The mutation of Cloud Identity and Access Management
IAM, a pillar of IT Security
Identity and Access Management (IAM) is one of the oldest and most pervasive security controls. It is required for controlling who (user) or what (entity[1]) is trying to establish communication, for what purpose (read, write, modify…) and if it is entitled to.
Whatever the evolution of the IT in the coming decades, it will always be mandatory to control identities and their access rights to company data.
The Broken Hybrid Cloud IAM
However, as Thierry Winter, Atos Evidian Chief Technology Officer, explained in his blog post, identity management in hybrid cloud is still behind the curve. It has focused on protecting the front door, by positioning itself as an Identity Provider. The Identity Governance & Administration (IGA) domain of IAM is still a missing piece in the Cloud IAM versus legacy On Premises IAM systems.
First, let’s set the scene by being clear about what Identity Governance and Administration needs to answer. It must answer three simple questions:
- Who (needs access to),
- What (resource, data, application…),
- When (start, end, periodicity…).
They do so by automating access workflows and account provisioning, managing permissions and ensuring reporting compliance.
As of today, every cloud service provider has its own identity management model making the life of their customer’s IT departments a misery when it comes to aligning roles and permissions of their user base across multiple public cloud environments (should they be Infrastructure as a Service IaaS, Platform as a Service PaaS and/or Software as a Service SaaS). Indeed, although the IT department can rely on a single Identity Provider (IdP) for the authentication to all these applications and environments, they will have to configure, set and manage the users, groups and access rights for each of the hundreds of Cloud services used by the enterprise, by logging into each of the applications.
Such a task is impossible when the average organization uses 1,935 unique cloud services, according to the 2019 McAfee Cloud Adoption and Risk Report.
Hybrid Cloud IGA
What’s needed is an Identity as a Service (IDaaS) solution consolidating Web Access Management and Identity Governance and Administration. This will be the place where the customer’s Chief Information Security Officer (CISO) will be able to consistently affect roles to its Business and IT users across multiple Cloud Services (whether IaaS, PaaS or SaaS), periodically review those roles and existing discrepancies, as well as centrally report and manage workflows.
Even better, the system should automatically provision accounts and access rights for newly arrived users and remove recently departed users for all supported cloud services at once.
From a compliance perspective, all changes happening to access rights will be reconciled into IGA for CISO central review. The result of such a review can be an approval of the change, or challenging it to understand the business driver or even raising a Security Incident if the modification could be harmful in any way.
Other IAM Challenges
The continuous evaluation of user context and adaption of authorizations in close to real time is another challenge, which we will address in a follow up blog.
IT is evolving, IAM solutions are keeping pace to better embrace Hybrid Cloud environments.
[1] By entity, I mean all kind of communication sources who are not ultimately a human or group of humans. It could be an application, a bot, a system daemon/agent or any kind of machine/object/thing (server, workstation, smartphone, tablet, IP phone, gateway, printer, camera, network device, firewall, refrigerator, television, …).
[2] There are many different uses of the « Hybrid Cloud » terminology. Here I simply use it as a short cut to describe enterprise Information Systems spread across Public Cloud, On Premises (and/or Private Cloud) and Edge environments, with the ability to serve the Applications in a similar way whatever the environment. I will use the wording “Mutli Cloud” for the simple mix of different Cloud (Public and/or Private) systems, like GCP, AWS, Azure, Alibaba, OVH, VMWare, Openstack, without a common consistent framework…
Read another Blog from Vasco: Leveraging cloud: enhanced security in a multi-cloud environment