Common cloud IAM challenges

In addition to standard identity management issues plaguing enterprises today, such as user password fatigue and managing a distributed workforce, there are several cloud-specific challenges enterprises face, including the following:

• improper service and user provisioning and deprovisioning -- for example, companies not deprovisioning formeremployee SaaS accounts;
• zombie SaaS accounts -- inactive assigned users;
• too many admin accounts; and
• users bypassing enterprise IAM controls.

What these issues illustrate is a lack of control over the account lifecycle that many SaaS scenarios present. But account management and lifecycle maintenance aren't the only issues when it comes to
IAM in cloud settings -- the creation of roles and management of privileges within all types of cloud environments can also be challenging.

For large organizations that may have hundreds or even thousands of defined roles across numerous accounts, just gathering an inventory of the role assignments can be a huge undertaking.

For example, one case study on the impact of cloud IAM by the security research team at Rhino Security Labs found a large number of incredibly common privilege escalation techniques in AWS in early 2018 that took advantage of poorly defined roles and privilege models. For large organizations that have hundreds or even thousands of defined roles across numerous accounts, just gathering an inventory of role assignments can be a huge undertaking. Fortunately, the research team at Rhino created a free tool that can remotely pull an inventory of all users with a breakdown of possible privilege escalation susceptibility.

Best practices for meeting IAM challenges in the cloud

To combat cloud IAM challenges, organizations need to develop a governance strategy for identities. While some may have enterprise IAM strategies in place internally, they will likely need to be adapted for cloud environments. For all actual human users, accounts should be directly linked to central directory services, such as Active Directory, which facilitate the provisioning, auditing and deprovisioning of accounts from a central store.

All SaaS applications should require the use of single sign-on linked to this central directory with federation technology. For PaaS and IaaS environments, identity governance can be somewhat trickier as all assets -- servers, serverless code, storage nodes and so on -- can have roles and privileges assigned to them. Some of these identities -- whether simple users and groups or more complex role assignments -- may not easily align with a central directory store. As such, DevOps teams may find it easier to use cloud-native tools to manage accounts and identities in some scenarios.

There are several aspects of identity governance to focus on in these cases, including the following:

• Enterprises should develop internal standards and account creation practices that govern how DevOps and other teams integrate identities and privilege models into cloud deployments. This should include account rationale, authentication and authorization methods and controls, and lifecycle parameters.
• Companies should use cloud-native or third-party tools to regularly pull lists of users, groups, roles and privilege assignments from cloud service environments. PowerShell for Azure and AWS Command Line Interface can collect this type of data, which will still need to be sorted, stored and analyzed by security admins.
• Organizations must ensure logging and event monitoring mechanisms focus on all IAM activity in cloud provider environments and then monitor for any unusual activity or unauthorized changes.

Developing a governance plan for cloud IAM can be a tedious and lengthy process, but there are significant risks involved if enterprises don't. Also, don't forget to involve all relevant stakeholders as this can get political quickly.