Managing identity and access management (IAM) in the cloud is a complex problem—far more complex than it is in traditional, on-premises IT environments guarded by an explicit firewall. As the number of data breaches attributed to illicit or improper access continues to grow, it’s clear that this problem is here to stay. But what makes identity and access management (IAM) an ongoing obstacle for many organizations? And what can organizations do to reduce their risk in this capacity?
Let’s start with the basics. First and foremost, what is IAM? According to Gartner, IAM is “the discipline that enables the right individuals to access the right resources at the right times for the right reasons.” Outside of the cloud, identity is almost inextricably linked to users or people, whether they are employees of an organization or customers using or purchasing an organization’s products and services. Within the cloud, identity is much more. In addition to users, roles, and groups, identity pertains to applications, services, and systems. In other words, pretty much everything in the cloud has an identity. And everything with an identity must be managed.
What makes cloud IAM even more difficult is understanding the final level of access, referred to as effective access, of a given principal, application, or resource.
- Principals: The federated users, IAM roles, and IAM users that define identity and access to cloud resources.
- Applications: The assembling of cloud assets via tagging and naming schemes to illuminate critical applications.
- Resources: The underlying resources supporting applications that define the relationships between all the cloud assets.
Determining effective access involves untangling a confusing web and often confounding permission rules, sometimes referred to as policy evaluation. These layers include:
- Permissions boundaries: Use a managed policy as the permissions boundary for an IAM entity (user or role). That policy defines the maximum permissions that the identity-based policies can grant to an entity, but does not grant permissions.
- Identity-based policies: Attach CSP managed, customer managed, or inline policies to IAM identities (users, groups to which users belong, or roles). Identity-based policies grant permissions to an identity.
- Resource-based policies: Attach inline policies to resources. Resource-based policies grant permissions to a principal entity that is specified in the policy. Principals can be in the same account as the resource or in other accounts.
- Service control policies: Define the maximum permissions for account members of an organization or organizational unit. SCPs limit permissions that identity-based policies or resource-based policies grant to entities (users or roles) within the account, but do not grant permissions.
- Session policies. Pass advanced session policies to assume a role or a federated user.
There are, potentially, five layers of policy that determine the effective access of a given application, resource, or principal. Even within a small cloud environment, untangling (let alone understanding or managing) this web of policies to determine effective access is extremely difficult. On a larger scale, it is impossible.
Organizations, particularly those using more than one cloud service provider, should be investing in tools that help them understand their identity and access landscape. DivvyCloud by Rapid7’s IAM Governance Module can put you back in control and simplify cloud IAM. This module provides visibility into all cloud resources and services, regardless of which cloud service providers you use. It can ultimately allow you to prioritize and remediate improper permission combinations granting unintended access that could result in a breach.
Listen to what DivvyCloud founder and CEO Brian Johnson had to say about cloud IAM on the CISO/Security Vendor Relationship podcast.
DivvyCloud protects your cloud and container environments from misconfigurations, policy violations, threats, and IAM challenges. With automated, real-time remediation, DivvyCloud customers achieve continuous security and compliance, and can fully realize the benefits of cloud and container technology.