7 Identity and Access Management Best Practices for 2020

12 December 2019 | Posted by Josh Bouk

Identity and access management (IAM) is one of the foundations of cloud security. As more organizations move to mobile-friendly and cloud-based platforms, controlling who can reach which data and services, and from where, becomes correspondingly more important.

As we move into a new decade, access management will not only be more important than ever, it may look different than it did even five years ago. So, as we look forward to 2020, here are seven best practices for managing effective enterprise-level access to your cloud.

7 Best Practices for IAM in 2020

If you manage a multidevice, multilocation hybrid set-up, adopt a policy that covers single sign-on, authentication and session management. Cloud platforms change quickly, so review that policy regularly rather than writing it once and filing it away.

1. Treat Identity as the Primary Security Perimeter

Where is the entry point to your network? Fifteen years ago, you could point to your firewall and say: “Here is our security threshold”. Today the cloud is reachable by anyone, from anywhere. More accessibility means more entry points, and that means we must rethink how we approach security. The perimeter now sits at the identity layer: verifying who, or what, is behind each request.

IAM policies need to adapt to the fluid boundaries of today’s technology. Strong authentication factors build a circle of trusted identities, and the way to enforce that circle is to layer verification: every request is authenticated and authorized before it is granted access, never assumed trustworthy because it arrived from inside the network.

2. Enforce Strong Passwords

Strong passwords have always been one of the foundations of an effective IAM strategy and will remain so. The reference for password policy is the National Institute of Standards and Technology (NIST), whose Digital Identity Guidelines (SP 800-63B) set out the following rules for user-chosen passwords.

NIST Password Guidelines

  • A minimum of eight characters, and allow passwords of at least 64 characters
  • Allow all printable characters, including spaces and Unicode, but do not require any particular class of them
  • Reject sequential and repetitive characters (e.g. 12345 or aaaaaa)
  • Reject context-specific passwords (e.g. the name of the site or the user’s own username)
  • Reject commonly used passwords (e.g. p@ssw0rd) and dictionary words
  • Reject passwords that appear in previous breach corpuses

The best passwords are easy to remember and hard to guess: if the user can picture it and nobody else can, it is a good password. That is why allowing special characters is useful but forcing them is not.

Composition rules push users toward passwords they cannot remember, which then get written down or reused across sites. The better approach is to reject the common passwords and their obvious variations (“p@ssw0rd”, “Password1”) and let users choose long, memorable passphrases instead.
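As an added example (this is not code from the original post), the following Python checker applies the NIST rules above together with the advice about variations of common passwords. The word lists and the breached-password hashes are constructed inline and stand in for the real corpora you would load in production; the breach lookup is laid out the way the Have I Been Pwned range API returns data (a SHA-1 prefix keyed to suffixes) so that only a five-character hash prefix would ever need to leave your server:

```python
import hashlib
import re

MIN_LENGTH = 8
MAX_LENGTH = 64   # NIST: permit at least 64; raise it if your hash allows (bcrypt truncates at 72 bytes)

# Constructed stand-ins for real corpora: load a real breach list and dictionary in production.
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "iloveyou", "admin"}
DICTIONARY_WORDS = {"summer", "dragon", "monkey", "football"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

# Breached passwords stored as SHA-1 digests split into a 5-hex-char prefix and the
# remaining 35 chars, the layout Have I Been Pwned's range API uses, so the lookup can
# be done k-anonymously (only the prefix leaves the host). These entries are constructed.
_BREACHED = {}
for _pw in ("Summer2019!", "Password1", "hunter2"):
    _h = hashlib.sha1(_pw.encode("utf-8")).hexdigest().upper()
    _BREACHED.setdefault(_h[:5], set()).add(_h[5:])

# Common substitutions that turn "p@ssw0rd" back into "password".
LEET = str.maketrans("@01345$7!", "aoieassti")


def has_sequence(s: str, n: int = 4) -> bool:
    """True if any n consecutive characters ascend or descend by one (abcd, 4321)."""
    for i in range(len(s) - n + 1):
        window = s[i:i + n]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def has_keyboard_run(s: str, n: int = 4) -> bool:
    """True if any n consecutive characters walk along a keyboard row (qwer, lkjh)."""
    s = s.lower()
    rows = KEYBOARD_ROWS + tuple(r[::-1] for r in KEYBOARD_ROWS)
    return any(s[i:i + n] in row for i in range(len(s) - n + 1) for row in rows)


def _strip_edges(s: str) -> str:
    """Drop leading/trailing digits and symbols so 'summer2019!' becomes 'summer'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def variants(password: str) -> set:
    """Normalised forms used to catch simple variations of banned words."""
    lower = password.lower()
    return {_strip_edges(lower.translate(LEET)), _strip_edges(lower).translate(LEET)}


def is_breached(password: str) -> bool:
    h = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return h[5:] in _BREACHED.get(h[:5], set())


def check_password(password: str, context_words=()) -> list:
    """Return the reasons a password is rejected; an empty list means it is accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if re.search(r"(.)\1\1", password):          # aaa, 111, ...
        reasons.append("repeated characters")
    if has_sequence(password) or has_keyboard_run(password):
        reasons.append("sequential characters")
    lower = password.lower()
    if any(w.lower() in lower for w in context_words):   # site name, username, ...
        reasons.append("contains a context-specific word")
    if variants(password) & (COMMON_PASSWORDS | DICTIONARY_WORDS):
        reasons.append("common password or dictionary word (including simple variations)")
    if is_breached(password):
        reasons.append("found in breach corpus")
    return reasons


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "P@ssw0rd123!", "Summer2019!"):
        print(repr(candidate), "->", check_password(candidate, context_words=("acme",)) or "accepted")
```

Note that the checker never demands a digit or a symbol, in line with NIST: a long passphrase of plain words passes, while short, patterned, leet-substituted or previously breached passwords fail. The 64-character cap is the minimum NIST asks you to permit; if your password hash has its own limit, set MAX_LENGTH to match it rather than letting longer input be silently truncated.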

3. Use Multifactor Authentication (MFA)

Multifactor authentication is the first step in creating layers of trust. On top of a credential only the user knows (usually a password), it requires proof from at least one further category:

  • Something they have
  • Something they are

Something they have could be a hardware security key, a smart card or an authenticator app on their phone. Something they are means biometric information such as fingerprints, facial or retina scans, or voice recognition. If one factor is compromised, a phished password say, an attacker still has at least one more barrier to get past before reaching your systems.

Location and time of day are useful additional signals, for example allowing access only from managed networks or during working hours, though they are context checks rather than factors in their own right. Factors from different categories defeat different attacks, so prefer one strong factor from each category over several of the same kind, and remember that every extra prompt is friction your users will try to route around.


4. Don’t Use Privileged Accounts for Day-to-Day Operations

Privileged accounts give their holders the power to do anything in your cloud environment. They are necessary for some tasks but should not be used for everyday work. Practising the principle of least privilege means using the right account for the right job. An administrator reading email or browsing from a privileged session is not malicious, but any phishing link they click or mistake they make now runs with full privileges, which is how accidental data breaches happen.

To help enterprises manage this, Azure AD offers Privileged Identity Management (PIM). PIM lets you make a user eligible for a role rather than permanently assigned to it; the user activates the role when it is needed, for a bounded period, with approval and a written justification if you require them.

So you can let a user hold an administrative role for 30 minutes, after which the assignment expires automatically. Granting privilege just in time like this means nobody needs to sit in a privileged account for everyday tasks, and the activation log tells you exactly when elevated rights were in use.

5. Use Groups for Defining Permissions

Using groups to define permissions is a practical necessity for enterprises. Organizations with thousands of users need a manageable way to grant and revoke cloud access.

Access policies written at the group level turn thousands of individual assignments into a small number of groups that share the same access. Users are typically grouped by department or job function and given the access they need for that job.

For example, everyone in the finance team sits in one group with access to the finance systems, while the sales team sits in another group with different access. Attaching permissions to groups rather than to individual users makes joiners and leavers a matter of group membership, and makes access reviews far easier, because you review a handful of group policies rather than thousands of per-user ones.

6. Never Embed Keys into Code or Instances

Storing keys in your code or on your instances might seem convenient, but it also exposes them to attackers. Anyone who can read the repository, its history, a build artifact or the instance’s disk can read the keys, and obfuscating or encrypting them in the code only moves the problem to wherever the decryption key lives. Best practice is to give the workload an identity instead of a secret: an AWS IAM role (instance profile), a GCP service account attached to the VM, or an Azure service principal, ideally a managed identity so that Azure issues and rotates the credential for you. Secrets that cannot be avoided, such as third-party API keys, belong in a secrets manager and are fetched at runtime rather than shipped with the code.
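As an added example (not from the original post), here is a small Python scanner of the kind that belongs in a pre-commit hook or CI pipeline to catch keys before they land in a repository. The vulnerable and hardened snippets it scans are constructed; the key pair in the vulnerable one is the placeholder pair used throughout AWS’s own documentation, not a live credential. The scanner combines a structured rule (AWS access key IDs have a fixed prefix and length) with a Shannon-entropy check on quoted values assigned to suspiciously named variables, which is the approach tools such as truffleHog use for generic secrets:

```python
import math
import re
from collections import Counter

# Constructed sample of the anti-pattern: credentials pasted straight into source.
# The key pair is the placeholder pair from AWS's own documentation, not a live key.
VULNERABLE_SOURCE = '''
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
client = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                      aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
password_hint = "the name of your first pet"
'''

# Same program without embedded credentials: boto3 falls back to its default credential
# chain, which on EC2 means the instance profile (IAM role) the instance was launched with.
HARDENED_SOURCE = '''
import boto3
client = boto3.client("s3")
'''

# Long-lived AWS access key IDs start with AKIA, temporary ones with ASIA; 16 chars follow.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A quoted literal of 16+ characters assigned to a suspiciously named variable.
SECRET_ASSIGNMENT = re.compile(
    r"""(?i)\b([a-z_]*(?:secret|token|password|api_?key|access_?key)[a-z_]*)\s*[=:]\s*['"]([^'"]{16,})['"]"""
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random base64-like material scores well above prose."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan(source: str, entropy_threshold: float = 4.0) -> list:
    """Return (line_number, finding_kind, detail) for each likely embedded credential."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append((lineno, "aws-access-key-id", m.group(0)))
        for m in SECRET_ASSIGNMENT.finditer(line):
            name, value = m.group(1), m.group(2)
            if AWS_KEY_ID.search(value):
                continue   # already reported by the structured rule above
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((lineno, "high-entropy-secret", name))
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SOURCE), ("hardened", HARDENED_SOURCE)):
        print(label, "->", scan(src) or "no findings")
```

The two rules are complementary: a 20-character key ID is too short and too structured to stand out by entropy alone, while a 40-character secret is random enough that the prose assigned to `password_hint` does not come near the 4.0 bits-per-character threshold. Scanning the working tree is not enough once a key has been committed; the history must be scanned too, and any key found there is treated as compromised and rotated, not merely deleted.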

7. Audit Access to Resources

Regularly reviewing access logs gives you visibility you cannot get any other way: who accessed what, from where and when, and which actions were taken on the account and its resources. AWS CloudTrail, GCP Cloud Audit Logs, and the Azure Activity Log and Azure AD sign-in logs record this for you, so the work lies in actually reading them (or alerting on them) rather than in collecting them. Look in particular for use of root or global administrator accounts, changes to IAM policies, and bursts of access-denied errors, which usually mean either a misconfiguration or someone probing for what they can reach.

Periodic access reviews make sure users still have the permissions their job requires and that inactive accounts are disabled. So when someone leaves your organization, you know their access is revoked; when they change role, their old access goes with the old role; and when new staff join, they get the access they need to do their jobs.
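As an added example (not from the original post), here is a Python script that runs the checks described above over CloudTrail-style records: root account activity (the concern of best practice 4), changes to IAM policies, bursts of AccessDenied errors, and accounts with no activity in 90 days. The records, the user list and the reference date are constructed inline, using the documentation IP ranges and a placeholder account ID; real CloudTrail events carry many more fields than the ones read here:

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail-style records (documentation IP ranges, placeholder account id).
# Real trails have many more fields; only the ones this audit reads are included.
_bob_denied = [
    {"eventTime": f"2019-12-03T11:00:0{i}Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.9"}
    for i in range(6)
]
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2019-12-01T08:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2019-12-01T09:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2019-12-02T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2019-08-01T12:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "sourceIPAddress": "198.51.100.8"},
] + _bob_denied})

KNOWN_USERS = ["alice", "bob", "carol", "dave"]          # constructed IAM user listing
REFERENCE_NOW = datetime(2019, 12, 12, tzinfo=timezone.utc)   # fixed "now" for the demo

# IAM API calls that change who can do what; each should map to an approved change.
IAM_CHANGE_EVENTS = {"AttachUserPolicy", "PutUserPolicy", "CreateAccessKey",
                     "AddUserToGroup", "AttachRolePolicy", "UpdateAssumeRolePolicy"}


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def principal(record: dict) -> str:
    """Name the actor: 'root' for the account root, otherwise the IAM user name."""
    ident = record["userIdentity"]
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName", ident.get("arn", "unknown"))


def load_records(trail_json: str) -> list:
    return json.loads(trail_json)["Records"]


def audit(records, known_users, now, inactive_days=90, denied_threshold=5) -> dict:
    """Four checks a periodic access review would start with."""
    root_activity, iam_changes = [], []
    denied = Counter()
    last_seen = {}
    for rec in records:
        who = principal(rec)
        when = parse_time(rec["eventTime"])
        last_seen[who] = max(when, last_seen.get(who, when))
        if who == "root":
            root_activity.append((rec["eventTime"], rec["eventName"], rec["sourceIPAddress"]))
        if rec["eventName"] in IAM_CHANGE_EVENTS:
            iam_changes.append((rec["eventTime"], who, rec["eventName"]))
        if rec.get("errorCode") == "AccessDenied":
            denied[who] += 1
    cutoff = now - timedelta(days=inactive_days)
    # A user absent from the logs entirely counts as inactive, hence the default below the cutoff.
    inactive = sorted(u for u in known_users
                      if last_seen.get(u, cutoff - timedelta(days=1)) < cutoff)
    return {
        "root_activity": root_activity,
        "iam_changes": iam_changes,
        "access_denied_bursts": {u: n for u, n in denied.items() if n >= denied_threshold},
        "inactive_users": inactive,
    }


if __name__ == "__main__":
    for kind, finding in audit(load_records(SAMPLE_TRAIL), KNOWN_USERS, REFERENCE_NOW).items():
        print(f"{kind}: {finding}")
```

Point the same logic at a real trail by replacing SAMPLE_TRAIL with the contents of the gzipped JSON files CloudTrail delivers to S3, and KNOWN_USERS with the output of an IAM user listing. The inactive-user check needs that listing: an account that never appears in the logs is exactly the one the logs alone will never show you.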

Balancing Accessibility & Security

Best-practice IAM measures walk the line between accessibility and security. When you plan an IAM program, remember that one of the core benefits of the cloud is its accessibility. Security controls that get in the way of work create barriers to productivity, and users respond by routing around them with shared accounts, reused passwords and saved credentials, which leaves you with less security, not more. The practices above earn their place because they raise the cost for an attacker far more than they raise the cost for a legitimate user.


Topics: Security, Cloud Management Services
