A Single Identity Management and Security Strategy for Hybrid Clouds

Hybrid IT environments are becoming the exception and not the rule. Cloud adoption has transformed more than business operations; it has also transformed how businesses need to address identity management and security.

Today’s identity teams and cloud architecture specialists are facing a myriad of challenges. In my new paper—“Multi-Cloud Access Management Done Well – Myth or Mystery?”—I discuss these potential hurdles and what enterprises can do to establish an identity and access management approach that supports their on-premises and cloud environments.

Multiple clouds, one strategy
One of the biggest obstacles to successfully addressing identity and access management (IAM) in hybrid cloud and hybrid IT environments is managing the identity lifecycle across a mix of on-premises, public cloud, and private cloud environments, each of which may have its own native IAM system. A lack of readily available IAM solutions that can manage the full depth and capabilities of each cloud provider’s security models only increases the challenge organizations face.

For organizations to enable secure access, they must establish a common identity store that serves both machine and human identities. This centralized identity store can then be linked to the organization’s Identity Governance and Administration (IGA) solution so that processes like deprovisioning can be automated across its entire infrastructure, whether it is on-premises or in the cloud. For primary human identities, federation services can synchronize user stores from corporate Active Directory deployments to the cloud user store. This process is more difficult for machine identities and any secondary human identities due to the sheer number of them that are likely to exist, making good identity hygiene and strong governance that much more important.

Centralization, however, is the name of the game. It is highly likely that one line of business could use a particular cloud provider, such as AWS, while another uses a different service like Microsoft Azure. As noted earlier, each service can have its own approach to IAM, which complicates efforts to standardize access levels for users who leverage multiple clouds. Google Cloud, for example, organizes resources based on hierarchies that offer features such as inheritance. On the other hand, AWS provides the ability to grant fine-grained permissions specific to any resource. Maintaining consistent access levels across these different clouds—particularly in highly regulated industries—must be an important focus.

To address this challenge, organizations should start by consolidating the management of cloud access so that it is the responsibility of a single, centralized team, ideally in an IAM Operations function, at the start of your cloud journey. If the management needs to be done manually, a best practice is to segregate the provisioning and deprovisioning teams according to what cloud provider is being used.

While a next-generation architecture that supports multi-cloud environments will ultimately feature automation, enterprises need to understand that they will likely have to manually support basic IAM operational functions during the initial phase of their cloud journey. Organizations should review all their existing security and access management policies, standards, and procedures to ensure they are up-to-date and provide specific guidance to IT teams and business owners on what is expected. A best practice is to perform a complete review twice per year, and a typical enforcement policy would be less than six months after the publication of any new policy or standard.  If too many exceptions appear, it is proof that your policies need to be revamped.

Above all, it is critical to maintain good identity hygiene and centralize lifecycle events to ensure each identity is known, authorized, and managed. As always, the work begins early. Be sure to communicate with your business and IT stakeholders regarding what is moving to each cloud environment and when so that you can start to think about governance and educate yourself before deployments begin.

About the Author: Tom Malta, Head of Identity and Access Management, Navy Federal Credit Union, has led many successful IAM Programs over the last 20 years utilizing custom built as well as off the shelf technology supporting internal, external, and 3rd party/cloud identities alike. His recent passions include emerging technologies such as biometrics, AI, and next generation customer authentication solutions such as blockchain. Tom is a member of the IDSA Customer Advisory Board.



Let's work together to help everyone become more secure.