Automating Multi-Cloud Access

by Micro Focus Employee in CyberRes

Adhering to Peter Drucker’s famous quote, “you can’t manage what you can’t measure,” IT routinely allocates significant portions of their security budget to managing and monitoring user activity. So, with this rule in mind how good is your organization at applying that sage advice to your cloud-based services? Here’s one of several experiences I’ve had that led me to believe that organizations are still catching up to access management sea change that occurred with cloud-based services.

Our Access Security Heritage 

Years ago, one of the perks at another large company was employee access to a robust digital library of professional and technical publications. These publications were industry-specific and would have been quite expensive to purchase. Indeed, individual subscriptions were costly, and access to them depended on the subscription being active. A cool feature of the service was the ability to download a set number of chapters each month across its library. This library was my first cloud service. Access to it didn’t require a VPN or any type of corporate credential. Unfortunately, for security’s sake, the service didn’t support any federated authentication model, only its own separate credential. These were the days before SAML 2 and OIDC. While other federation options existed, they were rarely used.

I bring up this cloud access scenario because years after I left this organization, I realized that my credentials still worked, meaning I still had access to the full library of materials and services. So, while my corporate credentials were disabled, the credentials for this service were untouched. While IT’s access security team was focused on its intranet, they didn’t think much about the web services consumed outside it. They paid all sorts of attention to the types of communication allowed through their firewalls and VPN technologies and considered cloud-based services outside of their realm. During this era of realm-specific security it was also common for IT to underrate the importance of staying on top of their users’ identity lifecycle. Not only was that a less than secure assumption at the time, its flaw becomes glaring when applied to cloud-based services.

So, when I left this company, IT blocked access to my laptop and their core set of applications by disabling my Active Directory account. They also deactivated the LDAP account used for VPN authentication. But it appears that this cloud service simply wasn’t on IT’s list of priorities. My guess is that it was a standalone project by HR. It would have been interesting to know if HR even contacted IT or if they simply viewed it as outside their purview. It likely didn’t even occur to IT that this specialized cloud service was something they needed to think about.

Multi-Cloud Access Governance

Based on the number of times I hear about organizations performing manual provisioning and governance operations, it’s clear they’re not ready for a multi-cloud paradigm. This tradition of manual or ad-hoc administration tactics stems from the old intranet mindset, where IT’s focus is narrowed to just the few identity stores holding the permissions. This old mentality relied on firewalls and VPNs, controls limited to coarse, generalized rules that simply could not enforce a least privilege model.

More than in past architectures, multi-cloud requires an identity-centric least privilege approach. With multi-cloud, users, and remote users especially, typically reach those services directly rather than being funneled through an internal network. To avoid high TCO and error-prone manual processes, access management for multi-cloud environments requires automation.

The Reality of Hybrid Environments

Going back to my example of rogue access, my guess is that the cloud-based service I was able to access for another eight years after my departure wasn't properly maintained because it was probably purchased as an enterprise license, meaning that the organization didn't gain business value by maintaining those accounts. But what about those services that do pose a risk or cost to an organization? I'm sure that every organization has them, including yours. Are you still managing them with manual or ad-hoc processes? Is management really aware that their firewalls and VPNs are irrelevant to them? Historically, a barrier to full automation has been a mindset created by the fact that, for internal applications, there are just a few identity stores that need to be updated. It's too easy to miss that this same approach won't work for access control of cloud-based services. So, while a traditional process of updating account information in Azure AD and LDAP directories solves access to internal services, it doesn't work for cloud-based ones.

Access Management Automation for Multi-Cloud

As IT resources get harder to find and more expensive to pay for, the more value your organization gains by automating access management. Chiefmartec claims that the average organization consumes over 1,200 cloud-based services. That seems high to me, but let’s assume it’s a fourth of that. What kind of processes do you have in place to automate changes to the access controls of those services? Any human steps involved? How do you verify that an ex-employee (or consumer) was properly deprovisioned? How effective are your monitoring capabilities?
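The deprovisioning question above is answerable only if every cloud service's account list is reconciled against the authoritative identity source, the step that was missing in the digital library story. The following is an added example, not code from the original post or from NetIQ; it assumes the HR feed or directory and each cloud service can be exported to simple records, and all of the data in it is constructed. It flags three conditions a deprovisioning job must act on: accounts whose identity was terminated (orphaned), accounts with no matching identity at all, and accounts nobody has used for a long time.

```python
"""Deprovisioning reconciliation across separately administered cloud
services. Added example with constructed data; not the post's or NetIQ's code."""
from dataclasses import dataclass
from datetime import date

AS_OF = date(2022, 4, 1)  # constructed reconciliation date

# Constructed sample: the authoritative lifecycle source (HR feed or
# corporate directory). This is the store IT already keeps current.
IDENTITY_SOURCE = {
    "alice@example.com": {"status": "active", "left": None},
    "bob@example.com": {"status": "terminated", "left": date(2014, 6, 30)},
    "carol@example.com": {"status": "active", "left": None},
}

# Constructed sample: per-service account exports. Each service keeps its
# own credential store, like the digital library in the post, so each one
# has to be reconciled on its own.
SERVICE_EXPORTS = {
    "digital-library": [
        {"user": "alice@example.com", "enabled": True, "last_login": date(2022, 1, 10)},
        {"user": "bob@example.com", "enabled": True, "last_login": date(2022, 3, 2)},
    ],
    "crm-saas": [
        {"user": "alice@example.com", "enabled": True, "last_login": date(2022, 2, 1)},
        {"user": "carol@example.com", "enabled": True, "last_login": date(2021, 1, 1)},
        {"user": "dave@example.com", "enabled": True, "last_login": date(2022, 2, 15)},
        {"user": "bob@example.com", "enabled": False, "last_login": date(2014, 6, 1)},
    ],
}


@dataclass(frozen=True)
class Finding:
    service: str
    user: str
    kind: str    # "orphaned", "unknown" or "dormant"
    detail: str


def reconcile(identity_source, service_exports, today=AS_OF, dormant_days=180):
    """Return one Finding per enabled cloud account that should not stay
    enabled as-is: the identity was terminated (orphaned), the identity is
    unknown to the authoritative source, or the account is long unused."""
    findings = []
    for service, accounts in service_exports.items():
        for acct in accounts:
            if not acct["enabled"]:
                continue  # already disabled at the service, nothing to do
            user = acct["user"]
            record = identity_source.get(user)
            if record is None:
                findings.append(Finding(service, user, "unknown",
                    "enabled account with no identity in the authoritative source"))
            elif record["status"] != "active":
                days = (today - record["left"]).days
                findings.append(Finding(service, user, "orphaned",
                    f"identity terminated {days} days ago but account still enabled"))
            elif (today - acct["last_login"]).days > dormant_days:
                idle = (today - acct["last_login"]).days
                findings.append(Finding(service, user, "dormant",
                    f"no login for {idle} days"))
    return findings


def pending_deprovision(findings):
    """Map each terminated identity to the services where it still has an
    enabled account: the work list an automated deprovisioning job must close."""
    pending = {}
    for f in findings:
        if f.kind == "orphaned":
            pending.setdefault(f.user, []).append(f.service)
    return pending


if __name__ == "__main__":
    results = reconcile(IDENTITY_SOURCE, SERVICE_EXPORTS)
    for f in results:
        print(f"{f.kind:9} {f.service:16} {f.user:20} {f.detail}")
    print("still to deprovision:", pending_deprovision(results))
```

Run on a schedule, the `pending_deprovision` output is the verification the paragraph asks for: if a terminated user still appears in it after the automated joiner/mover/leaver process has run, that service is not wired into the process. The "unknown" category is worth keeping separate, since it catches accounts created directly in the service (the HR-run project in the story) that no lifecycle event will ever disable.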

Multi-Cloud Access Governance

Beyond ensuring that access control changes are made quickly and reliably, there is the issue of ensuring that users have the right level of access. Labeled as least privilege, getting the right level of access to the right user has been a growing focus for cloud-based services. Because they’re typically directly available from the internet, least privilege is an essential element of an organization’s zero trust initiative needed to shore up its access security.

To elevate the accuracy of governance decisions, you’ll need a way to present all the relevant data to the person deciding to grant access or later to review the merit of that access. And, of course, you need an easy way to attest to compliance requirements as requested.
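What "all the relevant data" looks like in practice is a small packet of facts per entitlement: how long it has been held, when it was last exercised, and whether the user's peers hold it too. The following is an added example of assembling that packet, not code from the original post or from NetIQ Identity Governance; it assumes three feeds that a governance system would normally aggregate (user attributes, entitlement grants, and last-use data from the services' own audit logs), and all of its data is constructed.

```python
"""Review context for an access decision. Added example with constructed
data; not the post's or NetIQ's code."""
from datetime import date

AS_OF = date(2022, 4, 1)  # constructed review date

# Constructed sample: user attributes from the directory.
USERS = {
    "alice@example.com": {"dept": "finance"},
    "carol@example.com": {"dept": "finance"},
    "erin@example.com": {"dept": "finance"},
    "frank@example.com": {"dept": "engineering"},
}

# Constructed sample: entitlement grants as (user, service, role, granted_on).
GRANTS = [
    ("alice@example.com", "crm-saas", "admin", date(2021, 1, 15)),
    ("carol@example.com", "crm-saas", "viewer", date(2021, 3, 1)),
    ("erin@example.com", "crm-saas", "viewer", date(2021, 3, 1)),
    ("frank@example.com", "crm-saas", "admin", date(2020, 11, 2)),
]

# Constructed sample: last exercise of each entitlement, taken from the
# service's own audit log. A missing key means it was never used.
LAST_USED = {
    ("alice@example.com", "crm-saas", "admin"): date(2021, 2, 1),
    ("carol@example.com", "crm-saas", "viewer"): date(2022, 3, 20),
    ("frank@example.com", "crm-saas", "admin"): date(2022, 3, 28),
}


def review_context(user, service, role, today=AS_OF, stale_days=90):
    """Assemble the facts a reviewer needs for one (user, service, role):
    how long it has been held, when it was last used, and how common it is
    among the user's department peers. Flags mark the two cases that most
    often justify revocation under a least privilege policy."""
    dept = USERS[user]["dept"]
    peers = [u for u, info in USERS.items() if info["dept"] == dept and u != user]
    peers_with = {u for u, s, r, _ in GRANTS if (s, r) == (service, role) and u in peers}
    grant = next((g for g in GRANTS if g[:3] == (user, service, role)), None)
    last = LAST_USED.get((user, service, role))

    ctx = {
        "user": user, "service": service, "role": role, "department": dept,
        "held_days": (today - grant[3]).days if grant else None,
        "last_used_days": (today - last).days if last else None,
        "peer_ratio": len(peers_with) / len(peers) if peers else 0.0,
        "flags": [],
    }
    if grant is not None and (last is None or ctx["last_used_days"] > stale_days):
        ctx["flags"].append("unused")    # held, but not exercised recently
    if peers and not peers_with:
        ctx["flags"].append("outlier")   # nobody else in the department has it
    return ctx


def review_queue(today=AS_OF):
    """Every current grant with its context, flagged ones first, so a
    campaign reviewer sees the entitlements most worth questioning at the top."""
    rows = [review_context(u, s, r, today) for u, s, r, _ in GRANTS]
    return sorted(rows, key=lambda c: (-len(c["flags"]), c["user"]))


if __name__ == "__main__":
    for c in review_queue():
        print(c["user"], c["service"], c["role"],
              "held", c["held_days"], "d, last used", c["last_used_days"],
              "d, peer ratio", round(c["peer_ratio"], 2), c["flags"])
```

The "unused" and "outlier" flags are deliberately just evidence, not decisions: an admin role that no peer holds and that has not been used in a year is a strong revocation candidate, but the application owner still makes the call, and the same packet, stored with the decision, is what you hand to an auditor when asked to attest.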

Multi-Cloud Access Summary

The use of cloud-based services has evolved generationally since my first experience with them. Hopefully, your organization’s strategy of controlling access to them has as well. Beyond this blog’s focus on automation and governance, there is a lot more that can be done, such as:

  • Tightly integrate actual access activity to governance and risk assessments
  • Elevate the level of risk-based access control to a more advanced set of metrics.

But identity automation and governance go a long way in getting you there. In fact, they are foundational before you can move

If you don’t use NetIQ Identity Manager for all the important identity repositories, check out this NetIQ Unplugged video on why it should be. This video does a good job demonstrating how NetIQ Identity Governance can effectively inform application and data owners at the point of approving an access request with the best information at hand.
