It's common for organizations to use multiple clouds, including a mix of public, private and hybrid. The multi-cloud model introduces added complexity to cloud identity and access management, however, especially with identity now at the forefront of the modern security perimeter.
A number of tips and best practices have emerged that help alleviate these challenges and ensure identities and access controls are secure and effective across cloud environments.
IAM challenges introduced by multi-cloud adoption
Many cloud deployments with single sign-on (SSO) require multiple sets of credentials. This creates significant security challenges, including account lifecycle management, monitoring and enforcing usage and behavior, lack of multifactor authentication (MFA) support and more.
Additionally, when organizations use multiple IaaS and PaaS clouds, each has its own roles, privileges and access models. Managing each one separately can prove challenging, if not impossible, for many security and operations teams. Monitoring for user, group and role permissions and role assignments can also be difficult.
How to solve multi-cloud identity management challenges
Organizations that use multiple clouds should consider the following multi-cloud identity management best practices.
1. Use common industry IAM standards and technologies
Ensure cloud applications don't use a different set of standards and technologies than those used for other applications and general infrastructure. Avoid custom identity and access management (IAM) tools or platforms that aren't built on standards such as Security Assertion Markup Language (SAML) or OAuth, because they can lead to vendor lock-in. Another standard growing in popularity is System for Cross-domain Identity Management (SCIM).
2. Monitor cloud identity roles and privileges across multi-cloud
Look at controls and services within IaaS and PaaS environments to track and monitor identity roles and privilege assignments. AWS IAM Access Analyzer, for example, discovers all identities and resources accessible from outside an AWS account and validates public and cross-account access before permissions changes are deployed. Other cloud service providers, including Microsoft and Google, offer similar services.
With the ability to rapidly scale up resources in the cloud, organizations need to quickly discover assets, assess resource policies and identify any cloud resources with unintended public or cross-account access that could introduce new risks to the environment. Consider deploying integrated identity scanning and analysis tools that continuously monitor for new or updated policies and analyze the permissions granted across numerous resource types in each cloud environment. Also investigate third-party tools that go beyond these capabilities to include advanced visualization, attack path analysis and more.
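The public and cross-account checks described above can be illustrated offline. The script below is an added example, not code from the article or from any cloud provider's tooling: it walks constructed AWS-style resource policy documents (the account IDs, bucket names and organization ID are made up) and classifies each Allow statement as internal, cross-account or public by looking at its AWS principals, in the spirit of what a service such as IAM Access Analyzer does at scale. It evaluates only Allow statements with an AWS or wildcard Principal; Deny statements, NotPrincipal, Service and Federated principals are out of scope, so treat it as a triage aid rather than a full policy evaluation.

```python
"""Triage AWS-style resource policies for public or cross-account access.

Added example, not from the article or any vendor tool. The policies,
account ids and bucket names below are constructed for illustration.
"""
import json
import re

ARN_ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):")
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

# Severity order used when summarising a policy by its worst statement.
LEVELS = {"internal": 0, "cross-account": 1, "public": 2}


def aws_principals(principal):
    """Flatten the Principal element to its AWS (account) principal strings.

    Service and Federated principals are deliberately skipped in this
    example; a full analyzer would evaluate them as well.
    """
    if principal == "*":
        return ["*"]
    if not isinstance(principal, dict):
        return []
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def classify(entry, owner_account):
    """Return 'public', 'cross-account' or 'internal' for one principal string."""
    if entry == "*":
        return "public"
    m = ARN_ACCOUNT_RE.match(entry)
    account = m.group(1) if m else (entry if ACCOUNT_ID_RE.match(entry) else None)
    if account is None:
        return "cross-account"  # unrecognised form: fail closed, treat as external
    return "internal" if account == owner_account else "cross-account"


def analyze_policy(policy, owner_account):
    """One finding per Allow statement that reaches outside the owning account.

    Deny statements and NotPrincipal are not evaluated here, so a Deny that
    overrides an Allow is not taken into account.
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue
        levels = {classify(p, owner_account) for p in aws_principals(stmt["Principal"])}
        worst = max(levels, key=LEVELS.get, default="internal")
        if worst == "internal":
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "level": worst,
            "actions": stmt.get("Action"),
            # A Condition may narrow the grant; flag it so a reviewer checks
            # whether it actually limits the exposure.
            "conditioned": "Condition" in stmt,
        })
    return findings


def worst_level(policy, owner_account):
    """Overall exposure of a policy: 'internal', 'cross-account' or 'public'."""
    findings = analyze_policy(policy, owner_account)
    return max((f["level"] for f in findings), key=LEVELS.get, default="internal")


# --- constructed sample input (made-up account ids, bucket names, org id) ---
OWNER = "111111111111"

SAMPLE_POLICIES = {
    "public-site-bucket": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-public-site/*",
        }],
    },
    "partner-share-bucket": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PartnerAccess", "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::222222222222:role/partner-ingest",
                                  "arn:aws:iam::111111111111:root"]},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-partner-share",
                         "arn:aws:s3:::example-partner-share/*"],
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
        }],
    },
    "internal-logs-bucket": {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "InternalOnly", "Effect": "Allow",
             "Principal": {"AWS": "111111111111"}, "Action": "s3:PutObject",
             "Resource": "arn:aws:s3:::example-internal-logs/*"},
            {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": "arn:aws:s3:::example-internal-logs/*",
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        ],
    },
}


def summarize(policies=SAMPLE_POLICIES, owner_account=OWNER):
    """Map each policy name to its worst exposure level."""
    return {name: worst_level(p, owner_account) for name, p in policies.items()}


if __name__ == "__main__":
    for name, level in summarize().items():
        print(f"{name}: {level}")
    print(json.dumps(analyze_policy(SAMPLE_POLICIES["partner-share-bucket"], OWNER), indent=2))
```

Run as-is, the script reports the public site bucket as public, the partner bucket as cross-account (with its Condition flagged for review) and the logs bucket as internal. Pointing `summarize` at policies pulled from an actual account, one owner account id per cloud account, turns it into a first-pass filter for the continuous policy review the tip recommends.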
3. Evaluate in-house identity standards usage
Adding new services built on standards that in-house application development teams aren't familiar with can cause performance issues. When evaluating cloud IAM services, such as identity as a service (IDaaS), talk with application development teams to ensure they can support any standards required to integrate applications and data with the cloud IAM environment.
4. Investigate IAM service provider security
Thoroughly investigate the security controls in place at IAM providers. Ensure they maintain stringent controls, including encryption, logging and monitoring, and role-based access control, especially if user identity data is stored within their environment or your trust boundaries extend into their cloud. Also check that the provider can meet any industry-specific compliance requirements associated with identity data.
5. Adopt IDaaS and implement where possible
Most organizations shifting to multi-cloud need, at minimum, an identity source of record, such as Active Directory, Microsoft Entra ID or another core repository, as well as some type of federated SSO for end users. To accomplish these goals, many turn to IDaaS providers that broker identity transactions for zero-trust evaluation, authentication and authorization, and that log and monitor all activities and behaviors.
Information owners should integrate IDaaS interaction into the software development lifecycle (SDLC), especially for partners. This requires a commitment to using IDaaS from the requirements phase of the SDLC onward, so that it doesn't cause problems later.
6. Integrate multi-cloud IAM into other initiatives
Consider current and planned user scenarios where cloud IAM features will or can be used and how those scenarios will affect cloud IAM deployment. For example, BYOD initiatives that support a broad range of mobile devices might require special considerations to adopt multi-cloud IAM.
Also, assess how other security initiatives can integrate with multi-cloud identity management. Zero-trust network access, for example, can help a diverse end-user population access cloud resources through a brokered user/machine identity validation and policy control model.
Dave Shackleford is founder and principal consultant with Voodoo Security; SANS analyst, instructor and course author; and GIAC technical director.