Tip: Best practices for IAM in the public cloud

Best practices for IAM in the public cloud

Tip: Best practices for IAM in the public cloud

Written by David Linthicum exclusively for Nelson Hilliard

So, what is the best way to defend your cloud-based systems from hackers, or, more likely, from misuse?  The path to good security practices for the cloud leads you down paths that can lead to better security for on-premises systems as well. 

Clouds are distributed systems with many moving parts that all work independently.  There are many variable resources, such as complete storage and compute systems, as well as small, more fine-grained services, or APIs.  Also, and more importantly, we need to track humans who use the systems, including the use of all cloud-based resources, applications, and databases that they leverage.  Finally, we need to be able to federate the security information between cloud-based and on-premises systems.  The solution is called federated identity and access management, or IAM. 

The best way to understand the best practices around IAM is to walk you through an example.  The first step is, if you use IAM or not, you create an account on your cloud provider’s platform, and that account is yours.  All other users do the same.  However, in order to provide the best integration, users in your company need to be authenticated in your corporate network, and then they don’t want to sign in again.  Thus, their identities are federated between the user directories that exist on premises, and the user directories that exist within your public cloud provider, sometimes providers. 

So, now that we understand who is using the system, their identities, and we can federate those identities between cloud and on-premises directories, we need to manage those identities as to what groups of users can do, as well as single users.  Groups in the world of IAM are simply collections of IAM users.

Groups let you specify permissions for a collection of users.  This structure allows you to deal with entire groups at the same time, versus each individual user.  Users can belong to many different groups, such as “accounting” and “company leadership.”  This allows you to grant permissions to two or more groups.  Groups can’t be nested, meaning you can’t add groups to groups, only users.  There are limits, at least on AWS your group is limited to 100, and there can only be 10 groups per user. 

All major cloud providers, including AWS, Microsoft, and Google, have some sort of IAM system within the cloud services they provide.  The basics patterns and federation capabilities are the same.  However, the interfaces and how they are used is not.  You need to understand how each provider approaches IAM, as described above, including groups.

What’s important is your use of an on-premises directory service that’s able to integrate with your cloud provider of choice.  For this, you need to look for the use of standards such as SAML-compliant directories. 

AWS, for instance, permits your federated user to access AWS cloud services.  This allows you to grant users permission to carry out any tasks in AWS that the users have been granted permission to do.  Microsoft also integrated with SAML-compliant directories, including their own Active Directory.  Google supports SAML as well. 

Some of the best practices when using IAM and cloud providers is to test your on-premises and cloud-based systems using whatever IAM approaches and technologies that you like.  This means ensuring that not only are the users and groups being managed properly but that they are granted and not-granted access as configured in the IAM system. 

Another best practice is to ensure that you plan out your groups correctly the first time.  What seems like a good idea, meaning grouping users as per geography, for instance, could lead to you having to change the grouping in the future, for example, grouping by department.  This means migration, retesting, and a lot of wasted time and money.  Do thorough planning up front.

Remember to Subscribe to our Youtube Channel for the Latest Cloud Computing Tech Jobs, News, and Cloud Shows.


David S. Linthicum is a managing director and chief cloud strategy officer at Deloitte Consulting, and an internationally recognized industry expert and thought leader.
Connect with David on LinkedIn and Twitter:

At Nelson Hilliard we specialise in cloud technologies, sourcing the top 20% of cloud professionals inspired to work for you through our specialised marketing and profiling. If you are interested in having a quick talk to me regarding your employment needs please feel free to reach out.

You can also check my availability and book your 15 minute discovery call here.

Brad Nelson