Written by Uwe Sievers
Uncontrolled proliferation is a problem for many companies: Chaotic rights arrangements and unknown accounts are typical situations. Add Cloud services into the mix, and the threat level rises exponentially. The time is right for coherent identity management.
Managing digital identities and assigned authorities is no easy task. The situation is exacerbated with employees working from home offices and the associated growth in use of Cloud systems. The Identity and Access Management (IAM) systems used in many companies are often unsuitable for remote access or Cloud services. But a suitable IAM can help to prevent identity-based attacks, especially in Cloud environments.
Cloud Computing involves storing data in third-party data centres, with access via the internet. A major advantage is the fact that users can access their data from almost any location or device, since most Cloud services are designed to be device and location-independent. But because users no longer have to work in an office or use the company’s own devices, traditional security measures such as perimeter protection using firewalls, in general, are no longer adequate. That makes “identity” the most important factor in access control. The user’s identity determines which Cloud data the user can access, not the device or the location.
But in the Cloud, IT security is subject to different conditions for which many departments are not prepared. All major Cloud providers have their own security framework and also often their own Identity and Access Management (IAM) system. That means in-house IT specialists also have to configure and manage the guidelines and roles the Cloud providers supply. To do this, they need additional specialized knowledge. Network specialists also have a part to play in Cloud services.
Most Cloud providers’ policies are very complex. Dealing with the authorization systems of the various providers is therefore labour-intensive, but simultaneously serves as a basis for implementing in-house guidelines and roles. But many companies need to adapt quite a lot of rules that determine how objects and services work together in the Cloud.
Many of the larger Cloud providers are aware of the issues and help their customers to put guidelines into practice or identify risky policies. They have developed tools such as Google Cloud Identity, AWS IAM Access Analyzer and Azure Security Center and Privileged Identity Management for this purpose. But constantly monitoring guidelines and adapting to changes is still labour-intensive.
In particular, companies that make use of hybrid or multi-Cloud solutions often use special Cloud services for identity checking, known as Identity-as-a-Service (IdaaS). These services can be considered as a variation on the partial outsourcing of identity management. They function as a kind of central switch point for Single Sign-on (SSO) and rights management. The IdaaS providers connect to in-house directory services such as Microsoft’s Active Directory. Because this gives the providers of these services access to highly sensitive company data, having confidence in them is not enough: it is essential to check the provider and its agreements in depth.
