Maintaining a comprehensive inventory of all system identities and their associated access levels is critical for effective identity and access management in cloud environments. Organizations should store this information in a centralized database that maps identities to the assets they can access. Regularly reviewing and updating this identity inventory helps ensure that access rights are appropriate based on each user's current role and responsibilities.
Where did this come from?
This control comes from the CSA Cloud Controls Matrix v4.0.10 - 2023-09-26, which can be downloaded at https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4. The Cloud Controls Matrix (CCM) is a framework published by the Cloud Security Alliance to help organizations assess the security risks associated with cloud computing and implement appropriate security controls. For more information on identity and access management in AWS cloud environments, refer to the AWS IAM documentation at https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html.
Who should care?
- Cloud security architects responsible for designing secure IAM practices
- Cloud administrators with the need to provision and manage user access
- IT managers overseeing operations of cloud-based systems and applications
- Compliance officers ensuring adherence to security policies and regulations
What is the risk?
Without a well-maintained identity inventory, organizations face several risks:
- Unauthorized access to sensitive assets by ex-employees or users who have changed roles
- Excessive permissions that violate least privilege, enabling insider threats or increasing impact of compromised accounts
- Inability to identify the source of malicious activity and unauthorized access
- Challenges passing security audits and demonstrating compliance
While an identity inventory alone cannot fully prevent these adverse events, it is a foundational control that enables effective governance of access rights. Detecting and removing inappropriate access in a timely manner significantly reduces the window of risk.
What's the care factor?
Managing access sprawl is one of the biggest IAM challenges organizations face as they adopt cloud computing. The dynamic nature of cloud environments makes it all too easy for access rights to become excessive or remain provisioned long after they are no longer needed. A well-maintained identity inventory should be a top priority for any organization that is serious about securing its cloud environment and data. The care factor is high.
When is it relevant?
Maintaining an identity inventory is relevant for virtually any organization operating a cloud environment, regardless of size or industry. It is especially critical for:
- Organizations subject to regulations that mandate strict access controls (e.g., HIPAA, PCI-DSS, GDPR)
- Enterprises with complex cloud environments spanning multiple CSPs
- Businesses with high employee churn
- Organizations that rely heavily on third-party contractors and partners
The identity inventory may be less relevant during early stages of cloud adoption when access is limited. However, it's good practice to implement it from the start and scale the process as the environment grows.
What are the trade offs?
While an identity inventory is highly valuable, it does require an upfront and ongoing investment to implement properly:
- Effort to centralize identity data that may be fragmented across disparate systems
- Time required to regularly review and update the inventory
- Potential disruption to users if access needs to be modified
- Opportunity cost of focusing on IAM hygiene versus other security priorities
Organizations need to balance these costs against the risks of not maintaining tight control over access rights. Automating inventory management and access reviews can help reduce the burden.
How to make it happen?
- Choose an authoritative source of identity data: Decide where the identity inventory will be mastered (e.g., HR system, IDaaS provider, IGA tool).
- Integrate identity data: Use APIs or SCIM to pull identity data from connected systems into the authoritative source. Ensure user attributes like name, email, job role are populated.
- Correlate identities with cloud access: Map each identity to their associated cloud access rights. Use CSP tools like AWS IAM, Azure AD, or GCP IAM to pull in granular entitlement data.
- Enrich the inventory: Add metadata to help assess access appropriateness like user role, manager, employment status, and last access time. Leverage APIs or manual input.
- Establish access review processes: Define policies for how frequently entitlements should be reviewed and certified (e.g., quarterly for all users, monthly for privileged access). Use IGA tools or custom workflows to automate access review campaigns.
- Monitor and remediate: Regularly generate reports of dormant and potentially excessive access. Integrate with ticketing systems to track remediation tasks.
- Repeat: Re-run the correlation, enrichment, review, and remediation processes on a regular cadence. Adapt policies and workflows as needed based on effectiveness.
What are some gotchas?
- Inconsistent identity sources: Carefully evaluate which system should be authoritative so the inventory is complete and accurate. Avoid replicating identity data.
- Access provisioning delays: Retroactively updating inventory after access is provisioned can create blind spots. Integrate inventory updates into provisioning workflows.
- Permission boundaries: Clarify the scope of access to the identity inventory itself and establish strict controls. The permissions
iam:ListUsers
, iam:GetUser
, iam:ListAccessKeys
, organizations:ListAccounts
and others are required to pull AWS access data. - Cross-cloud challenges: Deploying an identity inventory cross-cloud environments requires careful planning to normalize identity and entitlement data models. Consider using a third-party IGA or PAM tool.
- Automation pitfalls: While automation is key to reducing toil, over-automating access revocation can disrupt legitimate work. Allow flexibility to skip reviews or apply compensating controls.
What are the alternatives?
Some alternatives to a centralized identity inventory include:
- Decentralized inventories managed within each cloud account or application
- Manually compiling access reports on-demand before audits
- Relying solely on detective controls like UEBA to identify risky access
However, these approaches sacrifice the continuous visibility and governance benefits that a unified inventory provides.
Explore further
?