IT decision makers may hesitate over, or at least carefully weigh, the consequences of identity and access management (IAM) in the cloud. Recently released research conducted by Forrester and commissioned by ForgeRock and Google Cloud points to numerous organizations planning to expand their IAM efforts, or catch up on them, with initiatives set to go into action over the next two years.
Andras Cser, vice president and principal analyst with Forrester, says the identities that need to be managed in relation to IT fall into two categories. One is the general business user accessing applications that are in the cloud, which he says tends to be relatively trouble-free. The other group is privileged users, such as administrators who can log into a cloud console to make changes.
That is where potential concerns might be raised, Cser says. “Cloud adoption went way ahead of identities,” he says. “We lack mechanisms to reliably control identities’ access rights for these admin kinds of users as they manage the cloud platform console.”
Cser says this means organizations might struggle with how to grant access for such privileged users. “It also means many times the access of these users includes too many rights or excessive privileges,” he says. “Sometimes you cannot authenticate these users reliably.”
Understanding access rights -- which objects and resources in the cloud an identity can reach, such as instances, storage, and network -- is also difficult, he says. The problem intertwines security with awareness of who has access to what, Cser says. “Even understanding who can do what in the cloud is absolutely horrendously difficult. There are a lot of policy types. They determine what the admin user has access to question in an overlay. That is the problem.”
He says this can lead to one set of policies denying access to a user while another policy grants it, all layered on top of each other, which can create confusion.
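To make the layering problem concrete, the following added example (not from the article, Forrester, or any cloud provider) models a simplified resolver in which an explicit Deny in any layer overrides an Allow in another, and flags Allow statements that grant wildcard actions on every resource. The layer names, action strings and the deny-overrides rule are assumptions for illustration; real providers' evaluation logic differs in detail.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Statement:
    """One policy statement: an effect plus action/resource patterns ('*' suffix = wildcard)."""
    effect: str          # "Allow" or "Deny"
    actions: frozenset   # e.g. {"storage:Read"} or {"*"}
    resources: frozenset # e.g. {"bucket/payroll*"} or {"*"}


def _matches(pattern: str, value: str) -> bool:
    # '*' matches anything; 'storage:*' or 'bucket/payroll*' match by prefix.
    if pattern == "*" or pattern == value:
        return True
    return pattern.endswith("*") and value.startswith(pattern[:-1])


def effective_decision(layers, action, resource):
    """Resolve one (action, resource) across layered policies (assumed model).
    layers: list of (layer_name, [Statement]). An explicit Deny in any layer wins,
    otherwise any Allow wins, otherwise access is denied by default.
    Returns (decision, [names of the layers that produced it])."""
    allowed_by, denied_by = [], []
    for name, statements in layers:
        for s in statements:
            if any(_matches(a, action) for a in s.actions) and \
               any(_matches(r, resource) for r in s.resources):
                (denied_by if s.effect == "Deny" else allowed_by).append(name)
    if denied_by:
        return "Deny", denied_by
    if allowed_by:
        return "Allow", allowed_by
    return "Deny", ["implicit default"]


def excessive_grants(layers):
    """Flag Allow statements that grant a wildcard action on every resource."""
    return [(name, s) for name, statements in layers for s in statements
            if s.effect == "Allow"
            and any(a.endswith("*") for a in s.actions)
            and "*" in s.resources]


# Constructed sample: three policy layers attached to one admin identity.
LAYERS = [
    ("org-guardrail", [Statement("Deny", frozenset({"storage:Delete"}), frozenset({"bucket/payroll*"}))]),
    ("project-admin-role", [Statement("Allow", frozenset({"*"}), frozenset({"*"}))]),
    ("dev-temp-policy", [Statement("Allow", frozenset({"storage:Read"}), frozenset({"bucket/payroll-exports"}))]),
]

if __name__ == "__main__":
    print(effective_decision(LAYERS, "storage:Delete", "bucket/payroll-exports"))  # ('Deny', ['org-guardrail'])
    print(excessive_grants(LAYERS))  # the project-admin-role wildcard grant
```

Running the resolver over every (identity, action, resource) triple an auditor cares about gives the "who can do what" answer the layered policies obscure, and `excessive_grants` surfaces the overly permissive roles Cser describes.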
According to Omdia, the research arm of Informa Tech, there are some steps organizations should consider when developing a hybrid, multicloud strategy while coming from an on-prem infrastructure:
- Quiz the on-prem IAM provider regarding their ability and capacity to support the new environment being envisaged. It may prove less disruptive to add their identity-as-a-service than to rip and replace the entire identity services infrastructure with a brand-new provider.
- If the response from the IAM provider prompts exploration of other options, a vendor comparison report can offer profiles of leading players, along with strengths and weaknesses.
Hybrid and multicloud adoption is expected to grow, according to Omdia's Cloud Service & Leadership Strategies N.A. Enterprise Survey – 2021. Identity and access can be more of an issue for hybrid multicloud, according to Roy Illsley, chief analyst for IT and enterprise with Omdia. "When the world of hybrid multicloud becomes a reality -- on-premises to a number of public cloud providers -- then identity and access become a challenge," he says.
Addressing identity and access management concerns could make it easier for enterprises to transition to and maintain workloads in the cloud, Cser says, while also protecting data. “All this boils down to data protection,” he says. “Misconfiguration is an attack vector, how attackers can get access to your data.”
The nature of the cloud is the biggest culprit in this dilemma, Cser says, coupled with a lack of oversight. “Developers kind of want to be done with stuff,” he says. “They don’t want to build something and then have to revoke all the unnecessary privileges. Developers just want to work. They want to develop their apps. They don’t want to worry about security and revoking access.”
For example, during creation of a resource or object, a developer might leave the resource relatively open, though Cser says there should be a follow-up step after development to remove that access or add encryption. “This last step does not happen,” he says. “They don’t clean up after themselves and revoke privileges. Once something goes into production, even if it’s temporary, nobody is going to touch it.”
There can be a fear, Cser says, of changes to production that might jeopardize functionality. “Nobody wants to risk that.” He says these concerns can affect a broad spectrum of organizations. “For everyone who went to the cloud, this is the first or second biggest question,” Cser says. “Data protection is the biggest problem, but misconfiguration or overly permissive privileges are big issues because you don’t have any kind of physical boundaries, as with data centers.”
With the cloud, scripts and code determine where instances live, how much memory is available, and other elements that he says are not governed. Cser says cloud security posture management products from DivvyCloud, Palo Alto Networks, and Dome9 can be put to work to address these concerns.
While cloud platforms such as AWS, Microsoft Azure, and Google Cloud may have built-in posture management capabilities, he says, they typically cover only their own systems. “You cannot use Azure’s cloud security posture management to protect configuration artifacts in AWS or the other way around,” Cser says. “You want to avoid a silo for posture management tools for every single platform. You want to centralize visibility of all this into one tool.”