Getty Images

Security Think Tank: Going beyond IAM for cloud security

Managing access and privilege across complex and powerful cloud tooling is not a straightforward task; but there are some key considerations that can help security teams stay on top of identities in the cloud

The cloud has become a great tool for business, enabling organisations to benefit from its accessibility, fast deployment options, operational resilience, and lower-cost maintenance. The ability to run applications and services in public and private clouds on multiple device technologies, from traditional desktops to the latest mobile devices, has enabled companies to embrace flexible working practices across the workforce – with the pandemic and subsequent hybrid working patterns emphasising the importance of this.

However, the accessibility and capability that cloud technology provides, along with its ever-accelerating speed of innovation, make companies increasingly vulnerable to cyber attack as exploitation techniques become more and more sophisticated. Threats such as phishing, malware, denial of service (DoS) attacks, identity theft, and zero-day threats put companies under pressure to invest in additional cyber security solutions on top of the more traditional firewalls and antivirus software.

The cloud also has the capacity to integrate with third-party services or applications, with traditional security paradigms potentially unable to provide sufficient protection for these integration points. In addition, a shared responsibility model can be introduced and, while the cloud provider is responsible for securing its application and the data within it, the customer is also obligated to ensure their data remains secure and available. This increases logistical complexity, and each party must maintain awareness of the duties they hold.

Ultimately, the cloud’s dynamic nature, which allows resources to be added, removed, and scaled up and down as required (thereby driving its popularity with businesses), means that the more standard ‘static’ security measures (such as firewalls, intrusion detection systems, and access controls lists) can still leave a cloud environment vulnerable.

Overall, the diversity of deployment options, sparsity of some solutions and the reliance on external service providers to support data security, can lead to a lack of visibility and control over the cloud environment, making it a challenge to manage and keep secure. An increased focus on Identity and Access Management (IAM) offers a solution, but managing access and privilege across complex and powerful tooling is not a straightforward task; the following key considerations may help security teams stay on top of identities in the cloud.

The principle of least privilege

In general, as a best practice principle, this is relevant for all systems. If users can only access what they need to do their jobs, there is limited scope for misuse of access to perform malicious activities elsewhere in the estate. Also referred to as role-based access control (RBAC), it means that if an account is compromised, an attacker’s subsequent movement is limited to a set job function, making it less likely that they will be able to perform operation-stopping actions.

Understanding IT estates

With cloud solutions often spread across multi-cloud environments or operating on hybrid cloud models, it is increasingly important to understand the security operations of each of these cloud vendors and how they differ from each other. A knowledge of where systems sit within the broader IT landscape, and knowing who needs access to each one, is also the best starting place from which to configure access and assign privileges appropriately.

Multifactor authentication (MFA)

MFA mitigates against weak or compromised passwords (which can happen easily through various methods including phishing attacks, social engineering, and password guessing) by requiring users to supplement their initial sign-in with additional validation of their identity such as a PIN, second password or biometrics. MFA is a popular way to add layers of security to cloud-based applications and data, and by requiring an extra stage of verification, it also helps to limit the potential for brute-forcing login credentials.

Protection of important accounts

As with any other system, the most privileged accounts should be a top security priority as a breach of one could compromise the operational viability of the organisation. This requires increasing the visibility of their use through undertakings such as activity monitoring, unlimited privileges removal, and the review of audit logs. The number of people with access to privileged or important accounts should also be limited; this is especially important for superusers (also known as root, or admin, users) due to the extremely high-level access required for system administration and their criticality for continued system operation. Ideally these accounts should be kept from regular use and should never have their credentials shared.

Single Sign On (SSO)

This method of authentication allows users to access multiple apps and systems with a single set of (highly secure) credentials. Typically, a user signing into an application is redirected to a central identity provider (IDP); once authenticated by the IDP they are issued with a security token that contains information about their identity and permissions. The token is passed on to the relevant applications, which grant access without requiring further proof of identity.  By limiting the number of passwords and logon credentials that need to be memorised by an end user, the attack surface is narrowed. This in turn lowers the likelihood of reused or weak passwords, and generally reduces detrimental security practices caused by enterprise fragmentation.

Zero-trust security

Zero-trust security, which requires every user and device to be verified before being granted access to cloud-based applications and data, is becoming increasingly popular in cloud environments because it ensures that only authorised users and devices can access sensitive data. It is based on a model that automatically doesn’t trust anything (inside or outside of its perimeters); instead, it verifies every request before granting access.

Continuous authentication

Continuous authentication is a way of monitoring identity-confirming user behaviour in real time to assist in the detection of potential security threats. Markers such as passwords, MFA, biometrics, key-stroke pressure, and location can all be used throughout user sessions to help identify and prevent unauthorised access to applications and data. By monitoring even the most subtle change in behaviour, continuous authentication can trigger alerts in response to any suspicious activity. However, the cost and complexity of this monitoring solution when deployed across multiple apps, as well as concerns about privacy and compliance, may deter security teams from prioritising this approach.

Artificial intelligence (AI) and machine learning (ML)

AI and ML are increasingly used in IAM systems to enhance the organisation’s security posture. They offer advanced analytics capabilities, complex pattern recognition, and shorter response times; these tools can help to detect anomalies, automate identity verification, and reduce the risk of unauthorised access.

Identity as a Service (IDaaS)

IDaaS is an increasingly popular way for security teams to manage identities on the cloud, providing as it does a single view of user identities, access controls, and other security features across their estates. IDaaS systems can help to reduce the risk of security breaches by consolidating a number of the previously mentioned control trends, including SSO, MFA, password complexity requirements, and user access provisioning.

Read more on this topic

    Read more on Cloud security