Your Guide to IAM – and IAM Security in the Cloud

Originally published by Ermetic.

As user credentials become a coveted target for attackers, IAM (Identity Access Management) technologies are gaining popularity among enterprises. IAM tools are used in part to implement identity-based access security practices in the cloud. But is IAM security enough to adequately protect cloud identities and resources? In this blog post we answer this question - and others!

What is IAM?

IAM (Identity Access Management) is the framework of policies, technologies, processes and programs that organizations use to manage digital identities and govern user access to organizational systems, data and resources.

IAM is a key piece of a security strategy. IAM helps improve an organization’s security posture by allowing the organization to control and ensure appropriate access to resources in the environment, including to meet growing compliance requirements. Among other things, IAM is used to determine the ability of users to perform system actions like viewing, creating or modifying files.

Using IAM, the organization can implement security best practices such as the principle of least privilege, which helps prevent access-based cyber attacks and mitigate the cybersecurity risks of breaches and data loss. These practices improve the organization’s security posture and also enable compliance with security regulation requirements.

According to Gartner, IAM is an essential endeavor: “Enterprises that develop mature IAM capabilities can reduce their identity management costs and become significantly more agile in supporting new business initiatives.”

What is IAM in the Cloud?

IAM in the cloud involves managing identities and access to resources in cloud environments. Each cloud provider has its own web service for managing IAM (AWS IAM, Azure Active Directory,...).

The professionals tasked with carrying out IAM management and who use IAM technologies differ from one organization to the next. In legacy enterprises, it is often IT or dedicated IAM professionals. In organizations migrating to the cloud, IAM may be managed by professionals in different domains including IT, IAM, cloud IAM, DevOps or DevSecOps.

IAM plays an important role in cloud infrastructure. Some IAM solutions have evolved to offer cloud identity management of human identities and entitlements. But first-generation cloud IAM lacks the deep visibility and security capabilities required to manage service identities, which are the bulk of identities in cloud infrastructure.

What is an IAM System and What Does it Do?

An IAM system, or an IAM security tool, manages and controls user access in a manner that technologically supports the organization’s policies and programs. The purpose of the IAM system is to assign a digital identity to each user, device or service. When attempting to access a system, this identity is verified to ensure it can only access resources and data it has been given permissions to.

An IAM system performs the following activities:

• Identity Management - Assigning unique identities to human users and cloud services and authenticating and authorizing digital identities when they access resources.
  • Identity management takes place in a centralized directory or database. This is where IAM professionals and admins manage identities and can modify which identity has access to what and when. For example, they can remove a user’s permissions when she leaves the organization. To ensure effectiveness, the data in the database needs to be kept up-to-date.
  • The verification process itself can be based on different methods, like SSO (Single-Sign On), MFA (Multi-Factor Authentication), PAM (Privileged Access Management) and others.
• Access Management - Ongoing permissions policy management, by enabling IAM professionals and stakeholders to assign and remove permissions of human and machine identities at a granular level. This process should be simple and as automated as possible through workflows, while ensuring admins retain control.Access policies can be determined by using methods like RBAC (Role-based Access Control), ABAC (Attribute-based Access Control), JIT and others. In addition, methods like automated provisioning and de-provisioning enable managing permissions in certain predefined cases that are related to business lifecycle events. E.g, automatically changing a user’s permissions when a person changes roles inside the organization.

In the cloud, it is recommended to enhance your IAM tools with a CIEM. A CIEM will:

• Provide Visibility - Granting IAM professionals and stakeholders with visibility into roles, permissions and access capabilities. This includes being able to see and filter lists of inventory resources, human and service identities and third-party access; classification of privileged permissions; mapping two-way full permissions; and the ability to discover admins and privileged identities.
• Monitor - Tracking, recording, logging and analyzing identity-related user information and events. These actions enable investigation and analysis to determine which permissions are really necessary and retiring unused and over-privileged permissions, for implementing security practices like least-privilege. Investigating these activities can also help identify malicious actor behavior. For example, by looking into anomalous behavior by a certain user.
• Remediate - Identifying and suggesting recommendations for remediating excessive permissions. The remediation process should be automated or provide guidance for manual implementation, and should include notification of a vulnerability, ticket assignment to fix the issue and tracking completion of the task. The remediation process can take place through predefined workflows or through CI/CD - for shifting left tracking and remediation.

Read more about IAM and CIEM capabilities from the Identity Defined Security Alliance (IDSA).

Is IAM a Part of Cybersecurity?

IAM processes and technologies are an important part of cybersecurity because they are the most effective way to implement an identity-based approach to security. IAM helps organizations address increasingly complex access realities given modern business needs like remote work, cloudification, continuous global access and the growing usage of SaaS applications. In cloud environments, the protection of on-prem firewalls is absent so identity is the new security perimeter, making identity-focused security a priority.

To secure cloud-based environments it is recommended to use a CIEM (Cloud Infrastructure Entitlements Management) platform as part of a cybersecurity strategy, in addition to an IAM system. A CIEM is advantageous because it automates risk analysis across identities, resources and permissions in cloud infrastructure to provide clarity into where identity risk lies, its severity, and how it can be remediated. Unlike an IAM system, CIEM can reveal dangers hidden in the permissions complexity of the cloud, and can do so across multiple clouds and for all identities including external ones.

How Does IAM Improve Security?

An IAM solution enables administrators to provision and control access to company resources. By doing so, an IAM system improves the security posture of the company and its cloud. This is enabled by:

Mitigating Credential-related Security Risks

According to the 2022 Data Breach Investigations Report by Verizon, approximately half(!) of all cyber attacks pertain to credentials, making them the highest risk factor for an organization. Credentials are followed by phishing (less than 20% of attacks), vulnerability exploitation (less than 10%) and botnets (less than 5%).

Cloud migration, remote work, growing business use of third party vendors, growing use of external SaaS apps have all made access management more vulnerable.

IAM solutions manage identities and permissions. Together with CIEMs they provide centralized visibility into how credentials are being used. By enforcing permissions policies and monitoring credential misuse, toxic combinations and excessive permissions, organizations can control user access and thus improve their prevention of data breaches that exploit credentials. This includes third-parties and remote users, which pose a higher risk.

Improving Compliance

Compliance standards and guidelines like ISO, PCI-DSS, GDPR, NIST and HIPAA have been enacted to protect individual users. Despite their many advantages, making IAM professionals’ lives easier is not one of them. An IAM system helps automate the process of policy management, data collection and reporting. This automation can help comply with industry standards and alert about non-compliance gaps, as they are related to least-privilege access.

By leveraging the IAM with a CSPM, organizations can ensure they cover the complete breadth of compliance requirements.

Reducing Shadow IT

Employees are under pressure by the business to move fast. They lack patience as they wait for IT to respond to their requests or when having to go through security-related processes to gain access to systems. Shadow IT is a practice that has evolved as an insecure bypass to IT and security demands. Shadow IT means that employees act as their own IT, accessing unapproved systems and sharing valuable organizational data to them.

An IAM solution helps manage access requests in an efficient and prompt way. Workflows, role-based bulk approvals and automated provisioning are IAM methods that IT and security can employ to manage access. These methods help reduce employee frustration and eliminate the need for shadow IT.

Reducing Complexities

When IT and security teams are swamped, important tasks tend to fall between the cracks. IAMs help reduce the operational workload related to access management by providing automation and visibility that help make the work easy and even enjoyable. This ensures that identity-based access tasks are completed efficiently and don’t pose unnecessary risks that could have been avoided.

What is an IAM Policy in AWS?

(All quoted texts in this section are from the AWS IAM policies and permissions user guide).

AWS is one of the leading cloud providers so let’s take a look at how IAM works in that cloud.

An IAM policy is an object in AWS that defines the permissions associated with an identity or resource. An AWS IAM policy serves to “manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources… When an IAM principal (user or role) makes a request, AWS evaluates these policies. Permissions in the policies determine whether the request is allowed or denied.”

AWS IAM has six policy types:

1. Identity-based policies – Policies that grant permissions to an IAM identity (users, groups to which users belong, or roles).
2. Resource-based policies – Policies that grant permissions to the specified principal, either in the same account as the resource or in other accounts; e.g., Amazon S3 bucket policies and IAM role trust policies.
3. Permissions boundaries – The maximum permissions identity-based policies can grant to an entity. Note: They do not grant permissions or define the maximum permissions a resource-based policy can grant to an entity.
4. Organizations SCPs – The maximum permissions for account members of an organization or organizational unit (OU). Note: They do not grant permissions.
5. Access control lists (ACLs) – A list of rules that controls which principals from other accounts can access a given resource. This is the only policy type that does not use JSON for its policy document structure. Note: ACLs cannot grant permissions to entities within the same account.
6. Session policies – Policies that limit the permissions the role or user's identity-based policies grant to the session. Note: They do not grant permissions.

A policy document in AWS includes policy-wide information as well as at least one individual statement. Each statement includes information about a single permission. The information in a statement is contained within a series of elements: version, statement, Sid (optional), effect, principal (required in only some circumstances), action, resource and condition (optional).

Learn more about AWS IAM policies and IAM policy evaluation here.

The Importance of Adding a CIEM to Secure Your IAM

A CIEM solution provides a centralized platform for securing IAM across cloud deployments, while maintaining consistent security policies across all platforms. While IAMs are the solution for managing and authenticating users across environments, IAM systems do not answer the complex security needs of the cloud, where tens of thousands of identities, many for microservices, need to access resources in a dynamically changing environment.

CIEM provides advanced visibility, monitoring and remediation features, including advanced identity mapping, risk assessment and anomaly detection, enabling you to understand and act on IAM related risk in your cloud infrastructure. CIEM solutions can help you implement least privilege access, including Just in Time access for developers, and reduce risk by removing unused or excessive privileges. In addition, they can automate access governance and compliance. They can determine effective access – the difference between permissions granted and actual use – and recommend how to bring access policies in line.

A CIEM plays a huge role in helping organizations scale IAM security and minimize the cloud attack surface as their heterogeneous cloud environment expands.

We recommend researching and adding CIEM to your roadmap, especially if you use cloud infrastructure. Examine your ability to secure your cloud identities and prevent an identity-based breach.

Ask yourself:

• Do I know which identities have access to which resources?
• Am I getting alerts about excessive permissions?
• How easily can I understand how to remediate for least privilege?

To answer these questions and more, get on a call with a CIEM provider and see how a CIEM can help augment your IAM solution while addressing cloud-related gaps.