Although identity and access management (IAM) solutions do a good job of controlling who has access to services and resources in the cloud, many businesses need to implement a system of identity governance in the cloud in order to provide further safeguards against unauthorized access and data loss.
Most businesses are aware of the difference between cloud management and cloud governance, but not necessarily aware of the difference between identity management and identity governance in the cloud—or, indeed, that there is a difference. This is most likely due to Cloud Service Providers supplying a range of excellent tools to securely manage access to services and resources, giving businesses reason to believe they have identity governance in the cloud covered. However, that’s not always the case.
If you are not familiar with the difference between cloud management and cloud governance, you can read up on the topic in our eBook “Accelerate Your AWS Journey to Reach Cloud Maturity”.
The difference between identity management and identity governance in the cloud
Identity and access management in the cloud usually consists of managing who has access to which services and resources in the cloud, and sometimes when (e.g. only during working hours) and from where (e.g. only from a defined range of IP addresses). Part of this role is to apply IAM best practices, such as least privilege and the use of groups or roles rather than directly attached user policies, in order to enhance cloud security and help prevent unauthorized access and data loss.
A level up from identity and access management is identity governance in the cloud. This consists not only of creating policies about who should be allowed access to services and resources (and when and from where), but also monitoring compliance with the policies, auditing the policies, analyzing their effectiveness, and amending them as necessary to provide further safeguards as required.
How to monitor identity and access management policies
Monitoring compliance with identity and access management policies should be straightforward if the policies have been applied correctly. However, mistakes happen, especially when a large number of complex policies are in use, so it is always worth verifying that the policies and best practices have actually been applied as intended, rather than assuming so, to avoid unforeseen lapses in cloud security.
How you monitor identity and access management policies will depend on factors such as the monitoring tools available, the business's risk appetite, the time available for monitoring, and the skill of the person(s) doing it. If, for example, you operate in the AWS Cloud, the relevant sources include CloudTrail (a record of API calls: which principal called which action, when, from which source IP address, and whether the call was denied), CloudWatch (metric filters and alarms over those events), AWS Config (a history of IAM configuration that can be evaluated against rules), and the access logs of S3 and CloudFront (who read or wrote which objects, and from where).
Using these sources, you can audit the source IPs of specific activities, the date and time they occurred, and which attempted activities failed due to inadequate permissions (in CloudTrail, these appear as events with an error code such as AccessDenied). A denied call is worth a second look either way: it may show a policy that is tighter than a legitimate user expected, or a user probing beyond their role. Permissions that are granted but never exercised are the other half of the picture; IAM's service last accessed data shows which services a principal has not touched. By analyzing the results of the audit for anomalies and for users with unnecessary permissions, you can fine-tune identity and access management policies to provide further safeguards against unauthorized access and data loss.
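The following is an added example, not code from the original article or from any vendor, of the kind of audit described above run over a handful of constructed CloudTrail-shaped records. It flags calls that were denied for lack of permission, calls from outside an allowed network, and calls outside working hours. The allowed network (203.0.113.0/24, a documentation range), the 08:00 to 18:00 UTC working window, the set of denial error codes, and the sample events themselves are all assumptions made for the example.

```python
"""Audit constructed CloudTrail records for denied calls, off-network and off-hours activity.

Added example. The sample events are constructed, not real CloudTrail output, and the
allowed network, working hours and denial codes are assumptions for illustration.
"""
import ipaddress
from collections import Counter
from datetime import datetime, time

# Assumed access policy: human access only from the corporate range, 08:00-18:00 UTC.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # RFC 5737 documentation range
WORK_START, WORK_END = time(8, 0), time(18, 0)
# Error codes that indicate the caller lacked permission (the exact code varies by service).
DENIAL_CODES = {"AccessDenied", "AccessDeniedException", "Client.UnauthorizedOperation"}


def _event(user, when, source, name, ip, error=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    rec = {"userIdentity": user, "eventTime": when, "eventSource": source,
           "eventName": name, "sourceIPAddress": ip, "awsRegion": "us-east-1"}
    if error:
        rec["errorCode"] = error
    return rec


ALICE = {"type": "IAMUser", "userName": "alice"}
BOB = {"type": "IAMUser", "userName": "bob"}
DEPLOY = {"type": "AssumedRole",
          "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "deploy-role"}}}
CONFIG_SVC = {"type": "AWSService", "invokedBy": "config.amazonaws.com"}

SAMPLE_RECORDS = [  # constructed
    _event(ALICE, "2024-05-14T09:12:33Z", "iam.amazonaws.com", "ListUsers", "203.0.113.10"),
    _event(BOB, "2024-05-14T09:15:02Z", "s3.amazonaws.com", "GetObject", "203.0.113.22",
           "AccessDenied"),
    _event(BOB, "2024-05-14T22:40:11Z", "s3.amazonaws.com", "ListBuckets", "198.51.100.7"),
    _event(DEPLOY, "2024-05-14T10:01:45Z", "ec2.amazonaws.com", "RunInstances", "203.0.113.50",
           "Client.UnauthorizedOperation"),
    _event(ALICE, "2024-05-14T17:59:59Z", "sts.amazonaws.com", "GetCallerIdentity", "203.0.113.10"),
    _event(CONFIG_SVC, "2024-05-14T03:00:00Z", "s3.amazonaws.com", "GetBucketPolicy",
           "config.amazonaws.com"),
]


def principal_name(record):
    """Resolve the human-meaningful principal behind a record (user, role, or AWS service)."""
    ident = record["userIdentity"]
    kind = ident.get("type")
    if kind == "IAMUser":
        return ident["userName"]
    if kind == "AssumedRole":
        return ident["sessionContext"]["sessionIssuer"]["userName"]
    if kind == "AWSService":
        return ident.get("invokedBy", "aws-service")
    return ident.get("arn", kind or "unknown")


def is_service_call(record):
    return record["userIdentity"].get("type") == "AWSService"


def from_allowed_network(ip_text):
    """True if the source is an IP address inside an allowed network.
    Service-initiated calls carry a hostname in sourceIPAddress, which parses as not-an-IP."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_NETWORKS)


def within_work_hours(event_time):
    t = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").time()
    return WORK_START <= t < WORK_END


def audit(records):
    """Return (principal, eventTime, eventName, reason) findings for every policy deviation."""
    findings = []
    for r in records:
        who = principal_name(r)
        if r.get("errorCode") in DENIAL_CODES:
            findings.append((who, r["eventTime"], r["eventName"], "denied: " + r["errorCode"]))
        if is_service_call(r):
            continue  # no user IP or working hours to check for service-to-service calls
        ip = r.get("sourceIPAddress", "")
        if not from_allowed_network(ip):
            findings.append((who, r["eventTime"], r["eventName"],
                             "source %s outside allowed networks" % ip))
        if not within_work_hours(r["eventTime"]):
            findings.append((who, r["eventTime"], r["eventName"], "outside working hours"))
    return findings


def denials_by_principal(records):
    """Count permission-denied calls per principal; repeat offenders deserve a closer look."""
    return Counter(principal_name(r) for r in records if r.get("errorCode") in DENIAL_CODES)


if __name__ == "__main__":
    for f in audit(SAMPLE_RECORDS):
        print("%-22s %s %-18s %s" % f)
    print(dict(denials_by_principal(SAMPLE_RECORDS)))
```

On the sample data this reports bob's denied GetObject, the deploy-role session's denied RunInstances, and bob's ListBuckets call flagged twice (from an unknown network and late at night); the Config service call is excluded from the network and hours checks because its source is a service hostname, not a user's IP. Against real logs you would read the records from the CloudTrail JSON files in S3 (each file has a top-level `Records` list) and feed them to `audit` unchanged.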
Simplifying the monitoring, auditing, and analyzing process
The process of monitoring, auditing, and analyzing the effectiveness of identity and access management policies can be laborious depending on the number of users, the complexity of the policies, the business's risk appetite, and, in particular, the skill of the person(s) doing the monitoring. You need a person with an understanding of networking, operating systems, and operational controls to execute the process competently; otherwise your identity governance in the cloud could be vulnerable to human error.
Could that person's experience be put to better use within your business? More than likely. It is therefore a good idea to simplify the identity governance process by automating as much of it as possible. One way to do this is with a cloud management platform such as CloudHealth by VMware, which can be configured to alert you to anomalies such as a user who is not assigned to any IAM group, and to events such as attempted activities that failed due to inadequate permissions. Try CloudHealth's alerts and IAM groups for yourself with a free trial.