In this post, I will show you why IAM is critical and essential for compliance in the cloud.
Cloud adoption keeps growing in 2023, but with it comes great responsibility: compliance with international standards is a necessary part of every company's security program.
Becoming compliant with ISO 27001, SOC 2, PCI-DSS, or other frameworks shows that your organization cares about its cloud security posture and customer data.
IAM (Identity and Access Management) is the mechanism of ensuring that authentication, authorization and accounting are implemented in an organization’s infrastructure. From MFA to role-based access control to security policies, IAM is a comprehensive set of best practices and rules that is key to protecting a cloud environment.
In this article, we will understand what compliance standards say about IAM and how your cloud security teams should approach this topic.
ISO 27001 is a compliance standard intended for ISMSs (Information Security Management Systems) that describes best practices for information security.
In ISO 27001, various controls refer to IAM. A few examples are:
A.5.15 Access control
This control refers to all procedures implemented to ensure that only authorized entities can access the company's systems. A few best practices include:
- Implementing RBAC (Role-Based Access Control) to ensure compliance with The Principle of Least Privilege,
- Reviewing logs to check that no unauthorized access has been allowed in the cloud infrastructure,
- Enforcing Separation of Duties in the cloud environment.
A.5.16 Identity management
Managing user identities is an important aspect of cloud security posture. To achieve compliance with ISO 27001:2022, companies should ensure a smooth process of onboarding, provisioning, de-provisioning, and verification of users.
Features like MFA (Multi-factor authentication) should be enabled for all users in the cloud.
A.5.17 Authentication information
User secrets must be managed carefully: encrypt them in transit and protect them with industry-recommended algorithms.
Moreover, password policies cannot be neglected; passwords should have a minimum length of 14 characters and should include the following:
- at least one number,
- at least one symbol, and
- a mix of lowercase and uppercase characters.
Additionally, passwords should not be reused across platforms.
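The A.5.17 rules above can be enforced mechanically wherever passwords are set. The following checker is an added example, not code from the article: it encodes the article's values (14 characters, a digit, a symbol, mixed case) and adds a reuse check against a local history of password fingerprints; the `fingerprint` helper and the history set are constructed for the example.

```python
import hashlib
import re

# Policy values taken from the article's A.5.17 guidance.
MIN_LENGTH = 14


def fingerprint(password):
    """Hash used only to compare against a local password-history set (constructed
    example; a production history store should use a salted, slow hash)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password, previous_fingerprints=frozenset()):
    """Return the list of policy rules a candidate password violates.

    An empty list means the password satisfies every rule: minimum length,
    at least one digit, at least one symbol, mixed case, and not previously used.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"\d", password):
        violations.append("no digit")
    # A symbol is anything that is not a letter, digit or whitespace.
    if not re.search(r"[^A-Za-z0-9\s]", password):
        violations.append("no symbol")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        violations.append("not mixed case")
    if fingerprint(password) in previous_fingerprints:
        violations.append("reused password")
    return violations


if __name__ == "__main__":
    # Constructed history containing one previously used password.
    history = {fingerprint("Tr0ub4dor&3xample!")}
    for candidate in ["password", "correcthorsebattery1!",
                      "Tr0ub4dor&3xample!", "N3w-Passphrase-2023"]:
        print(candidate, "->", check_password(candidate, history) or "OK")
```

In a cloud account the same rules are usually set once at account level rather than checked per login; in AWS, for instance, the IAM account password policy exposes a minimum length, character-class requirements and a reuse-prevention depth that map one-to-one onto the checks above.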
A.8.2 Privileged access rights
Privileged accounts, such as administrators, should be closely monitored. The consequences could be immense if such an account were to be compromised.
Regularly reviewing logs, limiting the number of permissions users have, and implementing PIM (Privileged Identity Management) to give users just-in-time access to resources are a few best practices that can be used to manage privileged access rights.
SOC 2 (Service and Organization Controls 2) is an international compliance standard that defines data security, processing integrity, availability, confidentiality, and privacy requirements for B2B organizations.
It has 64 Trust Service Criteria (TSC), against which organizations undergoing SOC 2 certification must define their controls.
Some examples of TSCs that tackle IAM are:
- Requires Additional Authentication or Credentials—Additional authentication information or credentials are required when accessing the system from outside its boundaries.
It is no surprise that SOC 2 also mandates the use of multi-factor authentication (MFA) to enhance the security of the authentication process. When authenticating users from outside the organization's network, SOC 2 requires an additional authentication factor, such as a token or biometric. This helps ensure that only authorized users can access the system and that their identities are properly verified before granting access.
Applying this condition to the cloud, all users should use MFA, since they connect remotely to access cloud resources.
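A practical way to evidence this criterion is to check an identity inventory for interactive users without a second factor. The script below is an added example (not part of the article): it parses a constructed sample in the column layout of an AWS IAM credential report and reports principals that can sign in to the console but have no MFA device. The account ID and user names are made up for the example.

```python
import csv
import io

# Constructed sample in the column layout of an AWS IAM credential report,
# trimmed to the first ten columns (the check only reads a few of them).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2021-01-05T10:00:00+00:00,not_supported,2023-03-01T08:00:00+00:00,not_supported,not_supported,false,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-02-10T12:00:00+00:00,true,2023-03-02T09:15:00+00:00,2023-01-10T12:00:00+00:00,N/A,true,true,2023-01-10T12:00:00+00:00
bob,arn:aws:iam::111122223333:user/bob,2022-05-20T08:30:00+00:00,true,2023-03-02T11:00:00+00:00,2022-05-20T08:30:00+00:00,N/A,false,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2022-07-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2022-07-01T00:00:00+00:00
"""


def users_without_mfa(report_csv):
    """Return the principals that can sign in interactively but have no MFA device.

    Console sign-in is possible when password_enabled is "true", and always for the
    root account, whose password_enabled field is reported as "not_supported".
    Access-key-only users (like ci-deploy) are deliberately not flagged: MFA does not
    protect API keys, so they need a separate control (key rotation, scoped policies).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        can_sign_in = row["password_enabled"] == "true" or row["user"] == "<root_account>"
        if can_sign_in and row["mfa_active"] != "true":
            findings.append(row["user"])
    return findings


if __name__ == "__main__":
    for user in users_without_mfa(SAMPLE_REPORT):
        print(f"MFA missing: {user}")
```

On a real account the report is produced with `aws iam generate-credential-report` and fetched with `aws iam get-credential-report` (the content is base64-encoded CSV); feed the decoded text to `users_without_mfa` and treat any non-empty result as a finding to fix before the audit.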
- Restricts Access to Information Assets—Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access control rules for information assets.
Using data classification to inform access to resources is an efficient way of implementing granular access control for the cloud.
By determining which data is sensitive and labeling it as such, access control policies can be applied for that label and therefore target only the desired cloud assets. This feature is supported by cloud service providers such as AWS, Microsoft Azure, and GCP.
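To make the label-driven mechanism concrete, here is an added example (not the article's or any provider's code) of a small policy evaluator in a simplified IAM-like shape: statements match on action and resource, and their conditions read classification tags on the resource and clearance tags on the principal. The resources, tags, policy and the `evaluate` semantics (explicit deny wins, then any allow, else deny) are constructed for the example and cover only two condition operators.

```python
import re
from fnmatch import fnmatch

# Constructed resources, each labelled with a classification tag.
RESOURCES = {
    "arn:aws:s3:::marketing-site/index.html": {"DataClassification": "public"},
    "arn:aws:s3:::finance-reports/q1.pdf": {"DataClassification": "confidential"},
    "arn:aws:s3:::cardholder-data/batch.csv": {"DataClassification": "restricted"},
}

# Constructed policy. Labels drive access: public data is readable by anyone,
# other data only by principals whose Clearance tag equals the resource's
# classification, and restricted data is explicitly denied to anyone not
# tagged as being in PCI scope.
POLICY = [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::*",
     "Condition": {"StringEquals": {"aws:ResourceTag/DataClassification": "public"}}},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::*",
     "Condition": {"StringEquals": {
         "aws:ResourceTag/DataClassification": "${aws:PrincipalTag/Clearance}"}}},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::*",
     "Condition": {"StringEquals": {"aws:ResourceTag/DataClassification": "restricted"},
                   "StringNotEquals": {"aws:PrincipalTag/PCIScope": "true"}}},
]


def _substitute(value, ctx):
    """Replace ${key} references with request-context values; an unresolvable
    reference is left as-is and therefore never matches anything."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), m.group(0)), value)


def condition_matches(condition, ctx):
    """True when every key of every operator in the condition block is satisfied."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            expected = _substitute(expected, ctx)
            if operator == "StringEquals":
                if actual is None or actual != expected:
                    return False
            elif operator == "StringNotEquals":
                # A negated operator is satisfied when the key is absent.
                if actual is not None and actual == expected:
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def evaluate(principal_tags, action, resource, policy=POLICY, resources=RESOURCES):
    """Return "allow" or "deny": an explicit Deny wins, then any Allow, else deny."""
    ctx = {f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()}
    ctx.update({f"aws:ResourceTag/{k}": v for k, v in resources.get(resource, {}).items()})
    decision = "deny"
    for stmt in policy:
        if not (fnmatch(action, stmt["Action"]) and fnmatch(resource, stmt["Resource"])):
            continue
        if not condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


if __name__ == "__main__":
    analyst = {"Clearance": "confidential"}
    pci_analyst = {"Clearance": "restricted", "PCIScope": "true"}
    for who, tags in [("analyst", analyst), ("pci-analyst", pci_analyst), ("intern", {})]:
        for arn in RESOURCES:
            print(f"{who:12} s3:GetObject {arn}: {evaluate(tags, 's3:GetObject', arn)}")
```

The point the evaluator makes is that the policy never names a bucket: adding a new bucket only requires tagging it correctly, and re-labelling data from `confidential` to `restricted` changes who can read it without touching any policy.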
- Uses Role-Based Access Controls—Role-based access control is utilized to support segregation of incompatible functions.
RBAC is an essential mechanism for controlling access to cloud resources, as it allows organizations to define different levels of access based on the roles and responsibilities of their users.
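Both the ISO 27001 A.5.15 bullets (RBAC, least privilege, separation of duties) and this SOC 2 criterion describe the same model, so one added example serves both; it is not code from the article or any cloud provider. The role catalogue, the conflicting-role pairs and the user assignments are constructed; `bob` is deliberately assigned two incompatible roles so that the separation-of-duties check has something to report.

```python
# Constructed role catalogue: each role carries only the permissions its job
# function needs (least privilege). A trailing ":*" grants every action of a service.
ROLES = {
    "billing-viewer": {"billing:read"},
    "payment-initiator": {"payments:create"},
    "payment-approver": {"payments:approve"},
    "iam-admin": {"iam:*"},
}

# Role pairs that no single identity may hold at once (separation of duties).
CONFLICTING_ROLES = [("payment-initiator", "payment-approver")]

# Constructed user-to-role assignments; bob's is deliberately non-compliant.
ASSIGNMENTS = {
    "alice": {"billing-viewer"},
    "bob": {"payment-initiator", "payment-approver"},
    "carol": {"payment-approver"},
    "dave": {"iam-admin"},
}


def effective_permissions(user, assignments=ASSIGNMENTS, roles=ROLES):
    """Union of the permissions of every role assigned to the user."""
    permissions = set()
    for role in assignments.get(user, set()):
        permissions |= roles[role]
    return permissions


def is_allowed(user, permission, assignments=ASSIGNMENTS, roles=ROLES):
    """Authorization decision: default deny unless some role grants the permission."""
    service = permission.split(":", 1)[0]
    for granted in effective_permissions(user, assignments, roles):
        if granted == permission or granted == f"{service}:*":
            return True
    return False


def sod_violations(assignments=ASSIGNMENTS, conflicts=CONFLICTING_ROLES):
    """List (user, role_a, role_b) for every identity holding two conflicting roles."""
    violations = []
    for user, held in sorted(assignments.items()):
        for role_a, role_b in conflicts:
            if role_a in held and role_b in held:
                violations.append((user, role_a, role_b))
    return violations


if __name__ == "__main__":
    print("alice may read billing:", is_allowed("alice", "billing:read"))
    print("alice may approve payments:", is_allowed("alice", "payments:approve"))
    print("dave may create IAM users:", is_allowed("dave", "iam:CreateUser"))
    for user, role_a, role_b in sod_violations():
        print(f"SoD violation: {user} holds both {role_a} and {role_b}")
```

Run `sod_violations()` as part of periodic access reviews: the output is exactly the evidence an auditor asks for under A.5.15, and an empty list is the state to maintain.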
PCI-DSS (Payment Card Industry Data Security Standard) governs how credit and debit card data should be managed. PCI-DSS contains controls that refer to the processing, storing, and transmission of customer card data.
This framework contains twelve requirements; we will focus on the IAM-related ones:
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Restrict access to cardholder data by business need to know.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
Five out of twelve requirements are related to IAM. This highlights the importance of access control and authentication.
Companies that store customer card data in the cloud must fulfill these conditions in their infrastructure.
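The PCI-DSS requirement to track and monitor all access, the ISO 27001 A.5.15 point about reviewing logs for unauthorized access, and the A.8.2 point about watching privileged accounts all come down to the same routine: read the audit trail and raise findings on a few event patterns. The review below is an added example, not the article's code; it runs over constructed events written in the shape of AWS CloudTrail records (reduced to the fields it reads), and the user names, bucket name and timestamps are made up.

```python
import json

# Constructed events in the shape of AWS CloudTrail records, reduced to the
# fields this review reads (one JSON object per line).
SAMPLE_LOG = """\
{"eventTime": "2023-03-02T09:15:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "additionalEventData": {"MFAUsed": "Yes"}}
{"eventTime": "2023-03-02T11:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "additionalEventData": {"MFAUsed": "No"}}
{"eventTime": "2023-03-02T11:05:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "errorCode": "AccessDenied", "requestParameters": {"bucketName": "cardholder-data"}}
{"eventTime": "2023-03-02T12:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "userIdentity": {"type": "Root"}, "requestParameters": {"userName": "temp-admin"}}
{"eventTime": "2023-03-02T12:30:00Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "userIdentity": {"type": "IAMUser", "userName": "dave"}, "requestParameters": {"userName": "bob", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}}
"""

# IAM API calls that change who can do what; each one deserves a reviewer's eye.
PRIVILEGE_CHANGE_EVENTS = {
    "CreateUser", "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy",
    "CreateAccessKey", "AddUserToGroup", "UpdateAssumeRolePolicy",
}


def parse_events(text):
    """Parse newline-delimited JSON records into dictionaries."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def actor(event):
    """Human-readable identity behind an event."""
    identity = event.get("userIdentity", {})
    if identity.get("type") == "Root":
        return "root"
    return identity.get("userName", identity.get("type", "unknown"))


def review_events(events):
    """Return (rule, actor, eventName) findings for the review rules below."""
    findings = []
    for event in events:
        who, name = actor(event), event.get("eventName", "")
        # The root account should not be used day to day; any activity is a finding.
        if who == "root":
            findings.append(("root-activity", who, name))
        # Console sign-in must carry a second factor.
        if name == "ConsoleLogin" and event.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append(("console-login-without-mfa", who, name))
        # Denied calls reveal identities reaching beyond their permissions (or mis-scoped roles).
        if event.get("errorCode") in ("AccessDenied", "UnauthorizedOperation"):
            findings.append(("access-denied", who, name))
        # Privilege changes are the events A.8.2 asks reviewers to watch.
        if event.get("eventSource") == "iam.amazonaws.com" and name in PRIVILEGE_CHANGE_EVENTS:
            findings.append(("iam-privilege-change", who, name))
    return findings


if __name__ == "__main__":
    for rule, who, name in review_events(parse_events(SAMPLE_LOG)):
        print(f"{rule:28} actor={who:6} event={name}")
```

Each finding type maps to a control: root activity and privilege changes belong in the privileged-access review, the MFA-less login is a SOC 2 gap, and the denied read on the cardholder bucket is exactly the "unauthorized access" signal that A.5.15 and PCI-DSS requirement 10 expect you to notice.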
A Final Word
After looking at ISO 27001, SOC 2, and PCI-DSS, we have seen how critical correctly implemented IAM best practices are in the cloud environment. A single wrong permission, weak password, or over-privileged role can lead to a data breach.
To become compliant with international standards, ensure that:
- you have MFA activated for all users,
- you’re using role-based access control policies,
- you enforce the usage of strong passwords and don’t use default secrets,
- you log and continuously monitor activity in the cloud, among other controls.