
Today, Identity and Access Management is at the forefront of security strategies in the cloud, as organizations big and small migrate to this new frontier. However, what is considered an ‘identity’ looks very different in the cloud than it did in the data center. Why?

Well, the person identity (i.e. a user) has taken a back seat to non-person identities. These non-person identities are critical entities in day-to-day cloud operations, where identity is the new security perimeter. They include compute instances, serverless functions, roles, service principals, access keys and more. A recent Forrester snapshot study commissioned by Sonrai Security and AWS found that 56% of cloud decision-maker respondents felt non-person identities were out of control in their cloud. This new reality demands a change in the way we address risk.

Identity is an undeniable player involved in almost every attack and breach in the public cloud. It’s time to build an identity-centric security strategy.

Cloud providers like AWS, Azure, and GCP secure the underlying infrastructure and give customers tools to harden their accounts, but under the shared responsibility model the identities, permissions and configuration inside those accounts remain the customer's job. It's time to put identity management at the forefront of your cloud security strategy.

Below, we’ll outline the top cloud Identity and Access Management best practices your organization can fall back on to better lock down the stepping stones to your sensitive data.

12 Cloud IAM Best Practices
Centralize IAM

By providing centralized management of all identities and their effective permissions, your organization gains the visibility needed for proper oversight. Centralized IAM makes it easier to enforce policies governing identity and access. This is because an effective centralized approach ensures that privileges are issued in accordance with the policies and controls within your organization’s governance framework. As a result, you can align privileges with your business requirements. This can be extremely difficult when your cloud has several accounts, groups or even multiple cloud platforms. The best way to ensure you’re getting the full picture is leveraging a cloud security platform.

Enforce Least Privilege

The Principle of Least Privilege means each identity receives only the permissions required to do its job. Applied consistently, it lets DevOps and security teams shrink the blast radius of a compromise: an attacker who steals a credential can only do what that specific identity was allowed to do.

Granting the minimum set of privileges is the starting point, not the finish. Permissions drift as teams add policies for one-off tasks and never remove them, so the stronger practice is to establish a least-privilege baseline for each identity (what it is entitled to and what it actually uses), monitor continuously against that baseline, and alert when an entitlement or usage deviates from it.
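To make the baseline idea concrete, here is an added Python example (it is not code from the original article or from Sonrai). It lints an IAM identity policy for over-broad Allow statements, then compares the services the policy grants against the services the identity has actually used, in the shape of IAM Access Advisor data, so unused grants can be removed. The two policies, the account ID and the usage timestamps are constructed for the example; the helper names are the example's own.

```python
"""Least-privilege checks over an AWS IAM identity policy.

Added example, not code from the original article. It flags over-broad
Allow statements, then compares the services a policy grants against the
services the identity actually used (the shape of IAM Access Advisor /
GetServiceLastAccessedDetails data) so unused grants can be removed.
The policies, account ID and usage timestamps are constructed.
"""
import json
from datetime import datetime, timedelta, timezone


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalize to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def lint_policy(policy):
    """Return findings for Allow statements that violate least privilege."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append(f"stmt {i}: NotAction in an Allow grants everything not listed")
        if "*" in actions and "*" in resources:
            findings.append(f"stmt {i}: full administrative access (Action '*' on Resource '*')")
            continue
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"stmt {i}: wildcard action {action}")
        if "*" in resources and not stmt.get("Condition"):
            findings.append(f"stmt {i}: Resource '*' with no Condition to scope it")
    return findings


def granted_services(policy):
    """Service prefixes (e.g. 's3') granted by Allow statements; '*' means all."""
    services = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            services.add("*" if action == "*" else action.split(":", 1)[0].lower())
    return services


def unused_services(policy, last_accessed, now, lookback_days=90):
    """Granted services the identity has not used within the lookback window.

    last_accessed maps service prefix -> datetime of last use, or None if the
    service was never used in the tracking period (as Access Advisor reports).
    """
    granted = granted_services(policy)
    if "*" in granted:
        granted = set(last_accessed)  # '*' covers every tracked service
    cutoff = now - timedelta(days=lookback_days)
    return sorted(s for s in granted
                  if last_accessed.get(s) is None or last_accessed[s] < cutoff)


# Constructed inputs. The first policy is the kind of thing that accumulates
# over time; the second is the scoped replacement based on observed usage.
OVERBROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"],
     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"},
    {"Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}
""")

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-uploads/*"},
        {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"},
    ],
}

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
LAST_ACCESSED = {  # constructed Access Advisor style data for the identity
    "s3": NOW - timedelta(days=3),
    "dynamodb": NOW - timedelta(days=1),
    "ec2": None,                       # never used
    "iam": NOW - timedelta(days=200),  # used once, long ago
}

if __name__ == "__main__":
    for name, policy in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "findings:", lint_policy(policy) or "none")
        print(name, "grants unused services:", unused_services(policy, LAST_ACCESSED, NOW))
```

Run against real data, the policy comes from `iam:GetPolicyVersion` and the usage map from `iam:GetServiceLastAccessedDetails`; the point of the check is that `OVERBROAD_POLICY` grants `ec2` and `iam` to an identity that has not touched them in 90 days, which is exactly the deviation from baseline worth an alert, while `SCOPED_POLICY` produces no findings.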

De-provision IAM Accounts

Every identity should be de-provisioned when it is no longer needed, whether it was created and never used or belongs to an employee who has left the business. Dormant identities are pure attack surface: they carry live permissions that nobody is watching, so a leaked password or key for one of them can go unnoticed for months. The better practice is to automate both the detection of dormant identities (for example, no console login or key use within 90 days) and their subsequent de-provisioning. A CIEM (Cloud Infrastructure Entitlement Management) tool can detect such identities and drive workflows that disable and then delete them.

Separation of Duties

Separation of Duties (SoD) splits a set of responsibilities and privileges across multiple identities so that no single identity can complete a sensitive operation alone, with the aim of preventing fraud and error. It serves two purposes. The first is prevention: of conflicts of interest (real or apparent), wrongful acts, fraud, abuse, and mistakes. The second is detection: of control failures such as security breaches, information theft, and circumvention of security controls. In the cloud this applies to people and non-people identities alike; for example, the pipeline role that deploys application code should not also be able to edit IAM policies or disable logging. SoD can be hard to achieve with a small team, but compensating controls (approval workflows, peer review of changes, logging and alerting on privileged actions) should still be put in place.

Due Diligence of Administrator Credentials

Administrator credentials should strictly belong to administrator identities. A well-known practice is for organizations to restrict administrator accounts to necessary functions and discourage daily usage, but we can take that much further with the power of the cloud. Organizations should consistently inventory all their identities and associated entitlements. From there they should certify those that are truly known admin accounts and remediate the ones that aren’t. This forms an identity baseline which they continuously monitor against for deviations in both entitlements and usage. It is vital for organizations to protect the powerful set of permissions linked to administrator credentials and cloud users should consider additional security tools to help this process.

Categorize Identity Management 

Systematic identity management helps organizations keep identity and access controls consistent. DevOps can achieve this by sorting identities into groups and roles according to their function and required permissions, then attaching policies to the grouping rather than to each identity. Managing similar identities together avoids hand-editing every single one, a manual process that invites the IAM misconfigurations that introduce hidden risk in your cloud.

It is best to have complete visibility into all of your identities and their effective permissions, that is, what each identity can actually do once every attached policy, group membership, permission boundary and resource policy is evaluated together. Without this visibility, an identity can quietly end up with more access than it needs, leaving your organization open to unnecessary risk. Native consoles show this one account at a time; a cloud security platform is what gives you the picture across accounts and providers.

Delegate Permissions by Roles

As opposed to using an admin identity for everyday tasks, create separate roles for different tasks and assume them only when needed. Assuming a role returns short-lived session credentials (in AWS, from STS) that expire on their own, so a leaked session is far less dangerous than a leaked long-term credential, and the role's trust policy controls who is allowed to assume it in the first place.

Protect User Access Keys

Access keys provide programmatic access to a cloud environment. Best practice is never to share access keys between identities in your account or to embed them in code or configuration where anyone can find them. Access keys also have an inherent downside: they grant access for as long as the key exists, and keys are often created and then forgotten. If you must use access keys, put automation in place to rotate old keys and delete inactive ones. The better practice is to avoid long-term keys altogether and have the workload assume an IAM role, so it only ever holds short-lived session credentials.

Protect Root User Account

The root account has control over everything in your environment, and therefore should be under strict protection. The permissions of the AWS root user cannot be reduced by IAM policies, so its credentials must be protected like any other highly sensitive secret. For a start, do not create access keys for the root user unless you absolutely need to. Instead, sign in to the Management Console with the account email and password, create an administrative IAM identity (an IAM user, or a role reached through federation) for your own use, and do day-to-day work with that. If a root access key already exists, delete it. If you choose to keep one, rotate it regularly; a 90-day rotation period is recommended. The root user should also follow password best practices, with MFA enabled (ideally a hardware MFA device), and any use of it should raise an alert, since normal operations should never need it.

MFA Activation 

MFA (multi-factor authentication) gives critical accounts added protection against credential theft: a stolen or guessed password alone is no longer enough to sign in. As the name suggests, MFA requires more than remembering a password; it combines something the user knows with something the user has, such as a hardware security key or an authenticator app, before the identity is confirmed. Phishing-resistant factors (FIDO2/WebAuthn security keys) are preferable to SMS or one-time codes, which can be phished or relayed. Once an identity is verified, monitor its usage to ensure it stays within its mandated permissions. As a general security best practice, enable MFA for every human account, and enforce it in policy (for example, a condition that requires MFA before privileged actions) rather than relying on users to opt in.

Use Temporary Credentials

Access keys provide long-lived programmatic access to your environment, as opposed to logging in via the console with a username and password. As a general best practice, use temporary credentials wherever possible instead of long-lived access. IAM roles are the mechanism: a human assumes a role through STS, compute assumes one through an instance profile or an attached execution role, and the resulting credentials expire automatically.
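Whether a role actually delivers the safety described in this section and in Delegate Permissions by Roles depends on its trust policy, which decides who can obtain those temporary credentials. The following is an added Python example (not code from the original article or from Sonrai) that puts a weak trust policy beside a hardened one and checks both. The account IDs, user name and the checker's function names are constructed for the example; the condition keys `aws:MultiFactorAuthPresent` and `aws:MultiFactorAuthAge` are real AWS global condition keys.

```python
"""Role trust policies: the weak form beside the hardened form.

Added example, not from the original article. A role is assumed via STS for a
temporary session, so the trust policy is the gate on who gets those
credentials. check_trust_policy() flags statements that let any AWS principal
assume the role, trust a whole account unconditionally, or skip MFA.
Policies, account IDs and names below are constructed.
"""


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def check_trust_policy(policy):
    """Return findings for Allow statements in a role's trust policy."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            aws_principals = ["*"]
        elif isinstance(principal, dict):
            aws_principals = [str(p) for p in _as_list(principal.get("AWS"))]
        else:
            aws_principals = []
        if not aws_principals:
            continue  # Service/Federated principals: MFA conditions do not apply
        cond = stmt.get("Condition", {})
        # 'Bool' (not 'BoolIfExists') is deliberate: when a caller uses long-term
        # access keys the key is absent and the condition evaluates to false.
        mfa_required = cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true"
        if "*" in aws_principals:
            findings.append(f"stmt {i}: any AWS principal may assume this role")
        for p in aws_principals:
            if p.endswith(":root") and not cond:
                findings.append(f"stmt {i}: trusts the whole account {p} with no Condition")
        if not mfa_required:
            findings.append(f"stmt {i}: sts:AssumeRole allowed without aws:MultiFactorAuthPresent")
    return findings


# Weak: anyone with AWS credentials may assume the role, MFA not required.
WEAK_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "sts:AssumeRole"}],
}

# Weak: trusts every identity in another account, unconditionally.
CROSS_ACCOUNT_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::210987654321:root"},
                   "Action": "sts:AssumeRole"}],
}

# Hardened: a named principal, MFA required, and the MFA must be recent.
HARDENED_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:user/alice"},
                   "Action": "sts:AssumeRole",
                   "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"},
                                 "NumericLessThan": {"aws:MultiFactorAuthAge": "3600"}}}],
}

# A service principal (an EC2 instance profile role): no MFA check applies.
SERVICE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_TRUST), ("cross-account", CROSS_ACCOUNT_TRUST),
                      ("hardened", HARDENED_TRUST), ("service", SERVICE_TRUST)):
        print(name, check_trust_policy(pol) or "ok")
```

With the hardened policy in place, the operator obtains the short-lived session with `aws sts assume-role --role-arn <role-arn> --role-session-name <name> --serial-number <mfa-device-arn> --token-code <otp>`; the returned `AccessKeyId`, `SecretAccessKey` and `SessionToken` stop working at the returned `Expiration`, which is the whole point of preferring them over a long-term key.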

Rotate Access Tokens  

Regularly rotate access tokens and API keys to limit the window in which a leaked credential is usable. The process is: create the new token, switch every application that uses the old token over to the new one, verify nothing is still using the old token (last-used data is invaluable here), then delete the old token. AWS allows two active access keys per IAM user precisely so this can be done without downtime. Like changing a password, rotating a token regularly limits the damage a leaked or misplaced token can cause, though rotation is a mitigation, not a substitute for temporary credentials.
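The checks from De-provision IAM Accounts, Protect User Access Keys, Protect Root User Account, MFA Activation and this section all read off the same data source in AWS: the IAM credential report. Here is an added Python example (not code from the original article or from Sonrai) that reviews such a report and produces the remediation list those sections describe. The CSV is a constructed, trimmed report in the column layout IAM produces (the real one is returned base64-encoded by `aws iam get-credential-report`); the placeholder strings `N/A`, `no_information` and `not_supported` are the ones IAM emits. The 90-day thresholds and the 7-day grace period for a never-used key are the example's assumptions.

```python
"""Access-key and dormant-identity hygiene from an AWS IAM credential report.

Added example, not code from the original article. Flags: root access keys,
root without MFA, console users without MFA, keys older than 90 days, keys
never used or unused for 90 days, and identities with no activity for 90 days.
The CSV below is a constructed, trimmed credential report.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2020-03-01T09:00:00+00:00,not_supported,2024-05-20T08:12:00+00:00,false,true,2022-01-10T11:00:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-06-14T10:00:00+00:00,true,2024-05-30T14:05:00+00:00,true,true,2024-04-01T09:00:00+00:00,2024-05-31T07:45:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2021-06-14T10:00:00+00:00,true,2023-11-02T16:20:00+00:00,true,false,N/A,N/A,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-02-01T10:00:00+00:00,false,N/A,false,true,2023-09-01T09:00:00+00:00,2024-05-31T23:10:00+00:00,true,2024-05-01T09:00:00+00:00,N/A
svc-never-used,arn:aws:iam::123456789012:user/svc-never-used,2023-12-01T10:00:00+00:00,false,N/A,false,false,N/A,N/A,false,N/A,N/A
"""


def parse_ts(value):
    """IAM emits ISO-8601 timestamps, or N/A / no_information / not_supported."""
    if not value or value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def review_credential_report(report_csv, now=NOW, max_key_age_days=90,
                             dormant_days=90, grace_days=7):
    """Return (user, finding, detail) tuples for identities and keys to remediate."""
    findings = []
    key_cutoff = now - timedelta(days=max_key_age_days)
    dormant_cutoff = now - timedelta(days=dormant_days)
    grace_cutoff = now - timedelta(days=grace_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        keys_active = [row[f"access_key_{i}_active"] == "true" for i in (1, 2)]

        if user == "<root_account>":
            # Root permissions cannot be reduced: no keys, and MFA is mandatory.
            if any(keys_active):
                findings.append((user, "root_access_key", "delete root access keys; use an IAM identity"))
            if row["mfa_active"] != "true":
                findings.append((user, "root_no_mfa", "enable MFA on the root user"))
            continue

        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "no_mfa", "console password without MFA"))

        last_activity = [parse_ts(row["password_last_used"])]
        for i, active in zip((1, 2), keys_active):
            last_used = parse_ts(row[f"access_key_{i}_last_used_date"])
            last_activity.append(last_used)
            if not active:
                continue
            rotated = parse_ts(row[f"access_key_{i}_last_rotated"])
            if rotated is not None and rotated < key_cutoff:
                findings.append((user, "stale_key", f"access key {i} older than {max_key_age_days} days; rotate"))
            if last_used is None:
                if rotated is not None and rotated < grace_cutoff:
                    findings.append((user, "unused_key", f"access key {i} never used; delete"))
            elif last_used < dormant_cutoff:
                findings.append((user, "inactive_key", f"access key {i} unused for {dormant_days}+ days; delete"))

        # Dormant identity: newest of console login / key use, else creation time.
        seen = [ts for ts in last_activity if ts is not None]
        newest = max(seen) if seen else parse_ts(row["user_creation_time"])
        if newest is not None and newest < dormant_cutoff:
            findings.append((user, "dormant_user", f"no activity since {newest.date()}; de-provision"))
    return findings


if __name__ == "__main__":
    for user, code, detail in review_credential_report(SAMPLE_REPORT):
        print(f"{user:16} {code:16} {detail}")
```

On the constructed report the review flags the root user twice (active key, no MFA), `bob` and `svc-never-used` as dormant, and `ci-deploy` for one key that is 274 days old and one that was created a month ago and never used; `alice` produces nothing. Feeding the real report in on a schedule, and wiring the `dormant_user` and `unused_key` findings to automated disable-then-delete steps, is the automation the sections above call for.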

Solutions for IAM in the Cloud

With a laundry list of best practices, and hundreds of identities to secure, you might be looking for a tool to help with your IAM. If that’s the case, consider looking for a solution that helps your organization:

Manage passwords: Tools like password managers and single sign-on prevent your users from using the same weak passwords across applications, protecting your organization from a potential breach.

Automate workflows: You can create automated workflows for processes like onboarding and offboarding users, providing specific roles with different levels of access, and approving user access to applications and systems.

Manage permissions: Businesses can streamline the review and verification of user access to various apps and resources and automatically provision and de-provision access permissions at the user and application levels. Furthermore, they can specify and verify the actions users can carry out in various applications and define and manage access through user roles.

Ensure compliance: With logging, reporting, and analytics functionalities, organizations can remain compliant with industry-specific and general data-focused regulations. These tools can also help identify potential optimization opportunities or risks.

Scale your organization: Centralized policies for identity management help streamline processes across various applications—whether on-premises or on the cloud. This allows your own developers to focus on the work they do best, enhancing your custom application and organically growing your customer audience. 

Together, these capabilities improve how you manage identities across your cloud.