IAM and Security Automation: How Companies Can Stay Safer in the Cloud
Published 11/01/2022
Originally published by ShardSecure.
Written by Anthony Whitehead, Lead Developer, ShardSecure.
Automation of security measures is a long-running topic of discussion. But despite the many benefits, including increased productivity, effectiveness, efficiency, and accuracy, many organizations haven’t made the leap — or when they do, they run into challenges. No matter which area of security you are talking about automating, one of the largest challenges is always detection — being able to trigger on some event to cause the automation to occur.
I worked for many years within identity and access management (IAM), where I think automation has probably come the furthest, largely because of the ability to define the trigger event. We utilized a concept called just-in-time (JIT) provisioning, which means that when an employee or contractor starts working with a company and needs access to business systems to perform certain actions, you can use the employee management system to trigger automation. This can include creation of accounts and access rights, initiating the process to produce identity cards, and more. All those baseline onboarding activities that workers need in order to do their jobs can be automated and triggered by a certain date entered within the employee management database. With JIT provisioning, automation has come quite a long way, but many organizations still don’t take advantage of its full capabilities.
The corollary of JIT provisioning is automatic deprovisioning, which is just as important (if not more important) than the initial user access. This is particularly true now, as the wave of people leaving their jobs or entering the gig economy has accelerated and shows no sign of slowing down. One of the largest surveys of the global workforce finds that 20% of workers plan to quit their jobs in 2022. When jobs and contracts end, you don’t want to have to manually hunt through all the systems that an employee or contractor uses and remove their access.
The deprovisioning process should be automated in the same way as when you provision a user — at the date of termination. Not doing so creates quite a risk due to credential leakage or compromise, which, according to the 2022 Data Breach Investigations Report (DBIR) by Verizon, remains by far the top way threat actors gain access to an organization. Numerous breaches have occurred over the years due to user credentials remaining in systems and not being removed by automated or manual cleanup functions.
Some systems have added a certain amount of deprovisioning capabilities, but it is something administrators often overlook, particularly outside of core databases and core directories. Organizations in the cloud tend to use Active Directory (AD), which often uses an end date to automatically terminate the user's access. But those directories are not always directly linked to access rights in other systems like database servers, web management systems, CRM systems, and SaaS solutions. Deprovisioning access to these secondary systems can get overlooked, so you really need to automate the removal of access to all those accounts when the main account is terminated.
The need for IAM improvements
Especially among small to medium companies, this area of security management doesn’t get a lot of attention. Generally, large companies have engaged in multi-year identity management programs, often with the assistance of consultants. That said, they can still run into problems, because by the time they finish integrating all these systems into a giant identity access service and arrive at implementation, things are already out of date. This is especially true these days, when more business units are acting independently and bringing in SaaS services or third-party systems and, therefore, sidestepping the access management system.
This is all the more reason to have a capable identity and access management system that makes it easy for a business unit to add the additional services they need and automatically manage the provisioning and deprovisioning of user accounts.
IAM can be perceived as mundane, but it is still a central part of the security process, particularly for today’s hybrid- and multi-cloud environments. Think about the additional challenges of managing access to cloud storage buckets. The risk of threat actors gaining access to sensitive information — either through misconfigurations where access was not secured or through credential leakage — is well-documented and keeps cloud security professionals awake at night. What happens if a user leaves and you forget to terminate their access, or if you don’t even have visibility into all the systems they were able to access to know what to deprovision?
While cloud providers continue to build in capabilities to help customers keep their data private, the problem will continue; humans are fallible and threat actors are increasingly crafty. Fortunately, there is another way to protect your data wherever it resides.
Protecting against backend cloud access with microsharding
If your company forgets to deprovision admins with access to the backend cloud infrastructure, you’ll want to make sure you’re covered. The right microsharding solution can make cloud admin credentials useless for unauthorized users by desensitizing data in the cloud.
It’s easy to miss a credential here and there. Microsharding can help you cover your bases by rendering your sensitive data unintelligible and of no value for anyone with compromised, leaked, or forgotten backend credentials.
I’m not suggesting that you don’t use IAM. There are good reasons why it is important — not the least of which is quickly running reports for compliance audits. Instead, think of microsharding as an extra security measure so you can rest easy and automate with confidence.
Related Articles:
How Cloud-Native Architectures Reshape Security: SOC2 and Secrets Management
Published: 11/22/2024
The Lost Art of Visibility, in the World of Clouds
Published: 11/20/2024
Why Application-Specific Passwords are a Security Risk in Google Workspace
Published: 11/19/2024
Group-Based Permissions and IGA Shortcomings in the Cloud
Published: 11/18/2024