Although networks, systems, and cyber security have come on in leaps and bounds, the fundamental theories of access control and the recent addition of identity to it (IAM) hasn’t really moved on from the 60s and 70s. Things like mandatory, discretionary, and role-based access control still sit at the heart of modern technologies such as Active Directory and OpenID. In some ways, the use of these services still follows an old way of thinking, a list that allows or denies access to a system or service. While these models have been shown to work very well, we may need think more radically for future technologies. This is especially true when we think about the evolution from Web 2.0 to Web 3.0 and beyond.
Mandatory, discretionary and role-based access control boils down to: once a user is authenticated to a service, how do you know they are allowed to do the things they are supposed to do? The foundations upon who decides who gets access to what need to be completely solid for access management to work effectively in the cloud, especially as things can go wrong quickly, and cloud engineering skills are still not widespread.
Although it might not seem glamorous, one of my favourite cyber security trends now is getting back to basics. Stop falling for the shiny silver bullet technology. For IAM, and especially for the cloud, it comes down to a few simple areas – how can you maintain the lifecycle of an identity, are you using in-built or third-party identity services, and are you implementing industry standards? By getting the basics right, you’re setting yourself up for success to then can build more advanced and complex functionalities on top.
Knowing your people
Privilege creep has been a perennial problem and it is only increasing, especially in cloud where it’s easy to give users very privileged accounts at the click of a button. Creep is the gradual accumulation of access privileges granted to a user beyond their actual needs – imagine people that have been in an organisation for over 10 years, who have worn many hats and moved around the business. Businesses need to ensure that people only have the access they need, and leaving this unchecked can increase the risk of privilege misuse or accidental data breaches.
To tackle this, it’s important to implement a robust access control framework that continuously monitors and reviews user access rights. While the process can be quite manual, it’s necessary. However, the templating of access rights and checking this against job roles isn’t always the most difficult part.
When someone takes something away from you, like access rights, it’s easy to feel quite sad or even defensive. It has the potential to damage relationships as employees might feel like they aren’t trusted. If we’re not careful, it can feel like the security team is moving the goalposts for employees that have been working the same way for a long time and feel they have done nothing wrong – which they haven’t.
Moving to a new way (or even revisiting old ways) of thinking about access management needs careful consideration, planned out and communicated. Security doesn’t just operate on an island – make sure you collaborate and lean on others in your business to achieve this, such as your communications team. It’s crucial to be clear and transparent with everyone and explain that you do trust your employees, just not the threat actors out there that are trying to find a way into the business. If you don’t bring your people along with you, then these projects will not be effective and fail.
Leveraging in-built services
Cloud providers, such as AWS, Microsoft Azure, and Google, all have their in-build way to provide identity services. These provide a centralised way to manage access controls, but it’s incredibly involved and detailed. While the in-built identity services of major cloud providers integrate well with their own services, integrating these with third-party applications and services can be complex. And customising these to meet the specific needs of the business can be challenging – especially if you need to implement custom authentication protocols or policies. But there are plenty of positives – such as with compliance, centralised management for federated identities, and enhanced security features.
As interoperability and customisation is a difficulty here, it will be necessary to have the right skills in-house to configure and maintain these identity services if you want to keep on top of your identities in the cloud. But being able to lean on the scalability and cost-savings of in-built IAM services shouldn’t be ignored.
It’s important to have clear standards that everyone follows – which is one of the benefits of in-built identity services with cloud providers. But apart from this, I’d recommend keeping abreast of what’s coming out of the industry. The FIDO Alliance is developing authentication standards based on public key cryptography for authentication that’s more secure than passwords or OTPs. FIDO2, in particular, enables users to easily authenticate to online services using common devices across different environments. Security Assertion Markup Language (SAML) is and older but widespread one to take a look at – an open standard that allows identity providers to pass credentials to service providers.
What does the future hold?
Zero-trust has been spoken about for a long time and started life as an initiative known as de-perimeterisation from the Jericho Forum, but the adoption of this approach has the potential to revolutionise access management in the cloud and completely change the IAM model. It assumes everything and everyone is a potential threat until proven otherwise, and grants access on a case-by-case basis to the resources and data that employee needs at that time. By using a combination of technologies such as multi-factor authentication, encryption, and access controls it can ensure that only authorised users and devices have access to sensitive resources.
The benefits of cloud computing are undeniable, but they can only be fully realised if we prioritise identity access management and get it right. Proper implementation in the cloud can help maintain data security, minimise the risk of cyber threats, and comply with regulatory requirements. And by starting with the basics, making the most of the identity services at our fingertips, and keeping up with the latest standards, security teams can set themselves up for success.