7 cloud IAM challenges and how to address them

1. Lack of visibility into account inventory

Challenge

Security teams often struggle to understand which users have access to applications and where they're accessing them, especially when distributed across multiple clouds. Proper visibility over user account provisioning helps ensure each account has appropriate access control in place and the organization has accurate reporting for compliance.

Solution

Ensure all accounts created and provisioned -- regardless of cloud model, i.e, SaaS, PaaS or IaaS -- tie back to a central directory service, such as Active Directory, and ideally make use of federation and single sign-on (SSO) for access management. For unique service and admin accounts that need to exist in one or more cloud environments, build processes to create and track these as exceptions with regular auditing and monitoring.

2. Improper service and user provisioning and deprovisioning

Challenge

Proper user provisioning and deprovisioning processes are a must. No central management of the provisioning and deprovisioning of cloud accounts can result in shadow and unmanaged cloud accounts. Additionally, former employees who retain access to business applications and data can cause major security issues.

Solution

Build a centralized process to create and remove all cloud accounts for all types of cloud services when an employee leaves or is terminated. This is ideally done with a single provisioning tool or service that integrates into all federation and SSO capabilities.

3. Zombie SaaS accounts

Challenge

Nowhere is the challenge of inactive assigned users -- known as zombie accounts -- more prevalent than with SaaS offerings. Some SaaS apps don't integrate well, or at all, with federation and SSO, and some might require local users to operate administrative capabilities.

Solution

The challenge of tracking SaaS deployments is well known and goes beyond just the identities and accounts involved. Adopt cloud security posture management, cloud access security broker or security service edge platforms to understand who is doing what and where in regard to SaaS deployments. Regular audits of all SaaS for terminated and inactive employees and other stakeholders are critical to get a handle on zombie accounts. In particular, focus on partners and contractors who might not be integrated with your central identity directories.

4. Lifecycle management

Challenge

While not a new issue for IAM, cloud identity lifecycle management can worsen due to a lack of visibility and insight into what has been created, by whom and where.

Solution

Manage all identities centrally, and try not to generate identities outside a central directory system with SSO and federation. Adapt current lifecycle management practices to the cloud as needed.

5. Changing roles

Challenge

Another common IAM problem happens when users change roles within their company. This is especially problematic in large organizations with numerous cloud deployments.

Solution

Enable logging and auditing for role changes within all cloud environments, and build correlation rules internally to ensure this aligns with approved changes and managerial direction.

6. Too many admin accounts

Challenge

This is a classic privileged user management (PUM) issue: How many admins do you have in your cloud service environments, and why? The proliferation of admin accounts can lead to numerous problems, such as cloud misconfigurations and accidental cloud data exposure.

Solution

As with any privileged user scenario, consider a centralized control that allocates privileges and tracks admin accounts. This can be challenging without a central PUM platform, especially due to the explosion in DevOps pipeline accounts and privileged SaaS accounts. The more cloud services an organization uses, the more it needs a PUM tool that integrates with them and DevOps pipelines. Also, follow the principle of least privilege, and use privileged access management to ensure only a select few users have access to admin accounts and the appropriate permissions.

7. Excessive PaaS and IaaS privileges

Challenge

With the enormous range of privileges and roles available in PaaS and IaaS environments, organizations can lose track of which services and accounts are in place and what they have access to.

Solution

Most major PaaS and IaaS providers, including AWS, Microsoft and Google, offer automated cloud-native IAM monitoring and reporting capabilities. Services such as AWS IAM Access Analyzer help determine where identities could have too many privileges based on industry best practices and observed behavioral patterns. Build processes around monitoring, and use them to inform access audits and rights management activities. Another option is to adopt third-party tools that provide more granular details and capabilities, such as attack path visualization and role and access modeling.

General cloud IAM mitigations to consider

A plethora of IAM challenges can plague cloud deployments. Most can be partially or fully mitigated with centralized controls and monitoring, such as cloud identity brokering, SSO, federation and strong MFA, as well as auditing and monitoring controls within the respective cloud environments in use. It's also important to build processes and governance to create, manage and remove cloud accounts at all levels of the organization.

Dave Shackleford is founder and principal consultant with Voodoo Security; SANS analyst, instructor and course author; and GIAC technical director.