Best Practices for Cloud Identity and Access Management

In a world of cloud-based users and devices accessing public cloud-based services, the relevance of the legacy enterprise perimeter declines. Identity is the new perimeter. Specifically, the identities of users, administrators, devices, workloads, services, APIs and containers become key to establishing policies and monitoring security and compliance. The built-in IAM capabilities of the cloud providers are the foundation for this.

6 Cloud IAM Best Practices

1. Federate to Enterprise and/or Cloud Identity Providers for User Authentication

There is no need to create a separate island of authentication for the cloud. Authentication via single sign-on (SSO) and identity federation via SAML give users a consistent identity across clouds; ideally the federation also exchanges attribute information, which provides additional granularity when setting permissions.

2. Use Identity as a Perimeter by Using Accounts to Segregate Business Units

IaaS/PaaS provider infrastructure is designed to be multitenant to keep one tenant strongly isolated from another. Use this to your advantage by having different groups use different IaaS account structures. In the event one group experiences an attack or outage, it won’t affect other accounts, improving overall resilience. Leading IaaS providers support this with consolidated billing and the use of read-only accounts for security.

3. Require Strong Authentication For All Cloud Access

In no case should a login to a cloud service or access to a cloud-based API be enabled based solely on a username and password. Stronger authentication should be considered mandatory, and the leading cloud providers offer this capability built in. Ideally, an enterprise privileged access management system would be used for tighter visibility and control of administrative access.

4. Use Granular Permissions and Use IAM Roles

Other than for initial setup, no all-powerful administrative accounts should be used. Fine-grained permissions should be used both to reduce the scope of capabilities of a specific user and to meet the separation-of-duties requirements of auditors and regulators. Further, cloud security can be greatly simplified through standardized IAM roles, and their use should be mandatory.

5. Evaluate Permissions Granted Versus Those Used

Continuously monitor the permissions actually used at runtime by all IAM principals (users, network, storage and so on) against the permissions that were initially provisioned, and report the difference to administrators for review. This is done to proactively trim permissions and reduce the attack surface.
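As an added illustration of this granted-versus-used review (not code from the original article), the following Python compares a constructed AWS-style IAM policy against a constructed list of actions observed at runtime, lists the grants that were never exercised, and proposes a trimmed policy in which wildcard grants are narrowed to the actions actually seen. The policy document and the observed actions are sample data; a real review would take them from the provider's IAM and audit-log services.

```python
import fnmatch

# Constructed sample: an AWS-style IAM policy as provisioned for a deployment role.
PROVISIONED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket"],
         "Resource": "arn:aws:s3:::app-artifacts/*"},
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
    ],
}

# Constructed sample: actions the same role was actually observed calling at runtime
# (the kind of data an audit trail or access-advisor report yields over a review window).
OBSERVED_ACTIONS = ["s3:GetObject", "s3:PutObject", "ec2:DescribeInstances", "ec2:StartInstances"]


def _as_list(actions):
    # IAM allows "Action" to be a single string or a list; normalise to a list.
    return [actions] if isinstance(actions, str) else list(actions)


def _matches(action, pattern):
    # IAM action names are case-insensitive and grants may use '*' wildcards (e.g. "ec2:*").
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def unused_grants(policy, observed):
    """Granted action patterns that no observed action ever matched: candidates for removal."""
    granted = {a for s in policy["Statement"] if s.get("Effect") == "Allow" for a in _as_list(s["Action"])}
    return sorted(pat for pat in granted if not any(_matches(o, pat) for o in observed))


def trimmed_policy(policy, observed):
    """Rewrite each Allow statement down to the concrete observed actions its patterns covered.
    A wildcard grant becomes the explicit actions actually seen; an Allow statement whose
    grants were never exercised is dropped. Deny statements are kept untouched."""
    statements = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            statements.append(stmt)
            continue
        kept = sorted({o for o in observed if any(_matches(o, p) for p in _as_list(stmt["Action"]))})
        if kept:
            statements.append({**stmt, "Action": kept})
    return {**policy, "Statement": statements}


if __name__ == "__main__":
    print("Unused grants:", unused_grants(PROVISIONED_POLICY, OBSERVED_ACTIONS))
    print("Proposed policy:", trimmed_policy(PROVISIONED_POLICY, OBSERVED_ACTIONS))
```

The proposed policy is a review input for administrators, not something to apply blindly: an action that is legitimately needed but was not exercised during the observation window (a yearly rotation, a disaster-recovery path) would otherwise be removed.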

6. Expand the Scope of Your IAM Program

Many entities other than users in public cloud IAM will be security principals as well (meaning they have rights defined in the cloud provider’s IAM system). All VMs, containers, serverless functions, APIs, etc., in cloud-native applications will need an identity and associated permissions defined. Your IAM program must embrace this.

Gartner recommends minimizing time to value and required effort for IAM initiatives by focusing on people and processes before selecting technologies, and establishing and developing a successful IAM program by aligning IAM practices with the operational and business needs of stakeholders across and outside the organization and its ecosystem.

Gartner also recommends engaging certified cloud partners early in your cloud planning process, so that loopholes are identified and closed early rather than turning into a disaster later.
