Many security experts view identity as the new perimeter due to the proliferation of the cloud. As such, organizations need to implement cloud identity and access management best practices to secure applications and data outside the traditional network. Not all security professionals are comfortable with cloud IAM, however.
As organizations adopt more cloud services, they face some unique IAM challenges. One of the more pressing problems is the rapid growth of various identities associated with cloud services. The more cloud services in use, the more identities provisioned into these service provider environments. This is problematic for tracking, monitoring and controlling cloud accounts, as well as for accessing cloud resources.
Organizations growing their SaaS, PaaS and IaaS footprints should follow these cloud IAM best practices, in addition to traditional recommendations of enforcing a strong password policy, using role-based access control or conditional access, and adopting zero trust.
1. Inventory and assess cloud IAM roles and permission assignments
For organizations moving into PaaS and IaaS clouds, an uncomfortable moment often occurs when teams -- both IT operations and security -- realize every asset has an identity of some type. Fairly quickly, the number of identity roles and policies can spiral out of control.
Organizations, especially those with a big cloud footprint, should consider cloud infrastructure entitlement management tools to monitor and control identities -- and reduce security headaches.
2. Define and enforce separation of duties and least privilege in cloud
With the growth of DevOps, it's common to find privileges converging. Security teams must be involved in and aware of how these privileges are being created and used going forward.
Develop internal standards and account creation practices that govern how DevOps and other teams integrate identities and privilege models into cloud deployments. Include account rationale, authentication and authorization methods and controls, and lifecycle parameters. Incorporate the principle of least privilege to ensure each cloud account can only access what a user needs to do their job.
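As an added illustration of items 1 and 2 (this is not code from the original article), the following Python script inventories a set of role policies and flags grants that violate least privilege: wildcard actions, service-wide wildcards and statements that apply to every resource. The policies are constructed samples in the AWS IAM JSON policy shape; the role names, the account ID, and the checks themselves are assumptions, not any particular entitlement management tool's logic. The "tightened" role shows the same deployment role rewritten to the specific actions and resource it actually needs.

```python
# Constructed sample entitlements in the AWS IAM JSON policy shape (an assumption;
# the same checks apply to any provider whose policies list actions and resources).
# "ci-deploy-role" is the over-broad original; "ci-deploy-role-tightened" is the
# least-privilege rewrite of the same role. Account ID 111122223333 is a placeholder.
POLICIES = {
    "ci-deploy-role": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "ci-deploy-role-tightened": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["ecs:UpdateService", "ecs:DescribeServices"],
            "Resource": "arn:aws:ecs:us-east-1:111122223333:service/prod/web",
        }],
    },
    "bucket-admin-role": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::example-bucket/*"},
            {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
        ],
    },
}


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def assess_policy(doc):
    """Return a list of human-readable findings for one policy document."""
    findings = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; only Allow grants are assessed
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append(f"statement {i}: allows every action")
        else:
            wild_services = [a for a in actions if a.endswith(":*")]
            if wild_services:
                findings.append(f"statement {i}: service-wide wildcard {wild_services}")
        if "*" in resources:
            findings.append(f"statement {i}: applies to every resource")
    return findings


def inventory(policies):
    """Map each role name to its findings; roles with no findings are omitted."""
    report = {}
    for name, doc in policies.items():
        findings = assess_policy(doc)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in inventory(POLICIES).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Running the script reports the over-broad deployment role and the service-wide s3:* grant, while the tightened role and the Deny statement produce no findings. The same loop can be pointed at a real policy export; the point is that the review is mechanical and repeatable rather than a one-off manual audit.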
3. Automate deprovisioning
Deprovisioning remains a classic IAM challenge, both on premises and in the cloud. Deprovisioning user accounts should occur immediately after a user leaves the organization, the account becomes inactive or the account expires. Automate deprovisioning and provisioning processes to reduce the workloads for admins, as well as improve security.
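The following Python example is added here and is not from the original article. It turns the three deprovisioning triggers named above (user leaves, account inactive, account expires) into an automated decision over a directory export. The account records, the 90-day inactivity threshold and the HR status values are constructed assumptions; a real pipeline would read them from the provider's directory and the HR system of record.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption: accounts with no sign-in for longer than this are treated as inactive.
INACTIVITY_LIMIT = timedelta(days=90)

# Constructed "as of" date used for the sample run below.
AS_OF = date(2024, 6, 1)


@dataclass
class CloudAccount:
    username: str
    created: date
    last_login: Optional[date]   # None means the account has never signed in
    expires: Optional[date]      # None means no expiry set
    hr_status: str               # "active" or "terminated" in the HR system of record


def deprovision_reason(acct: CloudAccount, today: date) -> Optional[str]:
    """Return why the account should be deprovisioned, or None to keep it.

    Checks run in order of urgency: a departed user first, then an expired
    account, then inactivity measured from the last sign-in (or from creation
    when there has never been one).
    """
    if acct.hr_status == "terminated":
        return "user left the organization"
    if acct.expires is not None and acct.expires < today:
        return "account expired"
    last_activity = acct.last_login or acct.created
    idle = today - last_activity
    if idle > INACTIVITY_LIMIT:
        return f"inactive for {idle.days} days"
    return None


def plan_deprovisioning(accounts, today):
    """Map username -> reason for every account that should be removed."""
    plan = {}
    for acct in accounts:
        reason = deprovision_reason(acct, today)
        if reason:
            plan[acct.username] = reason
    return plan


# Constructed sample export; in practice this comes from the provider's directory.
SAMPLE_ACCOUNTS = [
    CloudAccount("alice", date(2023, 1, 10), date(2024, 5, 30), None, "active"),
    CloudAccount("bob", date(2023, 1, 10), date(2024, 1, 15), None, "active"),
    CloudAccount("carol", date(2023, 3, 1), date(2024, 5, 20), None, "terminated"),
    CloudAccount("dave", date(2024, 2, 1), date(2024, 5, 25), date(2024, 5, 31), "active"),
    CloudAccount("svc-build", date(2024, 5, 15), None, None, "active"),
    CloudAccount("eve", date(2024, 1, 1), None, None, "active"),
]


def sample_plan():
    """Run the decision over the constructed export as of AS_OF."""
    return plan_deprovisioning(SAMPLE_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for user, reason in sample_plan().items():
        print(f"deprovision {user}: {reason}")
```

The output of the decision step feeds whatever the provider exposes for disabling accounts; keeping the decision separate from the API call makes the policy easy to review and to dry-run before anything is actually removed.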
4. Use MFA for privileged admins
Implementing MFA for privileged admin accounts is the simplest control on this list of cloud IAM best practices. Adding an extra step to log in to privileged accounts makes it more difficult for attackers to gain access to these accounts and makes traditional password-only credential attacks far less effective.
5. Log privileged access to resources
Log all privileged access -- admins, DevOps, etc. -- so that illicit activity can be detected. While enabling logging in most major cloud environments is not difficult, it can be hard to coordinate the logs and distill them into meaningful activity in busy and complex environments.
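The following Python snippet is an added example, not part of the original article, that ties items 4 and 5 together: it parses a constructed set of audit events and flags privileged actions performed without MFA or by a principal who is not on the approved admin list. The event field names, the set of privileged actions and the admin list are assumptions; real cloud audit logs carry the same facts under provider-specific keys, and the action list would come from the IAM inventory.

```python
import json

# Assumptions: which API actions count as privileged, and which principals are
# approved to perform them. Both would normally come from the IAM inventory.
PRIVILEGED_ACTIONS = {
    "iam:CreateUser", "iam:AttachRolePolicy", "iam:CreateAccessKey",
    "iam:PutRolePolicy", "kms:ScheduleKeyDeletion",
}
APPROVED_ADMINS = {"alice", "ops-automation"}

# Constructed audit events, one JSON object per line; the malformed line shows
# that parsing failures are counted rather than silently dropped.
SAMPLE_LOG = """\
{"time": "2024-06-01T08:02:11Z", "user": "alice", "action": "iam:CreateUser", "mfa": true, "source_ip": "203.0.113.10"}
{"time": "2024-06-01T08:05:43Z", "user": "bob", "action": "iam:AttachRolePolicy", "mfa": true, "source_ip": "203.0.113.22"}
{"time": "2024-06-01T08:09:02Z", "user": "alice", "action": "iam:CreateAccessKey", "mfa": false, "source_ip": "198.51.100.7"}
{"time": "2024-06-01T08:12:30Z", "user": "alice", "action": "s3:GetObject", "mfa": false, "source_ip": "203.0.113.10"}
this line is not JSON and is skipped
{"time": "2024-06-01T08:15:00Z", "user": "ops-automation", "action": "iam:PutRolePolicy", "mfa": true, "source_ip": "10.0.4.9"}
"""


def parse_events(text):
    """Return (events, skipped) where skipped counts lines that were not valid JSON."""
    events, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1
    return events, skipped


def review_privileged_access(events):
    """Flag privileged actions that lack MFA or come from an unapproved principal."""
    findings = []
    for ev in events:
        if ev.get("action") not in PRIVILEGED_ACTIONS:
            continue  # routine data-plane calls are logged but not reviewed here
        problems = []
        if not ev.get("mfa"):
            problems.append("no MFA")
        if ev.get("user") not in APPROVED_ADMINS:
            problems.append("principal not on approved admin list")
        if problems:
            findings.append({
                "time": ev.get("time"),
                "user": ev.get("user"),
                "action": ev.get("action"),
                "source_ip": ev.get("source_ip"),
                "problems": problems,
            })
    return findings


def review_log(text):
    """Convenience wrapper: parse the raw log text and review it in one call."""
    events, skipped = parse_events(text)
    return review_privileged_access(events), skipped


if __name__ == "__main__":
    findings, skipped = review_log(SAMPLE_LOG)
    print(f"{len(findings)} finding(s), {skipped} unparseable line(s)")
    for f in findings:
        print(f"{f['time']} {f['user']} {f['action']} from {f['source_ip']}: {', '.join(f['problems'])}")
```

On the sample the review reports two events: bob attaching a role policy without being an approved admin, and alice creating an access key without MFA. The s3:GetObject call without MFA is not flagged because it is not on the privileged list, which is exactly the distillation step the paragraph above describes.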
6. Implement bastion services for administration
While not all cloud services lend themselves to jump hosts or bastion services that act as intermediaries between privileged users and critical workloads and services, use them whenever possible. Microsoft Azure Bastion, for example, is a native option that provides a secure access point between public and private clouds that contain an organization's applications and data. It's also relatively simple to set up bastion hosts in AWS or Google Cloud Platform.
7. Control secrets for DevOps
With the growth in automated pipeline activities in DevOps, it's critical to centralize and control cloud IAM accounts and access keys, as well as internal DevOps privileges, including keys, passwords and certificates. This could require using an encrypted secrets vault.
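As an added example (not from the original article), the following Python script scans a constructed pipeline configuration for credentials that were committed as literals instead of being resolved from a secrets vault at run time. The access key ID is the placeholder value AWS uses in its own documentation, not a real credential; the ${...} and vault:// reference conventions, the sensitive-name patterns and the sample file are assumptions. A check like this belongs in CI so that a pipeline change that bypasses the vault fails before it merges.

```python
import re

# Constructed pipeline configuration. AKIAIOSFODNN7EXAMPLE is the placeholder
# access key ID from AWS's own documentation, not a real key.
SAMPLE_CONFIG = """\
env:
  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
  AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  DB_PASSWORD: "hunter2"
  API_TOKEN: ${VAULT_API_TOKEN}
  TLS_KEY: vault://pki/deploy/key
  REGION: us-east-1
"""

# A "NAME: value" assignment; the value group must be non-empty.
ASSIGNMENT = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.+?)\s*$")
# Variable names that usually hold credentials (assumed list).
SENSITIVE_NAME = re.compile(r"(password|passwd|secret|token|key|credential)", re.IGNORECASE)
# Well-known structural patterns that identify credential material regardless of name.
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
PRIVATE_KEY_HEADER = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def is_vault_reference(value):
    """Assumed conventions for values that a secrets vault resolves at run time."""
    return value.startswith("${") or value.startswith("vault://")


def scan_config(text):
    """Return (line_number, finding) pairs for every literal credential found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        # Structural patterns first: they are certain regardless of the variable name.
        if AWS_ACCESS_KEY_ID.search(line):
            findings.append((lineno, "aws_access_key_id"))
            continue
        if PRIVATE_KEY_HEADER.search(line):
            findings.append((lineno, "private_key_material"))
            continue
        # Otherwise flag sensitive-looking names whose value is a literal, not a reference.
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip("\"'")
        if SENSITIVE_NAME.search(name) and not is_vault_reference(value):
            findings.append((lineno, f"literal value for {name}"))
    return findings


if __name__ == "__main__":
    for lineno, finding in scan_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {finding}")
```

The scan reports the access key ID, the secret access key and the database password, and passes the two values that reference the vault. The corrected form of the file is the one where every sensitive variable looks like API_TOKEN or TLS_KEY: a reference the pipeline resolves at run time, so the credential itself never lands in source control.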
8. Centralize cloud IAM with single sign-on
Centralize authentication and authorization for end-user accounts through a single sign-on (SSO) portal that also accommodates federation. This creates a secure "front door" to all apps and services -- protect it accordingly.
The realm of cloud IAM continues to evolve. It is one of the most critical areas of security controls to focus on -- and also one that is notoriously difficult to manage at scale. Organizations should double down on cloud IAM controls and oversight.
Dave Shackleford is founder and principal consultant with Voodoo Security; SANS analyst, instructor and course author; and GIAC technical director.