Sunday, August 7, 2022

Why It Is Important To Take A Top Down Approach For IAM - 2 Key Considerations

 


Day by day, businesses across America and even globally are starting to understand the importance of moving entirely to the Cloud, and totally eradicating with their On Orem infrastructures.  Now, there is really nothing wrong with the latter per se, it’s just that these are old legacy systems, which can cost a fortune to maintain.

In today’s world, nobody can really afford that.  In fact, many of the vendors that use to make the reliable ecommerce back in the day, are probably no longer even in existence today (one good example of this is Compaq – I bought their ProLiant server many years ago). 

And with the world going all digital one day, with the expectations that we will soon evolve into the Metaverse, being totally in the Cloud makes much more sense.  Keep in mind tough that a complete migration to the Cloud requires careful planning and is usually done in phases in order to make sure that nothing is left out.

In this regard, it is best to make use of what is known as a Cloud Services Provider, or CSP for short.

Not only can they plan the entire migration for you, but they can also do it, and maintain it after it has been all said and done.  But after a smooth transition from On Prem to the Cloud has been done, your work has just started, at least from the standpoint of security. 

Probably the biggest issue here is that of Identity and Access Management.  This is essentially a field of Cyber in which you establish all of your user and group profiles, and from there, assign the needed rights and permissions.

If you are using Microsoft Azure, then a lot of this headache will be eliminated if you make use of the Active Directory.  This is actually pretty complex, but cut to the chase, this is the centralized database in which all of the above is stored at.  It can be very simple or complicated to use, a lot depends upon your security requirements, and just how big your organization is.

It is important to keep in mind that Azure gives you all of the tools you need in order to create a sound IAM Policy.  But Microsoft won’t do that for you (of course you hire them for a huge consulting fee), it is up to you to configure your security environment the right way, which is according to your requirements.  In fact, this is where many companies fail at. 

They think that simply because they have moved into the Cloud, all is well.  No, there is much more work to be done.

In fact, this is why data leakage has been such a huge issue with the AWS.  It’s not that the Private Cloud that has been deployed is weak, it’s the fact that the owners of it have not configured the S3 buckets properly. They leave it at the default settings, thinking that it is enough. 

But on the flip side, the Cyberattacker already knows what they are, such it is just a matter for them of breaking into your Cloud environment, tampering with the settings, and from there, exfiltrating all of the data that they can get their hands on.  This is the first area a good IAM policy must address.

Also bear in mind that many organizations also fail to remember that one of the key mantras of the Cloud is automation.  What once took hours to do On Prem can now be done in minutes in Azure.  For example, this means that all of the network log files, enabling new software applications once the triggers and conditions have been met, managing all of the Cloud Access Brokers (CASBs), etc.  With all of this stuff being interconnected together, privileges and rights can cross each other, and in fact, even be used in the wrong way, thus leaving more exposure for the Cyberattacker,  You can consider all of this automation as little robots running around in your Private Cloud trying to get their assigned tasks done.

And if the right privileges are not in place, chaos is about too erupt to a degree of which you have never seen before.  This is the second area that a solid IAM policy must also address.  In fact, these are referred to as Non-Human Identities, and have become a prime target for the Cyberattacker to chase after.

My Thoughts On This:

So there you have it, the two main areas in the Cloud in which IAM must address.  Of course, there are many other areas as well, especially those that relate for the Remote Workforce.  The traditional security technologies of yesterday are simply not enough to keep up with the security demands of today. 

Thus, companies have to invest into some newer technologies in order to keep up.  These are also, I believe, available in Azure, so take a look around.

But remember, one of the key tenets of an IAM policy is a top-down approach.  This simply means that if the top brass, such as the C-Suite are obeying it, then there is a far greater chance that the employees underneath will follow in the same fashion.  This is how you should also plan for your IAM strategies.  You should always start from a holistic sense, using this top-down mentality. 

For example, take a look at all of the departments you have.  Then from there, craft out the user groups you will create for each one of them, as well as their respective rights and permissions.  Once this has been done, then add in your employees to each of the groups that they will be a part of, and assign the right rights and permissions in an en masse format. 

Also, it is equally important to set up the permutations either the deactivation or total eradication of a particular individual once their job assignments have been completed.

Many IT Security teams fail to do this key task, and because of that, it leaves a huge, backdoor for the Cyberattacker to penetrate into.  You should never have to take a micro approach with an IAM Policy.  If you are, then that means something is not right and needs to be seriously reevaluated.

Finally, don’t discount the use of your log files that are outputted from your network devices. They will give you all the information that you will need when it comes to calculating the patterns of when your employees log in and log out of all your Cloud based applications.  This can also be useful in crafting out a good IAM policy.

No comments:

Post a Comment

How To Launch A Better Penetration Test In 2025: 4 Golden Tips

  In my past 16+ years as a tech writer, one of the themes that I have written a lot about is Penetration Testing.   I have written man blog...