Realizing the vast potential of the cloud enables organizations to innovate and undergo digital transformations. The last two years have demonstrated the importance of ensuring sound cybersecurity, especially as many enterprises have migrated to the cloud. A key part of the cloud, however, is ensuring that enterprises utilize proper identity management. Increased cloud adoption has resulted in a deluge of new human, and even non-human, identities that threat actors can compromise. Enterprises that don’t take this seriously can find themselves the latest victims of a breach.
One should look no further than Okta, a popular identity management platform used by many enterprises. Earlier this year, the Lapsus$ criminal organization claimed to be in possession of a super-user account at Okta. While the full extent of the breach isn't yet known, having these high-level credentials potentially means the criminal organization has the figurative "keys to the kingdom" regarding access, along with the ability to obtain the data of users who rely on the Okta platform. When an identity and access management (IAM) provider is the victim of an identity-based attack, you know that threat actors are playing hard.
That said, IAM isn't a new issue and will certainly become more important in the foreseeable future. A report from Cider Security ranked IAM as the second biggest problem in continuous integration/continuous delivery environments. These concerns relate to both the permissions granted to identities across an enterprise and ensuring that permissions are deprovisioned in a timely manner.
Difficulties of Managing Identities in the Cloud
Managing identities in the cloud is difficult due to a confluence of factors. Often the structure of a cloud provider's notions of projects and organizations don't map well to how an enterprise structures itself. This can lead to things like a single enterprise user trying to manage multiple "identities" within the cloud in order to do their job. Downstream, this results in few, if any, people having any real visibility into who has access to what within the cloud.
As problems like this grow, they're further exacerbated as the company hires employees and then experiences turnover. Also, moving from on-premises to the cloud can create similar challenges. Enterprises spend years operating in one way that works for them with their own hardware, and then as they move to the cloud, they need to adjust that older way of working to the cloud provider's structures.
Consequences of Improperly Managed Identities
From a security perspective, failure to properly manage IDs in the cloud opens up enterprises to a lack of command and control of who can do what within their infrastructure. It also makes it very difficult to recognize when something is askew with IDs or permissions for those identities.
From a non-security perspective, poorly managed identities can lead to friction in an enterprise's processes and then may lead to undesirable outcomes. These outcomes could include employees having to log in to cloud assets using multiple identities, or employees continually finding that they must request new permissions that they should have had from the outset. Ultimately, this slows down an enterprise's processes.
Two Common IAM Missteps
Customers regularly fail to build out cloud-based solutions where identity management is concerned. Ultimately, the cloud resources being accessed by identity holders don't care if you're a person, a machine, or a dog. If you have the right credentials, you're authenticated and authorized. Before they know it, a mission-critical service is running 24/7/365, and some key piece of that service is talking to other critical services via a human employee's identity. What happens when that employee leaves? Ensuring the continuity of services is imperative for enterprises and their identity and access management in the cloud.
Another potential pitfall comes with users sharing credentials. It doesn't take long for that key to get used without anyone having any capability to track down exactly who is really accessing the cloud resources. This lack of accountability can lead to big problems, including security concerns, for enterprises.
How Organizations Can Mitigate Security Concerns
First and foremost, treat identity management as a first-priority problem, not something to figure out later while you get your business up and running in the cloud. Create your own well defined policies on identity management with an eye toward ensuring the principle of least privilege, in which identities can only access what they need.
Don't let the tools from cloud providers determine how you run your business. A great way to ensure that your enterprise is in the driver's seat is to find people that know the cloud and know it well. Bringing in outside assistance from those who know it best not only puts it in the hands of those who are the most qualified to do so, but it can also help to mitigate common IAM problems that you may not even have on your radar. Additionally, it's important to gain organizationwide visibility into your cloud infrastructure. This valuable insight into your cloud infrastructure provides numerous benefits, not just for IAM but for compliance and financial management as well.