Introduction
Enterprises today are moving their workloads to the cloud at breakneck speed. As per the latest statistics, there has been an exponential growth in the cloud services industry. Estimated at around $24.65 billion in 2010, it has already crossed $100 billion in 2019 and is expected to reach $150 billion by the end of 2020.
Some statistics to consider:
- By 2020, an astounding 83% of enterprise workload will be housed in the cloud. (Source: Logic Monitor/Forbes).
- 67% of enterprise IT infrastructure and software will be cloud-based by the end of 2020. (Source: Forbes)
- Over 80% of the enterprises have reported operational improvements within a few months of adapting to the cloud. (Source: Multisoft).
- Enterprises find it 40% more cost-effective to utilize third-party cloud platforms as compared to maintaining an in-house system. (Source: Multisoft).
- It is predicted that enterprises will invest over 3.5 million on average in cloud computing in 2020. This spending will entail 30% of their total IT budget. (Source: IDG).
In the rush to transform their businesses and reap the advantages of cloud computing, it is easy for enterprises to overlook the security risks involved. Here are some major risks [1] associated with cloud services:
- Loss or theft of sensitive data or intellectual property.
- Noncompliance of Government or Industry imposed regulations like GDPR, HIPAA, etc,
- Lack of control over accessibility permissions of sensitive data.
- Inability to prevent theft or misuse of data by internal actors.
- Lack of visibility or ability to monitor the transfer of data to-and-from cloud applications.
- Advanced threats and malicious attacks on cloud service providers.
In light of the recent high-profile breaches of cloud platforms like Evernote, Adobe Creative Cloud, Slack, and LastPass, the risks involved with cloud services are a clear and present danger which enterprises cannot afford to ignore.
Identity and Access Management (IAM)
Identity and Access management is seen by many experts as the foremost line of defense which can mitigate a huge part of the risks faced by organizations while moving to a cloud environment.
Identity and Access Management is the branch of IT security that consists of policies and technologies which enable authorized individuals to gain access to the required resources at appropriate times, provided they have proper justification to access the said resources.
With an IAM framework in place, enterprises can control the access that users have to sensitive information. Identity and Access Management enables role-based access control, which helps organizations regulate access to networks or systems commensurate to the role of the individual users within the organization.
A recent security survey conducted by Forrester Analytics [2] revealed that establishing or implementing security strategies for public clouds was among the top three strategic priorities for organizations in 2019. The same survey revealed that improving identity and access management processes and tools was among the top tactical priorities for organizations in 2019.
The same study stated that organizations will have to give prominence to a sound cloud strategy in their strategic priorities. This strategy should include creating advanced security capabilities within organizations for cloud-based deployments, and training their employees on securing cloud applications and supporting infrastructure.
This study also stated that global regulations will force the evolution of data security and IAM and that investment in third party IAM tools and security solutions will see a marked increase since regulations like CCPA and GDPR have made knowing identity of customers and safeguarding their privacy as much a priority as stopping malicious attackers.
IAM Architecture
The IAM processes comprise the following components:
User management
This is the process that enables system administrators to control the level of access that the user has on a system. It also enables them to on-board users on to the system, change their level of access, or off-board users as required.
Authentication management
This is the process of establishing the identity of a user, in addition to ensuring that a user is who he or she claims to be. This is usually accomplished by the user entering a unique user name accompanied by a secure password.
Authorization management
Based on the authentication above, the user is given access to the system as per their role in the organization and the company policies.
Access management
It is the management of access requests from users. It includes providing or denying access to the users based on their role, a business justification to have access, and the company policies.
Data management and provisioning
It includes consolidation and management of data about the users and their identities for the use of authorization purposes, as well as managing the entire life cycle of a user in an organization including on-boarding, change of roles and retiring or off-boarding.
Monitoring and auditing
This includes continuous monitoring and scrutiny of user activity in the system to ensure that the users are compliant with the company policies.
Figure 1: Sample IAM Architecture [3]
IAM in the could computing environment
In the traditional IT environment, users have to be added, changed or removed from a system and can access resources as per their authorization levels. This process of adding, changing or removing an employee does not change in a cloud computing environment. Even if this system is located with a cloud service provider, the users have to be identified by the system in order for them to have access to the resources. However, in the cloud environment, not all components of the IAM process are managed by the parent organization itself.
The same applies to authorization and access management; a user still needs to provide authentication credentials to gain access. However, not all components of this process are managed by the parent organization itself.
Regardless of what parts of the IAM process are managed within the organization, the organization is always accountable for the entire IAM processes. Therefore it is crucial to know which organization controls which part of the IAM process.
The control an organization has over its IAM processes will lower the risk to the organization, and make risk mitigation easier. For example, if the organization uses on-premise authentication to access its resources, it can easily modify the authentication mechanisms if they are found to be insecure. However, if the organization uses off-premise authentication, it is not in control of changes made to the authentication mechanisms.
I AM Architecture in the cloud computing environment and the risks thereof
Authentication management
Authentication management is one of the key components of IAM that is frequently not managed by organizations using cloud services. Authentication mostly takes place in the cloud. Most cloud service providers use their own authentication mechanism for granting access.
Not being in complete control of authentication management could introduce multiple risks for an organization. Organizations may be required to comply with laws and regulations. If the authentication mechanisms of the cloud service provider do not comply with any of the laws or regulations, organizations might be in noncompliance. Additionally, organizations may have certain requirements for security and data storage in place.
These specific security requirements for authentication could be different from those of the cloud service provider (E.g. password strength and password storage requirements). If the service provider does not meet the required security level for authentication, organizations could be at a higher risk of data theft or loss. If the service provider has complete control over the authentication mechanisms, it could decide to change the authentication mechanisms and requirements to suit its needs.
In such cases, the organization using the cloud service is not in control over these changes, which is a risk for the organization. For example, the cloud service provider could decide to change the password policy to something less secure than what is required by the organization.
User management
In a traditional IT environment, users are managed by the organization itself. In a cloud computing environment, the users might be managed by the cloud service provider. Not being in control of all user data could make it difficult to comply with local laws and regulations for personal information. In case the cloud service provider is located in a region with different laws and regulations in place, the organization might be in noncompliance with the local laws and regulations.
Organizations may also be at risk because of possible differences in requirements for data security, or incompatible technology between the organization and the service provider. This might result in confidential or personal information being accessed or modified by unauthorized users.
Organizations using the cloud services could have no control over the changes made to user management by the cloud service provider (E.g. The service provider could decide to store users differently, making it incompatible and/or noncompliant with the requirements of the organization using the cloud services.
Not being in control of user management makes it very difficult to verify if an update to the user data is successful.
Authorization management
There might be differences in authorization models used by the Cloud service provider and the organization using the cloud services. For example, if the organization has implemented a role-based access control model to manage authorizations and the Cloud service provider does not support this, it is difficult to synchronize authorization of users. Not being able to synchronize the authorization of users makes it impossible to ensure that users only access the resources that they are authorized to access. Incorrect authorization management can lead to noncompliance with laws and regulations.
Organizations might not be in a position to verify if authorization protocols of its users (in terms of which resources a user is able access) have been diligently followed by the Cloud service provider. Therefore, organizations might not be able to detect erroneous authorizations (if any) done by the service provider. The organizations using cloud service are ultimately accountable for the authorization of their users, but the cloud service provider might have control (at least partial), over the processes involved.
Access management
Organizations using cloud services might not be able to control the enforcement of their security policies on the services provided by the cloud service providers, who ultimately control access to their services. In order to gain access to public cloud services, an Internet connection is generally used instead of a local network connection. Securing a local network is a lot easier than managing security on the Internet. The Internet is a public network that can be accessed by anyone with any compatible device. Another risk is the dependency of the Internet; if the connection to the Cloud service provider fails, the cloud services can no longer be accessed by the organization. Also, the fact that data is not stored and managed by the organization using the cloud services makes it very difficult to verify who has access to this data.
The possibility that there could be loss of control over the access management process combined with the fact that the cloud service are accessed over a public network, could pose certain risks to organizations using the cloud services. If data is not adequately protected, anyone using the Internet could gain access to the data of the organization using the cloud services. This data could be protected by laws or regulations, which would make the organization noncompliant.
Data management and provisioning
In the cloud computing environment, the data of the organization using the cloud services might be stored on the servers of the Cloud service provider. The organization using cloud services might not have control of this data.
There might be a risk of using incompatible technologies or incorrect deprovisioning, which might lead to unauthorized users continuing to have access to the cloud services even after dismissal. This could make the organization using the cloud services noncompliant with any applicable laws and regulations and put the data at risk of being stolen or lost. In addition to this, since data stored in a cloud environment might no longer be managed by the organization owning the data, requirements for removal and encryption might not be implemented according to the security standards and regulations.
Monitoring and auditing
In a cloud computing environment, the data of organizations using cloud services might be stored in the servers of the service provider. The Cloud service provider might control a part of the IAM processes, which might result in a lack of control of the monitoring and auditing processes. In a traditional IT environment, the organization can monitor and audit its own systems and network. When using cloud services, an organization might not have control over this part of IAM.
Organizations might be required by regulations to audit their processes, systems, and network periodically. However, it may not always be possible for the organization to audit the Cloud service provider which might be responsible parts of the IAM processes. It could also be storing a part of the data. In such cases, the organization using cloud services might be noncompliant with the regulations.
Organizations using the cloud services might not be in control of the quality and frequency of logging, monitoring, and auditing if the control lies with the cloud service provider. Additionally, not being able to monitor and audit cloud services could make it difficult to detect unauthorized access to data.
Figure 2: Summary of risks faced by organizations at each stage of the IAM Process
Apart from the above, Shadow IT and Lack of visibility and control are major risks faced by organizations as a result of the significant changes in the work environment brought about by the recent developments in cloud technology.
Shadow IT
Shadow IT is the use of unsanctioned apps or technology for work related purposes. Employees might be doing to in order to solve business problems or to get around IT challenges or funding constraints, but this still constitutes risk. This could mean that confidential and/or regulated data is exposed to sources outside of the organization or it could mean that data is being stored at undetermined locations without the knowledge of the organization.
Visibility and Control
In addition to the shadow IT practices, there are huge number of sanctioned could apps being used in organizations. As a result of this, data is distributed over a huge number of cloud apps and organizations are losing the ability to maintain visibility and control over what apps are being used and how data is managed in these apps.
Shadow IT and lack of visibility and control exposes organizations to myriad risks that they might not even be aware of. This risk could manifest in the form of noncompliance with laws and regulations, loss or breach of data because of user error, or a malicious outsider or insider attack. Some apps have security built in but most of them work on shared responsibility models which means cloud vendors do not own the client’s data nor are they responsible for how it is used.
Mitigating IAM risks in the cloud computing environment
Organizations using cloud services need to perform a thorough risk analysis; carefully considering all the risks involved and put controls in place to mitigate those risks.
The first step in addressing these risks would be to select cloud service providers based on their ability to ensure compliance with the organizations operational and security requirements, as well as their ability to comply with the applicable laws and regulatory requirements.
The second step would be to ensure that robust contracts and service level agreements are established with the service providers setting strong emphasis on having controls in place to mitigate all the risks identified. Special focus should be given to aspects including (but not limited to):
- Compliance to laws and regulations.
- Data security Requirements.
- Change management (allowing the organization to have control over any changes made to the IAM processes, authentication mechanisms, etc).
- Right to audit the Cloud service provider (allowing the organization to audit the IAM processes among other things).
The third step would be to audit the cloud service providers periodically enabling the organizations to verify if the service providers are in fact compliant with the contractual and SLA obligations, which will in turn ensure that all the security concerns are addressed to the satisfaction of the organization.
In addition to the above, there are several solutions available to organizations using which they can mitigate the Identity and Access Management risks and challenges discussed above. Here are a few important ones among them:
Single sign-on (SSO)
This is a process used for authentication which enables users to access multiple applications, services, and accounts with just one set of login credentials.
One example of SSO is the Google login, which enables users to access multiple Google applications like Gmail, Google Drive, etc with the same set of login credentials.
Some of the advantages of SSO are:
- Users do not need to log on to multiple applications and remember multiple passwords.
- Higher security and better compliance resulting from a centralized single sign-on system, which enables easier monitoring of user accounts across multiple applications.
- Reduces the risk of phishing since there are lesser number of passwords to protect.
Enhanced Security
Organizations can identify critical applications and systems housing sensitive data and increase the security levels for these applications. This can be achieved by adding additional layers of security using Multi-factor Authentication.
Multi-factor authentication is an authentication method in which the user needs to provide two or more different proofs of identity before being granted access to a system. The authentication factors are based on knowledge, possession, and inherence. Knowledge is something that only the user knows (E.g. passwords, passphrases, personal identification numbers, etc). Possession is something that only the user has (E.g. Hardware or software tokens). Inherence is something that only the user is (E.g. Biometrics, fingerprint, face recognition, etc).
Resource Level permission/access control
Resource level access control enables organizations to control which resources a particular user is allowed to access and what kind of actions the user is permitted to perform on that resource. This can be applied at an individual user level or at a group level (Role based).
This is somewhat akin to the Japanese Poka-yoke or fail-safe principles used in Quality Control; having control at a level of granularity, where you are essentially making it (nearly) impossible for unauthorized individuals to gain access or unduly modify resources.
Cloud Access Security Broker (CASB)
Cloud Access Security Brokers are security tools which help organizations set policy, monitor user behaviour, and manage risk across all the cloud services and service providers being used in an organization. CASBs (pronounced as cas-bee) enable organizations to control access to sanctioned cloud apps and prevent access to unsanctioned cloud apps, and help them protect sensitive data. CASBs use techniques like “user risk scoring” and “behaviour fingerprinting” to detect anomalous or suspicious activity by users to prevent accidental or malicious breaches.
CASBs might run on the client’s premises, or they might run in the cloud. CASBs act as intermediaries between users and the cloud apps; they monitor user activity and enforce security policies.
CASBs provide a wide gamut of security services including Data Loss Prevention, and Malware protection, however, for the purpose of this article; only the aspects related to the IAM risks discussed previously in this article are addressed.
Access control
CASBs usually do not store User Identity data; instead, they work with the client organization’s Active Directory. The organizations Active Directory groups are utilized to make Access control decisions. CASBs can control access to specific cloud apps for users (individuals or groups) based on device type, user behaviour, etc. Specific users or groups can be authorized to use specific apps. CASB’s can analyze risk related data like user behaviour, type of data, device being used, etc in access control decisions and initiate step-up authentication.
There is no HR Identity feed or personnel information housed with the CASB, instead, there is a tight integration with the client organization’s Active Directory, so the organizations AD groups can be used in Access control decisions. Unsanctioned apps can be blocked and attempts to access undesirable apps can be used to educate users and steer them towards sanctioned apps.
Visibility
CASBs analyze logs from the edge of network devices like routers, switches, and integrated access devices to track the cloud apps being used. This provides visibility into who is transferring the data, what data is being transferred, the volume and the type of data being transferred, and the locations to which the data is being transferred. This data can be used to identify policy violations and can be incorporated into policy construction in the CASB. Once this has been incorporated into CASB policy, any similar undesirable actions can be prevented.
CSP vendor risk management
CASB vendors maintain dynamic lists of thousands of cloud applications and their risk profiles. CASB vendors continually research cloud apps to keep the risk profiles accurate and up-to-date. They analyze terms and conditions and determine to what extent the vendors are responsible for data. They analyze service organization controls or SOC reporting for effectiveness of security controls. And they also send security questionnaires to cloud service providers to gather information.
CASBs provide organizations with dashboards containing vendor risk profiles and ratings which help organizations to select the right vendors based on their risk appetite.
Cloud Access Security Brokers when used in conjunction with other IAM security solutions like Single sign-on tools and Multi-factor authentication techniques can be extremely effective in mitigating the cloud IAM risks. An example of this is adaptive or risk-based authentication wherein, if a user is exhibiting what is seen to be risky behaviour when accessing a sensitive resource, the user is challenged to provide step up authentication (additional multi-factor authentication) to ensure that the resource is not accessed by unauthorized entities.
IAM Success Stories [4]
NASDAQ
Being the second-largest stock exchange in the world in terms of value, NASDAQ supports markets in over 50 countries and has to comply with strict regulations. They faced a challenge where they had to integrate modern cloud apps and platforms with their internal processes. This resulted in a complex matrix of controls which complicated the IAM process.
They were able to solve this problem by implementing Single Sign-on across their entire organization. Users now had to remember only one password for accessing internal and external applications. Enhanced security prevented the login credentials from being compromised without causing undue inconvenience to the users.
Adobe
When Adobe transformed into a cloud-first organization (from Adobe Creative Suite to Adobe Creative Cloud), there was a huge shift in their business model and it was faced with the immense challenge of providing secure access to a large number of enterprise customers.
Instead of spending resources on building an internal solution, Adobe opted to engage the services of third-party IAM service providers, implementing Single Sign-on for its employees worldwide, and a comprehensive authentication layer for all their cloud applications. This helped them gain massive growth in their customer base and revenues.
21st Century Fox
Being one of the biggest content producers of the world, 21st Century Fox needs to collaborate with third parties, manage digital workflows and connect with content creators and professionals across multiple devices and platforms. Their traditional network security measures were not adequate to deal with this complex scenario.
Realizing that there was an urgent need to update their security strategy, they implemented adaptive Multifactor authentication. With adaptive Multifactor authentication, in addition to having two or more factors of authentication, if any suspicious activity is observed when a user is attempting to access a resource, the user is required to proved additional authentication factors. These steps have hugely reduced the risk of data breaches.
Conclusion
The Information security landscape is constantly evolving, and the challenges have only increased with enterprises being forced to rapidly adapt to cloud computing. With a rapid increase in the number of devices and services to be managed, Identity and Access Management poses considerable risks and provides great opportunities at the same time depending on how it is managed.
In the context of security, using a robust IAM framework by identifying and addressing the related risks can enable organizations to better enforce their user access policies and best practices. This will also enable organizations to be compliant with government and industry specified regulations by empowering organizations to demonstrate (through proper audit trails) that personal or sensitive data will not be compromised or misused.