Identity and Access Management is one of the first steps to achieving cloud security. Organizations, now more than ever, are adopting cloud technologies at a rapid pace. To do so, organizations are leaving the cloud infrastructure vulnerable. So, to provide a safe and secure environment to store identifiable information becomes crucial.
If you want to explore the basics of IAM, you can download our eBook on “IAM For Cloud Dummies.”
Identity and Access Management (IAM) systems provide the capability to create and manage user accounts, roles, and access rights for individual users in an organization. They typically incorporate user provisioning, password management, policy management, access governance, and identity repositories in an often-complex design. Because providing IAM is a colossal task, you’re likely to face many challenges. You may be asked to confirm the accounts in your IAM system and the access rights for each, which can be a daunting and challenging task. Unfortunately, the environments that IAM systems support are often subject to both persistent attacks and inadvertent permission creep due to changing roles and rights within your organization.
To ease out the pain that IAM has been, we are listing 6 best practices that you can incorporate:
1. Multi-factor Authentication (MFA) is a must
MFA is the first step in creating layers of trust. Apart from the passwords known only to the user, there are two layers of authentication
i. A key or a security pass that they already have.
ii. The biometric information or voice recognition that they have inherited.
MFA ensures that even is the hacker has breached one layer; then there is another layer of security that the hacker has to breach to access your cloud. So, MFA should be mandatory.
2. Never share account credentials
This should be basic while handling credentials that can be used to access your cloud infrastructure. Instead of sharing accounts, create individual IAM users for employees that need to access cloud resources. This allows the admin to assign a unique set of permissions to different users based on one’s job requirements.
3. Always audit access to resources
It’s essential to regularly review your organization’s IAM policies to ensure they’re granting the least privileges. Reviewing the access logs adds another layer of security to your cloud infrastructure. The admins can see who accessed what and when.
4. Enforce a strong password policy
According to Skyhigh, the top 20 most common passwords account for 10% of all passwords. The number suggests that a hacker can infiltrate one out of twenty user accounts without any brute-force attacks if one happens to use a most common password such as “123456” and “password.”
While creating passwords admins and the users can implement the following practices:
- Define maximum and minimum characters length.
- Use special characters.
- Put a restriction on sequential and repetitive characters.
- Set-up a password expiration policy.
- Imply restrictions on dictionary words in the passwords.
5. Remove the unnecessary IAM users and associated credentials
In 2019, various cloud breach cases were involved with the ex-employees. How did they get access to the cloud infrastructure? Using their existing credentials. Every unnecessary IAM user should be removed to minimize the risk of being stolen or giving away an easy entry point to the hackers. The audit step mentioned above should be able to help you figure out which IAM user has not logged for a longer period, and proper steps should be taken whether to delete or revoke the permissions.
6. Do not embed keys into code or instances
When writing codes, it seems convenient enough to store keys in the code itself or the environment, but it welcomes only vulnerability. Even if the keys are encrypted, there is a high possibility that the hackers will be able to extract those keys. The recommended practice is to use Azure Service Principal, GCP Service Accounts, or AWS Roles if you are using either of the cloud services.
To get exclusive cloud security content right into your inbox, subscribe to our newsletter.