Organizations now operate in a multi-cloud world. That allows workers to be more productive and offers the accessibility and scalability that organizations need to keep business operations flowing. But it also creates a challenge—managing large numbers of cloud-based identities. Left unchecked, these can be the cause of vulnerabilities and data leakage that produce security nightmares for the IT and security teams.
The Role of Cloud-Based Identities
As more applications move to the cloud, cloud-based identities are essential to allow organizations to enforce a single source of truth for all users to maintain orderly processes for onboarding and offboarding and to track access to applications and data.
Identities in the cloud include humans but also machine identities. “In the cloud, applications are architected from microservices. Just like people, each microservice has an identity, which is granted entitlements to access data or communicate with other microservices,” explained Shai Morag, CEO and co-founder at Ermetic.
“There are tens of thousands of these machine identities in the cloud, and they, too, must be managed securely.”
At a high level, the role of a cloud-based identity is the same as any other electronic form of identity, added Eric Olden, co-founder, chairman and CEO of Strata Identity.
“It is there to link a human to an account that represents them in the digital world,” Olden explained. “The only meaningful difference between a ‘cloud identity’ and something that could be considered an ‘on-premises identity’ is that the identity object and attribute data about that identity are stored in a cloud service, not necessarily on the organization’s traditional data center infrastructure.”
The cloud service, then, provides the necessary mechanisms to use that identity for logging in to services and apps that trust the cloud identity provider. Cloud identities are also often used to access applications, like SaaS apps such as Salesforce.
Cloud Identities and Security
Cloud identities are yet another perimeter that must be defended, but it is a perimeter without physical barriers or a network. Instead, identities have to prove who they are and are given access permissions based on the identity’s function.
Because the majority of breaches start with the compromise of an identity and its associated password credentials, identity plays a fundamental role in an organization’s security strategy.
“Securing identity in an enterprise, especially in a modern cloud/hybrid world, requires a different approach than was common five years ago,” said Olden. “Back then, an organization’s resources had very well-defined perimeters and boundaries. Resources, data, services were all within the direct management and control of the organization. This made managing things like authentication and authorization relatively straightforward.”
Today, in a cloud environment with identity as the new perimeter, a different approach is needed.
“Applying a consistent set of identity policies across innumerable cloud services is one of the biggest challenges for organizations since each cloud platform (AWS, Azure, Google, etc.) uses a proprietary identity system that is incompatible with other providers’ systems,” Olden stated.
Reducing the Risks
It is impossible to completely avoid risk, so there is only mitigation and management of risk under organizations’ control. Organizations are challenged to find the most effective way to use their limited resources to reduce risk. Focusing on protecting cloud-based identities can go a long way toward shoring up an organization’s overall security best practices.
According to Olden, the key things that an organization can do to mitigate the inherent risks of using cloud-based identity services include:
• Enforce authentication to every single application—including legacy applications—through your cloud identity service. There should be no exceptions.
• Migrate away from legacy access management technologies and to a modern identity provider.
• Define and enforce robust identity life cycle and governance practices across all identities—both human and non-human.
• Enforce multifactor, passwordless authentication wherever possible.
• Begin a shift to passwordless authentication technology as soon as possible.
• Apply runtime policy evaluation and enforcement for every application, leveraging security analytics services; i.e. continuous validation of who the user is and their level of risk and authorization. A distributed identity orchestration and policy orchestration platform can provide this service at the application and cloud infrastructure layer.
• Use orchestration as a runtime enforcement layer to implement continuous real-time analysis and enforcement of identity authentication and authorization.
• Encrypt user data at all times; in motion across networks and at rest in databases and vaults.
• Enforce least-privilege access to applications and data; don’t give users access to apps and data that they don’t need. Use just-in-time access provisioning to dynamically provide access on an as-needed basis.
• Classify data and apps to better manage which apps contain sensitive data; manage the geographic storage and access requirements of data so they are aligned with multi-geography and multinational regulations.
Cloud identities are the new security perimeter, so they are an incredibly important part of any organization’s security system. Controls in place to protect the security of identities goes a long way toward protecting the security of the entire multi-cloud universe.
