Cloud Security
BS Cyber Security & Digital Forensics
Week 9 – 10
Identity and Access Management (IAM) Basics
Lecture
Contents
IAM Authentication and Authorization
Differences from Traditional IT
IAM Lifecycle (Request, Approve, Create, Delete)
Multi-Factor Authentication
Federated Identity
Roles and Centralized Authorization
IAM Overview
Identity and Access Management (IAM) is crucial for securing systems. It ensures only authorized entities can access resources.
Identity: Representation of entities (users, devices, etc.).
Access Management: Controls what these entities can do.
Distinction: Authentication (AuthN) vs. Authorization (AuthZ).
Authentication Concepts
What is Authentication?
Validates the identity of an entity.
Example: Presenting an ID card.
Techniques:
Passwords, PINs, Biometrics, and Multi-Factor Authentication (MFA).
Importance of strong passwords and MFA.
Authorization Concepts
What is Authorization?
Determines permissions of an entity.
Example: Access levels at a military base.
Principles:
Least Privilege: Grant minimum access.
Separation of Duties: Prevent conflicts of interest.
IAM in IT Security
Compromise of credentials is a major cause of breaches.
IAM integrates:
Authentication: Verifying identity.
Authorization: Granting permissions.
Lifecycle management: Creating and removing identities.
IAM Lifecycle
The IAM lifecycle ensures entities are effectively managed from creation to deactivation.
Steps include Request, Approval, Creation, and Deletion.
IAM Lifecycle - Request
Initiation of identity creation or access request.
Process:
Verified entity submits the request.
Types of requests: Create, Delete, Grant, or Revoke.
Example: Manager requests access for a new employee.
IAM Lifecycle - Approve
Decision phase to allow or deny requests.
Details:
Approvals may be automated or manual.
Example: HR approval for new employee identity.
Anti-fraud measures are often integrated.
IAM Lifecycle - Create
Establishing the requested identity or access.
Details:
Automated via APIs or manual actions by admins.
Ensures proper roles and permissions are assigned.
IAM Lifecycle - Delete
Removal of an identity or access.
Details:
Revocation of credentials and permissions.
Automatic and manual methods.
Ensures deprovisioning to prevent unauthorized use.
Cloud Provider Identity Services
Table 4-1 lists some examples of identity services to authenticate your cloud administrators with cloud provider services.
Business-to-Consumer and Business-to-Employee
Identity Management Needs: Organizations need to manage identities for both employees and external customers when accessing cloud services.
Self-Managed Identity Pitfalls: Creating a customer identity management system in a database can lead to poor user experiences and security risks.
Better Options for Identity Management:
Existing Identity Services:
Options include internal identity services for employees or third-party services like Facebook, Google, or LinkedIn.
Requires trust in the identity service for user authentication and may reveal associations to users.
Application-Specific Customer Identities:
Use cloud services for managing customer identities.
While users have another credential, the organization does not need to verify it.
ID Management Systems
Table 4-2 lists some examples from major cloud infrastructure providers as well as third-party providers.
Multi-Factor Authentication (MFA)
Combines:
Something you know (Password).
Something you have (Mobile).
Something you are (Biometrics).
Benefits:
Increases security.
Reduces reliance on passwords alone.
Federated Identity
Linking identities across systems.
Example:
Google account login for third-party apps.
Benefits:
Reduces need for multiple accounts.
Improves user experience.
Single Sign-On (SSO)
One login for multiple systems.
Process:
Centralized Identity Provider (IdP) authenticates users.
Benefits:
Enhances user convenience.
Limits credential exposure.
Instance Metadata and Identity Documents
Automation Identity Assumption: Automation programs are presumed to have assigned identities and methods to prove them.
Creating Credentials: The traditional approach involves creating a username and password for the system.
Cloud Environment Methods:
Processes can contact a known endpoint to retrieve metadata and prove system identity using cryptographically signed documents.
However, any process can request this metadata, raising security concerns.
Security Concerns:
Low-privileged processes can potentially impersonate the system; thus, trust levels must be managed.
In container environments, blocking containers from accessing the metadata service is essential.
Instance Metadata and Identity Documents
Standardization Need:
The lack of a standard format for identity documents complicates trust and authentication.
SPIFFE: A proposed standard for workloads (containers, virtual machines) to authenticate with other services.
SPIRE: Reference implementation of SPIFFE, not yet widely adopted.
Shift from API Keys:
A transition from static API keys to identity documents is anticipated, promoting dynamic trust based on valid credentials.
Secrets Management:
Utilizing identity documents can reduce the need for intense secrets management, allowing on-demand access to secrets.
Despite the potential of identity documents, many resources do not currently support them, necessitating continued secrets management practices.
Centralized Authorization
Consolidates permissions into a single system.
Key Components:
Policy Decision Point (PDP): Makes the access decisions.
Policy Enforcement Point (PEP): Enforces decisions.
Reduces scattered access records.
IAM in Cloud Environments
Challenges:
All access is remote.
Persistent tokens may bypass login restrictions.
Solutions:
Automated offboarding.
Centralized IAM services by cloud providers.
Managing Secrets
What are Secrets?
Credentials (passwords, tokens, etc.) for system-to-system authentication.
Principles:
Encrypt at rest and in transit.
Regularly rotate secrets.
Tools for Secrets Management
Options:
Ansible Vault, HashiCorp Vault, AWS Secrets Manager.
Benefits:
Secure storage.
Audit logs for access and changes.
Roles and Groups
Roles: Define permissions for tasks.
Groups: Collections of entities.
Example:
Admin role allows creating/deleting VMs.
Groups simplify user management.
IAM for Applications
Centralized Identity Management:
Unified access across apps.
Challenges:
Legacy systems integration.
Maintaining secure APIs and credentials.
IAM for Automation
Identity for non-human entities (e.g., apps, VMs).
Use of instance metadata and identity documents.
Standards like SPIFFE streamline automation identity.
Revalidation of Access
What is Revalidation?
Periodic review of granted permissions.
Types:
Positive Confirmation: Explicit approval needed.
Negative Confirmation: Retain unless revoked.
Importance of Least Privilege
Definition: Grant only necessary access.
Implementation:
"Deny by default" policies.
Regular audits of permissions.
Reduces risk of data breaches.
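The centralized authorization model (PDP and PEP), roles and groups, and "deny by default" from the slides above, carried through as an added Python example that is not part of the lecture; the role names, group names and permissions are constructed sample data:

```python
from dataclasses import dataclass, field

# Constructed sample data: role -> set of (action, resource type) it grants.
ROLES = {
    "vm-admin": {("create", "vm"), ("delete", "vm"), ("read", "vm")},
    "vm-viewer": {("read", "vm")},
    "secrets-reader": {("read", "secret")},
}
# Constructed sample data: group -> roles every member receives.
GROUPS = {"ops": {"vm-admin", "secrets-reader"}, "support": {"vm-viewer"}}


@dataclass
class PolicyDecisionPoint:
    """Single place that holds policy and answers yes/no for a request."""
    roles: dict = field(default_factory=lambda: dict(ROLES))
    groups: dict = field(default_factory=lambda: dict(GROUPS))
    membership: dict = field(default_factory=dict)  # user -> set of groups

    def add_member(self, user, group):
        if group not in self.groups:
            raise ValueError(f"unknown group {group!r}")
        self.membership.setdefault(user, set()).add(group)

    def effective_roles(self, user):
        # Permissions reach a user only through group membership.
        return {r for g in self.membership.get(user, ()) for r in self.groups[g]}

    def decide(self, user, action, resource_type):
        # Deny by default: True only if some effective role grants the pair.
        return any((action, resource_type) in self.roles[r]
                   for r in self.effective_roles(user))


class PolicyEnforcementPoint:
    """Sits in front of the resource; never acts without a PDP decision."""

    def __init__(self, pdp):
        self.pdp = pdp
        self.audit = []  # (user, action, resource_type, allowed) for every call

    def perform(self, user, action, resource_type, handler):
        allowed = self.pdp.decide(user, action, resource_type)
        self.audit.append((user, action, resource_type, allowed))
        if not allowed:
            raise PermissionError(f"{user} may not {action} {resource_type}")
        return handler()
```

Because every decision, allowed or denied, lands in the PEP's audit list, the same structure gives the access record that a regular permissions review needs.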
IAM Implementation Challenges
Complexities:
Integrating with existing systems.
Maintaining compliance with regulations.
Solutions:
Use IDaaS (Identity as a Service) tools.
Regular IAM audits.
IAM Tools and Technologies
IAM Tools:
Directory Services (LDAP, Azure AD).
Authentication Protocols (SAML, OIDC).
Cloud IAM solutions (AWS, Azure, Google).
Security Best Practices in IAM
Enable Multi-Factor Authentication.
Regularly review access permissions.
Enforce strong password policies.
Use automated deprovisioning for offboarding.
IAM for Cloud vs. On-Premises
Differences:
Cloud: All access is remote, needs robust offboarding.
On-Premises: Physical security adds an extra layer.
Common Practices:
Use federated identities.
Employ centralized authorization systems.
IAM in Action - Example
Scenario: Employee joins, requests access to an internal tool.
Steps:
Request sent by manager.
Approved by HR and IT.
Account created with restricted permissions.
Revalidated quarterly.
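The joiner scenario above carried through the IAM lifecycle (request, approval, creation, revalidation, deletion), as an added Python example that is not part of the lecture; the names, the two required approver roles, the positive-confirmation revalidation and the 90-day period are assumptions:

```python
REVALIDATION_PERIOD_DAYS = 90  # "quarterly"; days are counted from account creation


class AccessRequest:
    """One identity/access request moving through the IAM lifecycle."""
    REQUIRED_APPROVERS = {"hr", "it"}  # assumption: both must approve

    def __init__(self, subject, requester, resource, permissions):
        self.subject, self.requester, self.resource = subject, requester, resource
        self.permissions = set(permissions)
        self.approvals = {}   # approver role -> approver identity
        self.state = "requested"
        self.last_confirmed = None

    def approve(self, approver, approver_role):
        if self.state != "requested":
            raise ValueError(f"cannot approve in state {self.state!r}")
        if approver == self.requester:
            # Separation of duties: nobody approves their own request.
            raise PermissionError("requester may not approve own request")
        if approver_role not in self.REQUIRED_APPROVERS:
            raise ValueError(f"{approver_role!r} is not a required approver")
        self.approvals[approver_role] = approver
        if set(self.approvals) == self.REQUIRED_APPROVERS:
            self.state = "approved"

    def create(self, day, allowed_permissions):
        if self.state != "approved":
            raise ValueError("creation requires every required approval")
        # Least privilege: keep only what the resource owner permits.
        self.permissions &= set(allowed_permissions)
        self.state, self.last_confirmed = "active", day

    def revalidate(self, day, confirmed):
        # Positive confirmation: access lapses unless explicitly re-approved
        # within the period; a confirmation restarts the clock.
        if self.state != "active":
            return self.state
        if confirmed:
            self.last_confirmed = day
        elif day - self.last_confirmed > REVALIDATION_PERIOD_DAYS:
            self.delete()
        return self.state

    def delete(self):
        # Deprovisioning revokes permissions too, not just the account.
        self.permissions.clear()
        self.approvals.clear()
        self.state = "deleted"
```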