Table of Contents
Share this entry
IAM Cloud Best Practices to Protect Your Data
What is IAM?
Identity Access Management (IAM) is a security program enabling you to identify, authenticate, and authorize individuals, groups, and identities and control their access to your applications, resources, services, and networks. IAM tools work by imposing policies and restrictions on their access to protect the data in your environment and even the environment itself.
Cloud Identity vs. Data Center IAM
Today, Identity and Access Management is at the forefront of security strategies in the cloud, as organizations big and small migrate to this new frontier. However, what is considered an ‘identity’ looks very different in the cloud than it did in the data center. Why?
Well, the person identity (i.e. a user) has taken a back seat to non-person identities. These non-person identities are critical entities in day-to-day operations in the cloud, where identity is defined as the new security perimeter. They include pieces of compute, serverless functions, roles, service principles, access keys and more. A recent Forrester snapshot study commissioned by Sonrai Security and AWS found 56% of cloud-decision maker respondents felt non-person identities were out of control in their cloud. This new reality demands a change in the way we address risk.
Identity is an undeniable player involved in almost every attack and breach in the public cloud. It’s time to build an identity-centric security strategy.
IAM Best Practices for AWS, Azure, GCP
Each Cloud Service Provider has its own unique set of IAM best practices, but there are some rules of thumb that should remain consistent no matter what environment you’re in. While cloud providers like AWS, Azure, and GCP do their best to offer secure infrastructure and arm their customers with resources to bolster their security management, the responsibility ultimately falls on the customer. This is the Shared Responsibility Model. It’s time to put identity management at the forefront of your cloud security strategy and hold up your end of the deal.
Below, we’ll outline the top cloud Identity and Access Management best practices your organization can fall back on to better lock down the stepping stones to your sensitive data.
Regulate Access Controls
Separation of Duties
Separation of duties (SoD) involves the sharing of a set of responsibilities and privileges among multiple users with the intention of preventing fraud and error. Separation of Duties has two areas. The first is the prevention of conflict of interest (real or apparent), wrongful acts, fraud, abuse, and errors. The second is the detection of control failures that include security breaches, information theft, and circumvention of security controls. It is designed to ensure that identities (people and non-people) don’t have conflicting responsibilities or are in a position of opening the organization to risk. Separation of Duties can be difficult to achieve with limited staff members, but controls should be put into place to be in accordance with SoD.
By providing centralized management of all identities and their effective permissions, your organization gains the visibility needed for proper oversight. Centralized IAM makes it easier to enforce policies governing identity and access. This is because an effective centralized approach ensures that privileges are issued in accordance with the policies and controls within your organization’s governance framework. As a result, you can align privileges with your business requirements. This can be extremely difficult when your cloud has several accounts, groups or even multiple cloud platforms. The best way to ensure you’re getting the full picture is leveraging a cloud security platform.
Categorize Identity Management
Systematic identity management will help organizations optimize identity and access controls. DevOps can achieve this by sorting identities into groups and roles according to their functions and permissions and then creating policies that are applied to the grouping. Through this method of categorization, they can effectively manage similar identities without tediously sorting through every single one, which likely leads to misconfigurations. These IAM misconfigurations often introduce hidden risks in your cloud.
It is best to have complete visibility into all of your identities and their effective permissions. Without this visibility, any identity may receive more access than needed leaving your organization open to unnecessary risks. This sort of visibility comes only from a third-party cloud security platform.
Enforce Least Privilege
The Principle of Least Privilege ensures that users receive the minimum permissions required to fulfill their roles. Through least privilege, DevOps and security teams can significantly reduce the blast radius in the event of a data breach by restricting threats to the specific permissions linked to an account.
Ultimately, best practice is to only give identities the exact amount of privileges they need to get their job done. It doesn’t end there, a better practice is to maintain the least privilege by continuously monitoring your identities against the baseline of least privilege and alerting when a deviation occurs.
Delegate Permissions by Roles
As opposed to using an admin identity to complete everyday tasks, create new roles for different tasks that are assumed when needed. Assuming a role requires using a token or creating a session, which are only temporary, and therefore less risky than long-term credentials.
Authenticate and Audit
De-provision IAM Accounts
Ideally, all identities should be de-provisioned when they are no longer needed. These may be identities that were never used, or perhaps an employee who has left the business. These dormant accounts pose serious risk as they only add to your attack surface, or exploitable entities in your environment. A better practice is to automate the detection of and subsequent deprovisioning of dormant accounts. A CIEM tool is able to detect such identities and provide intelligent workflows and automation to delete them.
Due Diligence of Administrator Credentials
Administrator credentials should strictly belong to administrator identities. A well-known practice is for organizations to restrict administrator accounts to necessary functions and discourage daily usage, but we can take that much further with the power of the cloud. Organizations should consistently inventory all their identities and associated entitlements. From there they should certify those that are truly known admin accounts and remediate the ones that aren’t. This forms an identity baseline which they continuously monitor against for deviations in both entitlements and usage. It is vital for organizations to protect the powerful set of permissions linked to administrator credentials and cloud users should consider additional security tools to help this process.
Protect User Access Keys
Access keys provide programmatic access to a cloud environment. It is best practice to not share these access key credentials between identities in your account or embed them in code for anyone to find. This access key approach does come with a downside, it provides long-term access for as long as the key exists. Often, we see keys that are created and then forgotten about. If you need to use access keys, a best practice is to put automation in place to delete old and/or inactive keys. If you are looking for an even better practice, create a non-person identity, like an AWS Role, with short-lived access.
MFA (multi-factor authentication) provides critical accounts with added security that mitigates cyberthreats by complicating the hacking process. As the name suggests, MFA requires more than just remembering some passwords – it involves having both physical devices and personal knowledge for an individual’s identity to be confirmed. Fundamental access controls can prevent intrusions by most bad actors. These controls verify the valid identity, then monitor the identity’s usage to ensure they remain within the mandated security parameters and permissions. As a general security best practice, activate MFA for all of your accounts.
Use Temporary Credentials
Access keys provide long-lived access to your environment programmatically as opposed to logging in via the Console using a good old user/password combo. As a general best practice, temporary credentials should be used whenever and wherever possible, not long-lived access. This can be achieved by using IAM roles.
Protect High-Value Data
Rotate Access Tokens
Users should regularly rotate access tokens to minimize the risk of compromised credentials. The process involves creating new tokens, switching applications that use the new token, and deleting the old token. Like passwords, regularly changing an API token will limit the damage a leaked or misplaced API token can cause.
Protect Root User Account
The root account has control over everything in your environment, and therefore should be under strict protection. It is not possible to reduce the permissions that AWS root user keys provide, so it is paramount that these keys are protected just as you would any other sensitive information. For starters, do not create access keys for the root users if you haven’t already unless you absolutely need to. Instead, you can use the account email and password to enter the Management Console and create an IAM user for yourself, granting it administrative privileges. Moreover, if you have an access key for any root user, it’s best to delete it. If you choose to keep the key, you should change it on a regular basis–a 90-day rotation period is recommended. The root user account should also follow the best practices of password creation and management, including activated MFA.
Choosing the Best Solution for IAM in the Cloud
With a laundry list of best practices, and hundreds of identities to secure, you might be looking for a tool to help with your IAM. If that’s the case, consider looking for a solution that helps your organization:
- Manage passwords: Tools like password managers and single sign-on prevent your users from using the same weak passwords across applications, protecting your organization from a potential breach.
- Automate workflows: You can create automated workflows for processes like onboarding and offboarding users, providing specific roles with different levels of access, and approving user access to applications and systems.
- Manage permissions: Businesses can streamline the review and verification of user access to various apps and resources and automatically provision and de-provision access permissions at the user and application levels. Furthermore, they can specify and verify the actions users can carry out in various applications and define and manage access through user roles.
- Ensure compliance: With logging, reporting, and analytics functionalities, organizations can remain compliant with industry-specific and general data-focused regulations. These tools can also help identify potential optimization opportunities or risks.
- Scale your organization: Centralized policies for identity management help streamline processes across various applications—whether on-premises or on the cloud. This allows your own developers to focus on the work they do best, enhancing your custom application and organically growing your customer audience.
Looking For Where to Start?
Sonrai Security offers the new-age solution for cloud IAM — Cloud Infrastructure Entitlement Management. It brings all the old best practices and addresses new identity risks specific to the cloud. Consider a demo to see how the solution uncovers privileges and hidden access paths to data you never knew existed.
The Newsletter for Cloud Security Leaders. 1x a month.
Get a Comprehensive Cloud Identity AuditRequest Your Audit
Read the latest news and insights
- Cloud Security Platform
- By Use Case