Identity and Access Management in Cloud Security

Written by Ashwin Chaudhary, CEO, Accedere.

Identity and access management (IAM) ensures that only authorized identities have the right
access to the right resources. With cloud platforms consolidating numerous administrative
functions of data centers and services into unified Internet-accessible web consoles and
application programming interfaces (APIs), IAM acts as the new perimeter in cloud-native
security, protecting sensitive resources from unauthorized access and misuse. Cloud Security
Alliance’s Security Guidance v5.0 covers Identity and Access Management in Domain 5. In
both public and private clouds, cloud service providers (CSPs) and cloud service customers
(CSCs) are tasked with managing IAM within acceptable risk tolerances. While we will review
fundamental IAM concepts, the focus will be on the characteristics and challenges of IAM in
the cloud and ensuring their effective management. IAM cannot be managed solely by the
CSP or the CSC. It requires a trust relationship between both parties, a clear designation of
responsibilities, and the technical mechanics to facilitate its management. Gartner defines
IAM as “the security discipline that enables the right individuals to access the right resources
at the right times for the right reasons.”

Fundamental terms

  • Access control: Restricting access to a resource, based on the permissions granted to
    the entity.
  • Authentication: Verifies the identity of a user, process, or device, often as a
    prerequisite to allowing access to resources in a system.
  • Authorization: The decision to permit or deny a subject access to system objects (e.g.,
    network, data, application, service).
  • Multi-Factor Authentication (MFA): A mechanism through which an identity is
    authenticated via additional factors such as something you know, something you have
    or something you are.
  • Attribute: A characteristic or property of an entity that describes its state,
    appearance, or other relevant aspects.
  • Entitlement: Maps identities to authorizations with required attributes (e.g., user X is
    allowed access to resource Y when Z attributes have designated values).
  • Entity: An entity refers to a unique, identifiable actor in a computer system. In the
    context of cybersecurity, an entity can be a user, a device, an application, or a system
    that is identified and authenticated by an IAM system.
  • Identity: the unique expression of an entity within a given namespace.
  • Role: Provides a permission-centric view, defining the access level for users to perform
    specific tasks.
  • Attribute-Based Access Control (ABAC): An access control or entitlement that
    requires specific attributes, such as multi-factor authentication (MFA), the user
    logging in from a managed system, or the targeted resource having a particular tag.
  • Policy-Based Access Control (PBAC): Access requirements defined in a machine-readable policy document that typically provides extensive flexibility and granularity
    with support for various conditions and other variables, such as attributes.
  • Role-Based Access Control (RBAC): A more common model than ABAC, in which
    access is granted to all users holding a given role (e.g., developer or administrator).
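To make the RBAC/ABAC/PBAC distinction concrete, the following is an added example (not code from the article or from any cloud provider's policy engine). It takes one row of an entitlement matrix ("developers may read and write the app-logs bucket") and evaluates an access request two ways: as a plain role lookup, and as a machine-readable policy whose statements also require subject attributes (MFA, managed device) and a resource tag. The policy layout, attribute names and resource names are constructed for this example.

```python
# Added example: one entitlement-matrix row evaluated as RBAC and as an
# attribute-conditioned policy (PBAC). Policy format, attribute names and
# resource names are constructed for illustration, not a provider's language.
from dataclasses import dataclass, field


@dataclass
class Request:
    subject: str
    roles: set
    action: str
    resource: str
    attributes: dict = field(default_factory=dict)     # subject attributes (e.g. mfa)
    resource_tags: dict = field(default_factory=dict)  # attributes of the target


# RBAC view of the entitlement matrix: role -> {(action, resource)}.
RBAC_MATRIX = {
    "developer": {("read", "bucket:app-logs"), ("write", "bucket:app-logs")},
    "administrator": {("read", "*"), ("write", "*"), ("delete", "*")},
}

# The same matrix written as a policy document with attribute conditions (PBAC).
POLICY = [
    {
        "effect": "allow",
        "roles": ["developer"],
        "actions": ["read", "write"],
        "resources": ["bucket:app-logs"],
        # The subject must have authenticated with MFA from a managed device ...
        "subject_conditions": {"mfa": True, "managed_device": True},
        # ... and the bucket must carry the tag that marks it non-production.
        "resource_conditions": {"env": "dev"},
    },
    {
        "effect": "allow",
        "roles": ["administrator"],
        "actions": ["read", "write", "delete"],
        "resources": ["*"],
        "subject_conditions": {"mfa": True},
        "resource_conditions": {},
    },
]


def rbac_decision(req: Request) -> bool:
    """Grant if any of the subject's roles maps to the action on the resource."""
    for role in req.roles:
        for action, resource in RBAC_MATRIX.get(role, ()):
            if action == req.action and resource in ("*", req.resource):
                return True
    return False


def pbac_decision(req: Request, policy=POLICY) -> bool:
    """Default deny: allow only when a statement matches role, action and
    resource AND every subject and resource condition holds."""
    for stmt in policy:
        if stmt["effect"] != "allow":
            continue
        if not req.roles & set(stmt["roles"]):
            continue
        if req.action not in stmt["actions"]:
            continue
        if req.resource not in stmt["resources"] and "*" not in stmt["resources"]:
            continue
        if any(req.attributes.get(k) != v for k, v in stmt["subject_conditions"].items()):
            continue
        if any(req.resource_tags.get(k) != v for k, v in stmt["resource_conditions"].items()):
            continue
        return True
    return False


if __name__ == "__main__":
    # A developer reading logs from an unmanaged laptop without MFA:
    # the role lookup says yes, the attribute-conditioned policy says no.
    r = Request("alice", {"developer"}, "read", "bucket:app-logs",
                {"mfa": False, "managed_device": False}, {"env": "dev"})
    print(rbac_decision(r), pbac_decision(r))  # True False
```

The point of the second function is the default-deny shape: a role is necessary but not sufficient, and a missing attribute (an unset `mfa` flag, a bucket without the expected tag) fails closed rather than open.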

Commonly Used Standards for Cloud Computing

  • Security Assertion Markup Language (SAML) is an OASIS (Organization for the
    Advancement of Structured Information Standards) standard for federated Identity
    Management that supports authentication and authorization. It uses XML to make
    assertions between an Identity Provider and a Relying Party. Assertions can contain
    authentication statements, attribute statements, and authorization decision
    statements. Both enterprise tools and CSPs widely support SAML, but it can be
    complex to configure initially. SAML is well-suited for traditional web-based client-server applications.
  • OAuth is an IETF (Internet Engineering Task Force) standard for authorization widely
    used for web services (including consumer services). OAuth is considered an
    authorization protocol that allows users to grant third-party applications limited
    access to resources without sharing their credentials (like passwords) directly with
    those applications. OAuth is popular for authorizing API access or connecting 3rd
    parties to applications. OAuth is designed to work over HTTP and is most often used
    for delegating access control and authorizations between services.
  • OpenID Connect (OIDC) is a standard for federated authentication widely supported
    for web services. It adds an authentication layer to OAuth and is based on HTTP with
    URLs used to identify the IdP and the user/identity (e.g.,
    http://identity.identityprovider.com). OIDC 1.0 is very commonly seen in consumer
    services, and there is growing support for it in commercial products. One example
    would be Single Page Applications (SPA – e.g., Facebook). OpenID is a standard for
    authentication and is distinct from OIDC. OpenID 2.0 is deprecated and has been
    largely replaced by OIDC.

Security Considerations

  • Develop a comprehensive policy, plan, and processes for managing cloud service
    identities and authorizations.
  • Cloud users should use MFA for all cloud access and send MFA status as an attribute
    when using federated authentication.
  • Document an entitlement matrix for each cloud deployment that aligns with security
    and business requirements.
  • Translate entitlement matrices into technical policies when supported by the CSP or
    platform.
  • Prefer Attribute-Based Access Control and Policy-Based Access Control over Role-Based Access Control.
  • Assess and adopt more modern IAM processes and technologies such as usage
    tracking for improved least privilege, JIT access, and risk scoring.
  • Log and monitor all IAM changes both at the Identity Provider and the Resource
    Provider.
  • Incident response: integrate plans and procedures for invalidating or restricting
    abused IAM session tokens into the incident response program.
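The last two considerations, logging IAM changes at both the Identity Provider and the Resource Provider and being ready to invalidate abused session tokens, fit together in a small monitor. The following is an added example (not code from the article or from any provider's tooling): it reads constructed audit events from both sources, alerts on every change to who-can-do-what, rates a change higher when the session behind it was opened without MFA, and lists the sessions an incident responder would revoke first. Event names, field names and the log lines are constructed for this example and do not follow any provider's schema.

```python
# Added example: monitor IdP and resource-provider audit events for IAM changes
# and MFA-less sessions, then list the sessions to revoke. Log format, event
# names and values are constructed for illustration.
import json

# Constructed audit log, one JSON object per line, from two sources:
# "idp" (login events) and "rp" (resource-provider API calls).
SAMPLE_LOG = """
{"ts":"2024-05-01T08:00:01Z","source":"idp","event":"Login","actor":"alice","session":"s-100","mfa":true}
{"ts":"2024-05-01T08:02:10Z","source":"rp","event":"AttachUserPolicy","actor":"alice","session":"s-100","target":"user/bob","policy":"AdministratorAccess"}
{"ts":"2024-05-01T09:15:00Z","source":"idp","event":"Login","actor":"svc-deploy","session":"s-101","mfa":false}
{"ts":"2024-05-01T09:15:30Z","source":"rp","event":"CreateAccessKey","actor":"svc-deploy","session":"s-101","target":"user/svc-deploy"}
{"ts":"2024-05-01T09:16:00Z","source":"rp","event":"DeactivateMFADevice","actor":"svc-deploy","session":"s-101","target":"user/alice"}
{"ts":"2024-05-01T10:00:00Z","source":"rp","event":"GetObject","actor":"carol","session":"s-102","target":"bucket:app-logs"}
""".strip()

# Events that change who can do what. Each one is worth an alert on its own;
# ordinary data-plane calls (GetObject etc.) are not in this set.
IAM_CHANGE_EVENTS = {
    "AttachUserPolicy", "DetachUserPolicy", "PutRolePolicy",
    "UpdateAssumeRolePolicy", "CreateUser", "CreateAccessKey",
    "DeactivateMFADevice",
}


def parse_log(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: list) -> list:
    """Alert on MFA-less logins and on IAM changes; an IAM change made from a
    session known to lack MFA is rated 'high', anything else 'medium'."""
    alerts = []
    mfa_by_session = {}                      # session id -> MFA used at login
    for e in events:
        if e["event"] == "Login":
            mfa_by_session[e["session"]] = bool(e.get("mfa"))
            if not e.get("mfa"):
                alerts.append({"rule": "login-without-mfa", "ts": e["ts"],
                               "actor": e["actor"], "session": e["session"]})
        elif e["event"] in IAM_CHANGE_EVENTS:
            # Unknown sessions (no login seen) fall back to 'medium'; a stricter
            # deployment could rate those 'high' as well.
            no_mfa = mfa_by_session.get(e["session"]) is False
            alerts.append({"rule": "iam-change", "ts": e["ts"],
                           "severity": "high" if no_mfa else "medium",
                           "event": e["event"], "actor": e["actor"],
                           "session": e["session"], "target": e.get("target")})
    return alerts


def sessions_to_revoke(alerts: list) -> list:
    """Sessions that made IAM changes without MFA: the first candidates for
    token invalidation in the incident response procedure."""
    return sorted({a["session"] for a in alerts
                   if a["rule"] == "iam-change" and a["severity"] == "high"})


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for a in found:
        print(a["ts"], a["rule"], a.get("severity", ""), a["actor"], a.get("event", ""))
    print("revoke:", sessions_to_revoke(found))
```

Correlating the two sources is what makes the severity rating possible: the Resource Provider's log shows the policy attachment or key creation, but only the Identity Provider's login event says whether that session had MFA.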

About the Author

Ashwin Chaudhary is the CEO of Accedere, a Data Security, Privacy Audit, and Training Firm.
He is a CPA from Colorado, MBA, CITP, CISA, CISM, CGEIT, CRISC, CISSP, CDPSE, CCSK, PMP,
ISO27001 LA, ITILv3 certified cybersecurity professional with about 20 years of
cybersecurity/privacy and 40 years of industry experience. He has managed many
cybersecurity projects covering SOC reporting, ISO audits, VAPT assessments, Privacy, IoT,
Governance Risk, and Compliance.
