Identity and Access Management (IAM) has moved from a back-office hygiene task to the primary control layer for modern cloud defense. In the cloud, where resources are often exposed to the internet by default, identity functions as the “new perimeter”.
We recently spoke with Joseph South, Principal Cloud Security Engineer at Volkswagen Financial Services and host of the Security Unfiltered podcast, about navigating the complexities of Cloud IAM. This guide captures the strategic and tactical lessons from that conversation.
You can read the complete transcript of the epiosde here >
Why is IAM Still Not “Solved” After a Decade?
While Cloud IAM was one of the first services introduced by major providers, it remains one of the most challenging areas to secure.
- The Exposure Gap: Unlike on-premises environments shielded by firewalls, cloud portals (like AWS or Azure) are accessible via the internet. An attacker only needs valid credentials to bypass traditional network defenses.
- The Okta/MGM Effect: High-profile breaches involving leaders in Single Sign-On (SSO) have brought IAM to the forefront of executive attention. It is now clear that even legitimate logins can wreak havoc if they are overly permissive.
- Account Explosion: The ease of creating users and roles allows cloud environments to explode in complexity before security teams are even formed. Joe highlights an example where a young company unknowingly created 400,000 accounts in just one year.
What Foundational Questions Should Start an IAM Journey?
Joe recommends starting with two critical organizational questions before touching any technical configurations:
- How will the environment be used? Define your different environments—such as QA, development, and production—as this structure dictates your IAM logic.
- How will the organization be structured? Align IAM policies with your business units and teams to ensure access control follows the actual flow of the business.
How Should Organizations Prioritize Security Configurations?
When faced with a “maddening” number of accounts, prioritization is essential to reducing the attack surface.
1. Human Identities
- Priority: Highest
- Recommended Action: Consolidate duplicate roles and audit for “global admin” permissions on accounts that don’t need them.
2. Machine/Service Accounts
- Priority: High Priority due to High Risk
- Recommended Action: Lock down permissions for service-to-service communication (e.g., S3 to EC2) to prevent a single public bucket from becoming a foothold for lateral movement.
3. Third-Party Accounts
- Focus: Compliance & Cleanup
- Recommended Action: Perform regular attestations to verify if contracts are still active; often, vendors retain access long after their engagement has ended.
How Can Security Leaders Balance Least Privilege with Business Speed?
“Least privilege” is often the most difficult goal to achieve because overly restrictive controls can slow down innovation.
- The Department of “Yes, But”: Security should not just say “no”. Instead, enable developers to build by offering alternatives (e.g., “Yes, you can have a public bucket, but we are going to secure it this specific way”).
- Executive Buy-In: Security leaders must secure an agreement from business executives that secure deployment is a prerequisite for protecting reputation and avoiding fines.
- Policy and Partnership: Once a baseline policy is created, work hands-on with developers to guide them on how to build securely rather than just policing them.
What are the Warning Signs of Sophisticated Phishing?
Traditional security training focusing on “looking for links” is no longer enough because attackers are evolving their psychological tactics.
- Rapport-Based Attacks: Modern phishing often involves no links. Attackers may initiate conversations from what appear to be internal addresses to build rapport before eventually asking for sensitive information or a phone call.
- The “Nugget” Strategy: Much like compromising government agents, attackers start with small, seemingly insignificant requests—like a name or a payroll clarification—to build trust before escalating to a compromise.
What are the Top 5 Considerations for a Mature IAM Program?
For organizations looking to move from chaos to a graduate-level security posture, Joe recommends these five pillars:
- Least Privilege: Ensure every decision is based on “do I truly need this?”.
- Addressing Overly Permissive Roles: Audit roles that grant more access than necessary for the task.
- Reducing Overly Used Roles: Lower the probability of a compromised account having broad access by breaking down massive, multi-purpose roles.
- Privileged Account Management: Adopt low-level privilege accounts for daily use and use Just-in-Time (JIT) escalation only when root-level access is required.
- Multi-Factor Authentication (MFA): In 2023, MFA is a baseline requirement; if you don’t have it, “you’re not even in the game”.
Conclusion: Taming the Cloud Identity Nightmare
Cloud IAM is a “song and dance” that requires constant navigation between technical rigor and organizational enablement. As identity becomes the definitive perimeter, organizations must move away from manual “click-ops” and embrace rigorous tagging, automated role consolidation, and context-aware authentication. By fostering a culture of hands-on partnership with developers and educating employees on the new wave of psychological phishing, organizations can successfully unravel the complexities of the cloud and build a truly resilient security posture.
