
Identity and Access Management in Cloud Security

Published 08/28/2024

Written by Ashwin Chaudhary, CEO, Accedere.

Identity and access management (IAM) ensures that only authorized identities have the right access to the right resources. With cloud platforms consolidating numerous administrative functions of data centers and services into unified Internet-accessible web consoles and application programming interfaces (APIs), IAM acts as the new perimeter in cloud-native security, protecting sensitive resources from unauthorized access and misuse. Gartner defines IAM as "the security discipline that enables the right individuals to access the right resources at the right times for the right reasons."

Cloud Security Alliance's Security Guidance v5.0 covers Identity and Access Management in Domain 5. In both public and private clouds, cloud service providers (CSPs) and cloud service customers (CSCs) are tasked with managing IAM within acceptable risk tolerances. While we will review fundamental IAM concepts, the focus will be on the characteristics and challenges of IAM in the cloud and ensuring their effective management.

IAM cannot be managed solely by the CSP or the CSC. It requires a trust relationship between both parties, a clear designation of responsibilities, and the technical mechanics to facilitate its management.


Fundamental terms

  • Access control: Restricting access to a resource, based on the permissions granted to the entity.
  • Authentication: Verifies the identity of a user, process, or device, often as a prerequisite to allowing access to resources in a system.
  • Authorization: The decision to permit or deny a subject access to system objects (e.g., network, data, application, service).
  • Multi-Factor Authentication (MFA): A mechanism through which an identity is authenticated via additional factors such as something you know, something you have or something you are.
  • Attribute: A characteristic or property of an entity that describes its state, appearance, or other relevant aspects.
  • Entitlement: Maps identities to authorizations with required attributes (e.g., user X is allowed access to resource Y when Z attributes have designated values).
  • Entity: An entity refers to a unique, identifiable actor in a computer system. In the context of cybersecurity, an entity can be a user, a device, an application, or a system that is identified and authenticated by an IAM system.
  • Identity: The unique expression of an entity within a given namespace.
  • Role: Provides a permission-centric view, defining the access level for users to perform specific tasks.
  • Attribute-Based Access Control (ABAC): An access control or entitlement that requires specific attributes, such as multi-factor authentication (MFA), the user logging in from a managed system, or the targeted resource having a particular tag.
  • Policy-Based Access Control (PBAC): Access requirements defined in a machine-readable policy document that typically provides extensive flexibility and granularity with support for various conditions and other variables, such as attributes.
  • Role-Based Access Control (RBAC): It is a more common model than ABAC, where access is granted to all users with a given role (e.g., developer or administrator).


Commonly Used Standards for Cloud Computing

  • Security Assertion Markup Language (SAML) is an OASIS (Organization for the Advancement of Structured Information Standards) standard for federated Identity Management that supports authentication and authorization. It uses XML to make assertions between an Identity Provider and a Relying Party. Assertions can contain authentication statements, attribute statements, and authorization decision statements. Both enterprise tools and CSPs widely support SAML, but it can be complex to configure initially. SAML is well-suited for traditional web-based client-server applications.
  • OAuth is an IETF (Internet Engineering Task Force) standard for authorization widely used for web services (including consumer services). OAuth is considered an authorization protocol that allows users to grant third-party applications limited access to resources without sharing their credentials (like passwords) directly with those applications. OAuth is popular for authorizing API access or connecting 3rd parties to applications. OAuth is designed to work over HTTP and is most often used for delegating access control and authorizations between services.
  • OpenID Connect (OIDC) is a standard for federated authentication widely supported for web services. It adds an authentication layer to OAuth and is based on HTTP with URLs used to identify the IdP and the user/identity (e.g., http://identity.identityprovider.com). OIDC 1.0 is very commonly seen in consumer services, and there is growing support for it in commercial products. One example would be Single Page Applications (SPA - e.g., Facebook). OpenID is a standard for authentication and is distinct from OIDC. OpenID 2.0 is deprecated and has been largely replaced by OIDC.


Security Considerations

  • Develop a comprehensive policy, plan, and processes for managing cloud service identities and authorizations.
  • Cloud users should use MFA for all cloud access and send MFA status as an attribute when using federated authentication.
  • Document an entitlement matrix for each cloud deployment that aligns with security and business requirements.
  • Translate entitlement matrices into technical policies when supported by the CSP or platform.
  • Prefer Attribute-Based Access Control and Policy-Based Access Control over Role-Based Access Control.
  • Assess and adopt more modern IAM processes and technologies such as usage tracking for improved least privilege, just-in-time (JIT) access, and risk scoring.
  • Log and monitor all IAM changes both at the Identity Provider and the Resource Provider.
  • Incident response: Integrate plans and procedures for invalidating or restricting abused IAM session tokens into the incident response program.
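The following added example (not from the original article or from CSA guidance) shows an entitlement matrix translated into a machine-readable policy and evaluated with ABAC conditions, next to a role-only check that ignores them. The role names, the `env` resource tag, the `roles` claim name and the device flag are assumptions; `amr` is the standard authentication-methods claim from RFC 8176, used here to carry MFA status from the identity provider.

```python
# Added example; role names, the "env" tag and the "roles" claim are hypothetical.
# Entitlement matrix rows as machine-readable policy: role + action + conditions.
ENTITLEMENTS = [
    {"role": "developer", "action": "read",
     "subject": {"mfa": True}, "resource": {"env": {"dev", "prod"}}},
    {"role": "developer", "action": "write",
     "subject": {"mfa": True, "managed_device": True}, "resource": {"env": {"dev"}}},
    {"role": "administrator", "action": "write",
     "subject": {"mfa": True, "managed_device": True},
     "resource": {"env": {"dev", "prod"}}},
]

def subject_from_claims(claims, managed_device):
    """Map federated token claims to subject attributes.
    The 'amr' claim (RFC 8176) lists authentication methods; 'mfa' marks multi-factor."""
    return {
        "roles": set(claims.get("roles", [])),
        "mfa": "mfa" in claims.get("amr", []),
        "managed_device": managed_device,
    }

def _matches(required, actual):
    """Every required attribute must be present and equal (or in the allowed set)."""
    for key, want in required.items():
        have = actual.get(key)  # a missing attribute never satisfies a condition
        ok = have in want if isinstance(want, set) else have == want
        if not ok:
            return False
    return True

def is_allowed(subject, action, resource):
    """ABAC/PBAC decision with default deny: some row must match in full."""
    return any(
        row["role"] in subject["roles"] and row["action"] == action
        and _matches(row["subject"], subject)
        and _matches(row["resource"], resource)
        for row in ENTITLEMENTS
    )

def rbac_only(subject, action):
    """Role-only check for comparison: ignores MFA, device state and resource tags."""
    return any(r["role"] in subject["roles"] and r["action"] == action
               for r in ENTITLEMENTS)

# Constructed sample: a developer who authenticated with a password only.
password_only = subject_from_claims({"sub": "u1", "roles": ["developer"], "amr": ["pwd"]}, True)
print(is_allowed(password_only, "read", {"env": "dev"}), rbac_only(password_only, "read"))
```

The same developer role is denied under the attribute-aware policy and allowed under the role-only check, which is the gap the ABAC/PBAC recommendation closes.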



About the Author

Ashwin Chaudhary is the CEO of Accedere, a Data Security, Privacy Audit, and Training Firm. He is a CPA from Colorado, MBA, CITP, CISA, CISM, CGEIT, CRISC, CISSP, CDPSE, CCSK, PMP, ISO27001 LA, ITILv3 certified cybersecurity professional with about 20 years of cybersecurity/privacy and 40 years of industry experience. He has managed many cybersecurity projects covering SOC reporting, ISO audits, VAPT assessments, Privacy, IoT, Governance Risk, and Compliance.