
Latest trends and challenges in IAM controls

As businesses adopt more and more cloud services, security professionals are faced with new and exciting challenges. One of them is the rapid proliferation of identities associated with these cloud services. AWS (Amazon Web Services) is one of the most popular and widely used cloud service providers in the world. The more services are adopted, the more identities must be provisioned, and keeping track of them can quickly turn into a nightmare. In the fall of 2014, Adallom - since acquired by Microsoft - estimated that 80% of companies had at least one former employee with a SaaS account still active; that 11% of SaaS application accounts were inactive; that 7% were directors; and that 19% of users bypassed identity and access management systems (Microsoft, 2015). These problems are still very common. They illustrate how difficult it can be to manage the account lifecycle of SaaS applications. And if we still had to convince ourselves of what was at stake, a study on the Rhino Security Labs blog (Gietzen, 2018) recently highlighted a large number of privilege escalation techniques that were still incredibly common in AWS in early 2018. They take advantage of role models and ill-defined privileges. For large organizations, there may be hundreds, if not thousands, of roles defined for a large number of accounts. The mere inventory of role assignments can be a huge challenge.

While some may already have Identity and Access Management (IAM) policies in place internally, these will likely need to be adapted for cloud environments. For all real human users, accounts should link directly to central directory services like Active Directory, making it easier to provision, audit, and de-provision accounts.

All SaaS applications should require the use of a single sign-on (SSO) system linked to this central directory through federation. For PaaS and IaaS environments, identity governance can be a bit trickier, as all assets (servers, serverless code, storage nodes, etc.) can have their own roles and privileges. Some of these identities - whether they are simple users and groups or more complex role assignments - may not easily align with a central directory, and development and operations teams may find it easier to use cloud-native tools to manage accounts and identities in some cases.
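The account-lifecycle problems described above (former employees with accounts still active, inactive accounts) and the recommendation to link cloud accounts to a central directory can be checked with a small audit. The following is an added example, not code from the original text or from AWS: it reads a constructed sample modelled on a subset of the column names of the AWS IAM credential report, compares the users against a constructed directory export, and flags accounts that are orphaned (absent from the directory) or inactive (password and access key unused for 90 days). The column subset, the sample values and the 90-day threshold are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample: a subset of the columns of an AWS IAM credential report.
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2017-01-10T09:00:00+00:00,not_supported,2019-03-01T08:12:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2018-02-01T10:00:00+00:00,true,2019-05-20T07:45:00+00:00,true,2019-05-21T11:02:00+00:00
bob,arn:aws:iam::123456789012:user/bob,2018-03-15T10:00:00+00:00,true,2018-11-02T16:20:00+00:00,true,2018-10-30T09:00:00+00:00
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2018-06-01T10:00:00+00:00,false,no_information,true,2019-05-22T03:10:00+00:00
carol,arn:aws:iam::123456789012:user/carol,2018-09-09T10:00:00+00:00,true,no_information,false,N/A
"""

# Constructed export of the central directory (e.g. a list of Active Directory account names).
DIRECTORY_USERS = {"alice", "bob", "svc-deploy"}

INACTIVITY = timedelta(days=90)  # assumed review threshold

def _parse(ts):
    """ISO-8601 timestamp -> datetime; the report's placeholders become None."""
    if ts in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(ts)

def audit(report_csv, directory, now):
    """Return {user: [issues]} for users that are orphaned and/or inactive."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        name = row["user"]
        if name == "<root_account>":
            continue  # root has no directory counterpart; reviewed separately
        issues = []
        if name not in directory:
            issues.append("orphaned")  # no matching directory account
        used = [t for t in (_parse(row["password_last_used"]),
                            _parse(row["access_key_1_last_used_date"])) if t]
        # A never-used credential counts from the account's creation date.
        last = max(used) if used else _parse(row["user_creation_time"])
        if now - last > INACTIVITY:
            issues.append("inactive")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    now = datetime(2019, 6, 1, tzinfo=timezone.utc)  # constructed audit date
    for user, issues in audit(CREDENTIAL_REPORT, DIRECTORY_USERS, now).items():
        print(f"{user}: {', '.join(issues)}")
```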

Companies must indeed understand that the evolution to the cloud affects their IAM strategies on two key elements (Deloitte, 2019):

First, the Cloud brings new management challenges because companies must now extend the scope of their IAM strategy to manage user access to applications in the cloud, in addition to their on-premises applications. Second, the growing use of management tools in SaaS mode for businesses such as human resources and IT services has paved the way for the implementation of a new collaborative approach called IDaaS (Identity as a Service), capable of increasing business agility, generating value faster, while reducing operating costs.

These two challenges are critical for the evolution of companies' IT strategies, leading to two possible scenarios: the management of SaaS as part of an IAM implementation, and then the implementation of IAM-as-a-Service.


Cloud IAM offerings allow you to manage and federate different resources. If they are used well, they can be a real accelerator for the business of the company. But like any service in the cloud, there are advantages (costs, regular updates, etc.) and disadvantages (data control, sometimes non-standard protocols and formats, etc.) (Deloitte, 2019).

Customers and partners, as well as employees or service providers, can benefit from the identity federation. Likewise, specific connectors are implemented for SaaS or on-premises applications used by the company. Users can log in through any type of terminal. There are still a few essentials to take full advantage of an IAMaaS and keep control of it: the ability to perform account reviews, the availability of provisioning connectors to applications and control of sending personal data to the cloud (Deloitte, 2019).

Figure 2: IAM domains and supporting services by AWS (Deloitte, 2019)

Figure 2 above shows the IAM domains and supporting services provided by the AWS cloud platform for enterprise end-to-end solutions, which include access governance, authentication, authorization, accountability and identification. Similar IAM domain development is on the rise with other cloud platform providers such as Microsoft Azure and Google Cloud.


In comparison with on-premises solutions, certain risks will be covered in the same way, or potentially better, by a cloud solution: system availability and data compromise. Suppliers are often more mature than the company on the subject of infrastructure resilience and have anticipated the compartmentalization of administrators from the design of the service.

Other risks, however, must be specifically addressed such as (Deloitte, 2019):

Reversibility: you must ensure that it is possible at any time to recover your data in a usable format and you must not make any compromise on the use of standards.

Data isolation: this is sometimes very difficult or even impossible to control; nevertheless, it is possible to contractually ensure the isolation of its data from the supplier's other customers.

Compliance: within the framework of certain obligations, those of the CNIL (Commission Nationale Informatique & Libertés) in particular, as "The CNIL supports the development of new technologies on a daily basis and takes part in the construction of a digital ethic." (The CNIL in a nutshell, 2019), it is necessary to ensure that the outsourced data will be hosted in compliance with the standard. One approach to this is to use data encryption before sending, but this is not necessarily easy to use in an IAM solution.

8. Case-Study: Implementation of Identity and Access Management in an