Top 8 cloud IAM best practices to implement

1. Inventory and assess cloud IAM roles and permission assignments

For organizations moving into PaaS and IaaS clouds, an uncomfortable moment often occurs where teams -- both IT operations and security -- realize every asset has an identity of some type. Fairly quickly, the number of identity roles and policies can spiral out of control.

Organizations, especially those with a big cloud footprint, should consider cloud infrastructure entitlement management tools to monitor and control identities -- and reduce security headaches.

2. Define and enforce separation of duties and least privilege in cloud

With the growth of DevOps, it's common to find privileges converging. Security teams must be involved in and aware of how these privileges are being created and used going forward.

Develop internal standards and account creation practices that govern how DevOps and other teams integrate identities and privilege models into cloud deployments. Include account rationale, authentication and authorization methods and controls, and lifecycle parameters. Incorporate the principle of least privilege to ensure each cloud account can only access what a user needs to do their job.

3. Automate deprovisioning

Deprovisioning remains a classic IAM challenge, both on premises and in the cloud. Deprovisioning user accounts should occur immediately after a user leaves the organization, the account becomes inactive or the account expires. Automate deprovisioning and provisioning processes to reduce the workloads for admins, as well as improve security.

4. Use MFA for privileged admins

Implementing MFA for privileged admin accounts is the simplest control on this list of cloud IAM best practices. Adding an extra step to log in to privileged accounts makes it more difficult for attackers to gain access to these accounts and renders traditional credential attacks ineffective.

5. Log privileged access to resources

Log all privileged access -- admins, DevOps, etc. -- to ensure no illicit activity occurs. While enabling logging in most major cloud environments is not difficult, it can be hard to coordinate and distill into meaningful activities in busy and complex environments.

6. Implement bastion services for administration

While not all cloud services lend themselves to jump hosts or bastion services that act as intermediaries between privileged users and critical workloads and services, use them whenever possible. Microsoft Azure Bastion, for example, is a native option that provides a secure access point between public and private clouds that contain an organization's applications and data. It's also relatively simple to set up bastion hosts in AWS or Google Cloud Platform.

7. Control secrets for DevOps

With the growth in automated pipeline activities in DevOps, it's critical to centralize and control cloud IAM accounts and access keys, as well as internal DevOps privileges, including keys, passwords and certificates. This could require using an encrypted secrets vault.

8. Centralize cloud IAM with single sign-on

Centralize authentication and authorization for end-user accounts through a single sign-on (SSO) portal that also accommodates federation. This creates a secure "front door" to all apps and services -- protect it accordingly.

The realm of cloud IAM continues to evolve. It is one of the most critical areas of security controls to focus on -- and also one that is notoriously difficult to manage at scale. Organizations should double down on cloud IAM controls and oversight.

Dave Shackleford is founder and principal consultant with Voodoo Security; SANS analyst, instructor and course author; and GIAC technical director.