Cloud Adoption is a strategic imperative for any company seeking to thrive and grow in our increasingly digitized world. Yet, moving to the cloud without a solid strategy and governance plan in place can quite quickly eliminate any cost savings and efficiencies a company hoped to gain through its transformation. For example, a data breach can result in severe fines, months upon months of remediation work, and reputational damage that could lead to customer churn.
In a previous blog, we described how Cloud Governance is an extension of Corporate Governance. We listed seven key questions companies should ask as they continue their cloud journeys. This blog looks at Identity and Access Management (IAM) and how it relates to Cloud Governance. We present an overview of some of the key IAM challenges our clients have confronted as they approach the cloud and a list of critical questions every organization should consider regardless of whether they’re living in the Cloud(s) or haven’t started the journey.
Governing Identity and Access Management in the Cloud
The cloud’s ability to enable faster value creation, delivery, and protection through new services, enhanced digital experiences, or more efficient and secure transactions is a blindingly attractive beacon for modern enterprises. However, ‘blindingly attractive’ isn’t necessarily great – ‘real’ visibility is an essential characteristic of enterprise strategy, operations, and risk management.
A key aspect of visibility is knowing who and what is operating in your enterprise. As organizations migrate applications and workloads to the cloud and begin developing in it, observability becomes increasingly complex and potentially fraught with pitfalls, particularly if the organization doesn’t have clear governance and centralized management covering, among other things, oversight of the identity lifecycle, the access request and approval process, entitlements management, role and policy management, access and entitlement certifications, and auditing and reporting.
This is where Identity and Access Management (IAM) comes into play. Simply stated, IAM is a set of policies, processes, supporting tools, and infrastructure used for managing the creation, maintenance, use, and oversight of digital identities, which can be either human or non-human. Whether we are talking about human users, machine roles, mobile devices, or even printers, anything that connects to or interacts with your environment should be identifiable and visible.
Whether your organization is all in on the cloud, partly there, or just thinking about it, the following is a list of fundamental questions to ask:
- Do we know how access is provisioned across the enterprise today? Is it centrally managed or decentralized? Who approves requests at the enterprise and LOB levels?
- How are we managing the provisioning/de-provisioning of Machine Roles and Human Roles?
- How are IAM accounts currently audited? How frequently are IAM accounts audited?
- Is automation in place to facilitate access reviews for Joiners, Movers, and Leavers?
- Are we actively monitoring orphan accounts?
- How are changes to roles, entitlements, and accounts monitored?
- Do we ensure that default roles are disabled?
- Is SSO implemented? What is the level of adoption?
- How are we managing secrets?
- How are we tracking privileged access and usage?
- Do we have automated enforcement of our password policies? Are self-service capabilities in place for password management?
- What is your IAM compliance monitoring strategy? Does your organization regularly monitor orphan accounts?
Taking care to ensure that only the right people have access to the right resources, at the right time, for the right reason in your cloud environment requires well-managed governance and a risk-aware culture as well as flexible adoption frameworks and centralized solutions.
Infinitive’s experts have the knowledge and experience to help your organization improve productivity by automating critical aspects of managing identities, authentication, and authorization. If you are struggling with any of these questions or want an outsider’s perspective, contact us to create the right IAM environment for your business.