Gartner has defined Identity and Access Management as “the discipline that enables the right individuals to access the right resources at the right times for the right reasons”.
Identity and Access Management (IAM) covers the identification, authentication and authorisation of individuals, groups and other identities, together with the controls that govern their access and impose restrictions to protect data. While the term “identity” commonly refers to a person, in the cloud an identity can be either human or non-human, and IAM governs its access to applications, services, resources and networks.
With the increasing use of cloud services, the number of privileges that identities hold across platforms, devices and services has grown without precedent. These privileges allow identities to create or destroy resources with ease, making them demi-gods of sorts.
Governing identities and their access in the cloud is a very complex task. When a user tries to access a resource or an application in the cloud, many overlapping layers of access apply to that user and that resource, such as service control policies, permissions boundaries, identity-based policies and session policies, and the user, the resources and the applications are each assigned their own separate identities.
It is critical that access to cloud infrastructure (systems, applications and services) is right-sized at all times and that there are no over-provisioned privileges. Studies suggest that most identities use less than 2% of their privileges to perform day-to-day operations, leaving the remaining 98% unused and open to misuse. A lack of visibility into the cloud infrastructure compounds this: there is no insight into who has what privileges, which expands an organisation’s threat surface.
The starting point for effective IAM governance is enforcing policy guardrails in the cloud infrastructure that prevent unauthorised access and over-provisioned privileges. Example:
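The following is an added illustration, not code from the original article or from any cloud provider: a deliberately simplified model of how the overlapping policy layers named above (service control policy, permissions boundary, identity-based policy, session policy) combine, and how a guardrail in one layer constrains an over-provisioned grant in another. The policy documents, the identity names and the evaluation rules (an explicit deny in any layer wins; otherwise every layer that is present must allow the action) are assumptions for the example, not the real evaluation engine of any provider.

```python
from fnmatch import fnmatchcase

# Policy documents are lists of statements. Action patterns use IAM-style
# wildcards ("s3:*", "ec2:Describe*"). Matching is case-insensitive.
def _matches(patterns, action):
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _decision(policy, action):
    """Return 'Deny', 'Allow' or None (no matching statement) for one policy layer."""
    result = None
    for stmt in policy:
        if _matches(stmt["Action"], action):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny in a layer overrides its allows
            result = "Allow"
    return result

def is_allowed(action, scp, identity_policy, boundary=None, session_policy=None):
    """Simplified combination rule (assumption for this example):
    - an explicit Deny in any present layer blocks the action;
    - otherwise the SCP and the identity policy must both allow it, and a
      permissions boundary or session policy, when present, must also allow it."""
    layers = [scp, identity_policy]
    if boundary is not None:
        layers.append(boundary)
    if session_policy is not None:
        layers.append(session_policy)
    decisions = [_decision(layer, action) for layer in layers]
    if "Deny" in decisions:
        return False
    return all(d == "Allow" for d in decisions)

# Constructed sample layers (not from any real account):
# an organisation-wide guardrail that forbids turning off audit logging ...
ORG_SCP = [
    {"Effect": "Allow", "Action": ["*"]},
    {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]},
]
# ... an over-provisioned identity policy granting everything ...
DEVELOPER_POLICY = [{"Effect": "Allow", "Action": ["*"]}]
# ... a permissions boundary that caps what that identity can ever do ...
DEVELOPER_BOUNDARY = [{"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"]}]
# ... and a session policy narrowing one particular role session.
READ_ONLY_SESSION = [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"]}]

def guardrail_report():
    """Evaluate a few actions against the layers so the effect of each guardrail is visible."""
    checks = {
        "s3:GetObject (boundary)": is_allowed("s3:GetObject", ORG_SCP, DEVELOPER_POLICY, DEVELOPER_BOUNDARY),
        "ec2:TerminateInstances (boundary)": is_allowed("ec2:TerminateInstances", ORG_SCP, DEVELOPER_POLICY, DEVELOPER_BOUNDARY),
        "ec2:TerminateInstances (no boundary)": is_allowed("ec2:TerminateInstances", ORG_SCP, DEVELOPER_POLICY),
        "cloudtrail:StopLogging (no boundary)": is_allowed("cloudtrail:StopLogging", ORG_SCP, DEVELOPER_POLICY),
        "s3:PutObject (read-only session)": is_allowed("s3:PutObject", ORG_SCP, DEVELOPER_POLICY, DEVELOPER_BOUNDARY, READ_ONLY_SESSION),
    }
    return checks

if __name__ == "__main__":
    for name, allowed in guardrail_report().items():
        print(f"{name:40s} -> {'ALLOW' if allowed else 'DENY'}")
```

The point the report makes is that the "Allow *" identity policy is not what the developer can actually do: the boundary removes `ec2:TerminateInstances`, the SCP removes `cloudtrail:StopLogging` even where no boundary exists, and the session policy removes writes from a session that was only meant to read. Reviewing each layer in isolation hides this.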
Gaining visibility into the access rights and privileges of the various identities is equally critical to a sound IAM strategy. This means a unified view of the IAM posture across the cloud infrastructure, the ability to track every identity and its privileges, and the ability to ascertain when each privilege was last used and how many privileges or service grants were actually used over the last 30, 60, 90, 180 or 360 days.
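As an added example of the last-used analysis described above (not code from the original article, and not tied to any provider's access-advisor API), the block below takes a constructed inventory of identities, the services each is granted, and the date each grant was last exercised, and reports which grants went unused over the 30, 60, 90, 180 and 360 day windows the text names. The identity names, service names and dates are made up for the example.

```python
from datetime import date

# Constructed sample inventory (not real data): identity -> {service: last-used date}.
# None means the grant has never been exercised since it was issued.
NOW = date(2024, 6, 30)
GRANTS = {
    "deploy-role": {
        "s3": date(2024, 6, 28),
        "ec2": date(2024, 3, 1),
        "iam": None,
        "kms": date(2023, 5, 10),
    },
    "alice": {
        "s3": date(2024, 6, 29),
        "dynamodb": date(2024, 6, 1),
        "rds": None,
    },
}
WINDOWS = (30, 60, 90, 180, 360)

def used_within(last_used, days, now=NOW):
    """True if the grant was exercised at most `days` days before `now`."""
    return last_used is not None and (now - last_used).days <= days

def used_privileges(identity, days, grants=GRANTS, now=NOW):
    return sorted(s for s, d in grants[identity].items() if used_within(d, days, now))

def unused_privileges(identity, days, grants=GRANTS, now=NOW):
    return sorted(s for s, d in grants[identity].items() if not used_within(d, days, now))

def usage_ratio(identity, days, grants=GRANTS, now=NOW):
    """Fraction of granted services actually used in the window (0.0 when nothing is granted)."""
    total = len(grants[identity])
    return len(used_privileges(identity, days, grants, now)) / total if total else 0.0

def usage_report(identity, grants=GRANTS, now=NOW, windows=WINDOWS):
    """Per-window view of which grants an identity has exercised."""
    return {days: used_privileges(identity, days, grants, now) for days in windows}

def rightsizing_candidates(days, grants=GRANTS, now=NOW):
    """Identities holding at least one grant unused in the window, with the unused grants.
    These are the grants to review for removal; never-used grants are the first candidates."""
    candidates = {}
    for identity in grants:
        unused = unused_privileges(identity, days, grants, now)
        if unused:
            candidates[identity] = unused
    return candidates

if __name__ == "__main__":
    for identity in GRANTS:
        print(identity)
        for days, used in usage_report(identity).items():
            print(f"  last {days:3d} days: used {used}, ratio {usage_ratio(identity, days):.2f}")
    print("review for removal (90-day window):", rightsizing_candidates(90))
```

Running it shows why the multi-window view matters: `ec2` on the deploy role looks unused in a 90-day window but was exercised within 180 days, so it is a candidate to investigate rather than remove outright, whereas `iam` and `kms` on the same role fall outside every window and are the clear right-sizing targets.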