Table of Contents
Share this entry
IAM governance is a priority for DevOps and security teams in the public cloud. Accounts, access, permissions, and privileges have become popular targets in recent cybersecurity attacks on the cloud. A well-established IAM governance policy will significantly reduce the risks of data breaches on the cloud from unauthorized access.
While cloud service providers may offer effective baseline security policies that safeguard users from malicious activities, enterprises may face compromised security when implementing a multi-cloud strategy. However, multi-cloud adoption may seem inevitable for some enterprises as they scale their operations.
DevOps teams can help companies achieve safer data management through a comprehensive IAM strategy that works across multiple cloud platforms. While IAM strategies may differ among enterprises, general guidelines can help cloud users achieve the Principle of Least Privilege and stay there.
Regardless of the complexity of your operations, the aim of our best practice recommendations is to make whatever you are doing work out better, faster, and more efficiently with fewer problems and mistakes. Here are just a few best practices to be aware of when working in the cloud.
Due Diligence of Administrator Credentials
Administrator credentials should strictly belong to administrator accounts. Enterprises should consistently monitor the usage of administrator accounts to eliminate the risks of anomalies. For best practices, enterprises should restrict administrator accounts to necessary functions and discourage daily usage.
It is vital for enterprises to protect the powerful set of permissions linked to administrator credentials. Cloud users should consider additional security measures, such as implementing separate account logins and enforcing encryption, which minimizes the risks of malicious infiltration.
Categorize User Management
Systematic user management will help enterprises optimize account and access controls. DevOps can achieve this by sorting users into groups and roles according to their linked permissions. Through grouped categorization, system administrations can effectively manage similar permissions, roles, and privileges without tediously sorting through individual accounts.
However, it is best practice to have complete visibility into all permissions, roles, and privileges for all users and identities. Without this visibility, a user may receive more access than needed leaving your organization open to unnecessary risks.
MFA Activation
MFA (multifactor) authentication provides critical accounts with added security that discourages cyberthreats by complicating the hacking process. Fundamental access controls, including Role-Based Access Control (RBAC) and Multifactored Authorizations (MFAs), can prevent intrusions by both types of criminals. These controls verify the identity of valid users, then monitor their usage to ensure it remains within the security parameters mandated by their work. As a general security best practice activate MFA for all of your accounts.
Access keys provide long-lived access to your environment programmatically as opposed to logging in via the Console using a good old user/password combo. As a general best practice, temporary credentials should be used whenever and wherever possible, not long-lived access. This can be achieved by using IAM roles.
Enforce Password Hygiene
Enterprises should ensure that users maintain proper password hygiene, which eliminates weak authentications (recommended on top of standard MFA implementations). The NIST SP 800-63-3 Policy provides a comprehensive list of password guidelines for optimized digital data security. Some key suggestions include skipping character composition rules (which burden malicious parties) and only changing passwords in the event of compromised account login.
Rotate Access Tokens
Users should regularly rotate access tokens to minimize the risk of compromised credentials. The process involves creating new tokens, switching applications that use the new token, and deleting the old token. Like passwords, regularly changing an API token will limit the damage a leaked or misplaced API token can cause.
Centralize IAM
By providing centralized management of all identities (whether it’s users, groups, services, and/or roles), your organization gains the visibility needed for proper oversight. Centralized IAM makes it easier to enforce policies governing identity and access. This is because an effective centralized approach ensures that privileges are issued in accordance with the policies and controls within your organization’s governance framework. As a result, you can align privileges with your business requirements.
Enforce Least Privilege
The Principle of Least Privilege ensures that users receive the minimum permissions required to fulfill their roles. Through least privilege, DevOps can significantly reduce the blast radius in the event of a data breach by restricting threats to the specific permissions linked to an account.
Ultimately, as best practice only give individual users or specific pieces of compute the exact amount of privileges they need to get their job done.
Discover and Inventory All Identities
You can’t protect or manage accounts, identities, roles, or assets that you don’t know about. Unfortunately, with so many scripts and so much automation layered all over the DevOps toolchain, it can be tremendously difficult to discover and inventory all of your identities. Some identities are embedded in runtimes or hard-coded into compiled executables making visibility a challenge, but it must be done. Organizations need to get clear visibility into exactly what tools are executing the automation and what the privileges are assigned to them.
Manage Shared Secrets and Hard-Coded Passwords
Unfortunately, even when teams are meticulous about rooting hard-coded passwords out of their finished applications, they often leave them within the IT infrastructure that helps support the development of that software for the sake of expedience. The same goes for account sharing, which is a frequent mistake organizations make to just get the automation working and keep it working with stability. The problem is, this makes it difficult for traceability or auditability of activity within the affected environment.
Best practices for shared secrets are to continuously monitor identifies and manage risks associated with critical systems and data on an ongoing basis. By doing so, all potential access paths to your data, serverless functions, containers, VMs, and users are uncovered and categorized by privilege.
With continuous monitoring, organizations gain an additional layer of oversight over their existing cloud security frameworks and optimize the effectiveness of internal controls. It also maintains a documented record of change control and validation, which improves ongoing compliance and reduces auditing workloads. Also, an organization can gain increased visibility into the changes in their environment: Who made the changes? When did the changes occur? What information was accessed?
End-to-End Visibility
Visibility is key to security, this is why it’s important to know the effective permissions for all Identities (human and non-human) in your organization. You can get true visibility into data and access trust relationships by graphing, classifying, and mapping identities. With end-to-end visibility, organizations will detect misconfigurations and changes — and respond effectively.
Summary
DevOps practices allow for incremental implementation so enterprises do not need to make required changes and updates from the beginning. Following the above-mentioned DevOps best practices, your organization can ensure to develop and deliver robust software solutions that help companies to achieve their business object effectively without additional security risks.
Sonrai Dig has been developed to help organizations improve security, ensure compliance and increase operational efficiencies for their AWS, Azure, GCP, and other cloud platforms. Core to the platform is the ability to gain a centralized and consistent view into cloud identity and data relationships, activity, and data movement across cloud accounts, cloud providers, and third-party data stores. Read our blog to learn more about our solution.
THE ARCHITECT
The Newsletter for Cloud Security Leaders. 1x a month.
Get a Comprehensive Cloud Identity Audit
Request Your AuditRead the latest news and insights
Sonrai cloud security platform, products and services are covered by U.S. Patent Nos. 10,728,307 and 11,134,085, together with other domestic and international patents pending. All rights reserved.