Cloud adoption is sky-high and rising. In Australia, the market is expected to rise 12.5% and be worth a gargantuan $14.1 billion by 2025.
The benefits of the cloud, especially for companies that are transforming or are powered by a hybrid workforce (and who isn’t?) are clear. Cloud service providers are also stepping up to meet the demand; Microsoft now has four Australian cloud regions for Azure, while Google launched its second in Melbourne in 2021, along with a centre in Auckland.
But while the cloud is a great facilitator, it’s far from perfect. As recent incidents have shown, flawed Identity and Access Management (IAM) can leave users in a tangle – and let hackers walk straight in, make themselves at home and browse your assets at their leisure.
Why the cloud is facing an identity crisis
So what is IAM, and why are companies in the cloud vulnerable to credential-exploiting hackers? Identity and Access Management (also known as Identity Management, or IDM) is a program that, as Gartner calls it, “enables the right individuals to access the right resources at the right times for the right reasons”.
Earlier this year, San Francisco-based Okta was hacked when the Lapsus$ group gained remote access to a machine belonging to a subcontractor. The attack was not particularly damaging (a fact the company put down to its zero-trust framework), but it was noteworthy because Okta is one of the world’s leading IAM providers – proof that anyone can be hit.
IAM implementation needs careful planning
The problem with IAM is partly one of scale: as businesses have flocked to the cloud, the number of human and non-human identities (service accounts, API keys, automation roles) that are open to attack has mushroomed. Cloud deployments need to manage access across different environments and technology platforms while balancing ease of access against compliance. Companies often migrate on-premises workflows that have served them well for years to a cloud environment without enough planning – or without giving enough thought to identity management.
The result is that IAM is often underfunded, or treated as a one-off process rather than a formal, ongoing program that requires a proper planning process and investment. This can make identity management less effective and more expensive – according to Gartner, organisations without a formal program will spend 40% more on IAM capabilities while achieving less than organisations with well-structured programs.
Why poor IAM can be a security nightmare
Many companies base their identity management and cloud infrastructure on their cloud service provider’s defaults, rather than tailoring it to their needs. The result can be a system that isn’t fit for purpose, with inefficient operations and daily frustrations for workers. Some staff will have overly broad permissions; others may need to repeatedly request permissions that they should have been granted at the outset. Inevitably, staff will find workarounds, including sharing credentials or using multiple identities. Without effective identity management, employee churn leaves orphaned identities – some still holding privileged roles in critical functions – sitting unused and forgotten but still valid.
The problems of poor IAM procedures are often worsened by basic mistakes, such as companies allowing password reuse or failing to fully utilise the security tools offered by their cloud provider. Problems pile on problems, making it hard to get to the root of an issue with identities or permissions.
It all adds up to a bonanza for attackers who, increasingly, are specialising in this profitable and rapidly expanding territory. Cloud threat actors such as TeamTNT and WatchDog benefit from poor identity controls – once they obtain a credential with the right permissions, they can reach the resources they want, move laterally and escalate privileges.
Hitting the target with IAM best practice
IAM should not be a late addition to cloud implementation – instead, organisations should bake it in from the kick-off. Key steps in setting up or improving your identity and access management include:
Planning an IAM program that has buy-in from stakeholders across your organisation, that supports business goals and has a clear impact on risk.
Running IAM as a single, ongoing program. This will assist resource planning, and allow you to better manage competing priorities, support business needs, use budget efficiently and ensure the right people have visibility – which can be crucial for compliance.
Cloud providers’ native tools may serve you well, but all too often they’ll offer an inexact fit. Many businesses will benefit from creating their own identity management policies, working with the principle of least privilege and laying extra precautions around privileged accounts. Others might choose to work with an experienced external partner.
Rather than working with several separate solutions, which may result in inconsistency and increased workload, consider an integrated security solution (such as a Cloud-Native Application Protection Platform, or CNAPP).
Increase automation where possible around functions such as user management, provisioning and deprovisioning, auditing and plugging security loopholes.
Set and regularly communicate clear guidelines around employee use of identities (especially any that may be shared), passwords, devices and remote work.
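The least-privilege review and the hunt for orphaned identities described above are exactly the kind of check that should be automated rather than done once by hand. The script below is an added example, not code from the original article or from any cloud provider: it audits constructed, AWS-style IAM policy documents and a constructed list of human and non-human identities, flagging full-admin grants, wildcard grants that cover privilege-escalation actions on every resource, identities idle for longer than a threshold (deprovisioning candidates), and identities without MFA. The policy names, user records, the 90-day threshold, the fixed reference time and the list of escalation actions are all assumptions made for the illustration; a real audit would pull the same data through the provider's API.

```python
"""Added example: audit constructed IAM data for overly broad grants and
stale identities. Not from the original article; all data below is made up."""
import fnmatch
from datetime import datetime, timedelta, timezone

# Fixed reference time so the example is reproducible offline (assumption).
NOW = datetime(2022, 9, 1, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)  # idle threshold, an assumption for the example

# Constructed sample policies. BROAD is the "provider default / rushed migration"
# shape the article warns about; SCOPED is a least-privilege equivalent for a
# job that only needs to read one bucket.
POLICIES = {
    "BROAD": {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "SCOPED": {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow",
                              "Action": ["s3:GetObject", "s3:ListBucket"],
                              "Resource": ["arn:aws:s3:::reports-bucket",
                                           "arn:aws:s3:::reports-bucket/*"]}]},
}

# Actions that let a holder grant or assume further privilege (illustrative list).
# A grant covering any of these on every resource deserves the extra controls the
# article calls for around privileged accounts.
ESCALATION_ACTIONS = ("iam:PassRole", "iam:CreateAccessKey", "iam:AttachUserPolicy",
                      "iam:PutUserPolicy", "sts:AssumeRole")

# Constructed sample identities, human and non-human; last_activity is ISO 8601.
USERS = [
    {"name": "alice", "policies": ["SCOPED"], "mfa": True,
     "last_activity": "2022-08-30T10:00:00Z"},
    {"name": "ci-deploy", "policies": ["BROAD"], "mfa": False,
     "last_activity": "2022-08-31T01:00:00Z"},
    {"name": "bob-leaver", "policies": ["BROAD"], "mfa": True,
     "last_activity": "2022-03-02T09:00:00Z"},
]


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def policy_findings(policy):
    """Return human-readable findings for one policy document (empty list = fine)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions and "*" in resources:
            findings.append("grants full administrative access (Action * on Resource *)")
            continue
        if "*" not in resources:
            continue
        # A granted action may itself be a wildcard such as "iam:*"; treat the
        # grant as the pattern and test whether it covers an escalation action.
        for granted in actions:
            for risky in ESCALATION_ACTIONS:
                if fnmatch.fnmatchcase(risky, granted):
                    findings.append(f"{granted} covers {risky} on every resource")
    return findings


def audit_users(users, policies, now=NOW, stale_after=STALE_AFTER):
    """Map each identity to its findings: stale account, missing MFA, risky policies."""
    report = {}
    for user in users:
        findings = []
        last = datetime.fromisoformat(user["last_activity"].replace("Z", "+00:00"))
        idle = now - last
        if idle > stale_after:
            findings.append(f"stale: no activity for {idle.days} days (deprovision candidate)")
        if not user["mfa"]:
            findings.append("no MFA enrolled")
        for name in user["policies"]:
            for finding in policy_findings(policies[name]):
                findings.append(f"policy {name}: {finding}")
        report[user["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_users(USERS, POLICIES).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run as-is it reports alice as clean, ci-deploy as a non-human identity with full admin and no MFA, and bob-leaver as a stale account that still holds the broad policy, which is the orphaned-identity case from the section above. Scheduling such a check and feeding its output into deprovisioning is one concrete form of the automation the list recommends.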
How IAM can safeguard your data
The case for IAM is simple: it helps the right people access the right resources, and makes it harder for cybercriminals to find a gap to exploit. It’s worth underlining to staff and executives that an IAM program is not a one-off step, but an ongoing commitment – aligning it with business goals and communicating progress will both add value and can ensure funding keeps coming.
As your program matures, more benefits should become clear, including lower identity management costs, easier scalability and the agility to support new initiatives. Do it right, and you’ll have the benefits of the cloud without suffering an identity crisis that could end in catastrophe.