
Why IAM in the Cloud needs attention?

  • Abhiram Shindikar
  • Wednesday, Aug 21, 2024

The history of cloud IAM can be traced back to the early 2000s, when the need to manage identities in digital environments grew. With emerging cloud platforms like AWS, managing user access across distributed resources was complex using basic access control lists (ACLs) and username-and-password access. Access management tools had to evolve to manage specific users and permissions for specific cloud services.

With all of these complexities in mind, IAM services like AWS IAM, Azure IAM, and GCP IAM were developed. They offer centralized control over user access, policies for all the resources in that particular cloud, and the required permissions.

Why does Identity and Access Management need attention?

Although cloud providers are doing a pretty good job when it comes to securing their portals, you have to jump through a couple of hoops to get your IAM security right. You may want to argue that cloud providers are taking care of securing the portals so why does it need attention?

Earlier, when organizations were on-prem, they relied on firewalls and network security. Fast-forward to today: if you are a cloud practitioner or a developer, you must know that “Security is not a one-time practice”. Also, in the cloud, the network is not the perimeter. IAM is the new perimeter in the cloud.

Thus it makes complete sense to think about “Who has access to what” in your cloud environment, and whether you have the right security controls and procedures in place.

Companies like MGM got breached because of IAM, paying the ransomware of $110+ Million. Bad actors enter systems looking legitimate, pretending to be the real users! Pretty scary, right?

IAM - Curse or a Blessing?

Recently, in one of our podcasts at ScaletoZero with Joseph South, Joe exclaimed that the ability to create users and roles at will is the advantage of the cloud as well as the security pitfall of cloud IAM!

To understand this, think about the cloud as a blank slate where developers and engineers can develop and design software, applications, and whatnot. As the cloud provides the required resources and support, developers can focus completely on development without worrying.

What about IAM here? Organizations often grant excessive permissions and overly permissive roles to individuals, including developers, engineers, third-party vendors, etc., just to speed up the development and deployment process. This is one of the important reasons why understanding how IAM works and getting the IAM architecture right becomes crucial even before other aspects of security come into the picture.

To conclude, we realized that IAM plays a major role in keeping your organizational workloads safe and secure by granting required permissions and roles.

How to deep dive into Identity and Access Management?

Joe recently shared an interesting case study from his friend’s company. They migrated to the cloud without a dedicated security team in place. Initially, they estimated having around 40,000 user accounts.

After a thorough review of their cloud environment, it turned out the organization had over 400,000 user accounts – a significant discrepancy from their initial estimate. This raises a crucial question: what would be the best course of action in such a scenario? We can help you navigate this situation!

In a cloud environment, tagging is important. Thus, a good security program in the cloud should have tags enforced on each asset of the cloud. Tagging will show you details such as who created the asset, who owns it, etc. This will help you find the owner of the accounts.

The next big move is to find all the accounts that have not been used for a specific period of time and are over-permissioned. For example, an account that has global admin permission and has not been used in a year.

Prepare a list of such roles and accounts, reach out to the teams that own them, and ask them questions like:

  • What accounts do you own?
  • What roles are required of this particular user group?
  • Can we combine any roles?
  • Can we combine any group here?
  • Can we have certain accounts and roles for a limited time period?
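One way to build the review list described above, as an added example that is not Cloudanix's code: it flags identities that are both unused for a year and hold an admin-level grant, and reports missing ownership tags so each finding can be routed to a team. The inventory records, field names, tag keys and one-year threshold are assumptions constructed for illustration; the three admin grant names are the AWS, Microsoft Entra and GCP terms for broad access.

```python
from datetime import datetime, timedelta, timezone

# Admin-level grants; each cloud uses a different name for broad access.
ADMIN_GRANTS = {"AdministratorAccess", "Global Administrator", "roles/owner"}
REQUIRED_TAGS = ("owner", "created_by")   # assumed tagging policy
STALE_AFTER = timedelta(days=365)         # "has not been used in a year"

# Constructed sample inventory; a real one would come from each cloud's IAM export.
INVENTORY = [
    {"name": "alice", "last_used": "2024-08-01T09:12:00+00:00",
     "grants": ["ReadOnlyAccess"], "tags": {"owner": "platform", "created_by": "alice"}},
    {"name": "old-breakglass", "last_used": "2023-02-10T00:00:00+00:00",
     "grants": ["AdministratorAccess"], "tags": {"owner": "secops", "created_by": "bob"}},
    {"name": "ci-deployer", "last_used": None,   # never used since creation
     "grants": ["roles/owner"], "tags": {}},
    {"name": "vendor-sync", "last_used": "2024-08-15T00:00:00+00:00",
     "grants": ["Global Administrator"], "tags": {"owner": "it"}},
]

def review(identity, now):
    """Return the list of findings for one identity."""
    findings = []
    last = identity["last_used"]
    # Assumption: an identity that was never used counts as stale.
    stale = last is None or now - datetime.fromisoformat(last) > STALE_AFTER
    admin = bool(ADMIN_GRANTS & set(identity["grants"]))
    missing = [t for t in REQUIRED_TAGS if not identity["tags"].get(t)]
    if stale and admin:
        findings.append("stale-admin")
    elif stale:
        findings.append("stale")
    if missing:
        findings.append("missing-tags:" + ",".join(missing))
    return findings

def build_review_list(inventory, now):
    """Identities with findings, stale admins first, then by name."""
    rows = [(i["name"], review(i, now)) for i in inventory]
    rows = [(n, f) for n, f in rows if f]
    return sorted(rows, key=lambda r: ("stale-admin" not in r[1], r[0]))

if __name__ == "__main__":
    now = datetime(2024, 8, 21, tzinfo=timezone.utc)
    for name, findings in build_review_list(INVENTORY, now):
        print(f"{name:16} {', '.join(findings)}")
```

An identity with a stale admin grant and no owner tag, like `ci-deployer` here, is the case where nobody can be asked the questions above, so it sorts to the top of the list.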

How to prioritize between identities?

Organizations should understand that “not all identities are user-generated identities i.e. human identities”. There are machine identities, human identities, third-party identities, etc. Resolving all of these requires a lot of time. So, before organizations even start to act on these identities, how can they prioritize them?

Organizations can start by prioritizing human identities first. After all, humans are the weakest link. From the full list of identities, preparing a list of active human identities and prioritizing it is crucial. This will help you understand the permissions they carry, their level of access, their roles, etc. Discuss with teams whether combining several roles and identities can help.

Following these steps will help you reduce the attack surface and prevent someone from getting access to your cloud or workload.

Machine identities (non-human) should also undergo scrutiny. You cannot deny the fact that every single cloud has a different term for how IAM gets set up.

Last but not least, third-party identities! Reviewing the access that third parties (vendors) have to your organization’s environment, why they have it, whether you are still in contract with them, and whether they still need access will help you determine if the permissions should be kept or revoked.

We have seen that organizations often forget to act on these permissions and roles from third-party vendors.

Conclusion

In the dynamic world of cloud computing, Identity and Access Management (IAM) has emerged as a critical component of security. While cloud providers offer robust IAM services, organizations must take proactive steps to ensure their cloud environments are adequately protected. By understanding the importance of IAM, identifying potential risks, and implementing effective security measures, organizations can safeguard their sensitive data and prevent unauthorized access.

Remember, IAM is not a one-time fix; it requires ongoing attention and continuous improvement. By prioritizing IAM and adopting best practices, organizations can build a strong security foundation and protect their cloud infrastructure from emerging threats.

Cloudanix IAM JIT is revolutionizing the way organizations manage and review their IAM internally as a team and with their regulatory authorities.
