Organizations now operate in a multi-cloud world. That enables workers to be more productive and offers the accessibility and scalability organizations need to keep business operations flowing. But it also creates a challenge: managing large numbers of cloud-based identities. If left unchecked, they can be the cause of vulnerabilities and data leaks that create security nightmares for IT and security teams.
The role of cloud-based identities
As more applications move to the cloud, cloud-based identities are essential: they let organizations enforce a single source of truth for all users, maintain orderly processes for onboarding and offboarding, and track access to applications and data.
Cloud identities include not only human but also machine identities. “In the cloud, applications are designed from the ground up as microservices. Like people, each microservice has an identity, which is given rights to access data or communicate with other microservices,” explained Shai Morag, CEO and co-founder of Ermetic.
“There are tens of thousands of these machine identities in the cloud, and they also need to be managed securely.”
At a high level, the function of a cloud-based identity is the same as any other form of electronic identity, added Eric Olden, co-founder, president and CEO of Strata Identity.
“It’s there to link a human being to an account that represents them in the digital world,” Olden explained. “The only significant difference between a ‘cloud identity’ and something that might be considered an ‘on-premises identity’ is that the identity object and attribute data about that identity is stored in a cloud service, not necessarily in the organization’s traditional data center infrastructure.”
The cloud service then provides the necessary mechanisms to use that identity to sign in to services and applications that trust the cloud identity provider. Cloud identities are also commonly used to access SaaS applications such as Salesforce.
Identity and security in the cloud
Cloud identities are another perimeter to defend, but it is a perimeter without physical or network barriers. Instead, each identity must prove who it is and is granted access permissions based on its role.
Because most breaches begin with the compromise of an identity and its associated password credentials, identity plays a critical role in an organization’s security strategy.
“Securing identity in an enterprise, especially in a modern cloud/hybrid world, requires a different approach than was common five years ago,” Olden said. “Back then, an organization’s resources had very well-defined perimeters and boundaries. Resources, data, and services were all within the direct management and control of the organization. This made managing things like authentication and authorization relatively easy.”
Today, in a cloud environment with identity as the new edge, a different approach is needed.
“Enforcing a consistent set of identity policies across myriad cloud services is one of the biggest challenges for organizations, as each cloud platform (AWS, Azure, Google, etc.) uses a proprietary identity system which is incompatible with other vendors’ systems,” Olden said.
It is impossible to avoid risk completely, so what organizations can control is how risk is mitigated and managed. Organizations are challenged to find the most effective way to use their limited resources to reduce risk. Focusing on protecting cloud-based identities can go a long way toward reinforcing an organization’s overall security practices.
According to Olden, the key things an organization can do to mitigate the risks inherent in using cloud-based identity services include:
• Strengthen authentication across all apps, including legacy apps, through your cloud identity service. There should be no exceptions.
• Migrate from legacy access management technologies to a modern identity provider.
• Define and apply sound governance and identity lifecycle practices across all identities, both human and non-human.
• Enforce multi-factor passwordless authentication whenever possible.
• Begin a switch to passwordless authentication technology as soon as possible.
• Apply the evaluation and application of runtime policies for each application, taking advantage of security analysis services; that is, the continuous validation of who the user is and their level of risk and authorization. A distributed identity orchestration and policy orchestration platform can provide this service at the application and cloud infrastructure layer.
• Use orchestration as a runtime application layer to implement real-time continuous analytics and identity authentication and authorization enforcement.
• Encrypt user data at all times: in motion across networks and at rest in databases and vaults.
• Enforce least privilege access to applications and data; don’t give users access to apps and data they don’t need. Use just-in-time access provisioning to dynamically provide access as needed.
• Classify data and apps to better manage which apps contain sensitive data; manage data geographic storage and access requirements to align with multi-geographic and multinational regulations.
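The runtime policy evaluation, least-privilege, just-in-time access and data-classification items above, as an added example that is not from the article or from Strata Identity or Ermetic: a minimal policy decision function that re-checks MFA, role or just-in-time entitlement, risk score and data residency on every request, for human and machine identities alike. All record types, role names, thresholds and regions are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical identity, grant and request records, constructed for this example.
@dataclass
class Identity:
    kind: str                    # "human" or "machine": both need managing
    mfa_verified: bool
    roles: frozenset = frozenset()

@dataclass
class JitGrant:                  # just-in-time access that expires on its own
    app: str
    action: str
    expires_at: datetime

@dataclass
class Request:
    app: str
    action: str
    data_class: str              # "public" | "internal" | "restricted"
    region: str
    risk_score: int              # 0..100 from a (hypothetical) analytics service
# Static least-privilege entitlements per role and data-residency rules (sample data).
ROLE_ENTITLEMENTS = {
    "sales": {("salesforce", "read")},
    "billing-svc": {("ledger-db", "read"), ("ledger-db", "write")},
}
RESTRICTED_REGIONS = {"eu-west-1"}     # where "restricted" data may be accessed
RISK_DENY_THRESHOLD = 70
SAMPLE_NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for tests

def evaluate(identity, req, grants=(), now=None):
    """Runtime policy decision: returns (allowed, reasons); re-run on every request."""
    now = now or datetime.now(timezone.utc)
    reasons = []
    # 1. Strong authentication for every human access, no exceptions.
    if identity.kind == "human" and not identity.mfa_verified:
        reasons.append("mfa-required")
    # 2. Least privilege: a role entitlement or an unexpired just-in-time grant.
    entitled = any((req.app, req.action) in ROLE_ENTITLEMENTS.get(r, ()) for r in identity.roles)
    jit_ok = any(g.app == req.app and g.action == req.action and g.expires_at > now for g in grants)
    if not (entitled or jit_ok):
        reasons.append("no-entitlement")
    # 3. Continuous risk validation from the analytics layer.
    if req.risk_score >= RISK_DENY_THRESHOLD:
        reasons.append("risk-too-high")
    # 4. Data classification and geographic access rules.
    if req.data_class == "restricted" and req.region not in RESTRICTED_REGIONS:
        reasons.append("region-not-allowed")
    return not reasons, reasons
```

Because the decision is recomputed per request with a clock and a risk score as inputs, an expired just-in-time grant or a risk spike revokes access without any change to the identity's static roles.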
Cloud identities are the new security perimeter, making them an incredibly important part of any organization’s security system. The controls in place to protect the security of identities go a long way toward protecting the security of the entire multi-cloud universe.