In my previous post I raised a flag around the importance of identity and access management (IAM), and how this should be embedded in your overall security planning.
What does identity and access governance stand for?
According to Gartner, it represents "a combination of administration and account provisioning, authentication and authorization, and reporting functions", which is either served from the cloud as a utility (IDaaS) or implemented internally in a more siloed fashion.
Companies may choose to run a combination of the two in their hybrid environment, where they bring up a secondary IAM system to handle their hosted apps, while continuing to rely on standard IAM for internal applications.
Although this scenario is preferable to running no IAM platform at all, a mixed IAM estate is undoubtedly a tricky business: it doubles the maintenance effort, and can be fault-prone and costly over the long haul. Each additional IAM mechanism (a third, a fourth, a fifth) adds another set of identities and policies that must be kept consistent with all the others, so cost and complexity grow much faster than linearly.
Adding to this, the cloud demands a set of capabilities and standards that do not necessarily fit the classical, more static IAM models (discretionary and mandatory access control, also known as DAC and MAC) and that are too fine-grained to be expressed with the newer role-based access control model (RBAC) without the number of roles exploding.
Trends like ‘Bring Your Own Device’ (BYOD) and the proliferation of roles within an enterprise create an immediate need for contextual awareness, both when deploying fine-grained security and access policies and when developing secure applications.
As such, there is growing interest in the more flexible attribute-based access control (ABAC) technique, which is applicable across all the IAM models mentioned above. It can be configured to leverage their benefits while transcending their limitations.
I will explain how this works by moving on from the authentication stage I have covered so far to the next level: access authorization.
ABAC uses attributes, or properties, of the entities in the system. An entity can be a subject (a user), a programmatic workflow context (a program or process operating on behalf of the user), an object (the resource to be accessed), or even another attribute.
These predefined attributes are evaluated, together with environment conditions such as time of day, device state or network location, against a set of rules that determine whether the subject may perform the requested operation on the object.
ABAC can be used to enforce DAC (through identities and access control lists, ACLs), MAC (through security labels and classifications) or RBAC (through user roles).
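To make the previous three paragraphs concrete, here is a small ABAC evaluator. It is an added example written for this post, not code from any IAM product: the attribute names (`clearance`, `label`, `acl`, `roles_allowed`, `device_managed`, `network`), the classification lattice and the sample principals are all constructed for illustration. It shows one engine enforcing a DAC rule (an ACL carried by the object), a MAC rule (Bell-LaPadula label dominance), an RBAC rule (role membership) and a BYOD context rule side by side, with deny-by-default and deny-overrides combination.

```python
"""Minimal attribute-based access control (ABAC) evaluator (added example).

Subjects, objects and the environment are plain attribute dictionaries; a
policy is a list of rules, each a pair of predicates: does this rule apply to
the request, and if so does it permit it. Decisions are deny-by-default and
deny-overrides: a request is allowed only if at least one rule applies and
every applicable rule permits it.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

Attrs = Dict[str, Any]
Predicate = Callable[[Attrs, str, Attrs, Attrs], bool]

# Classification lattice used by the MAC rule (constructed for this example).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Rule:
    name: str
    applies: Predicate  # is the rule relevant to (subject, action, obj, env)?
    permit: Predicate   # if relevant, does it allow the request?


# DAC: the object carries an ACL mapping action -> allowed subject ids.
DAC = Rule(
    "dac-acl",
    lambda s, a, o, e: "acl" in o,
    lambda s, a, o, e: s["id"] in o["acl"].get(a, ()),
)


def _mac_permit(s: Attrs, a: str, o: Attrs, e: Attrs) -> bool:
    """Bell-LaPadula: no read-up, no write-down."""
    subj, obj = LEVELS[s["clearance"]], LEVELS[o["label"]]
    if a == "read":
        return subj >= obj
    if a == "write":
        return subj <= obj
    return False


# MAC: the object carries a classification label, the subject a clearance.
MAC = Rule("mac-bell-lapadula", lambda s, a, o, e: "label" in o, _mac_permit)

# RBAC: the object lists the roles allowed per action.
RBAC = Rule(
    "rbac-roles",
    lambda s, a, o, e: "roles_allowed" in o,
    lambda s, a, o, e: bool(set(s.get("roles", ())) & set(o["roles_allowed"].get(a, ()))),
)

# Context (BYOD): writes are only accepted from a managed device on the corporate network.
CONTEXT = Rule(
    "context-byod-write",
    lambda s, a, o, e: a == "write",
    lambda s, a, o, e: bool(e.get("device_managed")) and e.get("network") == "corp",
)

POLICY: List[Rule] = [DAC, MAC, RBAC, CONTEXT]


def explain(subject: Attrs, action: str, obj: Attrs, env: Attrs,
            policy: List[Rule] = POLICY) -> List[Tuple[str, bool]]:
    """Return (rule name, permitted?) for every rule that applies to the request."""
    return [(r.name, r.permit(subject, action, obj, env))
            for r in policy if r.applies(subject, action, obj, env)]


def check(subject: Attrs, action: str, obj: Attrs, env: Attrs,
          policy: List[Rule] = POLICY) -> bool:
    """Deny-by-default, deny-overrides combination of the applicable rules."""
    verdicts = explain(subject, action, obj, env, policy)
    return bool(verdicts) and all(ok for _, ok in verdicts)


# Constructed sample principals, resource and request contexts.
ALICE = {"id": "alice", "clearance": "confidential", "roles": ["finance"]}
BOB = {"id": "bob", "clearance": "internal", "roles": ["engineer"]}
REPORT = {
    "label": "confidential",
    "acl": {"read": ["alice", "bob"], "write": ["alice"]},
    "roles_allowed": {"read": ["finance", "audit"], "write": ["finance"]},
}
ENV_CORP = {"device_managed": True, "network": "corp"}
ENV_BYOD = {"device_managed": False, "network": "public-wifi"}

if __name__ == "__main__":
    for who, act, env in [(ALICE, "read", ENV_CORP), (BOB, "read", ENV_CORP),
                          (ALICE, "write", ENV_BYOD), (ALICE, "write", ENV_CORP)]:
        print(who["id"], act, check(who, act, REPORT, env), explain(who, act, REPORT, env))
```

Note the second sample request: Bob is on the report's ACL (DAC would let him in) and yet is denied because his clearance does not dominate the label (MAC). That is the point of layering the models under one ABAC engine: each rule can only narrow access, and a request with no applicable rule at all is denied rather than silently allowed.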
If we listen to the analysts, it may come as a surprise to find IAM in the top three of ‘must-have’ security services in the cloud. In an extensive report from 2013, Gartner’s predictions for the future of IAM technologies are extremely generous.
By year-end 2020, the industry analyst forecasts that:
70% of all businesses will use attribute-based access control as the dominant mechanism to protect critical assets, up from 5% today.
60% of all digital identities interacting with enterprises will come from external identity providers through a competitive marketplace, up from 10% today.
80% of digital access will be shaped by new mobile and non-PC architectures, up from 5% today.
In a more recent report dedicated to identity and access management within Amazon Web Services, Gartner highlights a series of recommendations for AWS customers, which I summarize below:
Do not share the AWS root account credentials within your organization, and keep use of the root account to a minimum.
Use IAM roles to delegate management duties; third-party IAM tools are also supported.
Enforce multi-factor authentication (MFA) for privileged IAM users who have access to the AWS Management Console.
Avoid over-assigning rights to IAM users; follow the "least privilege" principle.
Use AWS CloudTrail to monitor IAM operations in AWS.
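The "least privilege" and "MFA for privileged users" items above can be checked mechanically on the policy documents themselves. The linter below is an added example written for this post, not an AWS or Gartner tool: it parses an IAM policy JSON document and flags the over-assignment patterns a reviewer would look for (the wildcard action `*` or a service-wide `svc:*`, mutating actions granted on `Resource: "*"`, and privileged actions that are not gated by the real `aws:MultiFactorAuthPresent` condition key). The sets of "privileged" prefixes and "read-only" verbs are heuristics chosen for the example, not an AWS-defined list; the two sample policies are constructed, with `123456789012` being the placeholder account id used in AWS documentation.

```python
"""Lint an IAM policy document for over-assignment (added example, not AWS tooling).

For every Allow statement the linter reports:
  * the wildcard action "*" or a service-wide "svc:*";
  * mutating (non Get/List/Describe) actions granted on Resource "*";
  * privileged actions without an aws:MultiFactorAuthPresent condition.
"""
import json
from typing import Any, Dict, List

# Heuristic lists chosen for this example; they are not an AWS-defined set.
PRIVILEGED_PREFIXES = ("iam:", "sts:", "organizations:", "kms:")
READ_ONLY_VERBS = ("Get", "List", "Describe")


def _as_list(value: Any) -> List[Any]:
    """IAM allows Action, Resource and Statement to be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _requires_mfa(stmt: Dict[str, Any]) -> bool:
    """True if the statement only applies when the caller authenticated with MFA."""
    cond = stmt.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        value = cond.get(operator, {}).get("aws:MultiFactorAuthPresent")
        if value is not None and str(value).lower() == "true":
            return True
    return False


def _is_read_only(action: str) -> bool:
    return action.split(":", 1)[-1].startswith(READ_ONLY_VERBS)


def audit_policy(doc: Dict[str, Any]) -> List[str]:
    findings: List[str] = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{i}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource allow everything not listed; review by hand")
        for action in actions:
            if action == "*":
                findings.append(f"{sid}: Action '*' grants every API call in every service")
            elif action.endswith(":*"):
                findings.append(f"{sid}: service-wide wildcard '{action}'")
        if "*" in resources and any(not _is_read_only(a) for a in actions):
            findings.append(f"{sid}: mutating action granted on Resource '*'")
        if any(a == "*" or a.startswith(PRIVILEGED_PREFIXES) for a in actions) and not _requires_mfa(stmt):
            findings.append(f"{sid}: privileged action without an aws:MultiFactorAuthPresent condition")
    return findings


def audit_policy_json(text: str) -> List[str]:
    """Parse a policy document from its JSON text and audit it."""
    return audit_policy(json.loads(text))


# Constructed sample policies; the bucket name is made up.
OVERBROAD_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}"""

LEAST_PRIVILEGE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadReports", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
    {"Sid": "RotateOwnKeysWithMfa", "Effect": "Allow",
     "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey"],
     "Resource": "arn:aws:iam::123456789012:user/${aws:username}",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}
  ]
}"""

if __name__ == "__main__":
    for name, text in (("overbroad", OVERBROAD_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, audit_policy_json(text) or ["no findings"])
```

The second policy shows what the recommendations look like in practice: read access is scoped to one bucket and its objects, and the only IAM permission is limited to the caller's own access keys (via the `${aws:username}` policy variable) and requires a current MFA authentication. Run the linter over a policy before attaching it, or over the output of `aws iam get-policy-version` in a periodic review alongside the CloudTrail monitoring the last item recommends.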
Most of these security features are native to AWS and free of charge, which encourages any cloud admin, however new to AWS, to give them a go. As AWS uptake continues to accelerate they will become tried-and-true practices, and may well end up enabled by default for AWS customers (opt-out) rather than opt-in.
Essentially, there are two principles an AWS admin should keep in mind when managing IAM rights: ‘segregation of duties’ and ‘least privilege’. I think this is the hardest part of the process, as it is in any datacenter, and the one that carries the highest risk.
Thankfully, AWS handles part of the heavy lifting: each user or identity is tied to unique security credentials that grant access only to those AWS services and resources the administrator has allowed, and federated single sign-on lets external identities map onto those permissions.
When access is obtained by assuming a role, the credentials are issued as temporary tokens that expire automatically and are rotated in the backend without anyone handling them. This shrinks the room for human error (long-lived keys left lying around) and helps prevent unauthorized access from outside the organization.
In light of Gartner’s forecast, we may witness a revival of enterprise interest in state-of-the-art IAM solutions born in, rather than adapted to, the cloud. This will drive large investments in the industry, diversify the offering and refine the techniques known today.
Expect no silver bullets, though. No Swiss army knife will help you survive in the woods unless you know how to handle its tools skillfully.
The bottom line is that the better equipped you are with IAM gear for mastering the cloud, the less of a headache you will face juggling the myriad corporate identities and assets spread across different departments and geo-locations.