Cloud IAM Governance - Overview

Within the InsightCloudSec platform, the Cloud IAM Governance functionality is available through IAM-related Query Filters, Insights, Principal Activity (for AWS & Azure), detailed views through the Principal Explorer through our Resources page and the Identity Analysis feature.This page offers a high-level overview of IAM features to help existing and potential customers understand the capabilities available.

If you have questions about our IAM support reach out to your CSM or to our support through any of the options identified on the Getting Support Page.

What Is Identity and Access Management?

In the wider technical space, Identity and Access Management (IAM) is defined as "the tools and processes used to govern the privileges a user, role, or group has to access resources." In the traditional IT world, IAM may have previously been terminology meant to identify user access to files on a local network server, but as cloud adoption increases so has the use of IAM in the cloud. With cloud, organizations need visibility and management around who and what has access to a cloud resource. These challenges are what led us to create our Cloud IAM Governance capabilities.

To learn more about the value of IAM in cloud security, check out our white paper Gaining Control Over Cloud IAM Chaos.

What Problems Does InsightCloudSec IAM Governance Solve?

Cloud IAM Governance enables organizations to manage IAM challenges across the full scope of their cloud footprint.

In all clouds, security teams are challenged with identifying and eliminating risk as it relates to overly permissive or access pathways to key resources. Being able to identify unused permissions or risky permissions and pathways is key to reducing your cloud’s attack surface.

Understanding IAM Terminology

To better understand our IAM implementation and how some of the main components operate, check out some of the common terms and definitions:

  • Principal - A user, role, or group making a request for an action or operation on a resource. Federated users, IAM roles, and IAM users are all constructs that can be used to access cloud resources. We use principals to map the who to what and explains the how.
  • Resource - Any of the resource types that InsightCloudSec can harvest for AWS (S3 bucket, EC2 instance, etc.). Want to know which EC2 instances can access a critical S3 bucket, or which containers can access an SNS Topic? IAM allows you to view information at a resource-to-resource level.
  • Least Privileged Access - A principle that implies (in IAM terms) that a user should only have access to the permissions required for that person to perform their role or function. In InsightCloudSec, we can determine this from access patterns over a 90 day period to determine what someone uses regularly versus what permissions are unused and therefore likely not required for that person.
  • Risky Permission - A permission that if leveraged by an attacker could allow them to move laterally and/or inflict more damage than non-Risky permissions.
  • Application - A logical group of resources based on tagging or naming schemes. Your application and services are made up of cloud resources. Use your own tagging and naming scheme to group your resources to applications and then explore the other resources and principals that have access to those applications.
  • Federated User - Federated users rely on a single authentication ticket/token (often called single sign-on or SSO) to obtain access across numerous networks or IT systems (in this case cloud-based systems, services, and resources). A Federated user doesn't have to perform any other separate login processes. Federated identity is all about assigning the task of authentication to an external identity provider.
  • Effective Access - The net actions that a principal may perform on a resource taking into account the evaluation of relevant cloud IAM policies. The primary purpose of our IAM capabilities is to understand the relationship between principals, resources, and applications. Starting with any of these subjects users can explore access down to the principal -> resource level and understand the how and the why behind the access (Effective Access).
    • When starting with an Application, the context of the principals and resources is scoped to those associated with the application.

How Do We Handle IAM Governance?

InsightCloudSec harvests IAM policies from your cloud environment. InsightCloudSec performs an analysis of these policies, which establishes:

  • the connections between resources and principals
  • what permissions a role or resource has been granted
  • Which permissions are actually used
  • Analyzes and determines which ones are risky

What Does the Least-Privileged Access (LPA) Feature Offer?

Least-Privileged Access (LPA) is a feature built around the concept that a user should only have access to the minimum permissions required to perform their role or function.

In InsightCloudSec, the LPA feature collects and presents the actions executed by a given user or role within a given time period. These logged actions are collected and analyzed to provide administrators the ability to review access patterns over a 90 day period to determine what someone uses regularly versus what permissions are unused and therefore likely not required for that person.

Learn More about our support for LPA in detailed sections for the support Cloud Service Providers:

What is the Identity Analysis Feature?

Identity Analysis provides a unified location to view and explore principals and their associated details including cloud accounts, permissions, high-level Insight Summary details, and more.

  • Identify and prioritize cloud identity risk through key risk indicators like overly permissive access and privilege escalation.
  • Narrow the scope of your assessment with tools for search and filtering, and explore detailed information for individual principals.
  • Review permission usage summaries and remediation to take action on identified risks.

Learn more about it on the Identity Analysis docs page

What's Next?

If you have questions about using our IAM Governance capabilities or other InsightCloudSec features, we want to hear from you! Reach out to us through the Customer Support Portal.