Identity and access management (IAM) is one of the foundations of cloud security. As more organizations turn to mobile-friendly and cloud-based platforms, the need to provide a safe and secure place to store identifiable information becomes more important.
Last year, the pandemic forced many organizations to shift large sections of their workforce to remote environments. And this abrupt change in working highlighted several security and business continuity concerns for many IT stakeholders.
So, as we look forward to a new normal in 2021 and beyond, here are seven best practices for managing effective enterprise-level access to your cloud.
7 Best Practices for IAM in 2021
If you manage a multidevice, multilocation hybrid setup, write a policy that covers single sign-on, authentication and session management, and review it regularly: cloud services and access patterns change quickly, and a policy written once rarely fits for long.
1. Treat Identity as Primary Security Perimeter
Where is the entry point to your network? Fifteen years ago, you could point to your firewall and say: “Here is our security threshold”. But today, the cloud offers access to anyone, anywhere.
The shift to remote working, together with far broader access for users, has multiplied the entry points into your environment, so the way you approach security has to change with it. Identity, and the verification of that identity at the user level, is where today's security perimeter really lies.
IAM policies need to adapt to the fluid boundaries of today's technology. Strong authentication factors build a circle of trusted identities, and the way to enforce that circle is to verify every identity and device before granting access, rather than trusting anything because of where on the network it connects from.
2. Enforce A Strong Password Policy
Strong passwords remain one of the foundations of an effective IAM strategy. Current best practice for password rules comes from the National Institute of Standards and Technology (NIST), Special Publication 800-63B (Digital Identity Guidelines).
NIST Password Guidelines
- A minimum of eight characters, and accept passwords of at least 64 characters
- Allow all special characters (and spaces) but impose no composition rules requiring them
- Reject sequential and repetitive characters (e.g. 12345 or aaaaaa)
- Reject context-specific passwords (e.g. the name of the site, the username, the company)
- Reject commonly used passwords (e.g. p@ssw0rd) and dictionary words
- Reject passwords that appear in previous breach corpora
The best passwords are easy to remember but hard to guess. If your user can picture it in their head and no one else can, it's a good password. That's why allowing special characters is good but enforcing them is not.
Composition rules that force special characters produce passwords that are hard to remember and likely to be written down or reused, and attackers already try the predictable substitutions. Best practice is to screen out common passwords and their variations and otherwise let users choose freely, including long passphrases. NIST also advises against forced periodic changes: require a new password only when there is evidence of compromise, and allow paste so that password managers work.
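The NIST screening rules above are straightforward to turn into code. The following is an added example, not code from the original article: a password screener that applies the length bounds, the repetitive and sequential checks, the context check and a blocklist lookup, with leetspeak folding so that "P@ssw0rd" is judged as "password". The blocklist and dictionary entries are constructed stand-ins; a real deployment would load a breach list and a wordlist instead.

```python
import re
import unicodedata

MIN_LENGTH = 8    # SP 800-63B: user-chosen secrets must be at least 8 characters
MAX_LENGTH = 64   # verifiers must accept at least 64; this is the cap used here, not a hard limit

# Constructed stand-ins for a breach corpus and a dictionary (a few entries each).
# A real deployment loads these from a breach list (e.g. the Have I Been Pwned
# k-anonymity API) and a wordlist instead of hard-coding them.
COMMON_OR_BREACHED = {"password", "p@ssw0rd", "123456", "qwerty", "letmein", "iloveyou"}
DICTIONARY = {"sunshine", "dragon", "monkey", "football", "welcome"}

# Leetspeak folding so "P@ssw0rd" is judged as "password".
_FOLD = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})


def _has_sequential_run(pw, run=4):
    """True for runs like 'abcd', '1234' or '4321' (consecutive code points)."""
    for i in range(len(pw) - run + 1):
        diffs = {ord(pw[j + 1]) - ord(pw[j]) for j in range(i, i + run - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def _comparison_forms(pw):
    """Lower-cased, leet-folded and letters-only variants to test against the blocklists."""
    lower = pw.lower()
    folded = lower.translate(_FOLD)
    return {lower, folded, re.sub(r"[^a-z]", "", folded)}   # 'Dragon99' -> 'dragon'


def check_password(password, context=()):
    """Return the NIST screening rules the password violates; an empty list means accept.

    context: strings tied to the account or service (username, company, site name)
    that must not appear in the password.
    """
    # SP 800-63B recommends NFKC or NFKD normalisation so the same visual string
    # is always compared and hashed the same way.
    pw = unicodedata.normalize("NFKC", password)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    if len(pw) > MAX_LENGTH:
        reasons.append("too_long")
    if re.search(r"(.)\1{3}", pw):
        reasons.append("repetitive")
    if _has_sequential_run(pw):
        reasons.append("sequential")
    forms = _comparison_forms(pw)
    if forms & COMMON_OR_BREACHED:
        reasons.append("common_or_breached")
    if forms & DICTIONARY:
        reasons.append("dictionary_word")
    # Context words of four or more characters anywhere in the password are rejected.
    words = {w for c in context for w in re.findall(r"[a-z0-9]+", c.lower()) if len(w) >= 4}
    if any(w in f for w in words for f in forms):
        reasons.append("context_specific")
    return reasons


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "aaaa1234", "Acme-Cloud2021", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate, context=['Acme Cloud']) or 'accepted'}")
```

Note that the screener never complains about a missing digit or symbol: a 28-character passphrase of plain words passes, while an eight-character string that hits every composition rule but folds to a breached password does not.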
3. Use Multifactor Authentication (MFA)
Multifactor authentication is the first step in creating layers of trust. A password is something the user knows; MFA adds at least one independent factor from another category:
- Something they have: a hardware token or smart card, or a phone running an authenticator app
- Something they are: a biometric such as a fingerprint, face or voice
These are the three classic factor categories (knowledge, possession, inherence). Two passwords are not two factors: the factors must come from different categories so that one compromise does not expose both.
Multifactor authentication means that a stolen or phished password alone no longer gets an attacker in; they still have at least one more barrier to breach.
Location, time of day and device posture are often added as contextual signals (adaptive or risk-based authentication), but they constrain when a login is allowed rather than prove who is logging in. Adding factors has diminishing returns; the strength of the method matters more than the count. A FIDO2/WebAuthn security key or smart card resists phishing, whereas a one-time code sent over SMS can be phished or intercepted, which is why NIST SP 800-63B restricts SMS-based out-of-band authentication.
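The "something they have" factor most users carry is a software authenticator generating time-based one-time passwords. The following is an added example, not code from the original article, showing how the verifier side works: RFC 4226 HOTP, RFC 6238 TOTP on top of it, and a verification routine that tolerates one step of clock drift, compares in constant time and refuses to accept the same step twice (replay). The base32 enrolment secret in the demo is constructed.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, for_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, for_time // step, digits)


def verify_totp(key, code, now, last_step, window=1, step=STEP_SECONDS):
    """Verify a submitted code.

    Returns the time step the code belongs to on success, or None. Accepts codes from
    `window` steps either side of now (clock drift), compares in constant time, and
    rejects any step <= last_step so a code seen once cannot be replayed while it is
    still inside the window. The caller persists the returned step as the new last_step.
    """
    current = now // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_step:
            continue
        if hmac.compare_digest(hotp(key, candidate), str(code)):
            return candidate
    return None


def key_from_base32(secret: str) -> bytes:
    """Authenticator apps are enrolled with a base32 secret; decode it (padding is often omitted)."""
    s = secret.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    # Constructed enrolment secret for the demo, not a real account's.
    key = key_from_base32("JBSWY3DPEHPK3PXP")
    now = int(time.time())
    code = totp(key, now)
    print("code:", code, "-> accepted at step", verify_totp(key, code, now, last_step=-1))
```

The replay guard is the part most home-grown verifiers miss: without it, a code captured by a phishing page remains valid for the rest of its 30-second step plus the drift window, which is exactly the interval a real-time relay attack needs.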
4. Don’t Use Privileged Accounts for Day-to-Day Operations
Privileged accounts carry broad, often unrestricted rights over your cloud environment. They are necessary for some tasks but should not be used for everyday work. Practising the principle of least privilege means using the right account for the right job: an administrator reading email or running routine scripts from a global admin account is one phished link or one mistyped command away from a data breach, with no bad intent required.
To help enterprises manage this, Azure AD offers Privileged Identity Management (PIM), which makes privileged roles eligible rather than permanently assigned: a user activates the role when needed, optionally after MFA and an approval, for a bounded time.
So you can grant a user a role for 30 minutes, an hour, or however long the task needs, after which the assignment expires automatically. The same just-in-time pattern exists on the other clouds, for example assuming an AWS IAM role and receiving STS credentials that expire at the end of the session. Time-bound access of this kind removes the need to sign in with standing privileged accounts for everyday tasks, and it is especially useful for remote users because it limits the window in which elevated rights exist at all.
5. Use Groups for Defining Permissions
Using groups to define permissions is a logistical best practice for enterprises: an organization with thousands of users needs a manageable way to administer cloud access.
Access policies written at the group level turn thousands of individual assignments into a small number of groups with the same access. Users are typically grouped by role or department and given the access that job requires.
For example, everyone in the finance team will be in one group with access to specific things, while your sales teams will be in another group with different access. Attach policies to groups rather than to users, so that a joiner or a mover is handled by changing group membership alone, and review group memberships periodically, since a group's effective permissions tend to grow over time. Using groups rather than users to define permissions takes a huge amount of hassle out of identity and access management.
6. Never Embed Keys into Code or Instances
Storing access keys in source code, configuration files or instance images may seem convenient, but anything committed to a repository also lives in its history, forks, CI logs and build artefacts, and a leaked long-lived key works from anywhere until it is rotated.
Encrypting or obfuscating the key inside the code does not fix this: the code needs the means to decrypt it, so an attacker who obtains the code or a running instance can too. Best practice is to give the workload an identity instead of a key: an AWS IAM role attached to the instance, task or function, a GCP service account attached to the workload, or an Azure managed identity (a service principal whose credential the platform manages for you). The SDKs obtain short-lived credentials from these automatically, so the code contains no secret at all. For secrets that cannot be removed this way, such as a third-party API key, use a secrets manager and scan commits for credential patterns so a slip is caught before it ships.
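Catching embedded keys before they reach a repository is a mechanical check. The following is an added example, not code from the original article: a small scanner with rules for well-known credential formats (the AWS access key ID prefix, PEM private key headers, GCP service account JSON) plus a generic rule for a secret-looking name assigned a long high-entropy literal. The snippet it scans is constructed; the AWS values in it are the placeholder key pair AWS uses in its own documentation, not live credentials.

```python
import math
import re

# Rules for well-known credential formats. The AWS key-ID prefixes (AKIA for long-lived
# keys, ASIA for STS temporary keys) are documented; the others are structural markers.
RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    "gcp_service_account_json": re.compile(r'"type"\s*:\s*"service_account"'),
}
# Generic rule: a secret-looking identifier assigned a long quoted literal; confirmed by entropy.
GENERIC = re.compile(
    r"(?i)(?:secret|token|password|api[_-]?key)\w*\s*[=:]\s*['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
ENTROPY_THRESHOLD = 3.5   # bits per character; tune for your code base


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score well above English words or placeholders."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value: str, keep: int = 4) -> str:
    """Never echo the whole secret into a finding or a CI log."""
    return value[:keep] + "..." if len(value) > keep else "..."


def scan_text(text: str, source: str = "<string>"):
    """Return (source, lineno, rule, redacted_match) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if m:
                findings.append((source, lineno, rule, redact(m.group(0))))
        m = GENERIC.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append((source, lineno, "generic_high_entropy_secret", redact(m.group(1))))
    return findings


# Constructed snippet to scan. The AWS pair is the placeholder AWS uses in its documentation.
SAMPLE_SOURCE = '''import boto3

# bad: long-lived credentials baked into the code
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
s3 = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                  aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
GCP_SA = '{"type": "service_account", "project_id": "demo"}'

# good: no credentials in the source; the SDK picks up the instance/role credentials
s3 = boto3.client("s3")
'''

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_SOURCE, "app.py"):
        print(*finding)
```

Run against the constructed snippet it flags lines 4, 5 and 8 and says nothing about the hardened `boto3.client("s3")` call, which is the point: with a role attached to the workload there is simply nothing in the file for a scanner, or an attacker, to find.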
7. Regularly Audit Resource Access
Regularly reviewing access logs is the detective control behind everything above. You can see who accessed what, when, and from where, and pick out actions that should not have happened: use of the root or global admin account, console logins without MFA, or privilege changes outside a change window. AWS CloudTrail, Google Cloud Audit Logs, and the Azure Activity Log and Azure AD sign-in logs record this activity, which makes auditing access relatively straightforward, provided the logs are retained and someone actually reads them.
Access reviews also make sure users still have the permissions their current job needs and that inactive accounts are disabled. So, when someone leaves your organization, you know their access is revoked, and when new staff join, they have the access they need to do their jobs.
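The two halves of an access review, looking for events that should not have happened and looking for accounts that should no longer exist, can both be scripted. The following is an added example, not code from the original article, written against AWS's formats: it triages CloudTrail-style records for root account use and successful console logins without MFA, then reads an IAM credential report to flag accounts idle for more than 90 days and password users without MFA. The events and the report rows are constructed; the field and column names follow the real CloudTrail record schema and credential report, but the report is a subset of the real columns.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed CloudTrail-style records (not captured from a real account). Field names follow
# CloudTrail's schema: userIdentity.type, eventName, additionalEventData.MFAUsed and
# responseElements.ConsoleLogin are the ones the triage relies on.
EVENTS = [
    {"eventTime": "2021-05-03T08:12:44Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2021-05-03T09:01:02Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2021-05-04T22:47:19Z", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2021-05-05T10:00:00Z", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.10"},
]


def triage_events(events):
    """Return (eventTime, rule, subject) for events an access review should look at."""
    findings = []
    for e in events:
        ident = e.get("userIdentity", {})
        if ident.get("type") == "Root":
            findings.append((e["eventTime"], "root_account_used", e["eventName"]))
        if e.get("eventName") == "ConsoleLogin":
            success = e.get("responseElements", {}).get("ConsoleLogin") == "Success"
            mfa_used = e.get("additionalEventData", {}).get("MFAUsed") == "Yes"
            if success and not mfa_used:
                findings.append((e["eventTime"], "console_login_without_mfa", ident.get("userName")))
    return findings


# Constructed subset of an IAM credential report. The real report has more columns
# (access_key_2_*, cert_*) and a "<root_account>" row, omitted here; the account ID is a placeholder.
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_used_date
alice,arn:aws:iam::123456789012:user/alice,2020-11-02T09:00:00+00:00,true,2021-05-28T07:45:00+00:00,2021-03-01T09:00:00+00:00,true,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2020-06-10T09:00:00+00:00,true,2021-01-15T16:20:00+00:00,2020-06-10T09:00:00+00:00,false,true,2021-01-20T11:05:00+00:00
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2021-02-01T09:00:00+00:00,false,N/A,N/A,false,true,2021-05-30T23:59:00+00:00
carol,arn:aws:iam::123456789012:user/carol,2021-02-01T09:00:00+00:00,true,no_information,2021-02-01T09:00:00+00:00,true,false,N/A
"""

NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)   # review date, fixed so the example is reproducible


def _parse_ts(value):
    """Credential reports use 'N/A' and 'no_information' where there is no timestamp."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def review_credential_report(report_csv, now, max_idle_days=90):
    """Flag users idle for more than max_idle_days and password users without MFA."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        activity = [ts for ts in (_parse_ts(row["password_last_used"]),
                                  _parse_ts(row["access_key_1_last_used_date"])) if ts]
        # An account that has never been used is measured from creation, not treated as fresh.
        last_seen = max(activity) if activity else _parse_ts(row["user_creation_time"])
        if (now - last_seen).days > max_idle_days:
            findings.append((row["user"], "inactive_account"))
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((row["user"], "password_without_mfa"))
    return findings


if __name__ == "__main__":
    for f in triage_events(EVENTS) + review_credential_report(CREDENTIAL_REPORT, NOW):
        print(*f)
```

Note how the two views reinforce each other: bob shows up in the logs signing in without MFA and in the report as an idle account that never enrolled one, while carol, who has never signed in at all, only appears in the report, which is why the review cannot rely on logs alone.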
Balancing Accessibility & Security
Best practice IAM measures walk the line between access and security. When you're thinking about your IAM program, remember that one of the core benefits of the cloud is its accessibility. Every additional control adds friction, and friction that blocks productivity erodes the value and flexibility you adopted the cloud for; it also pushes users toward workarounds that are worse than the control itself.
As reliance on the cloud keeps growing in the coming years, the task is to find a balance between easy access for remote users and keeping critical infrastructure, devices and accounts secure.
Discover how to address and overcome common cloud management mistakes in our handy cloud management guide.