Realizing the vast potential of the cloud enables organizations to innovate and undergo digital transformations. The past two years have demonstrated the importance of strong cybersecurity, especially as many companies have migrated to the cloud. A key element of operating securely in the cloud is proper identity management. Increased cloud adoption has resulted in a deluge of new human, and even non-human, identities that threat actors can compromise. Companies that don’t take this seriously can find themselves the latest victims of a breach.
Look no further than Okta, a popular identity management platform used by many businesses. Earlier this year, the criminal organization Lapsus$ claimed to have a superuser account at Okta. While the full extent of the breach is not yet known, having these high-level credentials potentially means the criminal organization has the figurative “keys to the realm” regarding access, as well as the ability to obtain data from users who rely on the Okta Platform. When an Identity and Access Management (IAM) provider falls victim to an identity-based attack, you know the threat actors are playing hardball.
IAM is not a new issue, and it will certainly become more prominent in the foreseeable future. A report from Cider Security ranked IAM as the second most important issue in continuous integration/continuous delivery environments. These concerns relate both to the permissions granted to identities in an enterprise and to ensuring that permissions are deprovisioned in a timely manner.
Identity Management Challenges in the Cloud
Managing identities in the cloud is difficult due to a confluence of factors. Often, the structure of a cloud provider’s notions of projects and organizations does not mesh well with how a business structures itself. This can lead to things like a single corporate user trying to manage multiple cloud “identities” in order to do their job. Downstream, this translates to few, if any, people having real visibility into who has access to what in the cloud.
As problems like this grow, they are further exacerbated as the company hires employees and then experiences turnover. Additionally, moving from on-premises to cloud can create similar challenges. Companies spend years operating in a way that works for them with their own hardware, and then when they migrate to the cloud, they have to adapt that old way of working to the cloud provider’s structures.
Consequences of mismanaged identities
From a security perspective, failure to properly manage credentials in the cloud leaves enterprises without command and control over who can do what within their infrastructure. It also makes it very difficult to recognize when something is wrong with the credentials or permissions of those identities.
From a non-security perspective, poorly managed identities can cause friction in a company’s processes and then lead to undesirable outcomes. These results could include employees having to log into cloud assets using multiple identities, or employees continually finding they need to request new permissions they should have had from the start. Ultimately, this slows down a company’s processes.
Two common IAM missteps
Customers regularly fail to account for non-human identities when building cloud-based identity management. Ultimately, the cloud resources that identity holders access don’t care whether you’re a person, a machine, or a dog. If you have the correct credentials, you are authenticated and authorized. Before they know it, a critical service is running 24 hours a day, 7 days a week, 365 days a year, and a key part of that service is communicating with other critical services through the identity of a human employee. What happens when this employee leaves? Ensuring service continuity is imperative for companies and their identity and access management in the cloud.
Another potential pitfall is users sharing credentials. It doesn’t take long before a shared credential is being used without anyone being able to tell exactly who is actually accessing the cloud resources. This lack of accountability can lead to big problems, including security issues, for companies.
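As an added illustration (not from the original article), the following Python audit checks a constructed identity inventory and access log for the two missteps just described: human identities that a workload depends on, and credentials used from several sources within a short window. The identity names, IP addresses and user-agent strings are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory (hypothetical names): "human" identities belong to
# employees, "service" identities are non-human workloads.
IDENTITIES = {
    "alice":       {"type": "human",   "active_employee": False},  # alice has left
    "bob":         {"type": "human",   "active_employee": True},
    "svc-billing": {"type": "service", "active_employee": True},
}

# Constructed access events: (UTC timestamp, identity, source IP, client user agent).
EVENTS = [
    ("2022-05-01T02:00:00", "alice", "10.0.5.20", "aws-sdk-go/1.44"),      # nightly batch job
    ("2022-05-02T02:00:00", "alice", "10.0.5.20", "aws-sdk-go/1.44"),      # still running after she left
    ("2022-05-02T09:00:00", "bob", "10.0.8.11", "Mozilla/5.0 console"),
    ("2022-05-02T09:03:00", "bob", "203.0.113.7", "Mozilla/5.0 console"),  # second source minutes later
    ("2022-05-02T09:05:00", "svc-billing", "10.0.5.21", "aws-sdk-go/1.44"),
]

# User-agent prefixes that indicate programmatic (non-interactive) access.
PROGRAMMATIC_PREFIXES = ("aws-sdk", "boto", "google-api", "azure-sdk", "curl")


def continuity_risks(identities, events):
    """Human identities used programmatically: a workload depends on an employee's
    credentials. Severity is 'critical' once that employee has already left."""
    findings = {}
    for _, ident, _, agent in events:
        meta = identities.get(ident)
        if meta and meta["type"] == "human" and agent.startswith(PROGRAMMATIC_PREFIXES):
            findings[ident] = "warning" if meta["active_employee"] else "critical"
    return findings


def shared_credential_indicators(events, window_minutes=10):
    """Identities used from more than one source IP inside a short window, which is
    consistent with one credential being shared by several people or hosts."""
    by_ident = defaultdict(list)
    for ts, ident, ip, _ in events:
        by_ident[ident].append((datetime.fromisoformat(ts), ip))
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for ident, uses in by_ident.items():
        uses.sort()
        for i, (t0, _) in enumerate(uses):
            ips = {ip for t, ip in uses[i:] if t - t0 <= window}
            if len(ips) > 1:
                flagged[ident] = sorted(ips)
                break
    return flagged
```

Both checks are heuristics: a human identity with a programmatic user agent may be a legitimate developer script, so the findings are a starting point for review, not proof of misuse.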
How Organizations Can Mitigate Security Issues
First and foremost, treat identity management as a top priority, not something to be solved later as you launch your business in the cloud. Create your own well-defined identity management policies, enforcing the principle of least privilege so that identities can only access what they need.
Don’t let cloud provider tools determine how you run your business. A great way to keep your business in the driver’s seat is to find people who know the cloud, and know it well. Bringing in outside assistance from those who know it best not only puts identity management in the hands of those most qualified for it, but can also help alleviate common IAM issues that may not even be on your radar. Additionally, it’s important to gain organization-wide visibility into your cloud infrastructure. This insight provides many benefits, not only for IAM, but also for compliance and financial management.