Cloud 101

Research Topic

Identity and Access Management

Latest ResearchWorking Group
Identity Access Management Working Group Charter
Identity Access Management Working Group Charter


Identity and Access Management
What is Identity and Access Management (IAM)? 
Identity and access management is mapping some form of an entity (a person, system, piece of code, etc.) to a verifiable identity associated with various attributes (which can change based on current circumstances), and then making a decision on what they can or can’t do based on entitlements. 

How IAM is Different in the Cloud
Cloud services are becoming ubiquitous in all sizes, and customers encounter many obligations and opportunities for using Identity Access Management (IAM) systems with those cloud services. However, as an area of emergent technical focus, there is little independent analysis and guidance in the public domain for addressing the intersection of IAM and cloud services. 

In cloud computing, the fundamental problem is that multiple organizations are now managing the identity and access management to resources, which can greatly complicate the process. For example, imagine having to provide the same user on dozens—or hundreds—of different cloud services. Federation is the primary tool used to manage this problem.

Other key differences are that in the cloud IAM:
  • tends to change faster
  • be more distributed (including across legal jurisdictional boundaries)
  • add to the complexity of the management plane
  • rely more (often exclusively) on broad network communications for everything, which opens up core infrastructure administration to network attacks. 

These shifts also bring challenges. Moving to federation at scale with multiple internal and external parties can be complex and difficult to manage due to the sheer mathematics of all the variables involved. Determining and enforcing attributes and entitlements across disparate systems and technologies bring both process and technical issues. Even fundamental architectural decisions may be hampered by the wide variation in support among cloud providers and platforms.

IAM spans essentially every domain of cloud security. To read best practices for managing IAM in the cloud in key domains, read the CSA Security Guidance: Domain 12.

Identity and Access ManagementShared Responsibility Model

Discuss this topic in Circle

View discussion community
Press MentionSourceDate
5 Multi-cloud Security Challenges You Can AvoidITPro TodayNovember 14, 2022
View all

Guidance from CSA

CSA Research crowd-sources the knowledge and expertise of security experts and helps address the challenges and needs they’ve experienced, or seen others experience, within the cybersecurity field. Each publication is vendor-neutral and follows the peer review process outlined in the CSA Research Lifecycle. We recommend getting started by reading the following documents.

The 2020 State of Identity Security in the Cloud

The 2020 State of Identity Security in the Cloud

Read the results of a survey to understand cloud IAM challenges other enterprises face when undergoing a digital transformation. You will also learn methods of addressing cloud IAM challenges as well as identify the teams and roles responsible for cloud IAM. In the wake of the COVID-19 public health crisis, many enterprises digital transformations are on an accelerated track to enable employees to work from home. CSA surveyed these organizations to better understand how cloud services are being used during this transition and how organizations secured their operations over the next 12 months.

Identity and Access Management Guidance

Identity and Access Management Guidance

This document addresses personnel involved in the identification and implementation of the IAM solution in the cloud. It will be of particular interest to those with the responsibility of designing, implementing and integrating the consumption of services of the IAM function within any cloud application of Security as a Service (SecaaS)

Domain 12 of the Security Guidance: Identity, Entitlement, and Access Management

Domain 12 of the Security Guidance: Identity, Entitlement, and Access Management

This domain of CSA’s flagship research paper addresses managing identities and leveraging directory services to provide access control. The focus is on issues encountered when extending an organization’s identity into the cloud. This section provides insight into assessing an organization’s readiness to conduct cloud-based Identity, Entitlement, and Access Management. If you are new to IAM in the cloud we recommend starting here. 


Achieving least privilege across Multicloud with Cloud Infrastructure Entitlement Management (CIEM)
Achieving least privilege across Multicloud with Cloud Infra...

December 6 | Online

Learn more

How Does Your Cloud Security Compare, and Where Do You Go From Here?
How Does Your Cloud Security Compare, and Where Do You Go Fr...

October 25 | Online

Learn more

Cloud Attack Vectors: Build Cyber-Defense Strategies to Protect Cloud Resources
Cloud Attack Vectors: Build Cyber-Defense Strategies to Prot...

September 19 | Online

Learn more

Blog Posts

How To Achieve InfoSec When Your Tools Do InfraSec
SANS 2022 Cloud Security Survey, Chapter 4: Using IAM to Secure the Cloud
The DevOps Guide to Applying the Principle of Least Privilege in AWS