I Hate IAM: but I need it desperately

April 17, 2023
Michele Chubirka

Staff Cloud Security Advocate, Google

Max Saltonstall

Developer Advocate

While identity brings headaches it can also enable much stronger policies for securing your cloud infrastructure.

While technology organizations seem to be in agreement regarding the necessity of well-structured Identity and Access Management (IAM) for securing their cloud deployments, they’re often ill-prepared for the level of effort required. 

Putting your house in order is hard: think of IAM as the blueprint for building a solid cloud house. You need a good structure, with room for all the necessary and desired elements, or the house will be unstable. Management of identities and their related access to resources and applications is foundational for minimizing risk in your cloud environment. The problem is how challenging identity and access control can be to administer. 

First there’s the issue of ownership. No one really agrees where IAM belongs in an IT organization. 

Is it a security control or a necessary component for managing the infrastructure? 

Or should it be a collaborative effort between the teams that oversee each? 

Resolving this question is often fraught with politics, because the owner of IAM holds the keys to the cloud, making crucial decisions about who will have authority over the infrastructure. But once IAM becomes complex enough, it can also become organizationally radioactive: no one wants to own the inevitable cleanup that follows the role explosion a poorly planned IAM architecture produces. 

If access control represents the intersection of resource governance and identity management, IAM is essential to achieving the laudable goal of a zero trust architecture. Unfortunately, too often IAM is treated as a just-in-time effort, becoming a neglected trash heap that increases organizational risk. Attaining your zero trust goal means taking the time to build a comprehensive domain model that illustrates the business relationships in an organization, with an agreed taxonomy of roles.

Figure: IAM personas (image: https://storage.googleapis.com/gweb-cloudblog-publish/images/IAM_personas.max-1000x1000.png)

IAM shouldn’t be improvised; it must be designed. Cross-team collaboration in planning is required to develop an IAM architecture that reflects the structure of an organization, including separation of duties and least privilege, i.e., who is responsible for what in your cloud presence. 

In the meantime, what can you do to repair and evolve your existing IAM configuration as you move towards identity architecture bliss?

Google Cloud has tools for that!

Within the Policy Intelligence suite, there are various capabilities that can assist you in troubleshooting and optimizing your IAM configuration as you move towards your goal of least privilege. First, there’s IAM Policy Analyzer, which can help you identify how much access a principal (a user, service account, group, or domain) has in an account. By providing visibility into principals’ current access, it becomes easier to limit that access to only what is necessary. Alternatively, with IAM Policy Troubleshooter, you can easily determine why a principal’s access isn’t working, pinpointing the permissions needed for the role. Finally, by leveraging IAM Recommender, you can identify the excess permissions of principals, using the machine learning findings from Policy Insights, to understand how to better optimize your access control. 

Used together, these capabilities can support you in building a better identity foundation for your cloud infrastructure.

What should be your next steps towards taking your organization’s IAM to the next level? 

  1. Check out this tutorial that covers adding and revoking IAM roles. 

  2. Feeling more adventurous and want to investigate how well your IAM deployment meets a least privilege model? Follow this how-to video on using Policy Troubleshooter.  

  3. If you’re looking for more granularity in your IAM model, explore attribute-based access control (ABAC) using Google Cloud’s context and conditions. By using conditions or tags, such as time of day, port in use, or any key-value pair you want, you can reduce blast radius and heighten your access control approach. 

  4. Start using Google Cloud’s analysis and recommendation tools to take back some control over your IAM roles and principals. Use these capabilities to thoughtfully perform an identity spring cleaning, then re-evaluate your existing IAM lifecycle to identify how you can begin to improve your entitlement granting processes.
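The kind of review Policy Analyzer and IAM Recommender automate, and the conditional binding step 3 describes, as an added example that is not part of this post or of Google's tooling: a small Python script that walks a constructed project IAM policy (the JSON shape `gcloud projects get-iam-policy` returns), maps each principal to its roles, notes which bindings carry a condition, and flags the two findings a least-privilege pass looks for first. The principals, roles and the condition expression are constructed sample values.

```python
import json
from collections import defaultdict

# Constructed sample policy (not from the post) in the JSON shape returned by
# `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com", "group:cloud-admins@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:ci-builder@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["user:bob@example.com"],
     "condition": {"title": "business-hours",
                   "expression": "request.time.getHours('America/New_York') >= 9"}},
    {"role": "roles/viewer", "members": ["domain:example.com"]}
  ]
}
""")

# Basic roles grant far more than any single task needs; these principal forms
# grant access to everyone in a domain, or to anyone at all.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
BROAD_PRINCIPALS = ("domain:", "allUsers", "allAuthenticatedUsers")


def access_by_principal(policy):
    """Map each principal to (role, condition title or None) for every binding it is in."""
    access = defaultdict(list)
    for binding in policy.get("bindings", []):
        cond = binding.get("condition")
        for member in binding["members"]:
            access[member].append((binding["role"], cond["title"] if cond else None))
    return dict(access)


def findings(policy):
    """Return human-readable findings: basic roles and broad principals, binding by binding."""
    result = []
    for binding in policy.get("bindings", []):
        for member in binding["members"]:
            if binding["role"] in BASIC_ROLES:
                result.append(f"basic role {binding['role']} granted to {member}")
            if member.startswith(BROAD_PRINCIPALS):
                result.append(f"broad principal {member} holds {binding['role']}")
    return result


if __name__ == "__main__":
    for principal, roles in access_by_principal(SAMPLE_POLICY).items():
        print(principal, roles)
    print("\n".join(findings(SAMPLE_POLICY)))
```

Unconditional bindings to basic roles are the usual candidates for replacement with a predefined or custom role, which is exactly the change IAM Recommender proposes; a conditional binding like Bob's shows up in the output with its condition title so the reviewer can see the access is already scoped.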

Identity management doesn't have to be a headache.

Remember: we all find IAM painful and frustrating at times. But it's the key to unlocking trust, responsibility, and security in the cloud. 
