Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Help shape the future of cloud security! Take our quick survey on SaaS Security and AI.

Identity and Access Management in Cloud Security

Home
Industry Insights
Identity and Access Management in Cloud Security

Blog Article Published: 08/28/2024

Written by Ashwin Chaudhary, CEO, Accedere.

Identity and access management (IAM) ensures that only authorized identities have the right access to the right resources. With cloud platforms consolidating numerous administrative functions of data centers and services into unified Internet-accessible web consoles and application programming interfaces (APIs), IAM acts as the new perimeter in cloud-native security, protecting sensitive resources from unauthorized access and misuse. Cloud Security Alliance's Security Guidance v5.0 covers Identity and Access Management in Domain 5. In both public and private clouds, cloud service providers (CSPs) and cloud service customers (CSCs) are tasked with managing IAM within acceptable risk tolerances. While we will review fundamental IAM concepts, the focus will be on the characteristics and challenges of IAM in the cloud and ensuring their effective management. IAM cannot be managed solely by the CSP or the CSC. It requires a trust relationship between both parties, a clear designation of responsibilities, and the technical mechanics to facilitate its management. Gartner defines IAM as “the security discipline that enables the right individuals to access the right resources at the right times for the right reasons."


Fundamental terms

  • Access control: Restricting access to a resource, based on the permissions granted to the entity.
  • Authentication: Verifies the identity of a user, process, or device, often as a prerequisite to allowing access to resources in a system.
  • Authorization: The decision to permit or deny a subject access to system objects (e.g., network, data, application, service,).
  • Multi-Factor Authentication (MFA): A mechanism through which an identity is authenticated via additional factors such as something you know, something you have or something you are.
  • Attribute: A characteristic or property of an entity that describes its state, appearance, or other relevant aspects.
  • Entitlement: Maps identities to authorizations with required attributes (e.g., user X is allowed access to resource Y when Z attributes have designated values)
  • Entity: An entity refers to a unique, identifiable actor in a computer system. In the context of cybersecurity, an entity can be a user, a device, an application, or a system that is identified and authenticated by an IAM system.
  • Identity: the unique expression of an entity within a given namespace.
  • Role: Provides a permission-centric view, defining the access level for users to perform specific tasks.
  • Attribute-Based Access Control (ABAC): An access control or entitlement that requires 73 specific attributes, such as multi-factor authentication (MFA), the user logging in from a managed system, or the targeted resource having a particular tag.
  • Policy-Based Access Control (PBAC): Access requirements defined in a machine-readable policy document that typically provides extensive flexibility and granularity with support for various conditions and other variables, such as attributes.
  • Role-Based Access Control (RBAC): It is a more common model than ABAC, where access is granted to all users with a given role (e.g., developer or administrator).


Commonly Used Standards for Cloud Computing

  • Security Assertion Markup Language (SAML) is an OASIS (Organization for the Advancement of Structured Information Standards) standard for federated Identity Management that supports authentication and authorization. It uses XML to make assertions between an Identity Provider and a Relying Party. Assertions can contain authentication statements, attribute statements, and authorization decision statements. Both enterprise tools and CSPs widely support SAML, but it can be complex to configure initially. SAML is well-suited for traditional web-based client-server applications.
  • OAuth is an IETF (Internet Engineering Task Force) standard for authorization widely used for web services (including consumer services). OAuth is considered an authorization protocol that allows users to grant third-party applications limited access to resources without sharing their credentials (like passwords) directly with those applications. OAuth is popular for authorizing API access or connecting 3rd parties to applications. OAuth is designed to work over HTTP and is most often used for delegating access control and authorizations between services.
  • OpenID Connect (OIDC) is a standard for federated authentication widely supported for web services. It adds an authentication layer to OAuth and is based on HTTP with URLs used to identify the IdP and the user/identity (e.g., http://identity.identityprovider.com). OIDC 1.0 is very commonly seen in consumer services, and there is growing support for it in commercial products. One example would be Single Page Applications (SPA - e.g., Facebook). OpenID is a standard for authentication and is distinct from OIDC. OpenID 2.0 is deprecated and has been largely replaced by OIDC.


Security Considerations

  • Develop a comprehensive policy, plan, and processes for managing cloud service identities and authorizations.
  • Cloud users should use MFA for all cloud access and send MFA status as an attribute when using federated authentication.
  • Document an entitlement matrix for each cloud deployment that aligns with security and business requirements.
  • Translate entitlement matrices into technical policies when supported by the CSP or platform.
  • Prefer Attribute-Based Access Control and Policy-Based Access Control over Role-Based Access Control.
  • Assess and adopt more modern IAM processes and technologies such as usage tracking for improved least privilege, JIT access, and risk scoring.
  • Log and monitor all IAM changes both at the Identity Provider and the Resource Provider.
  • Incident Response- Integrate plans and procedures for invalidating or restricting abused IAM session tokens into the incident response program.


About the Author

Ashwin Chaudhary is the CEO of Accedere, a Data Security, Privacy Audit, and Training Firm. He is a CPA from Colorado, MBA, CITP, CISA, CISM, CGEIT, CRISC, CISSP, CDPSE, CCSK, PMP, ISO27001 LA, ITILv3 certified cybersecurity professional with about 20 years of cybersecurity/privacy and 40 years of industry experience. He has managed many cybersecurity projects covering SOC reporting, ISO audits, VAPT assessments, Privacy, IoT, Governance Risk, and Compliance.

Cloud Incident ResponseIdentity and Access ManagementTransitioning to the cloudZero Trust

Share this content on your favorite social network today!

Core Cloud
Related Resources
Top Threats to Cloud Computing
The eleven salient threats, risks, and vulnerabilities in the cloud.
Certificate of Cloud Security Knowledge (CCSK)
The industry's standard cloud security credential.
Corporate Membership
Gain knowledge and connections in the cloud industry.
Latest from CSA
Download the Non-Human Identity Security Report
Register for CSA's Global AI Symposium
CCZT: Now with Zero Trust Strategy
Trending This Week
#1 Top 10 Linux Server Hardening and Security Best Practices
#2 The Common Misconfigurations that Lead to Cloud Data Breaches
#3 The Implications of AI in Cybersecurity: A Transformative Journey
#4 The 6 Phases of Data Security
#5 9 Best Practices for Preventing Credential Stuffing Attacks
Secure your cloud data with Zero Trust Training
Related Articles:
Top Threat #2 - Identity Crisis: Staying Ahead of IAM Risks

Published: 09/16/2024

Burdens and Benefits of Shared Security Responsibility Model (SSRM) in Cloud Computing

Published: 09/13/2024

What are OAuth Tokens, and Why are They Important to Secure?

Published: 09/12/2024

An IT Veteran’s Guiding Principles for Successfully Implementing Zero Trust

Published: 09/09/2024