Key Considerations for IAM in the Cloud

Embedding mature identity and access management (IAM) practices into every stage and layer of cloud implementation is a necessity to address the risks inherent in cloud architecture. These risks are many and include:

  1. unintentional exposure of sensitive data, unauthorized access to sensitive data, and data exfiltration;
  2. compliance and legal risks;
  3. security risks of the cloud vendor;
  4. compromised credentials and account hijacking;
  5. inadequately protected application programming interfaces and endpoints;
  6. advanced persistent threats;
  7. denial of service attacks; and
  8. shared technology can mean shared dangers.

To plan for and mitigate these risks at retailers, manufacturers, financial institutions, government agencies, and others, we asked several Sila subject matter experts (SMEs) to examine the key considerations for IAM in the cloud. Below are their thoughts.

Why focus on IAM during cloud implementations?

  • IAM has always played an important security function, but now that the borders of the data centers have been extended or dissolved, IAM must play a considerably larger role in the defense process than it did previously. It is a generally accepted phrase that “identity is the new perimeter”.
  • Almost all application and technology implementations have an access component, including the cloud. The more critical the target systems, the more tightly you need to control the access.
  • Depending on a company’s business, and intended use of the cloud, new IAM installations are likely needed at every layer of the implementation: customer facing applications, enterprise facing applications, systems infrastructure, and cloud infrastructure.
  • The cloud offers improved capabilities and cost efficiencies. With those benefits, however, comes the need to properly implement security measures such as IAM to protect customer and business data. Effective implementation and maintenance of a comprehensive IAM strategy reduces the risks of data exposure by controlling who is on the network and the data/applications they can access.
  • As systems grow more complex to meet customer needs, IAM increases in complexity as well. That means success in the cloud is dependent on secure implementation. Understanding what key considerations should be applied, as well as what IAM capabilities cloud service providers (CSPs) have available, can help not only uncover key, and perhaps previously overlooked requirements, but also can serve as additional navigational guiderails for a successful and long-lived design concept for your application or system.

Why is security compromised if you don’t properly implement IAM?

  • Most organizations have been embedding layered IAM into their data center and enterprise practices for years, and they rely on these controls to protect them from a myriad of cyber threats and compliance exposures. When a company moves to the cloud, there are three critical considerations:

    • The company MUST fully understand the current IAM process/controls environment so that they understand what is likely going to break or introduce gaps and vulnerabilities when adding a cloud environment (or multiple cloud environments) into the mix.
    • The company MUST have a plan to raise IAM in the cloud environment to AT LEAST the same level of maturity as the existing data center and on prem implementation.
    • The company MUST plan to take advantage of unique processes and advantages that are available within the ever-evolving cloud world.
  • You might be able to perform IAM functions in a similar fashion to how you’ve done it on premise, but there are new options and new functionality available that should be considered for functional, efficiency, performance, compliance, and security reasons.
  • Risks are high for companies that fail to adequately implement or under scope IAM in the cloud. With today’s ever-changing compliance and regulatory landscape, companies face substantial fines for exposing customer data, reputational loss, and loss of revenue if they fail to act appropriately. In addition, hackers are financially motivated to use extortion tactics to hold companies’ hostage by threatening to encrypt or publicly release important data.

At what stages does IAM belong when architecting a roadmap for a secure cloud?

  • IAM intersects with all phases of architecting for the cloud—plan, build, test, deploy, and operate. The key is to identify and architect for security and compliance requirements up front, while continuing to add/refine those elements as you iterate through the development and deployment process.
  • Architects, developers, and security teams should be reminded that when planning, designing, building, and running a system or application, IAM should be part of all requirements considerations if they want to avoid 11th-hour scenarios where less effective security measures must be bolted on.
  • While cloud providers work hard to simplify offerings and embed security into their fabric, a cloud implementation will always add complexity out of the gate. Until a cloud migration is 100 percent complete, or until old processes are retired, an organization needs to be particularly diligent about ensuring IAM is a core partner every step of the way—from strategic planning to sustainment activities.

Should you buy identity as a service (IDaaS) from the cloud provider, or use a third-party tool?

  • There are more IAM products, services, and capabilities available than ever before. Many of these services are available directly within a specific cloud environment. Gone are the days when you can choose a best-of-breed product in a specific category and cover your business needs. It is critical that companies understand their business needs, priorities, exposures, and landscape so that they can choose IAM practices, products, and services that effectively meet their needs.
  • Many of the newer identity tools are offered as a service or embedded into a cloud environment. Many of the existing on prem services are extending their capability to support the cloud. Also, there are IAM vendors relying on platform-neutral solutions with the desire to ensure continuity across various cloud environments.
  • A sound IAM strategy is more important that it has ever been. Tactically jumping from one solution to the next without a holistic view is going to cause headaches, wasted work, and decrease trust in your IAM program partnerships. Because there are so many nuanced choices to be made, we believe human and cultural process management is the most important part of the security process. Looking at IAM as a technology problem is more likely to cause problems than to result in solutions.

What are the challenges associated with embedding IAM into the cloud?

  • It is challenging to accomplish sufficient due diligence in eliciting requirements and adequate planning to meet business requirements, while balancing rapid time to value. Execution and program management is key. An IAM program needs to be able to keep projects on track and ensure they fully meet the intended goals.
  • There are many challenges associated with embedding good IAM processes into a project and perception is one of the biggest. Many technologists and business people still think IAM should be easy despite it being one of the major process, cultural, and technological challenges an organization will face. In 2017, IAM professionals need to do a better job marketing the complexities, bumps, bruises, and overall journey that the company has been on to date. In addition, technology stakeholders need to invest in good, process-oriented, IAM professionals that can take them on the rest of the journey in an effective way.
  • Most technologists have a general or broad knowledge of IAM, but don’t have a detailed or targeted understanding of what it really takes to be successful. Hiring the right IAM SMEs in your organization and choosing the right consulting partners is key to ensuring that you find the correct balance for your IAM priorities and that you keep your customer’s data safe and sound.