Successful digital transformation depends on the security of your cloud environment. Modern organizations recognize the importance of securing identities in the zero-perimeter, Zero Trust world of remote work and cloud-hosted data. But this is, of course, easier said than done, as the number, types and interrelationships of identities massively expand across cloud environments.
It’s largely understood that cloud security is a shared responsibility between cloud provider and customer. But when exploring appropriate Identity and Access Management (IAM) controls for these environments, many organizations grapple with questions like: When are cloud-native tools sufficient, and when should we consider specialized solutions from other vendors?
It can be tricky to tell with all of the IT security jargon floating around (we security folks do love our acronyms). If you’ve ever found yourself stuck in this IAM alphabet soup, unable to differentiate between solution categories or pinpoint the optimal mix of controls for your organization’s cloud workloads, this definitive guide to cloud IAM acronyms is a good place to start.
Identity and Access Management (IAM): Identity and Access Management is a framework of controls and policies used to create, manage and secure identities – both human and non-human – and their permissions to access systems and resources.
IAM services offered by cloud providers, such as authentication, authorization and encryption, are foundational security components in cloud environments. They allow customer organizations to centrally manage and granularly control access across their cloud estates.
Each cloud service provider provides its own IAM paradigms with distinct definitions of entitlements to access resources. Whether a provider uses the term “entitlements,” “permissions” or “privileges” to define access rights – IAM platforms help cloud security teams manage who can access what. On each platform, organizations build IAM policies that grant access entitlements to their identities.
While terminology varies regarding user types, platforms generally define identities as users, groups and roles. A user is a single individual account. A group is a structure to manage several users that have similar responsibilities and require similar permissions. A role is a distinct identity that has permissions to perform a specific function. Often, roles are assumed by individual users to complete a given task.
It’s important to note that in the cloud, traditional designations of privileged access do not necessarily apply; generally speaking, any human or machine identity can be assigned permissions to access sensitive data and resources.
Role-based Access Control (RBAC): RBAC is a popular model for authorizing users that assigns permissions based on job function, in adherence to the rule of least privilege. RBAC is a tried-and-true authorization model that is widely adopted both on-premises and in cloud environments, most notably in Azure, where RBAC is a primary structure for organizations to manage entitlements to access Azure resources and services.
Attribute-based Access Control (ABAC): ABAC is a variation of the RBAC paradigm for user authorization popular on AWS. In an ABAC model, organizations can architect their permissions to access cloud resources in anticipation of future needs. Organizations classify their resources and assign common types of workloads with common tags. Certain identities can then be granted permissions to access all resources with this tag. This approach eliminates the need to manually provision access to new resources, but it also can make it difficult to enforce least privilege access if organizations take a broad, one-tag-fits-all approach to labeling their resources.
Access Control Lists (ACLs): ACLs are a control that allows organizations to create lists of users that can access specific cloud resources, most commonly virtual machine (VM) infrastructure. This permissions construct provides fine-grained control from a resource-centric view.
Single Sign-On (SSO): SSO solutions provide a centralized portal where users can access cloud workspaces and applications without remembering and entering passwords. Today, employees often have more credentials than they know what to do with. SSO controls provide quick, reliable access and eliminate the security risks of insecure or re-used passwords set by employees. They also eliminate the time and labor costs of IT teams resetting passwords.
Multi-Factor Authentication (MFA): MFA solutions verify the identity of users accessing cloud platforms or applications with additional factors such as a phone call, email or mobile push notification. Just as in on-premises apps, using MFA provides an additional layer of security for access to applications and sensitive resources and is widely considered a security best practice. Adaptive MFA, in which the method of authentication corresponds to the sensitivity of a given resource, is also growing in popularity.
Key Management Service (KMS): KMS offerings from cloud providers allow customers to create and manage the cryptographic keys that encrypt data and control their use across cloud services and workloads.
Cloud Access Security Brokers (CASBs): CASBs sit between users and cloud services to enforce enterprise security policies on cloud-based services. In effect, CASBs are “checkpoints” or “gateways” that govern and secure access to cloud services. CASBs are primarily used to protect SaaS application deployments and are particularly well-suited to detection of sensitive data in transit.
Cloud Workload Protection Platforms (CWPP): CWPPs help organizations protect the application workloads that run in their IaaS environments. As cloud-native DevOps becomes increasingly popular, key CWPP functions like system hardening, container protection and vulnerability management become increasingly important for securing cloud-native applications.
Cloud-Native Application Protection Platforms (CNAPP): CNAPPs is an emerging category of solutions that analyzes application and data context to protect cloud-native applications and their hosts, whether virtual machines (VMs), containers or serverless functions.
Cloud Security Posture Management (CSPM): CSPMs address risks of compliance violations and misconfigurations in enterprise cloud environments. CSPMs focus on the resource level to identify deviations from best practice security settings for cloud governance and compliance.
Cloud Infrastructure Entitlement Management (CIEM): CIEM solutions provide granular detection and management of risky IAM permissions. Organizations that rely on cloud-native IAM tools can quickly lose visibility and control of unused and misconfigured permissions to access resources like infrastructure, applications and serverless functions. This is even more difficult in multi-cloud deployments with siloed toolsets and entitlements definitions. CIEM solutions provide cloud-agnostic, granular detection and remediation of permissions that violate least privilege and allow organizations to defend against internal and external threats.
Don’t get lost in cloud IAM alphabet soup. Bookmark this page and refer back often.
And if you’re looking for ways to clean up permissions sprawl and protect identities across your cloud estate, give our CIEM solution – CyberArk Cloud Entitlements Manager – a free test drive. With no infrastructure needed, you’ll be up and running in about an hour so you can start rapidly reducing risk on day one.