Identity and access management (IAM) is a strategy for protecting critical information within your organization by limiting who is able to access privileged resources. With the rise of remote work and adoption of cloud-based work environments, identity can no longer be assumed based on location or device but must be verified by other authentication factors. Once a user’s identity is verified, they receive limited, time-based access to only the resources needed to perform the tasks they are assigned.
In the event that credentials are compromised and an unauthorized user does gain access to the network, limiting what users have access to ideally places limits on the threat actor, stopping them from gaining control over the entire system.
IAM is not a magic bullet for stopping threats. Threat actors have ways to get access to credentials and methods of escalating access once inside a system, but it does act as another line of defense. IAM tools can also identify unusual behavior, helping you pinpoint and lock down a potential breach. In this post, we review some of the core tenets of identity and access management, particularly as they apply to managing vulnerability in a cloud environment.
Authentication
Multi-Factor Authentication (MFA)
Multi-factor authentication is one of the easier IAM elements to implement. Yet, according to Zscaler’s 2021 State of Cloud (In)Security Report, 71% of organizations reported not using multi-factor authentication for cloud access. Multi-factor authentication is essential in a cloud environment where it is easy for someone outside of your organization to access an application through the web using stolen credentials. MFA adds a layer of authentication beyond recognition of your password or user behavior to confirm your identity before allowing access.
IAM Solutions
User identities are stored by identity providers (IdP). IdPs are consulted by applications to authenticate the user and enable single sign-on. One of the challenges of a hybrid cloud environment is ensuring that user access can be authenticated both in the cloud and on premises, which is called a hybrid identity. Traditional on-premises environments have relied on IdPs such as Microsoft Active Directory to authenticate users. Today, the major cloud service providers have developed IAM tools (Google Cloud Identity, Azure Active Directory, AWS IAM) that attempt to bridge the gap to allow single sign-on across on-premises and cloud environments. If you’re only using one cloud provider, such as Microsoft Azure, you can use their IAM system, Azure Active Directory, in conjunction with password hash synchronization or pass-through authentication, to connect your on-premises Active Directory to Azure AD. The problem many organizations run into, however, is they are using multiple different cloud service providers, and they need one identity and access management system to act as the source of truth for digital identities to set permissions and approve or deny access requests across their entire environment.
Cloud infrastructure entitlement management (CIEM) tools are specifically designed to be that IAM solution across hybrid and multi-cloud environments. They allow for visibility of user access, detection of overly permissive access, federation between on-prem and cloud environments, and enforcement of the least privilege principle.
Least Privilege
Least privilege means granting access only to the resources absolutely necessary to perform the operation that the user (either human or non-human) is charged with. It also puts in place, time restrictions on the length of access to those resources. This is ideal for preventing compromised accounts from accessing the entirety of an organization’s network. It also helps maintain compliance with regulations such as privacy laws.
That being said, implementing a least privilege policy in a multicloud or hybrid cloud environment can be extremely challenging. According to Zscaler’s 2021 State of Cloud (In)Security Report, 91% of accounts had been provided permissions they never used. Here are some best practices we recommend to simplify your least privileged implementation:
Visibility
Before you design your least privilege strategy, you’ll need a clear idea of the roles within your organization and the permissions they are using, which will require visibility across your cloud environment. Visibility remains a challenge for many organizations, however. Visibility was the most significant barrier to cloud adoption noted by respondents in Fortinet’s 2021 Cloud Security Report.
For organizations trying to get a handle on their current data usage, machine learning can be utilized to track user behavior. This information can also be used to figure out what resources users are accessing so you can determine what permissions they will need on a regular basis. Visibility will also make it easier to locate identities that are dormant and should be deleted to avoid unintentional compromise of these accounts.
Role-Based Access Control
Don’t grant permissions to individual users as their job function may change, changing the resources they will need access to. Instead, create user groups and grant permissions to those user groups. This is known as role-based access control. Be wary of using the general user roles from your cloud service provider. These can provide users with more permissions than they need. For better least privilege implementation, create your own custom roles.
Just-in-Time Access
When granting permissions, focus on those that are needed on a regular basis and develop processes for adding permissions for specified time frames for less frequently used operations. Automate the process of revoking permissions, including an alert system for permissions due to expire.
Root User Credentials
Don’t use your root user credentials! The root user has access to the entire cloud account, and you can’t use IAM permissions to deny them access because they’re essentially the account owner. Create a user with administrative permissions to carry out your administrative tasks for the account and lock away your root user credentials. Administrative accounts can perform most of the functions that you would consider using the root credentials for, aside from major account level decisions such as changing the account name or closing the account.
Zero Trust
A zero-trust policy states that no user should be implicitly trusted. Their identity must be verified before being granted access to company resources. Zero trust goes hand in hand with the least privilege policy and microsegmentation of resources to limit what users have access to. Learn more about zero trust in our blog post, Zero Trust Architecture for Cloud Vulnerability Management.
Are you interested in collaborating with other security professionals to improve your vulnerability management program? RH-ISAC members can join RH-ISAC’s vulnerability management working group to participate in vulnerability management discussions and exchange of best practices. Learn more about RH-ISAC membership.