
Identity Access Management: Security Principle of the month

Updated: Aug 28, 2020

Managing and protecting IAM is really protecting the crown jewels when it comes to Cloud hosting.

By compromising an authorised user's digital identity and intruding upon his or her access with common vulnerabilities and attacks, attackers gain the quickest path to the enterprise's crown jewels: sensitive and proprietary data. Once, privileged access was considered the preserve of administrators charged with keeping the systems running. Today, technology innovations mean that privileged access is everywhere. Any privileged account security programme requires change management: it is not a plug-and-play implementation, but rather needs to be carefully managed. It must be pervasive throughout the organisation so that there are no blind spots, and everyone in the organisation must be made aware of its importance. While all of this is good practice to implement at an enterprise level, I'll try to highlight a few key technical points for securing IAM.

The guiding Principle is:

Access to the CSP resources must be strictly controlled, to ensure that only those with a required need to access such services are permitted, and that only the appropriate level of access is allowed.

  • Lock away and protect 'Root' access keys securely, along with MFA and a 'break glass' process

  • Use IAM-defined policies to assign permissions to Groups. Enhance policies' security by using 'Policy Conditions'

  • Maintain an appropriate access level to service interfaces and data by following the PoLP, implementing RBAC and attaching it to a JML process

  • Regularly review and monitor all IAM policies and permissions

  • Implement strong password policies

  • Engage with the PAM (Privileged Access Management) team or implement a PAM solution, for protecting assets in sensitive/production environments

  • Enable MFA for privileged (or all) users access (based on the use-case)

  • Use Roles for Apps/Code running on an Instance/VM, and 'Assume' Roles for Cross-Account/3rd Party user access, instead of using/sharing credentials

  • Rotate credentials regularly and often, and remove unused ones

  • Use Federation and SSO where applicable

  • Consider segmentation between the app and DB layer; access given to an app should be limited to the required part of a DB, rather than wide access across all data within it




*The "Security Principle Of The Month" posts are a series of short articles aimed at helping and guiding the security SME, whether a consultant reviewing a solution design proposal or a DevSecOps engineer deploying a solution, by listing key points of various security controls that should be considered for the proposed solution or for an existing product/environment. This list should be used as a 'complementary' list to any other security controls and strategies already in use within solutions.



Sources:

- (ISC)² CCSP certification exam materials

- 'AWS Certified Security Speciality' certification exam materials

- 'Azure Security Technologies' certification exam materials

- NCSC (National Cyber Security Centre); Cloud Security Principles

- Broad projects experience

- Online information
