. Teams should take note that LPA is an ongoing process, requiring continuous assessment of privilege levels against organizational roles and permissions.
Lastly, automating remediation of common high-risk IAM alerts, such as anomalous behaviors, permission bloat, and under- or over-provisioning of LPA, is necessary to help save teams’ time as their cloud footprint expands. Doing so allows them the freedom to trust that their environments are secure despite growing activity.
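The lifecycle steps above, sketched as an added example (not from the original article): it compares grants with historical usage to find unused permissions, follows role-assumption edges to measure how far one principal's access reaches, and runs a what-if on removing a single edge. All principals, grants, trust edges and usage records are constructed, and the function names are hypothetical.

```python
from collections import deque

# Constructed inventory: actions granted to each principal.
GRANTS = {
    "ci-runner":   {"sts:AssumeRole", "s3:GetObject"},
    "deploy-role": {"sts:AssumeRole", "ec2:RunInstances", "iam:PassRole"},
    "admin-role":  {"iam:CreateUser", "iam:AttachRolePolicy", "s3:DeleteBucket"},
    "report-app":  {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"},
}
# Constructed trust edges: which principal may assume which role.
CAN_ASSUME = {"ci-runner": ["deploy-role"], "deploy-role": ["admin-role"]}
# Constructed history: actions each principal used in the review window.
USED = {
    "ci-runner":   {"sts:AssumeRole", "s3:GetObject"},
    "deploy-role": {"ec2:RunInstances", "iam:PassRole"},
    "report-app":  {"s3:GetObject", "s3:PutObject"},
}

def reach(principal, edges=CAN_ASSUME):
    """Principals reachable from `principal` by chained role assumption."""
    seen, queue = {principal}, deque([principal])
    while queue:
        for nxt in edges.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def reachable_actions(principal, edges=CAN_ASSUME):
    """Every action available directly or through an assumed role."""
    return set().union(*(GRANTS[p] for p in reach(principal, edges)))

def unused(principal):
    """Granted but never exercised: candidates for removal under LPA."""
    return GRANTS[principal] - USED.get(principal, set())

def what_if_drop_edge(principal, src, dst):
    """Actions `principal` would lose if `src` could no longer assume `dst`."""
    trimmed = {k: [d for d in v if (k, d) != (src, dst)]
               for k, v in CAN_ASSUME.items()}
    return reachable_actions(principal) - reachable_actions(principal, trimmed)

def rank_by_inherited():
    """Order principals by how many actions they gain only via assumption."""
    return sorted(GRANTS, reverse=True,
                  key=lambda p: len(reachable_actions(p) - GRANTS[p]))

if __name__ == "__main__":
    print(rank_by_inherited())
    print(what_if_drop_edge("ci-runner", "deploy-role", "admin-role"))
```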
As we dive deeper into 2021 and continue remote work, it’s encouraging that organizations are beginning to understand the need to secure their cloud environments. By focusing on potential threats and risks previously unexplored in cloud applications and services, teams that implement these three steps can establish identity as the new security perimeter in the cloud and improve their ability to identify and reduce risk.