In this article, we discuss another vital set of cloud security controls: Identity and Access Management (IAM).
All these questions are answered in Identity and Access Management 101.
In 2020, 80% of hacking-related breaches involved the use of stolen credentials. This means that an attacker who obtains valid credentials, say via a brute force attack or a phishing campaign, can cause all kinds of havoc in your cloud environment. That’s why it’s vital that you verify all user identities and control user access to cloud resources. Here’s where identity and access management (IAM) comes in. Through various tools, policies and processes, IAM can help you strengthen your cloud-native security posture.
Identity and Access Management (IAM) is a set of technologies, processes and policies that enable organizations to create, manage and control all their digital identities. The IAM framework enables network administrators and managers to control user access, and thus protect the company’s sensitive and business-critical assets and data.
IAM involves both authentication (“authn”) to confirm that a user is who they say they are, and authorization (“authz”) to ensure that they can only perform the tasks they’re authorized to perform. Both aspects are crucial to control access to cloud resources, and secure them from bad actors.
In addition to authentication and authorization, IAM also involves other steps that are equally important in a cloud-native environment. These are part of the identity and access lifecycle that enables your organization to:
Automated identity governance with cloud-based services systems helps simplify the lifecycle for all kinds of organizations – even smaller firms with limited IAM budgets, few requesters and even fewer approvers.
The IAM lifecycle addresses the creation and deletion of digital identities, as well as the creation and deletion of access rules for these defined identities. Whether identity and access are handled by the same or different systems, the steps below are important to ensure the robustness of the organization’s IAM framework and to ensure reliable access control.
In this first step, an entity (human or non-human) makes a request to the IAM system. This could involve one or more of the following:
Anonymous access requests are difficult to trace, control and audit, so ideally the requesting identity should be authenticated before the request is accepted. Access requests made by outsiders such as the general public, say, to access your web applications, should be linked to some other identity factor like an email address or phone number. In a cloud environment, the request process may happen “out of band”, meaning it may not involve the cloud IAM system.
The approval process may differ by user and access type. For instance, it’s acceptable to implicitly and automatically approve access requests to a publicly-available web application, as long as they satisfy certain anti-fraud requirements and don’t originate from anonymizing locations.
However, inside organizations, access requests to cloud resources should always be explicitly approved by one or two approvers to ensure that only authorized personnel can access these resources. The IAM system and approvers determine if the request is reasonable and necessary without the cloud provider’s involvement.
The next step is to create or delete identities, and grant or revoke those identities’ access to cloud resources. These actions may happen automatically via the cloud provider’s APIs, or manually via an email, ticket or other notification. In the latter case, an admin may log into the cloud portal to manually create an identity and/or grant it a specific level of access.
For the authentication stage, many cloud providers provide cloud identity services at no additional charge. With such systems, you can centrally manage the identities of cloud administrators, as well as the access types and levels to all cloud services and resources.
The most popular cloud provider identity services include:
Regardless of the identity service or provider you use, it’s important to distinguish between the identity store and the authentication protocol. The former is a database that stores identities. The latter is the mechanism that verifies a user’s claimed identity and authenticates them. It could be OpenID, SAML (Security Assertion Markup Language), LDAP (Lightweight Directory Access Protocol) or something else.
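The store/protocol distinction is easier to see in code. Below is an added example, not code from Magalix or from any of the identity services named on this page: one identity store holding salted password hashes, and two different authentication protocols verifying against that same store, a password check and a signed bearer token (a simplified stand-in for a SAML or OpenID assertion). The class names, the token format, the signing key and the sample user are assumptions made for the illustration.

```python
# Added example (not Magalix's code): identity store vs. authentication protocol.
# Class names, token format, key and sample user are assumptions.
import base64
import hashlib
import hmac
import json
import os
import time

PBKDF2_ROUNDS = 100_000


class IdentityStore:
    """The identity store: who exists and what credential material is kept."""

    def __init__(self):
        self._users = {}

    def add_user(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = {"salt": salt, "hash": digest}

    def delete_user(self, username):
        self._users.pop(username, None)

    def lookup(self, username):
        return self._users.get(username)


class PasswordAuthenticator:
    """Protocol 1: username/password checked against the store's salted hash."""

    def __init__(self, store):
        self.store = store

    def authenticate(self, username, password):
        rec = self.store.lookup(username)
        if rec is None:
            # Same work for unknown users, so timing does not reveal who exists.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, rec["hash"])


class SignedTokenAuthenticator:
    """Protocol 2: an HMAC-signed bearer token, still resolved against the same
    store so that a deleted identity cannot keep using an old token."""

    def __init__(self, store, key, ttl_seconds=300):
        self.store, self.key, self.ttl = store, key, ttl_seconds

    def issue(self, username, now=None):
        now = time.time() if now is None else now
        body = base64.urlsafe_b64encode(
            json.dumps({"sub": username, "exp": now + self.ttl}).encode())
        sig = hmac.new(self.key, body, hashlib.sha256).digest()
        return body + b"." + base64.urlsafe_b64encode(sig)

    def authenticate(self, token, now=None):
        """Returns the authenticated username, or None if the token is rejected."""
        now = time.time() if now is None else now
        body, sep, sig = token.partition(b".")
        if not sep:
            return None
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        try:
            if not hmac.compare_digest(base64.urlsafe_b64decode(sig), expected):
                return None                     # signature check first, then claims
            claims = json.loads(base64.urlsafe_b64decode(body))
        except (ValueError, TypeError):
            return None
        if claims.get("exp", 0) < now:
            return None                         # expired
        if self.store.lookup(claims.get("sub")) is None:
            return None                         # identity no longer in the store
        return claims["sub"]


def demo():
    store = IdentityStore()
    store.add_user("alice", "correct horse battery staple")   # constructed sample user
    pw = PasswordAuthenticator(store)
    tok = SignedTokenAuthenticator(store, key=b"demo-signing-key", ttl_seconds=60)
    token = tok.issue("alice", now=1000)
    body, _, sig = token.partition(b".")
    forged = base64.urlsafe_b64encode(
        json.dumps({"sub": "alice", "exp": 10**9}).encode()) + b"." + sig
    results = {
        "password_ok": pw.authenticate("alice", "correct horse battery staple"),
        "password_bad": pw.authenticate("alice", "wrong"),
        "unknown_user": pw.authenticate("mallory", "anything"),
        "token_ok": tok.authenticate(token, now=1010),
        "token_expired": tok.authenticate(token, now=2000),
        "token_forged_claims": tok.authenticate(forged, now=1010),
    }
    store.delete_user("alice")                   # identity deleted in the store...
    results["token_after_delete"] = tok.authenticate(token, now=1010)  # ...protocol now refuses it
    return results
```

Swapping `SignedTokenAuthenticator` for a real SAML or OpenID Connect library changes the protocol but not the store; conversely, moving the store from an in-memory dictionary to a directory service changes nothing in either protocol class beyond `lookup`. That separation is what lets a cloud identity service front several authentication methods at once.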
It’s also vital to understand who is being authenticated and how:
Identity-as-a-Service (IDaaS) offerings like Amazon Cognito, Google Compute Cloud Firebase and Auth0 Customer Identity Management are all good ways to manage business-to-employee and business-to-consumer authentication and identity management. For business-to-employee cases, IDaaS services may use employee information stores like your employee directory.
To strengthen your cloud IAM process, follow some best practices related to:
IAM in the cloud is as critical as on-premises IAM, if not more so. The IAM lifecycle and technologies provide fine-grained access control and enhanced visibility, allowing organizations to effectively manage and secure their business-critical cloud assets and data.
Magalix empowers organizations to secure their cloud-native workflows with governance-as-code across their entire Kubernetes infrastructure. We leverage a robust Open Policy Agent (OPA) policy execution engine so you can easily define, manage, and deploy your cloud governance policies. To know how we can help you streamline your cloud security.