Managing both human and non-human identities, and their access to digital resources, is a fundamental pillar of information security for any organization. According to a survey cited in a recent Forbes article, 74 percent of data breaches start with abuse of privileged access. The role of identity and access management (IAM) takes on an increased level of importance as you move to the Cloud.
Managing security in the Cloud is a paradigm shift from on-premises, where the organization was responsible for protecting all its digital assets, from the bare metal of the servers to the applications that run on them. In the Cloud, the public Cloud provider is responsible for protecting its infrastructure, but the organization still has to guard its own workloads, applications, data, identities and configuration. This is commonly known as the "shared responsibility model".
With on-premises security, the network perimeter was traditionally your boundary. Here you had control over access to your information and applications; firewalls could block unwanted traffic and network monitoring systems could spot suspicious activity. In the Cloud, your resources are accessed from a variety of endpoints, devices and identities, many of them outside any network you control. As a result, the network boundary has eroded and identities have become the new perimeter. Thus, to effectively protect your Cloud environments you need to secure who and what has access to them, as well as what those identities are permitted to do once inside.
Identity and access management (IAM) systems allow you to identify, authenticate, and authorize individuals, groups, and identities, both human and non-human, and control their access to your applications, resources, services and networks. By imposing rights and restrictions on that access, they protect the data in your environment and the environment itself.
An identity and access management solution includes all the necessary controls and tools to capture identity information. It has the ability to orchestrate the end-to-end lifecycle of your identities, from assignment to removal of privileges and everything in between. Without effective IAM, these functions are often performed manually, which leads to significant security risks. Two of the most commonly seen risks are direct over-provisioning, where an identity is granted more access than it needs to do its job, and indirect over-provisioning, where an identity's effective permissions, meaning everything it can reach through group memberships, assumable roles and resource policies, are far greater than what was deliberately granted to it.
Identity access management is essentially a framework. As such, it's a structure for organizing a myriad of services, policies, concepts, and more. While no one framework fits all organizations, there are several popular frameworks and guidelines you can use for guidance when setting up your IAM scheme.
• NIST. The U.S. National Institute of Standards and Technology publishes the SP 800 series, designed to address the security needs of the federal government. Its Digital Identity Guidelines (SP 800-63) cover identity proofing, strong authentication, federation, and password policy. Although written for federal agencies, the guidelines are considered best practices for companies serious about securing their digital assets.
• HIPAA. The 1996 Health Insurance Portability and Accountability Act gives the U.S. Department of Health and Human Services the power to set standards for the handling of personal health information. The department's guidelines emphasize the principle of "least privilege." That means an individual's or entity's privileges should be limited to what's needed to do their job or function.
• SOC 2. This is a framework developed by the American Institute of Certified Public Accountants. It is based on five trust services criteria: security, availability, processing integrity, confidentiality, and privacy. Unlike some compliance vehicles, SOC 2 isn't a "check the box" tool. Businesses use it to demonstrate that they can continuously instrument, identify, and remediate control deficiencies in a timely manner.
• CIS Benchmarks. These best practices, developed by the Center for Internet Security, include a CIS AWS Foundations Benchmark that Amazon Web Services references to help its customers harden their account and service configuration. Because the benchmarks are created through a consensus of practitioners, they've gained traction among many governments, businesses, and industries, as well as universities and research facilities.
A major benefit of IAM is that it provides centralized management of your identities, be they users, groups, services and/or roles, and enables the visibility needed for proper oversight. Centralized management makes it easier to enforce policies governing identity and access, and to keep a finger on "privilege creep", the gradual accumulation of permissions an identity no longer needs. Effective IAM also ensures that privileges are issued in accordance with the policies and controls of your organization's governance framework, so that access stays aligned with business requirements.
Thus, with effective IAM in place, you can lower the risk of data breaches in your environment by establishing, and maintaining, least-privilege boundaries around every identity. Should a breach occur, these boundaries significantly limit the damage a compromised identity can do.
While identity and access management (IAM) solutions provide a great deal of functionality, this comes at the cost of simplicity. Cloud-native IAM lets you view the policies attached to each identity, but it is often difficult to determine an identity's effective permissions in those native tools, because access also flows in through group membership, role assumption and resource-based policies. This creates scenarios where the effective permissions of an identity are far greater than what they are thought to be, with consequences ranging from negative audit observations to breaches of sensitive data. While these can be big challenges, there is a way to effectively manage identities in the public Cloud.
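To make the indirect over-provisioning and effective-permission problems described above concrete, here is an added example (not code from Sonrai Security or from any cloud provider's SDK) that walks a constructed, deliberately simplified identity model. The policy documents, principal names (user/alice, role/deploy, role/admin) and the trust table are all made up for illustration; evaluation ignores conditions, resource-based policies, permission boundaries and session policies, and models role assumption as requiring both an sts:AssumeRole allow on the caller and the caller's presence in the role's trust list. The point it shows is that a user whose own policy is read-only can still reach full administrative rights through a chain of assumable roles, which is exactly what a per-identity view of attached policies hides.

```python
"""Effective-permission walk over a constructed, simplified IAM model.

Added example, not a cloud provider's policy engine.  Statements carry only
Effect / Action / Resource; '*' is the only wildcard; explicit Deny wins.
"""
from collections import deque
from fnmatch import fnmatchcase

# Constructed policies: principal -> list of statements (hypothetical names).
POLICIES = {
    "user/alice": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": "role/deploy"},
    ],
    "user/bob": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": ["s3:DeleteObject"], "Resource": "*"},
    ],
    "role/deploy": [
        {"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": "role/admin"},
    ],
    "role/admin": [
        {"Effect": "Allow", "Action": ["*"], "Resource": "*"},
    ],
}

# Constructed trust relationships: role -> principals allowed to assume it.
TRUST = {
    "role/deploy": ["user/alice"],
    "role/admin": ["role/deploy"],
}


def statement_matches(stmt, action, resource):
    """True if the statement's Action and Resource patterns cover the request."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    return any(fnmatchcase(action, a) for a in actions) and fnmatchcase(resource, stmt["Resource"])


def direct_allows(principal, action, resource="*"):
    """Evaluate only the principal's own policies: any matching Deny wins,
    otherwise any matching Allow grants, otherwise implicit deny."""
    stmts = POLICIES.get(principal, [])
    if any(s["Effect"] == "Deny" and statement_matches(s, action, resource) for s in stmts):
        return False
    return any(s["Effect"] == "Allow" and statement_matches(s, action, resource) for s in stmts)


def assumable_roles(principal):
    """Roles the principal can actually step into: it must be named in the
    role's trust list AND its own policy must allow sts:AssumeRole on the role."""
    return [role for role, trusted in TRUST.items()
            if principal in trusted and direct_allows(principal, "sts:AssumeRole", role)]


def effective_path(start, action, resource="*"):
    """Breadth-first walk over role assumption.  Returns the shortest chain of
    principals ending at one whose own policy allows (action, resource),
    or None if nothing reachable does."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if direct_allows(path[-1], action, resource):
            return path
        for role in assumable_roles(path[-1]):
            if role not in seen:
                seen.add(role)
                queue.append(path + [role])
    return None


def report(principal, action, resource="*"):
    """Human-readable comparison of provisioned vs effective access."""
    path = effective_path(principal, action, resource)
    direct = direct_allows(principal, action, resource)
    if path is None:
        return f"{principal}: {action} not reachable"
    if direct:
        return f"{principal}: {action} allowed directly"
    return f"{principal}: {action} reachable via " + " -> ".join(path)


if __name__ == "__main__":
    for who in POLICIES:
        print(report(who, "iam:CreateUser"))
```

Running the block shows user/alice reaching iam:CreateUser via user/alice -> role/deploy -> role/admin even though her attached policy is read-only S3 plus one AssumeRole, while user/bob, whose policy is broader on S3, cannot reach it at all. In a real account the same walk has to account for group membership, resource-based policies, permission boundaries and conditions, which is why tooling that builds the full identity-to-data graph is needed rather than reading policies one identity at a time.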
Sonrai Security delivers an enterprise cloud security platform focused on identity and data protection inside AWS, Azure, and Google Cloud. We can show you all the ways data has been accessed in the past and can be accessed in the future. Our platform delivers a complete risk model of all identity and data relationships, including activity and movement across cloud accounts, cloud providers, and third-party data stores.
Sonrai Security enables you to protect the "family jewels" by continuously monitoring critical data inside object stores and databases. You can constantly see where your data is and its classification, what has access to your data and from where as well as what has accessed your data and what has changed. Sonrai Security can help with identity security and identity access management across your public cloud.
How would you know if your company had an open cloud resource? If you’re not yet a Sonrai Security client, then you might find this webinar interesting. Watch as Dan Woods, technology analyst and founder of Early Adopter Research, and Eric Kedrosky, Director of Cloud Security Research & CISO at Sonrai Security, explore how to find and fix an exposed S3 bucket as they review preventing data loss.