If your organization has a multi-cloud environment I would definitely recommend implementing identity federation (e.g. SAML, OAuth), either directly from your on-prem enterprise directory or via an intermediate IDaaS service. Lifecycle IAM administration process implementation and operation for a proliferation of separate cloud-based identities for each service can be very inefficient and expensive, at least for larger organizations. Federation also provides SSO usability benefits and centralized termination of access on employee termination, which can be very important with insider risk scenarios.
For management plane access I would recommend separate identities (from "regular user" access) and multi-factor authentication, coupled with zero trust SDP access controls for privileged access. I'd also suggest that privileged API access to the management plane (e.g. infrastructure as code) should be secured similarly well, depending on the capabilities supported by the CSP.
------------------------------
Erik Johnson
Sr. Enterprise Cloud Security Specialist
Federal Reserve
------------------------------
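An added example, not part of the thread: a small Python audit over a constructed identity inventory that flags the conditions the reply above recommends against (cloud-local rather than federated credentials, management-plane access without MFA, one identity shared between privileged and everyday use, and identities left enabled after the owner's termination). The identity names, clouds and field layout are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class Identity:
    name: str
    cloud: str
    federated: bool       # backed by the enterprise directory via SAML/OAuth
    mfa: bool             # multi-factor authentication enforced
    mgmt_plane: bool      # can reach the management plane / control-plane APIs
    daily_use: bool       # also used for everyday, non-privileged work
    owner_active: bool    # owner still employed per the enterprise directory


# Constructed sample inventory (hypothetical identities, not real accounts).
SAMPLE = [
    Identity("alice@corp", "aws", True, True, False, True, True),
    Identity("alice-admin@corp", "aws", True, True, True, False, True),
    Identity("bob@corp", "azure", True, False, True, True, True),
    Identity("svc-deploy", "gcp", False, False, True, False, True),
    Identity("carol@corp", "aws", True, True, False, True, False),
]


def audit(identities):
    """Return (identity name, finding) pairs in inventory order."""
    findings = []
    for i in identities:
        if not i.federated:
            findings.append((i.name, "local credential, not federated"))
        if i.mgmt_plane and not i.mfa:
            findings.append((i.name, "management-plane access without MFA"))
        if i.mgmt_plane and i.daily_use:
            findings.append((i.name, "privileged and everyday access share one identity"))
        if not i.owner_active:
            findings.append((i.name, "owner terminated but identity still enabled"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

In practice the inventory would be pulled from each CSP's IAM API and the directory, but the checks stay the same.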
Original Message:
Sent: Jun 08, 2020 08:50:55 AM
From: Mary Carp
Subject: Managing Cloud Identities
Does anyone have recommended resources/thoughts they'd be willing to share about best practices for managing identities across cloud and on-prem environments? We're discussing strategies around separating vs. syncing directories, in particular for access to the mgmt plane, and are very interested in understanding what considerations (aside from limiting blast radius) played into this decision for others, what gotchas have been encountered, etc.
------------------------------
Mary Carp
Avery Dennison
------------------------------