Cloud identity: Are you who you say you are?


Recent years have seen an increasing number of companies adopting cloud-based technologies, with cloud spending predicted by Gartner to climb 20.7% in 2023, approaching $600bn (£482.2bn). Such cloud adoption is due to the elasticity, agility and scalable nature offered with Infrastructure-as-a-Service (IaaS), which is experiencing highest growth rate, while Software-as-a-Service (SaaS) remains the category with highest spending.

IT footprints of organisations that adopt cloud will certainly expand with their IT network perimeter, shifting to a perimeter-less one while IT resources become highly dynamic and distributed. Within cloud environments, as IT resources are constantly provisioned, deprovisioned and moved around across containers, regions, or even cloud service providers, there are several new security challenges. A 2021 survey by Cloud Security Alliance (CSA) and AlgoSec found network security to be one of the main leading security concerns for cloud projects.

Besides that, another fundamental problem in cloud computing is the complexities in managing cloud Identity and Access Management (IAM) across multiple organisations. CSA’s Top Threats to Cloud Computing – Pandemic Eleven report has listed identity management as the number one cloud threat today because “…access to cloud resources is primarily determined by identity, not by network segmentation.” In other words, the user’s identity is the new perimeter. 

Given these few key differences and challenges, the typical security paradigms that have been commonly used to secure enterprise networks and systems against cyber threats, such as perimeter-based security and defence[JS1] -in-depth models, may not be well-suited for cloud environments. For example, in a defence-in-depth model, trust is rather lax once a user has been authenticated into the enterprise IT network. However, that identity may have been validated for a long while or could have been compromised in the dark web or through a data breach from one of the other third-party cloud service providers, such as the case in Uber’s 2016 data breach[RM2] [GSY3]  in which a Uber employee’s stolen credentials was used.

Here are the three main trends that I believe will be more prominent in the coming year:

Adoption of zero-trust frameworks – “Never Trust, Always Verify”

With an increasing number of data breaches involving cloud technologies, one of the most significant trends in cloud IAM in 2023 would be the increase in adoption rate of zero-trust security models by organisations to reduce their risk of data breaches. Zero-trust is a security concept that assumes that every user, device, and network is untrusted and must be continuously authenticated and authorised before accessing any resources. This means that access to systems and data is restricted based on factors such as user identity, device security, and location. Proponents of this concept include Sundar Pichai from Google, Satya Nadella from Microsoft and even Tim Cook, the CEO of Apple. The US Department of Defense (DoD) strongly believes that this approach reduces the risk of data breaches and cyber attacks by ensuring that only authorized users can access sensitive information. BeyondCorp, a zero-trust solution developed by Google, is an example. It uses device and user context to enforce access controls and provide secure access to cloud resources.

As there is a need for continuous authentication and authorisation in implementing zero-trust, it is crucial for organisations to develop a comprehensive zero-trust architecture plan that outlines their strategy, policies and technologies based on their respective needs. Besides that, as the cloud computing skills gap was found to be the second-largest skill gap in ISACA’s State of Cybersecurity 2022 survey, the execution of the zero-trust plan would require the awareness creation and necessary training to be provided to employees, as well as what to expect from their behavior. The behavior changes would include shifting to stronger user authentication methods such as multi-factor authentication.  

Increasing need for automation – AI/ML to the rescue

Due to the dynamisms of IT resources within the adoption of cloud environments, organisations would need to rely on automation to streamline their security operations management and reduce the risk of human errors due to the requests fatigue that could come from zero-trust adoptions. Such cloud IAM automation needs would lead to another trend in cloud IAM, which is the integration of Artificial Intelligence (AI) and Machine Learning (ML) technologies. For example, AI can be used to analyse user behaviour and detect anomalies that could indicate a security breach by filtering out noise. ML can be used to learn from these anomalies and improve the overall security of the system. 

Cloud IAM solutions that incorporate AI and ML into their technology include Cloud Infrastructure Entitlements Management (CIEM) solutions that enable management and enforcement of granular access policies, such as CloudKnox. As AI and ML technologies rely on data feeds for efficiency and accuracy, visibility and monitoring are some of essential components that organisations would need to get right through careful planning of integrated monitoring across endpoints, network traffic, and applications and user behaviours, supported by real-time threat intelligence on potential security threats.

IAM-as-a-Service – Native cloud identity on the rise

The third significant trend we can expect to see is more companies adopting cloud IAM as a Service (IAMaaS). IAMaaS is a cloud-based solution that provides IAM functionality on a subscription basis, and an increasing number of the IAMaaS providers are offering integration to zero-trust, SIEM and CIEM solutions. This approach primarily eliminates the need for companies to manage and maintain their IAM infrastructure, reducing costs and complexity while allowing organisations to manage user access to their systems and data, authenticate users, and enforce access policies across multiple cloud platforms and applications.

However, recent data breaches, such as those experienced by Okta, have highlighted the risks associated with IAMaaS. The breach occurred due to a breach that originated from its third-party contractor, Sykes. Such data breaches highlight the importance of implementing strong security measures when using IAMaaS. Organisational leaders should ensure that they choose a reputable IAMaaS provider with a proven track record of security and that they continuously implement best practices for securing their IAM systems, such as regularly updating software and using multi-factor authentication, as well as having proper independent attestations of their IT environments. There is an increasing need to review regulations and compliance

As the strong growth of cloud adoption continues, cloud IAM would become an ever-increasing critical component of modern business operations. Several major trends that will shape the future of cloud IAM include the adoption of zero-trust security models, the integration of AI and ML technologies to support automation, and adoption of IAMaaS.

Organisations that are aware of these trends and the potential opportunities, along with underlying risks and challenges, will be better equipped to manage user access to their systems and data, reduce their risk of data breaches, and improve their overall security posture. However, as per any technology, organisations need to ensure they have a strong security foundation backed by talents with the right skillsets to supplement these best practices and trends in cloud IAM.

Ser Yoong Goh is a member of the ISACA Emerging Trends Working Group.



Source link