As organizations adopt more cloud services, we security professionals realize we face some new and interesting issues. One of the more pressing problems is the rapid proliferation of various identities associated with cloud service environments. The more cloud services we use, the more identities we provision within these environments. Identity and access management in cloud environments can be problematic for tracking, monitoring and controlling accounts. In October 2014, Adallom (now part of Microsoft) found the following related to SaaS user accounts:
- 80% of companies had at least one former employee whose SaaS account was still active;
- 11% of SaaS accounts were "zombies" (inactive assigned users);
- 7% of users were admins; and
- 19% of users bypassed identity and access management controls.
These are still very common issues. What these results illustrate is the lack of control over account lifecycle that many SaaS scenarios present. Account management and lifecycle maintenance aren't the only issues when it comes to identity and access management in cloud settings; creation of roles and management of privileges within all types of cloud environments can also be challenging.
One case study on the impact of identity and access management in cloud settings by the security research team at Rhino Security found a large number of incredibly common privilege escalation techniques in AWS in early 2018 that take advantage of poorly defined roles and privilege models. For large organizations that may have hundreds or even thousands of defined roles across numerous accounts, just gathering an inventory of the role assignments can be a huge issue. Fortunately, the same research team at Rhino created a tool that can remotely pull an inventory of all users with a breakdown of possible privilege escalation susceptibility.
How to approach identity and access management in cloud
To combat issues like the ones the security team discovered, organizations using the cloud today need to develop a governance strategy for identities. While some may already have identity and access management (IAM) strategies in place internally, the strategies will still likely need to be adapted for cloud environments. For all actual human users, accounts should be directly linked to central directory services like Active Directory, which facilitates provisioning, auditing and deprovisioning the accounts from a central store.
All SaaS applications should require the use of single sign-on linked to this central directory using federation technology. For PaaS and IaaS environments, identity governance can be somewhat trickier, as all assets -- servers, serverless code, storage nodes and so on -- can have roles and privileges assigned to them. Some of these identities -- whether simple users and groups or more complex role assignments -- may not easily align with a central directory store, and development and operations teams may find it easier to use cloud-native tools for managing accounts and identities in some cases. Focus on several aspects of identity governance in these cases:
- Develop internal standards and account creation practices that govern how DevOps and other teams integrate identities and privilege models into cloud deployments. This should include account rationale, authentication and authorization methods and controls, and lifecycle parameters.
- Use cloud-native or third-party tools to regularly pull lists of users, groups, roles and privilege assignments from cloud service environments. PowerShell for Azure and the AWS command-line interface are both tools that can be used to collect this type of information, which will still need to be sorted, stored and analyzed.
- Ensure you have robust logging and event monitoring that focuses on all IAM activity in your cloud provider environments and then monitor for any unusual activity or unauthorized changes.
Developing a governance plan for identity and access management in cloud settings can be a tedious and lengthy process, but there are significant risks involved if we don't. Don't forget to involve all relevant stakeholders, as this can get political quickly.