In their quest for faster time-to-value and an optimized digital supply chain, businesses are increasingly turning to hybrid IT’s blend of public and private cloud solutions with traditional on-prem gear and composable infrastructures. But they’re hitting a speedbump on the way. Identity and access management (IAM) systems, long recognized as a core component of IT security strategy, are showing signs of strain in a hybrid world.
Users perceive today’s IAM controls as overly complex, slowing down access to the tools and data they need for their work and as a result making them less productive. They often have to juggle multiple sets of identity factors and credentials.
IT staff end up spending too much time on what should be straightforward tasks like authentication and account provisioning/deprovisioning when they’re working across multiple environments, often including solutions from different cloud providers. They’re hampered by IAM technology “islands” that lack support for open, flexible identity and access control standards. Identity and access control data may have different levels of security, privacy and availability protection, depending on the location from which it’s consumed or the platform where it’s stored.
It’s time to move towards a modern, integrated identity management system that spans cloud and on-premises infrastructure and provides a common control plane to manage your identities, credentials, devices, and applications, as well as access to them. Here are five steps you can take to get there.
1. Simplify your on-prem IAM. Most organizations have many different on-prem tools and solutions – for example, multiple directories, single sign-on (SSO) solutions, and strong authentication solutions. This kind of proliferation will make the integration with public cloud providers (such as AWS, Google Cloud Platform, and Microsoft Azure) more complex, so your first move should always be to simplify. Bear in mind that many of the disciplines you rely on for your on-premises infrastructure are the same ones you’ll need in the hybrid environment, so this is a great opportunity to review.
2. Honor the principle of least privilege. At many organizations, it’s not uncommon for sysadmins to use an administrator account to perform routine administrative tasks that can be done with a plain user account. This practice increases the risk exposure of privileged accounts. Limit the risk by giving admin accounts only the permissions they need to do their job, and only for the time they really need them. Sysadmins can use a plain user account for day-to-day work, then switch to an administrator account temporarily for tasks requiring higher privileges.
To do this effectively, you’ll need to build a privileged user management (PUM) or privileged access management (PAM) system spanning on-prem and public cloud. You’ll want to make sure it includes multi-factor and strong authentication, jump hosts, secure operator rooms and workstations, and detailed activity tracking for your admin accounts. PUM calls for a true holistic approach. The technical security controls are important, but they’re just part of the picture. They should be complemented with the right policies, processes and proof controls; for example, you may want to audit your admins and operators regularly to make sure they are correctly following procedures.
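As an added illustration of the practice described in step 2 (not code from the article or from HPE), the following Python model lets an operator work from a plain account and assume an admin role only for a bounded time, with a recorded justification and an audit trail of every grant, expiry and access decision. The role catalogue, permission names and ticket reference are constructed sample data, not any product’s API.

```python
"""Added example: just-in-time privilege elevation with an audit trail.

An operator holds a plain 'user' role and temporarily elevates to an admin
role for one task. The grant expires on its own, and every ELEVATE, DROP,
EXPIRE, ALLOW and DENY event is appended to an audit list so the activity
tracking the article calls for has something to consume.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed role catalogue: each role carries a small, explicit permission set.
ROLES = {
    "user": {"read:own-files", "submit:ticket"},
    "backup-admin": {"read:own-files", "run:backup", "restore:backup"},
    "iam-admin": {"read:own-files", "create:user", "disable:user"},
}


@dataclass
class Elevation:
    role: str
    reason: str
    expires_at: datetime


@dataclass
class Session:
    operator: str
    base_role: str = "user"
    elevation: Optional[Elevation] = None
    audit: list = field(default_factory=list)

    def elevate(self, role: str, reason: str, now: datetime, ttl_minutes: int = 30) -> None:
        """Assume a privileged role for at most ttl_minutes, with a recorded reason."""
        if role not in ROLES or role == self.base_role:
            raise ValueError(f"not an elevatable role: {role}")
        if not reason.strip():
            raise ValueError("elevation requires a justification (ticket or change id)")
        self.elevation = Elevation(role, reason, now + timedelta(minutes=ttl_minutes))
        self.audit.append(("ELEVATE", self.operator, role, reason, now.isoformat()))

    def drop(self, now: datetime) -> None:
        """Return to the plain account explicitly, before the grant expires."""
        if self.elevation:
            self.audit.append(("DROP", self.operator, self.elevation.role, now.isoformat()))
            self.elevation = None

    def effective_permissions(self, now: datetime) -> set:
        """Permissions in force at `now`; an expired grant is revoked on first use."""
        if self.elevation and now >= self.elevation.expires_at:
            self.audit.append(("EXPIRE", self.operator, self.elevation.role, now.isoformat()))
            self.elevation = None
        role = self.elevation.role if self.elevation else self.base_role
        return ROLES[role]

    def perform(self, action: str, now: datetime) -> bool:
        """Authorise one action against the permissions in force and log the decision."""
        allowed = action in self.effective_permissions(now)
        self.audit.append(("ALLOW" if allowed else "DENY", self.operator, action, now.isoformat()))
        return allowed


def run_scenario() -> dict:
    """Walk one operator through a restore task; constructed timeline and ticket id."""
    t0 = datetime(2024, 1, 15, 9, 0)
    s = Session("alice")
    result = {"before": s.perform("restore:backup", t0)}            # plain account: denied
    s.elevate("backup-admin", "CHG-0042 restore /srv", t0)           # hypothetical change id
    result["during"] = s.perform("restore:backup", t0 + timedelta(minutes=1))
    result["cross_role"] = s.perform("create:user", t0 + timedelta(minutes=2))  # wrong role
    result["after"] = s.perform("restore:backup", t0 + timedelta(minutes=45))   # expired
    result["audit_kinds"] = [entry[0] for entry in s.audit]
    return result


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The two checks worth noticing are that elevation to a different admin role does not carry permissions across roles (the backup admin still cannot create users), and that expiry is enforced at the point of use rather than trusting the operator to drop the role.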
3. Evolve to a federated identity model, leveraging open standards – such as Security Assertion Markup Language (SAML) – to integrate on-prem and public cloud IAM and to provide a single sign-on experience. As a first step in that direction, most organizations start with a directory synchronization engine: an on-prem master directory with slave copies in the public cloud. But you’ll want to move from there to a full federated model, in which you become your own identity provider and all public cloud providers are resource providers.
All public cloud providers support identity federation. Make sure that you set up the correct group and attribute mapping between your internal on-prem identity provider system and the different access control systems of the public cloud providers.
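The group and attribute mapping in step 3 is where federation most often goes wrong, so here is an added Python example (not from the article or from HPE) that reads the attribute statement of a SAML 2.0 assertion, extracts the on-prem group memberships, and translates them into roles for one cloud provider. Anything without an explicit mapping grants nothing and is reported for review. The assertion is a constructed fragment with signature, issuer and conditions omitted; GROUP_ROLE_MAP is a hypothetical mapping table in which the AWS role names are placeholders (the GCP and Azure names are built-in roles).

```python
"""Added example: SAML group attribute to cloud role mapping, deny by default."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# The SAML 2.0 assertion namespace.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment: only the subject and attribute statement.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>CN=Cloud-Storage-Admins,OU=Groups,DC=example,DC=test</saml:AttributeValue>
      <saml:AttributeValue>CN=All-Staff,OU=Groups,DC=example,DC=test</saml:AttributeValue>
      <saml:AttributeValue>CN=Legacy-Ops,OU=Groups,DC=example,DC=test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>Platform</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical mapping: on-prem group CN -> role per provider.
# AWS names are placeholders; GCP and Azure names are built-in roles.
GROUP_ROLE_MAP = {
    "Cloud-Storage-Admins": {"aws": "StorageAdminRole",
                             "gcp": "roles/storage.admin",
                             "azure": "Storage Account Contributor"},
    "All-Staff": {"aws": "ReadOnlyRole", "gcp": "roles/viewer", "azure": "Reader"},
}


def parse_assertion(xml_text: str) -> Tuple[str, Dict[str, List[str]]]:
    """Return (NameID, {attribute name: [values]}) from an assertion document."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=SAML_NS).strip()
    attrs: Dict[str, List[str]] = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return name_id, attrs


def group_cn(dn: str) -> str:
    """Extract the CN from an LDAP-style DN; a plain group name passes through."""
    m = re.match(r"\s*CN=([^,]+)", dn, re.IGNORECASE)
    return m.group(1).strip() if m else dn.strip()


def map_groups(groups: List[str], provider: str) -> Dict[str, List[str]]:
    """Translate on-prem groups into roles for one provider.

    Groups with no mapping for this provider grant no role and are listed
    under 'unmapped' so the gap can be reviewed rather than ignored.
    """
    roles, unmapped = set(), []
    for g in groups:
        cn = group_cn(g)
        role = GROUP_ROLE_MAP.get(cn, {}).get(provider)
        if role:
            roles.add(role)
        else:
            unmapped.append(cn)
    return {"roles": sorted(roles), "unmapped": sorted(unmapped)}


def roles_for(xml_text: str, provider: str) -> Dict[str, object]:
    """End-to-end: assertion text in, subject plus mapped/unmapped roles out."""
    name_id, attrs = parse_assertion(xml_text)
    result: Dict[str, object] = map_groups(attrs.get("memberOf", []), provider)
    result["subject"] = name_id
    return result


if __name__ == "__main__":
    for provider in ("aws", "gcp", "azure"):
        print(provider, roles_for(SAMPLE_ASSERTION, provider))
```

In a real deployment the assertion would be signature-checked and its conditions validated before any of this runs; the point here is only that the mapping table is the policy, and a group that drifts out of it should surface as an unmapped finding rather than quietly inherit a default role.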
4. Integrate IAM with security information and event management systems. Make sure that all of your event and alert sources – including compute, storage, networking, and security, for both on-prem and cloud infrastructure – feed up to your security information and event management (SIEM) systems. Also ensure that SIEM is integrated with your enterprise dashboard and ticketing/helpdesk systems.
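To show why step 4 matters for identity events specifically, here is an added Python example (not from the article or from HPE) that normalises login records from an on-prem SSO gateway and from a cloud audit log into one event schema, then runs a single failed-login detection across both. An attacker who alternates between the two environments stays under a per-source threshold; only the combined view trips the rule. Both log formats, the gateway name and every line are constructed for the example.

```python
"""Added example: cross-environment IAM event normalisation and detection."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed on-prem gateway lines (syslog-like key=value format).
ONPREM_LINES = [
    "2024-01-15T10:00:05Z sso-gw[412]: user=alice src=10.20.1.7 result=FAIL",
    "2024-01-15T10:01:10Z sso-gw[412]: user=alice src=10.20.1.7 result=FAIL",
    "2024-01-15T10:02:00Z sso-gw[412]: user=bob src=10.20.1.9 result=OK",
    "2024-01-15T10:02:30Z sso-gw[412]: user=bob src=10.20.1.9 result=FAIL",
    "this line is not a login event",
]

# Constructed cloud audit records (one JSON object per line).
CLOUD_LINES = [
    '{"eventTime": "2024-01-15T10:03:00Z", "principal": "alice", "sourceIp": "203.0.113.5", '
    '"eventName": "ConsoleLogin", "outcome": "Failure"}',
    '{"eventTime": "2024-01-15T10:30:00Z", "principal": "alice", "sourceIp": "203.0.113.5", '
    '"eventName": "ConsoleLogin", "outcome": "Success"}',
]

ONPREM_RE = re.compile(
    r"^(?P<ts>\S+) sso-gw\[\d+\]: user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>\w+)$"
)


def _ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def normalize_onprem(line: str) -> Optional[Dict]:
    """Gateway line -> common schema; unparseable lines are skipped, not guessed."""
    m = ONPREM_RE.match(line)
    if not m:
        return None
    return {"ts": _ts(m["ts"]), "source": "onprem-sso", "user": m["user"],
            "src_ip": m["ip"], "action": "login", "success": m["result"] == "OK"}


def normalize_cloud(line: str) -> Optional[Dict]:
    """Cloud audit JSON -> common schema; only console logins are kept here."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if rec.get("eventName") != "ConsoleLogin":
        return None
    return {"ts": _ts(rec["eventTime"]), "source": "cloud-audit", "user": rec["principal"],
            "src_ip": rec["sourceIp"], "action": "login", "success": rec["outcome"] == "Success"}


def detect_failed_login_bursts(events: List[Dict], threshold: int = 3,
                               window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Alert when one identity accumulates `threshold` failed logins within
    `window`, counting failures from every source together."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "login" and not e["success"]:
            failures[e["user"]].append(e)
    alerts = []
    for user, evs in failures.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"user": user, "count": end - start + 1,
                               "sources": sorted({x["source"] for x in evs[start:end + 1]}),
                               "last_seen": evs[end]["ts"].isoformat()})
                break  # one alert per user per burst is enough for this example
    return alerts


def run_pipeline(onprem: List[str] = ONPREM_LINES, cloud: List[str] = CLOUD_LINES) -> List[Dict]:
    """Normalise both feeds, drop what does not parse, and run the detection."""
    events = [e for e in map(normalize_onprem, onprem) if e]
    events += [e for e in map(normalize_cloud, cloud) if e]
    return detect_failed_login_bursts(events)


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

With the cloud feed removed, the same on-prem lines produce no alert at all, which is the concrete argument for feeding every environment into one SIEM rather than running separate rules per platform.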
5. Leverage software-as-a-service and standard public cloud IAM features to the maximum extent. Reduce time-to-production for IAM solutions by making full use of IAM SaaS products and the built-in IAM features in public cloud offerings. This simplifies your ongoing IAM operations and maintenance. It will also reduce the CapEx needed to get started with IAM in a hybrid IT environment.
Different cloud providers offer slightly different identity and access management tools, and they use different terminology to describe them. At first glance this can be a bit confusing, but if you spend a little time working with them you’ll find that, to a large extent, they all offer basically the same controls.
HPE Pointnext can help you architect and build a tailored, future-proof IAM platform for your hybrid IT operation, one that empowers employees and enhances their productivity. Working closely with your team and our IAM solution partners, we can take you every step of the way, from an initial assessment of your existing environment, to roadmap development, to solution implementation. Learn more about HPE Pointnext Security services and start working with us today.