One of the core challenges of cloud computing is its complex security needs. As organisations traverse the digital landscape, the convergence of systems, applications and users blurs traditional boundaries, requiring a reinterpretation of traditional data and identity silos.

Under the shared responsibility model for the public cloud, protecting identities and data is always the responsibility of the enterprise rather than the cloud service provider. Even in software as a service (SaaS), customers are still required to protect their own data, identities and application configurations.

Identity and access management (IAM) systems usually serve as the core method for defining access rights and permissions, enabling organisations to centrally manage authentication, single sign-on (SSO) and authorisation across multiple systems and applications. Yet legacy IAM systems struggle to adapt to the dynamic nature of cloud environments, where access requirements change frequently.

To address these challenges, the security industry has responded with innovative solutions designed to operate at cloud scale, such as cloud extensions to identity governance and administration (IGA) offerings and the adoption of attribute-based or policy-based access control (ABAC or PBAC).

The IAM landscape is further complicated by introducing new entities such as containers, serverless architectures and internet-of-things devices. These entities present unique access challenges, necessitating innovative approaches to identity management. By leveraging data awareness and automation, organisations can streamline their IAM processes and mitigate security risks in cloud environments.

Data protection solutions have evolved on a similar path to IAM systems. Data loss prevention (DLP) solutions have allowed organisations to discover, classify and monitor the movement of sensitive data within their networks, and apply adequate policies. As in the case of IAM, new data-centric solutions were introduced to tackle the challenge of protecting data in the cloud. Cloud access security broker (CASB) systems, for example, can be used to identify unsanctioned cloud applications, monitor and control data, and encrypt traffic to the cloud through a centralised platform.

Cloud security

However, the effectiveness of DLP solutions hinges on constant data classification and policy refinement, which can be challenging in dynamic cloud environments. While CASBs can be used to restrict user access to an application, they don’t address visibility and management of identities and permissions in the cloud at the user, application and resource level. Fortunately, cloud security posture management (CSPM) systems can help partially fill this gap, allowing organisations to continuously monitor cloud platforms and alert on misconfigurations and potential compliance issues. For example, CSPMs can detect misconfigured Amazon Simple Storage Service (Amazon S3) buckets that may expose organisations to the leaking or loss of sensitive data.

Much like identity-centric security lacks an awareness of the data side, neither DLP nor CASB and CSPM, nor a combination of these products can provide integrated insight into identities. Similarly, making decisions based solely on the sensitivity of data with no insight into user behaviour and contextual understanding of their actions may result in misidentification of major risks, multiple false positives and disruption to business.

As organisations are required to constantly adapt their policies and controls, IT and human resources (and consequently, budgets) are pushed to their limits. Many of these organisations are approaching a tipping point where the scale and flexibility of cloud environments may be too much to deal with, resulting in increased exposure to risk. The key to addressing the challenge of managing identities and permissions in the cloud at the user, application and resource level is to introduce automation, thereby reducing the level of required human resources.

Bringing down identity and data silos is essential for achieving this goal. By effectively leveraging data awareness, we can establish a decision-making framework that distinguishes between legitimate and excessive permissions based on contextual understanding of the risk they pose to critical data or resources – and enforce least privilege policies accordingly.

The disconnect between identity-centric and user-centric security is deeply rooted in existing cybersecurity paradigms. To create the necessary paradigm shift, a new security model should introduce capabilities based on several key principles.

Firstly, policies should ensure that users, applications, machines and services can access only the data and resources that are necessary for their legitimate purposes, per their current needs and status. The incorporation of data awareness into an access management framework could significantly improve its least privilege posture through a more accurate, ongoing assessment of risk.
Next – as said before – automation is the ultimate prescription for scale issues. The process of creating and enforcing least privilege policies (at least, in the most common cases) should be done rapidly, at scale and with minimal involvement of dev or ops teams. This way, organisations can gradually achieve least privilege while allocating other resources to identify and resolve complicated permissions and investigate unknown access events. It is also important to remember that not all access permissions are equal. Given the number of access policies in modern cloud environments, you must be able to differentiate between how you handle each of them. The level of risk can be attributed to the sensitivity of the data where it resides, the entity that holds the permissions, and so forth.
It is also crucial to identify the myriad entity types that are accessing cloud resources. From human users to applications and bots, similar principles and logic should be applied to all entity types to ensure comprehensive security across any cloud environment, without impacting application continuity or speed to market. Most importantly, security systems should be able to identify and mitigate access-related risks with minimum disruption to normal business operations.

While there will continue to be evolving security challenges in cloud environments, there are a growing number of tools and measures that can be implemented to mitigate risks and ensure that a robust security framework is in place at all times. By leaning into automation to ease the burden of managing data policies, organisations will face less issues with scaling their cloud environments and be able to free up critical business resources.