The Inner Circle

  • 1.  Managing Cloud Identities

    Posted Jun 08, 2020 08:51:00 AM
    Does anyone have recommended resources/thoughts they'd be willing to share about best practices for managing identities across cloud and on-prem environments?  We're discussing strategies around separating vs. syncing directories, in particular for access to the mgmt plane, and are very interested in understanding what considerations (aside from limiting blast radius) played into this decision for others, what gotchas have been encountered, etc.

    ------------------------------
    Mary Carp
    Avery Dennison
    ------------------------------


  • 2.  RE: Managing Cloud Identities

    Posted Jun 08, 2020 08:50:00 PM
    This has been a real source of debate amongst a lot of the Enterprise discussions I've been a part of, and the decisions have been very split on separating vs. syncing directories. The CSP platform (or platforms, where multiple CSPs are used) and the legacy IAM solutions' compatibility was often an issue, such as AD usage across multiple cloud offerings. It wasn't just about separation of duties and privileged access management but also about account management. I do believe in a multi-account approach to cloud with lots of permission lists and even expiring accounts, but visibility on user login activity, especially for admin or high-privilege executive accounts, is a challenge. SDP is a Zero Trust type of solution for networks and microsegmentation that could be a good start too, but your ACL challenges remain the same between separation and syncing. As a CSA Corporate Member, there are a couple of other actions to come out of this:

    • Address the Enterprise Corporate Members group, which hosts monthly calls for discussion across end users. This coming month is on API Security and the use of API Gateways. @Brent Lundstrom can invite you to the meeting and put this particular topic on an upcoming agenda. Additionally, this group has a private community within Circle to engage in discussions earlier: Enterprise Corporate Members

    • Ask the Industry Analyst. CSA Enterprise Members get access to leaders in the space through an organized session for your security teams and an industry specialist. @Courtney Keogh can set this up for you.


  • 3.  RE: Managing Cloud Identities

    Posted Jun 10, 2020 01:17:00 PM
    Thanks, John, it sounds like we are in good company on this debate. You bring up a number of considerations that have come up in internal conversations as well. We do participate in the CSA calls where we can, and I will certainly bring this to the open discussion if I can make the next one. I had forgotten that access to the CSA Industry Analyst was an entitlement that we had as Enterprise Members; this is a fruitful place for us to continue exploring, thanks for the reminder!

    ------------------------------
    Mary Carp
    Senior Cybersecurity Engineer
    Avery Dennison
    ------------------------------



  • 4.  RE: Managing Cloud Identities

    Posted Jun 09, 2020 08:12:00 AM

    If your organization has a multi-cloud environment I would definitely recommend implementing identity federation (e.g. SAML, OAuth), either directly from your on-prem enterprise directory or via an intermediate IDaaS service. Implementing and operating lifecycle IAM administration processes for a proliferation of separate cloud-based identities for each service can be very inefficient and expensive, at least for larger organizations. Federation also provides SSO usability benefits and centralized termination of access on employee termination, which can be very important in insider risk scenarios.

    For management plane access I would recommend separate identities (from "regular user" access) and multi-factor authentication, coupled with zero trust SDP access controls for privileged access. I'd also suggest that privileged API access to the management plane (e.g. infrastructure as code) should be secured similarly well, depending on the capabilities supported by the CSP.



    ------------------------------
    Erik Johnson
    Sr. Enterprise Cloud Security Specialist
    Federal Reserve
    ------------------------------
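    The recommendations in the reply above (management-plane identities kept separate from regular-user identities and protected with MFA, and access terminated centrally through the directory) can be turned into a periodic audit of a cloud account inventory. The following is an added example, not code from the thread or from any CSP; the `CloudPrincipal` model, the `audit` function and the sample inventory are assumptions constructed for illustration.

```python
"""Audit a cloud identity inventory against the thread's recommendations:
separate, MFA-protected management-plane identities, and no local accounts
that escape central termination. Constructed example; data model is assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CloudPrincipal:
    name: str          # cloud-side login name
    owner: str         # directory UPN it belongs to ("" if unknown)
    roles: frozenset   # "user" for day-to-day access, "admin" for mgmt plane
    mfa: bool          # MFA enforced on this principal
    federated: bool    # authenticates through the central directory / IDaaS


def audit(principals, enabled_directory_users):
    """Return [(principal name, finding), ...]; an empty list means clean.
    enabled_directory_users is the set of UPNs still enabled centrally."""
    findings = []
    for p in principals:
        if {"user", "admin"} <= p.roles:
            findings.append((p.name, "management-plane rights on a regular-user identity"))
        if "admin" in p.roles and not p.mfa:
            findings.append((p.name, "privileged identity without MFA"))
        if not p.federated:
            # Local accounts bypass central termination, so verify their owner.
            if not p.owner:
                findings.append((p.name, "local account with no directory owner"))
            elif p.owner not in enabled_directory_users:
                findings.append((p.name, "local account for a disabled directory user"))
    return findings


# Constructed sample inventory; all people and names are fictional.
SAMPLE = [
    CloudPrincipal("alice", "alice@example.com", frozenset({"user"}), True, True),
    CloudPrincipal("alice-admin", "alice@example.com", frozenset({"admin"}), True, False),
    CloudPrincipal("bob", "bob@example.com", frozenset({"user", "admin"}), True, True),
    CloudPrincipal("svc-deploy", "", frozenset({"admin"}), False, False),
    CloudPrincipal("carol-admin", "carol@example.com", frozenset({"admin"}), True, False),
]
ENABLED = {"alice@example.com", "bob@example.com"}  # carol has been terminated

if __name__ == "__main__":
    for name, finding in audit(SAMPLE, ENABLED):
        print(f"{name}: {finding}")
```

On the sample data `alice` and `alice-admin` are clean (separate identities, MFA on the privileged one), while `bob`, `svc-deploy` and `carol-admin` each produce a finding.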