Mastering IAM in the Cloud: Strategies for Effective Identity and Access Management

Mr. Ankit Sharma, Security Officer (India), Cisco

Cloud computing is today's best-known technology for giving multi-tenant enterprises on-demand, scalable access to computing resources through cloud providers. However, in an extensive survey by International Data Corporation (IDC), 87.5% of respondents identified security as the primary reason for consumers' hesitation to use cloud computing aggressively in future system deployments. Identity and Access Management (IAM) can be deployed to address this problem by protecting the end user's digital identity.

Identity and Access Management Systems Architecture

A recent market analysis report states that valued at US$15.93 billion in 2022, the global identity and access management (IAM) market is poised for steady growth. Analysts project a compound annual growth rate (CAGR) of 12.6% from 2023 to 2030.

Effective cloud security requires a proactive approach. The primary feature of the IAM system is centred on the authentication and authorisation processes. Cloud security relies on a two-step process: authentication and authorisation. Authentication verifies a user's identity, ensuring they are who they claim to be. Following successful authentication, authorisation determines the specific cloud resources a user can access based on their assigned permissions or roles.
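The two-step flow described above, written out as an added example that is not part of this article: the caller first presents a signed bearer token (authentication), and only after the signature and expiry check pass does an explicit, default-deny role table decide whether the requested action on the resource is permitted (authorisation). The HMAC token format, the signing secret and the role names are constructed for the demonstration and stand in for whatever token service and policy store a real cloud platform uses.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret. A real deployment keeps this in a KMS or secret store,
# never in source.
SECRET = b"demo-signing-key-not-for-production"


def issue_token(subject: str, roles: list, ttl_seconds: int = 300,
                now: Optional[float] = None) -> str:
    """Mint an HMAC-SHA256-signed bearer token (simplified, not a JWT library)."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "roles": roles, "exp": int(now + ttl_seconds)}
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def authenticate(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Step 1: establish who the caller is. Returns the claims, or None on failure."""
    now = time.time() if now is None else now
    try:
        body, sig = token.rsplit(".", 1)
    except ValueError:
        return None  # not even shaped like a token
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None  # forged or tampered token
    claims = json.loads(base64.urlsafe_b64decode(body.encode()))
    if claims["exp"] < now:
        return None  # expired token
    return claims


# Step 2: an explicit allow list. Anything not listed is denied (least privilege).
# Role names and resources are constructed for the example.
POLICIES = {
    "storage-reader": {("storage", "read")},
    "storage-admin": {("storage", "read"), ("storage", "write"), ("storage", "delete")},
}


def authorize(claims: dict, resource: str, action: str) -> bool:
    """Return True only if some role held by the caller explicitly allows the action."""
    return any((resource, action) in POLICIES.get(role, set())
               for role in claims.get("roles", []))


def handle_request(token: str, resource: str, action: str,
                   now: Optional[float] = None) -> str:
    """Gate a request: authenticate first, then authorise. Returns an HTTP-style status."""
    claims = authenticate(token, now)
    if claims is None:
        return "401 unauthenticated"
    if not authorize(claims, resource, action):
        return "403 forbidden"
    return f"200 {action} {resource} as {claims['sub']}"


if __name__ == "__main__":
    tok = issue_token("alice", ["storage-reader"])
    print(handle_request(tok, "storage", "read"))   # 200 read storage as alice
    print(handle_request(tok, "storage", "write"))  # 403 forbidden
```

The ordering matters for the distinction the paragraph draws: a failed signature or an expired token is a 401 (identity not established), whereas a valid identity asking for something its roles do not cover is a 403, and neither path ever consults the policy table before the identity check has passed.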

Various IAM service models have been deployed and proposed to evaluate the performance of identity and access management with respect to data storage, storage services, and data privacy. Cloud computing meets the organisational requirements of the present century, using IaaS, PaaS, SaaS and multi-tenancy models to make cloud services more cost-effective. However, these models bring privacy and security risks, creating demand for more resilient security systems.

Developing A Robust IAM System

Identity and Access Management (IAM) encompasses processes used to manage access to resources by verifying the identity of an entity. Upon successful verification, access is granted at the appropriate level according to the policies governing the protected resources. The following strategies can serve as guidelines for effective identity and access management:

User Consent and Control

An IAM system must require user permission before collecting any personally identifiable information (PII).

Minimal Disclosure

The system should minimise the amount of PII exposed and enforce strict limitations on its usage.

Justifiable Access

Disclosure of PII should be restricted to authorised parties with a demonstrably essential need.

Contextual Identity Management

The system should utilise global identifiers for public entities and local identifiers for private entities, ensuring appropriate access control based on context.

Interoperability

The IAM system should support multiple identity technologies and providers, enabling seamless interaction.

Secure Human Interaction

The system must employ clear and secure human-machine interfaces to prevent identity-based attacks like phishing and impersonation.

Consistent User Experience

Despite supporting diverse operators and technologies, the IAM system should provide a simple and uniform user experience across different contexts.

Existing Models And Potential Drawbacks

Many cloud users access and use cloud services on a large scale, which raises security concerns for user data. Therefore, monitoring, storing and managing user identities is a critical security issue and requires a trusted solution. Some potential flaws in IAM models are listed below:

Unrestricted IAM Roles

Unrestricted IAM roles create significant security risks. These roles grant excessive access to resources, mirroring the vulnerabilities of exposed static keys. Granting too many permissions expands the potential attack surface, amplifying the damage if attackers exploit a compromised user account or application.

“Granting excessive permissions inadvertently is a common security pitfall leading to privilege escalation. The principle of least privilege needs to be enforced at all times to prevent potential security breaches.” 

Identity-based proxy re-encryption is used to manage files

Centralised data access control presents several challenges, including potential security vulnerabilities against certain closure attacks. Alternative access control schemes should be explored to mitigate these limitations.

Authentication method using a one-time password

The drawback of this scheme is that a single credential is used for all cloud services, so an attacker who obtains that one credential gains access to every service at once.

Single sign-on (SSO) model

Granting a single user access to multiple resources with the same password creates a significant security vulnerability. This practice is highly susceptible to phishing attacks, potentially leading to unauthorised access and exposure of sensitive information.

Promising Advancements in IAM

New Service Models

One of the recent models for evaluating risk management in IAM was presented at the IEEE Mediterranean Conference on Embedded Computing (MECO), Montenegro, 2019. Focusing on user identity, enterprise-level solutions like Duo Security can be very impactful. Duo's Continuous Identity Security safeguards against intricate identity threats 24/7 while maintaining a smooth authentication experience for the entire workforce. Encryption remains a crucial method for safeguarding the confidentiality of user identities, as evidenced by this research and various other studies highlighting the importance of cryptography in protecting user identities.

Blockchain

Blockchain is another revolutionary technology for protecting data in a decentralised manner. Blockchain technology plays a vital role in analysing and securing identity management systems. 

IAM Linting

An IAM linter strengthens an organisation's cloud security framework by identifying overly permissive IAM policies and sensitive permissions. This tool scans IAM policies and roles, flagging potential security risks.
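A minimal linter of the kind described, covering both the "Unrestricted IAM Roles" flaw above and this section, as an added example that is neither the article's nor any vendor's tool. It reads an AWS-style policy document (the `Effect`/`Action`/`Resource`/`NotAction` JSON shape is assumed; the page does not name a provider) and flags the patterns that make a role overly permissive: a bare `*` action, a service-wide `service:*` wildcard, `Allow` combined with `NotAction`, `Resource: "*"`, and a short list of real IAM/STS action names that create credentials or change who may assume a role. The sample policies at the bottom are constructed for the demonstration.

```python
import fnmatch
import json

# Actions that mint credentials or alter trust relationships. A partial list
# chosen for this example; all are real AWS IAM/STS action names.
SENSITIVE_ACTIONS = [
    "iam:PassRole", "iam:CreateAccessKey", "iam:CreateLoginProfile",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy",
    "iam:PutRolePolicy", "iam:UpdateAssumeRolePolicy", "sts:AssumeRole",
]


def _as_list(value):
    """Policy JSON allows a single string wherever a list of strings is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list:
    """Return findings as (statement_index, severity, message) tuples."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        # Action names are matched case-insensitively, so normalise once.
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))

        if "NotAction" in stmt:
            findings.append((idx, "HIGH",
                             "Allow with NotAction grants every action not listed"))
        for action in actions:
            if action == "*":
                findings.append((idx, "HIGH", "Action '*' allows every API call"))
            elif action.endswith(":*"):
                findings.append((idx, "HIGH",
                                 f"service-wide wildcard action '{action}'"))
            else:
                # A pattern such as iam:Create* can still reach sensitive actions.
                for sensitive in SENSITIVE_ACTIONS:
                    if fnmatch.fnmatchcase(sensitive.lower(), action):
                        findings.append((idx, "MEDIUM",
                                         f"sensitive action '{sensitive}' granted via '{action}'"))
        if "*" in resources:
            broad = any(a == "*" or a.endswith(":*") for a in actions)
            findings.append((idx, "HIGH" if broad else "MEDIUM",
                             "Resource '*' applies the statement to every resource"))
    return findings


def lint_policy_document(text: str) -> list:
    """Convenience wrapper for a policy stored as a JSON string."""
    return lint_policy(json.loads(text))


def worst_severity(findings: list) -> str:
    """Collapse a findings list to OK / MEDIUM / HIGH for a pass/fail gate."""
    severities = {f[1] for f in findings}
    if "HIGH" in severities:
        return "HIGH"
    return "MEDIUM" if "MEDIUM" in severities else "OK"


# Constructed sample policies (account id and bucket name are placeholders).
SAMPLE_POLICIES = {
    "admin": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "passrole": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["iam:PassRole", "ec2:RunInstances"],
         "Resource": "*"}]},
    "scoped": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"}]},
}

if __name__ == "__main__":
    for name, policy in SAMPLE_POLICIES.items():
        findings = lint_policy(policy)
        print(f"{name}: {worst_severity(findings)}")
        for idx, sev, msg in findings:
            print(f"  statement {idx} [{sev}] {msg}")
```

Run as a pre-merge check on infrastructure code, `worst_severity` gives a single verdict per policy, while the per-statement messages point the author at the exact wildcard or sensitive action to scope down; the "scoped" sample, which names one action on one bucket, produces no findings and is the shape least-privilege policies should take.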

Final Thoughts

Cloud computing leverages a pool of on-demand, configurable resources like data centres, storage, networks, operating systems, applications, and databases to deliver convenient access to authorised users. Cloud service providers manage access control, granting users specific resources and services based on their identities and permission levels.

The proliferation of cloud users intensifies security concerns, particularly vulnerabilities in identity and access management (IAM) processes. Consequently, robust Identity and Access Management becomes essential for cloud computing, ensuring secure management of, and remote access to, user credentials.

The Journey Into Industry

Mr. Ankit Sharma, a highly motivated Cloud Security Professional with proven expertise in information security, holds certifications such as CSA Cloud Security Professional and CSA ZTA, is an ISO 27001 Lead Auditor, and demonstrates strong ethical hacking skills. Ankit's leadership abilities have aided in improving quality programs, reducing data breaches, and boosting efficiency, security, and productivity across products.

Beyond his leadership acumen, Mr. Sharma possesses deep cloud security knowledge, encompassing cloud infrastructure, application security (AppSec), security operations (SecOps), and compliance frameworks like ISO 27001 and SOC 2. His commitment to the field extends to contributions like developing and reviewing content for the CSA's Zero Trust Certification exam, CSA ECUC mapping with CCMv4, and defining the Shared Security Responsibility Model for cloud deployments in application security. Furthermore, Mr. Ankit Sharma has played a role in exam development for ISC2's Certified in Cybersecurity program and currently volunteers as a mentor to college graduates building careers in the cybersecurity field.