IAM for Multi-Cloud Environments

When organizations began moving operations to the cloud, it quickly became clear that the practices used to secure on-premises networks would be inadequate. Networks once defined by physical locations were now geo-agnostic; users needed to access data from anywhere, anytime from geographically distributed cloud applications using both personal and company-issued devices.

Digital transformation has impacted every facet of the enterprise—cloud builder teams are diligently developing applications for departments companywide using high-risk elevated privileges, third-party vendors and contractors need to be quickly onboarded and fully offboarded so they don’t maintain access to operational critical systems after they leave and users of all types need ready access to internal documents and processes. More often than not, these users report to a decentralized leadership team, which makes managing and monitoring network behavior difficult.

AWS Builder Community Hub

As a result, traditional network firewalls, once the benchmark of an organization’s perimeter security, have been supplanted by identity and access management (IAM). How can you secure a network’s edge when it does not have one? How can you ensure CloudOps teams operate inside a secure environment and only use permissions necessary to complete assigned tasks without impacting the operational speed of cloud automation?

The answer is obvious. If you are using manual processes or many of the traditional IAM and privileged access management (PAM) solutions currently available—you cannot.

The New Perimeter

For the modern enterprise operating in the public cloud, identity is the new perimeter. When every device and server, user and client machine carries its own unique identity and uses it to access an organization’s network, it blocks outside access to your data and environment.

As such, IAM and PAM deserve credit for ushering in new and dynamic ways of securing the cloud. It allowed organizations to establish a cohesive barrier, regardless of an employee’s location, and underscored the need for security teams to grasp the fundamental shift in how they monitored and controlled user access. Network access moved from the “implicit trust” associated with on-premises security, to zero-trust, the concept behind modern cloud security strategies which, in the context of securing identities and privileges, improves least-privilege enforcement by implementing zero standing privileges.

The problem is organizations often rely on more than one public cloud platform, each with its own permissions logic, necessitating that security platforms provide a unified access model. Additionally, the volume of users—both human and non-human—grows every year. IAM, at its core, is a viable and trusted security strategy, but it has become increasingly complex and untenable for teams, especially when they are decentralized, to proactively monitor and authenticate all users. Couple that with multi-cloud environments that tend to function in silos, CloudOps teams that need to build at the speed of automation and it is clear that a stark challenge awaits, one that must soon be addressed by organizations.

Welcome to Multi-Cloud

Due to the forces driving business in multi-cloud environments, users are too often granted privileged access they neither need nor use. Speed, integration and user experience compel organizations to issue standing privileges that do not expire to myriad accounts across the entire public cloud ecosystem. Consequently, thousands of over-privileged accounts–some active, many inactive–retain access to an organization’s network and therefore increase the size of the attack surface.

To combat the problem, organizations should adopt ephemeral just in time (JIT) privileges, where permissions to approved accounts are granted only when they are needed; when the task is complete, the permissions expire. Additionally, zero standing privileges (ZSP) can help mitigate the problem. Rather than granting unnecessary, standing privileges that put organizations at risk, ZSP dictates that admins revoke all privileges until users request them to complete a task.

JIT and ZSP are two solutions organizations should strive to adopt. When appropriately used, the solutions can help you regain control of user access and cloud security. However, there is another obstacle to overcome: Integration and automation.

Security at the Speed of CloudOps

Since enterprises are more frequently operating in multi-cloud environments, and given the rapid proliferation of users, how can teams efficiently and effectively authenticate and monitor behavior? JIT and ZSP are great in theory, but how can they be put into practice under such dynamic circumstances? What’s more, how should privileged access management maintain ZSP without impeding the speed and productivity CloudOps teams require to succeed?

Options are limited. Many teams simply hire experts to manage each platform or decide to develop a homegrown solution. But that kind of experience is expensive and, rather than integrate the process, can segment it more. Further, the answer is not a traditional IAM or PAM tool—when you are trying to develop and run your business at the speed of automation, these solutions slow you down and increase overhead, which is why they have garnered a negative reputation in CloudOps circles.

Instead, teams charged with solving this problem should seek out an IAM/PAM solution that incorporates temporary JIT access to resources as part of the CI/CD build process. Automation tools like Jenkins and Terraform are essential drivers but can leave organizations exposed. To overcome this, teams should secure their CI/CD process with role right-sizing and by enforcing zero standing privileges. A unified access model that provides holistic visibility, is cloud-native—and compatible with Iaas, DaaS, SaaS and PaaS—is the modern solution organizations require. Human and machine IDs need to be authenticated and proactively monitored. If over-privileged accounts exist, the permissions should be revoked.  

True Cloud Management

True cloud management is not only possible; it is mandatory. The digital transformation and adoption of multi-cloud environments has fundamentally changed the way enterprises operate. For enterprises committed to success, it is imperative to implement cross-cloud security that operates at the speed of CloudOps.

To determine if your current multi-cloud identity and access management posture is sufficient, start by asking these five questions:

1. Do I have visibility into which accounts – human and non-human – have privilege access?

2. Can I automatically, without disrupting business operations, grant and revoke privileges on the fly?

3. Are my various cloud environments operating in a silo, and if so, can I integrate them into a unified access model?

4. Do any of my cloud environments have accounts with standing privileges?

5. How can I secure access to resources as part of the CI\CD build process?

Avatar photo

Art Poghosyan

Art Poghosyan is CEO and Co-founder of Britive. Art is an entrepreneur with 20+ years InfoSec experience. Prior to Britive he co-founded leading Identity and Access Management (IAM) consulting company Advancive, acquired by Optiv in 2016. There, he shared the confidence of enterprise execs as they wrangled with protecting growing cloud landscapes.

art-poghosyan has 4 posts and counting.See all posts by art-poghosyan