Key Takeaways
- Identity and access management (IAM) is one of the most complex and difficult tasks that network administrators face, and it's about to get worse due to the scale and complexity of cloud deployments.
- In some cases, it is simply not possible to bring SaaS and cloud services under the control of in-house IAM systems, and CASBs can be useful in these contexts.
- Despite the difficulties involved in working with IAM, there exist well-matured technologies and techniques for securing cloud systems.
- Organizations looking to improve their IAM should focus on four areas: Scaling Single Sign On; Centralizing IAM; Scaling Multi-Factor Authentication; and improving employee skill sets.
Identity and access management (IAM) is one of the most complex and difficult tasks that network administrators face, and it's about to get worse.
The rise of cloud computing shows no signs of slowing down, and it is about to pass a threshold where computing power, rather than the effectiveness of management systems, will be the limiting factor on security.
Here at InfoQ, we’ve recently written about some novel ways in which cybersecurity analysts are adapting to this problem.
Some are using blockchain for identity management. Others are looking to market-leaders on the scale of Netflix, hoping that the systems they have put in place provide a clear path forward.
In this article, we'll take a more direct approach: we'll look at why IAM is becoming such a huge challenge, explain why identity is the new currency, and then reveal some principles that can help you meet this challenge.
Identity Mismanagement in the Cloud
In order to understand why IAM has become such a headache for network admins, it's worth reminding ourselves of what IAM consists of in the first place. At a basic level, IAM is a simple enough concept. Any IAM system is concerned with defining and managing the roles and access privileges of users on a network, whether these users be employees, customers, or vendors. The core idea of IAM systems is that each user should be assigned a unique identity, and the associated level of access should then be managed throughout the user's "lifecycle."
This simple description, however, hides some of the complexities of contemporary IAM systems. In reality, companies have adopted a wide range of IAM approaches, and the way in which identities are managed varies considerably between them. In addition, the sheer number of systems in use at the average organization means that authentication technologies and processes struggle to keep up.
Growing Problems
There are two major reasons why IAM is more difficult today than it has been before. One is the sheer scale of cloud deployments; the other is the increased frequency of identity-based cyberattacks.
Let's take the problem of scale first. According to recent research, enterprises in 2017 expected to use an average of 17 cloud applications to support their IT, operations, and business strategies. So it's no surprise that 61 percent of respondents believe identity and access management (IAM) is more difficult today than it was just two years ago. With so many different systems in play at any one time, IAM is no longer just about having a rigorous tracking and authentication system in place. In many organizations, the computing cost of authentication and encryption now forms the primary bottleneck on network performance.
The second reason why contemporary IAM is more difficult is the dramatic rise in cyberattacks based on compromising identity systems. A decade ago, most cybersecurity analysts were primarily focused on securing data against direct intrusion and theft attempts. Today, with statistics indicating that identity theft is a growing threat to watch out for, and that most ransomware uses IAM systems as a threat vector, they are more worried about protecting identities.
And these issues, it seems, will only get worse. The complexity of cloud systems will only increase over the next decade. Already, most large firms now employ heterogeneous hybrid clouds, including multiple public and private cloud services and technologies. Furthermore, many of them have a mix of virtual servers, bare metal servers, containers, and applications based upon microservices. Deploying effective IAM in this chaotic situation is difficult, but it can be done.
Building a Secure IAM System
Achieving a rigorous IAM system for cloud implementations necessitates that you put in place a number of specific tools. We’ll describe those below. However, rolling out a new IAM system, or improving an existing one, also rests on a number of key principles.
The most important of these is to ensure that you are taking a holistic approach. Most IT admins have in place a secure system for managing the process of implementing a new software deployment: this includes processes and procedures for deciding and granting access privileges to key staff groups.
However, in-house software deployments are not the only area in which IAM should be applied. Even the most security-conscious organizations can lack analogous systems for managing the deployment of IaaS and SaaS systems. In many cases, in fact, these systems suffer from an (accidental) abdication of responsibility when it comes to access management. In-house IT admins assume that security is being handled by the provider, and the provider assumes that it is being done by their client.
Addressing this lacuna means that many organizations must look at the way in which responsibility is distributed across in-house staff and software providers. Ideally, when investing in a new SaaS system, organizations should complete a process of due diligence that ensures that access to the new system can be brought under the umbrella of existing IAM systems.
Building Bridges with CASBs
In some cases, it is simply not possible to bring SaaS and cloud services under the control of in-house IAM systems. This has become more common in recent years, as organizations move to hybrid cloud infrastructures.
Managing IAM in these contexts can be extremely complex, but there are a number of promising approaches emerging. One of the most popular is to use cloud access security brokers (CASBs) as an "access bridge" to back up "traditional" IAM systems. At the most basic level, CASBs add an extra layer of protection to the components of IAM systems. They enable organizations to track user behavior, apply consistent security policies across multiple applications, and enforce policies (e.g., session termination) in the event applications are misused.
More specifically, deploying a CASB alongside your on-prem IAM systems will give you a number of key security benefits:
- A CASB allows for greater oversight on third-party applications. Mobile and third-party applications are hard to manage, particularly if they have access to data stored in cloud services. CASBs provide a centralized interface to discover, report and restrict the use of third-party applications.
- Trigger identity management events. The real-time risk analysis functionality in CASBs can trigger identity management events in identity governance and administration (IGA). They can alert an organization of an unusual event within a cloud system and ultimately deactivate a user from all systems.
- Use step-up authentication: In discovering abnormal behaviors through risk analysis, users can then be prompted for step-up authentication to increase the assurance that the intended user is present. This will strengthen the organization’s existing authentication model.
- Discover and limit the use of corporate credentials in unsanctioned applications: Any reuse of corporate credentials in unsanctioned applications widens an organization’s potential attack surface. CASBs discover usage of unsanctioned applications and can either block access or provide tools to help the organization securely onboard the unsanctioned application to its IAM infrastructure.
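The four CASB behaviors listed above (risk analysis that triggers identity governance events, step-up authentication on abnormal behavior, session termination, and blocking corporate credentials in unsanctioned applications) are really one policy loop over access events. The following is an added illustration written for this article, not code from any CASB vendor or from the original article: a small policy evaluator over constructed access events. The app inventory, the per-user country baseline, the risk weights and thresholds, and the event schema are all assumptions chosen to make the decision paths visible.

```python
"""Constructed CASB-style risk policy: score an access event and decide an action."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Assumed (constructed) inventory of applications sanctioned by the organization.
SANCTIONED_APPS: Set[str] = {"crm.example.com", "mail.example.com"}
CORP_DOMAIN = "example.com"  # domain of corporate credentials (constructed)

# Assumed per-user baseline of countries seen in earlier sessions (constructed).
BASELINE: Dict[str, Set[str]] = {
    "alice": {"DE"},
    "bob": {"US"},
}


@dataclass
class AccessEvent:
    """One access record as a CASB would observe it (constructed schema)."""
    user: str
    app: str
    credential_domain: str   # domain of the credential presented to the app
    country: str
    mfa_passed: bool         # whether this session already completed MFA
    downloads_last_hour: int


@dataclass
class Decision:
    action: str                      # allow | step_up | terminate_session | block
    risk: int
    reasons: List[str] = field(default_factory=list)
    iga_event: Optional[str] = None  # event forwarded to identity governance (IGA)


def risk_score(event: AccessEvent) -> Tuple[int, List[str]]:
    """Accumulate risk from two simple behavioral signals (weights are assumptions)."""
    risk, reasons = 0, []
    if event.country not in BASELINE.get(event.user, set()):
        risk += 40
        reasons.append("login from country not in user baseline")
    if event.downloads_last_hour > 100:
        risk += 50
        reasons.append("bulk download activity")
    return risk, reasons


def evaluate(event: AccessEvent) -> Decision:
    """Map one event to an enforcement action plus an optional IGA event."""
    # 1. Corporate credential presented to an unsanctioned app: block and report.
    if event.app not in SANCTIONED_APPS and event.credential_domain == CORP_DOMAIN:
        return Decision("block", 100, ["corporate credential used in unsanctioned app"],
                        iga_event=f"unsanctioned_app_use:{event.user}:{event.app}")
    risk, reasons = risk_score(event)
    # 2. High risk: terminate the session and ask IGA to deactivate the user everywhere.
    if risk >= 80:
        return Decision("terminate_session", risk, reasons,
                        iga_event=f"deactivate_user:{event.user}")
    # 3. Moderate risk and no MFA in this session yet: prompt for step-up authentication.
    if risk >= 40 and not event.mfa_passed:
        return Decision("step_up", risk, reasons)
    return Decision("allow", risk, reasons)


def evaluate_all(events: List[AccessEvent]) -> List[Decision]:
    return [evaluate(e) for e in events]


# Constructed sample events covering each decision path.
SAMPLE_EVENTS: List[AccessEvent] = [
    AccessEvent("alice", "crm.example.com", "example.com", "DE", False, 3),        # baseline: allow
    AccessEvent("alice", "crm.example.com", "example.com", "BR", False, 3),        # new country: step-up
    AccessEvent("alice", "crm.example.com", "example.com", "BR", True, 3),         # new country, MFA done: allow
    AccessEvent("bob", "mail.example.com", "example.com", "RU", False, 500),       # new country + bulk: terminate
    AccessEvent("bob", "share.example.net", "example.com", "US", True, 0),         # unsanctioned app: block
]

if __name__ == "__main__":
    for ev, d in zip(SAMPLE_EVENTS, evaluate_all(SAMPLE_EVENTS)):
        print(f"{ev.user}@{ev.app}: {d.action} (risk={d.risk}) {d.reasons} {d.iga_event or ''}")
```

The point of the third sample event is the one the step-up bullet makes: the same anomalous signal produces a different action depending on the assurance already achieved in the session, so the CASB strengthens the existing authentication model rather than replacing it. In a real deployment the `iga_event` strings would be calls into the IGA system's API, and the baseline would be learned from session history rather than hard-coded.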
Improving Identity Management
Improving identity management in the age of heterogeneous hybrid clouds also means deploying a set of specific tools. Despite the difficulties involved in working with these systems, there exist well-matured technologies and techniques for securing them. More specifically, organizations looking to improve their IAM should focus on four areas:
- Scaling Single Sign On (SSO). There is still a problematic tendency – certainly among users, but also for network admins – to see the primary value of SSO systems as convenience. In reality, however, these systems also offer increased robustness when it comes to IAM. In a world where the majority of successful cyberattacks rely on insecure user credentials, reducing the opportunity to use weak passwords is crucial.
- Related to this point is a second: centralizing IAM. As networks, and particularly cloud systems, become more heterogeneous and fragmented, the value of bringing all of your IAM functionality into one place is only growing. It's still not unusual for organizations to have redundant IAM technologies to manage identity in many areas, but these siloed technologies can now be replaced with centralized identity services from vendors such as Google, IBM, Microsoft, and Oracle.
- Scaling Multi-Factor Authentication (MFA). Alongside centralizing SSO systems, organizations should also look at scaling their MFA capabilities. ESG research indicates that 65 percent of organizations use some form of MFA, but only for a small percentage of their applications.
- Skills. Finally, look at your own skills. Research indicates that 27 percent of organizations lack the right IAM skills, and this is only going to get worse as new systems are deployed. Within the next few years, organizations need to be prepared to treat authentication as a critical, device- and location-agnostic control point from which to invoke security controls such as continuous authentication, multi-factor authentication, context-aware access controls, and user behavior analytics. Make sure you are prepared.
A Final Word
Hopefully, when reading through the list above, you've come to the conclusion that you have the tools you need to improve your IAM. The problem, for most organizations, will be to scale these existing systems so that they can be effectively used in highly diverse cloud environments. In other words, in order to meet the growing challenge of IAM in the hybrid cloud age, you need to look at how to secure code at scale.
About the Author
Bernard Brode is a product researcher at Microscopic Machines and remains eternally curious about where the intersection of AI, cybersecurity, and nanotechnology will eventually take us.