The massive adoption of public cloud services is creating a new, sprawling attack surface with a scale that keeps growing. While this poses significant challenges, it’s important to recognize that the root of security remains identities and entitlements.
Even though the cloud combines storage, compute, and networking across multiple pieces of infrastructure, each reachable through multiple paths, identity is the primary avenue for breaches. What’s more, the cloud is constantly evolving, with large service providers such as AWS, Azure, and GCP continually introducing new features, capabilities, and layers of abstraction. All of this potentially changes how services and their related data may be accessed.
While cloud security entails many different layers of protection, from WAF (Web Application Firewalls) to encryption, a properly executed security strategy brings the focus back to identity and entitlement management, which is a set of practices designed to govern who can access which services and data. That’s because most interactions still start with confirming an identity and assigning the appropriate rights.
One of the major challenges facing organizations is that each cloud services provider uses proprietary approaches, tools and nomenclature when it comes to identity and entitlements. That, in turn, creates further complexity in managing cloud identity and entitlements for organizations with a multi-cloud strategy.
Also, permissions and entitlements in environments like AWS, Azure, and Google Cloud are far more complex than they are in the data center. In addition to human identities, there are thousands of service identities, and determining the access permissions associated with each identity requires analysis of many different policies and configurations.
Therefore, discovery is one of the most important elements of identity and entitlement management in the cloud and is central to the practice of cloud identity governance. This involves the discovery and visualization of all cloud identities – both human and service – and entitlements. Of course, the next and no less important step is to analyze and prioritize risk.
Then, once you have defined your cloud services, removed excess entitlements and privileges, and reduced your attack surface, you can monitor for anomalies. Policies such as “User X can only access parts of Application Y during the hours of Z and only from location L on device D,” combined with a requirement for multi-factor authentication, can be defined to control access and harden systems against intrusions.
If you are fully aware of who your users are, what they are allowed to do, and when and where they are allowed to do it, control becomes a concept that is fully enforceable. What’s more, policies can be defined to limit access based upon numerous factors, or even to suspend access after a certain date, which is handy for dealing with contractors and temporary workers.
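The policy clauses in the two paragraphs above map onto provider-specific condition keys. As an added example that is not part of the original article, the AWS IAM identity policy below (constructed; the bucket name, CIDR and end date are placeholders) grants a user read access to one application's data only with MFA present, only from location L expressed as a network range, and only until a contract end date, after which every request is denied. The hours-of-day and device-posture clauses cannot be expressed with IAM condition keys alone and are normally enforced at the identity provider; the `aws:ViaAWSService` check keeps the source-IP deny from blocking calls AWS services make on the user's behalf.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAppYReadOnly",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::example-app-y-reports",
        "arn:aws:s3:::example-app-y-reports/*"
      ]
    },
    {
      "Sid": "DenyWithoutMFA",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
      }
    },
    {
      "Sid": "DenyOutsideLocationL",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": { "aws:SourceIp": ["203.0.113.0/24"] },
        "Bool": { "aws:ViaAWSService": "false" }
      }
    },
    {
      "Sid": "DenyAfterContractEnd",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "DateGreaterThan": { "aws:CurrentTime": "2024-12-31T23:59:59Z" }
      }
    }
  ]
}
```

Because explicit Deny statements win over any Allow in IAM evaluation, adding broader Allow grants elsewhere to this user does not loosen the MFA, location or expiry constraints.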
Delving deeper into identity-based access, it becomes apparent that devices can have identities as well. In other words, connections between devices and applications can benefit from the granular control that policies offer. For example, a hosted accounts payable system may have a policy around it that limits its connectivity to an on-premises solution, meaning that batch processing can only occur during certain times of the fiscal year or month.
Gaining visibility into the complex relationships between identity, entitlements, and resources proves to be the critical starting point to bring enhanced security to hybrid and multi-cloud systems. Acting upon that information using policies is the net result of implementing identity and entitlement management into the security stack.
About the author: Shai Morag is CEO of cloud identity and access security provider Ermetic. Previously, he was co-founder and CEO of Secdo, an incident response platform vendor acquired by Palo Alto Networks, and CEO of Integrity-Project, a software outsourcing company acquired by Mellanox. Shai also served for 10 years as an officer in senior product development and management roles with the Intelligence Unit of the Israel Defense Forces.
Edited by Erik Linask