According to the industry analyst Forrester, the public cloud market is growing at an astonishing rate, approaching $300 billion in 2020. That migration is understandable: cloud environments are far more agile than on-prem systems, and they can deliver more comprehensive, up-to-date computing capacity faster and at lower cost than most on-prem systems can manage.
However, that growth brings with it a myriad of concerns, each of which adds even more complexity to an already complex computing environment. Too often, enterprise leadership leaps to the Cloud without thoroughly analyzing the long-term impact of shifting static legacy and on-prem protocols into an elastic cloud configuration. Nor do they fully evaluate how individual cloud assets might integrate with, or impede, the function of other cloud assets. Further, in their haste to embrace the promise of the cloud frontier, they overlook the fundamental infrastructure that keeps their enterprise safe, most notably the systems that protect its data and define which users are authorized to access it.
Competing Goals Complicate Cloud Migrations
While the desire to access cloud assets to achieve added corporate gain is understandable, it also creates a conflict with the other fundamental corporate mandate: keeping information secure.
- Leaders want to add data, programming, processes, and systems from often innumerable endpoints and information sources. They recognize that the Cloud is the best tool to manage and leverage all that information, computing, user access, etc.
- They also want – and are often required – to keep both existing and incoming data safe from inadvertent or intentional exposure to inappropriate eyes, regardless of their ability to control the threat that may be posed by its source or form of transmission.
Unfortunately, many leaders see the Cloud as the ultimate solution to both prongs of this dilemma:
- They assume their Cloud resources can gather, store, homogenize, and make useful all the data incoming from every source.
- At the same time, they expect those resources to keep that information (in all its permutations) forever safe, regardless of where it’s stored, who’s accessing it, or how it’s used.
The truth is that no Cloud resource can provide that level of comprehensive protection for every bit of data all the time. Today’s reality is that every enterprise must plan its data security model just as it does its overarching business plan, then manage it fluidly as changes occur. And since data security demands evolve day by day, the operation of that model must also be flexible enough to meet them.
These concerns pose daunting challenges to every C-Suite:
- To what degree do they manage the operational and security relationships that arise in the ever-more-complex cloud-computing environment?
- In what way do they protect their crown jewels while also maximizing those values through their integration into cloud-based systems?
- How do they design and implement monitoring and auditing processes needed to oversee the new cloud-enabled configuration without breaking the organization’s budget?
A New Truth Emerges
The complexity of cloud computing reveals that a new truth has emerged about managing data security: it is no longer feasible to protect the ever-growing varieties of information based on their inherent formats and structures. No existing programming provides that level of 100%-comprehensive data security across all those variables, sources, and use cases.
Instead, it is becoming more apparent that the identity and purpose of the user who has access to the data, not the data itself, provides the better foundation for the information security architecture demanded by today’s bustling global marketplace. Identity and access management (IAM) programming offers every enterprise assurance that governance controls over its information, from whatever source and for whatever purpose, will restrict access to properly authorized persons or entities and to authorized uses only.
Identity and Access Management (IAM) Tools
There are several styles of guidelines and tools available that can provide direction for the development of your organization’s IAM programming:
- One primary source of best-practice IAM design and implementation strategies is the set of industry-mandated frameworks that govern most of the world’s industrial sectors. These frameworks not only provide useful insights into data governance in general; their designers have already worked out the specifics of data security and how to achieve and maintain it.
- Note, too, that the three largest Cloud services providers, AWS, Google, and Microsoft Azure, each address IAM governance slightly differently from the others. One provider’s methodology may be more advantageous than another’s, based on the user’s need, so it’s important to understand how they differ when choosing that cloud services resource.
Industry Frameworks
In addition to internal corporate data governance, many organizations must (or should) also build industry-relevant security framework requirements into their infrastructure. These frameworks evolved over time to protect access to consumer data so it isn’t inappropriately exposed to unnecessary risk of loss or breach.
Major governance frameworks provide information security standards for specific industrial sectors as well as ‘best practices’ guidance for any enterprise that allows access to its data under any circumstance.
- The Health Insurance Portability and Accountability Act (HIPAA) sets the standards for the safety and security of the vast quantities of personal confidential information held by America’s healthcare industry. The Guidelines’ ‘principle of least privilege’ mandates that access to data should be limited to only that information needed by those who use it to perform their specific job or function.
- The Cybersecurity Framework developed by the U.S. National Institute of Standards and Technology (NIST CSF) is another great example. While originally developed for US government agencies, it has become widely accepted in companies of all sizes. The primary reason is that it provides a rather straightforward framework to follow to help maintain the security of a company’s – and its customers’ – information.
- The American Institute of Certified Public Accountants (AICPA) devised standards for auditing how an organization manages the availability, accessibility, security, and confidentiality of its financial information systems. It also provides its analysis of compliance with those standards in its Service Organization Control 2 Type II (SOC2) report.
- The Center for Internet Security (CIS) Guidelines, devised by a consensus of stakeholders, provide standardized security protocols to secure a wide range of systems and services.
A fully informed IAM policy will include both the protocols for internal data security management, as well as the applicable compliance standards (or appropriate best practices) from all relevant frameworks.
Public Cloud Providers and IAM Protocols
Today’s cloud providers are fully aware of both their customers’ reliance on their security systems and the best practices, guidance, and industry mandates issued by framework developers. Each of the three major cloud providers approaches data security in a different way, so one may offer a specific strategy that’s optimal for your business. Each provider also has its own set of IAM policies as well as individualized protocols for accessing them.
Amazon Web Services (AWS)
With this cloud provider, IAM policies attach to either identities (individual users, groups, or roles) or resources, and define the permissions granted to that identity. Each request is permitted or denied based on the permissions those policies allow. AWS also supports permissions boundaries, Access Control Lists (ACLs), AWS Organizations Service Control Policies (SCPs), and session policies, which further constrain what a request may do.
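To make the interplay of those policy types concrete, here is an added example (not AWS code, not from Sonrai) that models, in simplified form, how one request is decided within a single account: an explicit Deny anywhere wins, an identity or resource policy must grant an Allow, and a permissions boundary or SCP, when present, must also Allow it since they cap permissions but never grant them. The bucket names and ARNs are constructed; Condition blocks, NotAction/NotResource and cross-account rules are left out.

```python
# Added example (not AWS code): a simplified model of how the policy types
# named above combine when AWS evaluates one request within a single account.
# Rules modelled: an explicit Deny anywhere wins; otherwise an identity or
# resource policy must Allow; a permissions boundary or SCP, when present,
# must also Allow (they cap permissions, never grant them); all else is denied.
# Omitted: Condition blocks, NotAction/NotResource, cross-account rules.
from fnmatch import fnmatchcase

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _statement_matches(stmt, action, resource):
    actions = _as_list(stmt["Action"])
    resources = _as_list(stmt.get("Resource", "*"))
    return (any(fnmatchcase(action, a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))

def _effects(policy, action, resource):
    """Set of Effects ('Allow'/'Deny') whose statements match the request."""
    return {s["Effect"] for s in policy.get("Statement", [])
            if _statement_matches(s, action, resource)}

def evaluate(action, resource, identity=None, resource_policy=None,
             boundary=None, scp=None):
    """Return (allowed, reason) for one request."""
    granting = [p for p in (identity, resource_policy) if p]
    capping = [p for p in (boundary, scp) if p]
    if any("Deny" in _effects(p, action, resource) for p in granting + capping):
        return False, "explicit deny"
    if not any("Allow" in _effects(p, action, resource) for p in granting):
        return False, "implicit deny: no identity or resource policy allows it"
    if not all("Allow" in _effects(p, action, resource) for p in capping):
        return False, "implicit deny: outside permissions boundary or SCP"
    return True, "allow"

# Constructed sample policies (bucket name and ARNs are made up).
IDENTITY = {"Statement": [{"Effect": "Allow", "Action": "s3:*",
                           "Resource": "arn:aws:s3:::corp-data/*"}]}
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                           "Resource": "*"}]}
SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                     {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]}

if __name__ == "__main__":
    obj = "arn:aws:s3:::corp-data/report.csv"
    for act in ("s3:GetObject", "s3:PutObject", "s3:DeleteObject"):
        print(act, evaluate(act, obj, identity=IDENTITY, boundary=BOUNDARY, scp=SCP))
    print("other bucket", evaluate("s3:GetObject", "arn:aws:s3:::other/x",
                                   identity=IDENTITY, boundary=BOUNDARY, scp=SCP))
```

Running it shows the identity policy’s broad `s3:*` grant being narrowed to `s3:GetObject` by the boundary and `s3:DeleteObject` being refused outright by the SCP, which is the practical effect of layering caps over a grant.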
Microsoft Azure
Azure builds its policies based on several best practices. These practices include (among others):
- Identity is treated as the primary security perimeter (as opposed to a firewall or other barrier);
- Identities are managed centrally, so stray permissions aren’t granted inadvertently; and
- Access is conditional, password-protected, and subject to multi-factor authentication rules.
Google Cloud Platform (GCP)
Google Cloud Platform structures its IAM policy by defining who (the identity) has what access (the role) to which resource. Permissions are grouped into roles, and those roles are granted to individual members or to groups.
Utilizing the best practices and policies set out by today’s public cloud providers offers their users the opportunity to reduce the complexity that arises from the marriage of their cloud-based and proprietary computing environments.
IAM Programming Helps to Unravel Cloud Complexity Chaos
Today’s global network of industries shares limitless volumes of data both internally and externally, data that contains both sensitive corporate and confidential consumer information. As that volume of public and private data grows, so does the complexity of its governance. Every organization must keep its information safe from prying eyes to remain in compliance with its industry regulations, which also earns much-needed consumer confidence while protecting the enterprise from disasters. IAM programming offers the best data security platform for managing data flow across all enterprise assets, including cloud-based, third-party, and on-prem resources.
Sonrai Dig can help
Our Sonrai Dig platform is built on a sophisticated graph that identifies and monitors every possible relationship between identities and data inside your public cloud. Sonrai Dig, our enterprise identity and data governance platform, de-risks your cloud by finding these risky relationships, helping you fix them, and preventing them from occurring in the first place.