IAM is the new perimeter
Note: This article is written to express my personal opinion based on industry experience and customer conversations. This is not an advertisement of the product.

While majority of businesses already have some kind of a cloud footprint today; research shows that up to 93% of enterprises have a multi-cloud vision.

As it stands, organisations have had to adapt as their digital transformation goal posts got moved drastically due to the current black swan event in the form of COVID-19 global health crises.

The basic instinct to survive in this climate of fear and the need to have employees access corporate data and applications so they can perform their duties and roles remotely has pushed businesses that once sat on the fence to take a forced leap into the cloud and others to exponentially expand their cloud presence.

This aggressive adoption of cloud platforms by businesses has exacerbated the need to protect the perimeter guarding their precious resources, data and Intellectual Property (IP). In the cloud world this perimeter is Identity and Access Management (IAM).

Right, so what’s the problem?

The problem is: Cloud IAM Governance

With corporate resources sitting in the cloud and accessible across the internet, IAM becomes fundamental in governing who has what access to which resources, also known as effective access.

image source: docs.divvycloud.com

The hyper-scalable, elastic and intangible nature of cloud along with multiple layers of security policies makes understanding effective access cumbersome. Throw in the mix that everything in the cloud environment has an identity i.e. users, applications, services, systems etc. and it becomes a complex computation exercise making it virtually impossible to track and comprehend.

For example: within AWS alone there are five different ways to specify or grant access to an individual resource. Attempting to track these various methods of access across dozens of resource types through separate console interfaces with differing structures is a time-consuming and error-prone process.

image source: divvycloud.com

The DivvyCloud Solution

If you are new to DivvyCloud, you may want to read: Cloud Security Posture and Compliance with DivvyCloud to get a broader understanding of the Cloud Security Posture Management (CSPM) Solution.

DivvyCloud has taken an initiative towards fighting this problem head on by introducing the IAM Access Explorer (AE). The AE gives you visibility into effective access (available today), automated remediation of permission combinations (planned for future release) and reporting capabilities (available today) towards addressing the IAM governance challenges across your cloud environment.

DivvyCloud does this by adopting the least privileged access approach to cloud security. In order to better understand this model let’s quickly cover the IAM terms that are integral to this solution:

1. Principal:

A principal is simply a cloud user, role, or group making a request for an action or operation on a resource. Federated users, IAM roles, IAM users etc. fall into this category.

2. Resource:

A resource refers to supported resource types harvested by DivvyCloud from the cloud provider (AWS only today) example: S3 buckets, RDS, EC2 Instances etc.

3. Application:

Applications are collections of cloud resources that typically make up business applications; grouped together based on tagging or naming convention. For example: an e-commerce application may be made up of EC2 Instances, RDS, S3 Buckets and EBS volumes etc.

How does the Access Explorer work?

As part of its normal operation, DivvyCloud harvests IAM policies (along with other resource types) from the cloud environments connected to it.

Access Explorer then analyses these IAM policies to establish connections between principals and resources.

At this point you can use the Access Explorer and apply different lenses like principal, resource or application to see the effective access.

You can apply different lenses: Principals, Resources or Applications

What kind of questions can you ask?

You may want to ask questions like:

  • Who has access to the ERP Application and associated cloud resources (application lens) OR,
  • what level of access does Adam (principal lens) from IT have to the storage container that contains employee compensation information OR,
  • management may want a list of all users that have access to the customers database (resource lens) and the level of access they have, etc.

Here is an example screenshot showcasing the effective access for a principal named Chris for all S3 buckets across the cloud environment.

Click image to view in a new tab.

Additionally, you can explore further for a deep dive into associated IAM policies, the permissions attached to those policies and specifically look out for inline policies.

Detailed view of multiple IAM policies associated with a resource

So, whether you have auditing requirements or concerns about overly permissive policies, you can use the Access Explorer to gain visibility into effective access and enforce best practices and compliance across your environment.

For more info please visit:
DivvyCloud IAM Governance webpage
IAM Access Explorer documentation

Conclusion:

The journey to cloud is inevitable for most organisations, whether it’s driven by the necessity to stay operational and relevant, to meet shareholder expectations or an inherent need to innovate. The question is where do you sit on the cloud maturity model today.

While cloud is an enabler for businesses, giving them the agility to adapt to the ever-changing landscape, it does have its hidden perils. If you do not properly guard the perimeters of your cloud environment, the same cloud environment can lead to exposure and put organisations out of business.

In cloud, the security perimeter shifts away from physical security to IAM policies which is all that sits between the outside world and the ever-accessible cloud resources critical to your business. It is therefore no surprise that major data leaks and breaches occur due to misconfigured permissions derived from multiple IAM policies where the effective access is not clearly identifiable.

Ask yourself, ‘do I have the ability to ascertain the effective access associated with my business-critical resources in the cloud?‘ If the answer is NO, you need to do something about it.

REMEMBER: “If you can’t see it you can’t protect it”