As businesses transition from on-premises infrastructure to cloud-based solutions, managing digital identities and access to resources presents new challenges. Organisations must now monitor and manage not only their internal users and services, but also external sources interacting with their environment, while ensuring varying levels of access are properly controlled. This is where Identity and Access Management (IAM) comes into play. IAM is a crucial component of cloud security that enables businesses to oversee digital identities such as users and services, as well as control their level of access to cloud resources.
IAM frameworks rely on the Authentication, Authorisation, and Accounting (AAA) model to establish effective access control. This model serves as a foundation for IAM, ensuring that the appropriate individuals or entities are authenticated and authorised, and that their activities are tracked. This article illustrates how the IAM framework and the AAA model's three components - authentication, authorisation, and accounting - function collectively in a cloud environment.

During the authentication step, the IAM framework verifies that the digital identity of a user or service, which is typically represented by a cloud-based account or workload, matches the environment's records. The authorisation step follows this, determining what the confirmed identity can access within the environment. In cloud environments, this step often employs mechanisms such as Role-Based Access Control (RBAC) to assign permissions to users and services. IAM roles contain a predefined set of permissions that can be assigned to any user or service account based on their function and objectives, for eg. Finally, the accounting step monitors environment activity, keeping track of identity sessions and the resources they accessed. This process not only allows organisations to effectively restrict an identity's permissions but also generates an audit trail for security-related assessment.
IAM workflows are deeply ingrained into every aspect of an organisation's environment, making it crucial to know how to approach them efficiently. In the following section, we will examine best practices that businesses can adopt at each layer of the AAA model to enhance their IAM systems and thereby strengthen each layer of their infrastructure.
Considering Identities as Novel Boundaries

The distinction between an organisation's managed network and external networks, such as the public internet, becomes more intricate in cloud environments compared to on-premise setups. Cloud infrastructure is continuously evolving to facilitate modern applications, leading to an extensive range of entry points that organisations must consider. Moreover, control plane APIs responsible for managing cloud infrastructure are readily accessible to any user with the appropriate credentials, which contributes to the fluidity of these boundaries. Consequently, the borders of cloud networks are less distinct than those of traditional on-premise networks.
While inventorying critical entry points like public-facing web servers can aid in establishing a secure boundary around a cloud environment, it may not provide complete resource protection. Organisations are increasingly bridging these gaps by treating identities as a new form of boundary. This entails shifting their emphasis towards monitoring the identity of who or what is accessing an environment, rather than solely tracking the source of the traffic.
Regularly auditing an organisation's identities is crucial to visualise the boundaries of their environment accurately and improve its security. Orphaned user accounts, for instance, are a prevalent form of identity that exposes an environment to attack. These identities usually belong to third-party contractors or ex-employees and pose a significant risk. In addition, identities for applications, services, and resources that run indefinitely in the background or leverage long-lived credentials can also be vulnerable to attack. Due to their specific roles, these identities are less likely to be monitored and may not comply with the organisation's current security protocols, which makes them easy targets for threat actors to exploit.
After organisations have obtained a comprehensive understanding of the identities that interact with their environments, they can then concentrate on securing them, which we'll explore in the following section.
Implement robust passwords and multi-factor authentication methods for user accounts

As identities are considered a boundary, organisations need to prioritise their authentication controls, which is the first component of the AAA model. As previously stated, the authentication step confirms that an identity seeking access to resources corresponds to an organisation's record of that identity.
Weak authentication controls leave identities and their associated accounts exposed to threats like account takeover.
Weak passwords are a significant security concern for user accounts, as they can easily be compromised by threat actors. Examples of weak passwords include using a single word, common combinations like "password123," or personal information like a name or street address.
Attackers can exploit these weaknesses through dictionary-based, phishing, or brute-force attacks, or by using publicly available, shared, or breached information to gain access to an account. To address this issue, organisations should enforce strong password policies that require users to create complex passwords and change them regularly. Additionally, implementing multi-factor authentication (MFA) adds an extra layer of security, as it requires users to provide an additional form of verification, such as a code sent to their phone or a biometric scan.
Hardware-based MFA tools, such as YubiKeys, offer a more secure form of multi-factor authentication by requiring a physical device to be present during login attempts. This eliminates the risk of SMS codes being intercepted or stolen. Organisations can also implement location-based authentication, which uses the geographic location of the user's device to verify their identity. By combining these methods with strong passwords and periodic expiration rules, organisations can significantly reduce the risk of account takeovers and other security breaches. These measures limit attacks on user accounts, but more steps need to be taken to ensure that an organisation's managed identities are also as secure as possible.
Service accounts are non-human accounts that are often used to allow applications, services, and other automated processes to interact with cloud environments. While they do not require the same level of access as human accounts, they can still provide an entry point for attackers if not properly secured.
Limit the use of static, long-lived credentials for service accounts
Digital authentication credentials, commonly known as secrets, are used by identities in cloud environments to securely access different parts of a system and data. However, due to the rapid scalability of cloud environments, organisations often resort to user-managed, hardcoded, or shared secrets for their services to prevent workflow interruptions. Unfortunately, in these scenarios, secrets are seldom updated and can be easily forgotten as the environment continues to expand.
Using static, long-lived credentials in cloud environments can significantly increase an organisation's attack surface. If these credentials are exposed, either accidentally or intentionally, they can be used by threat actors to gain access to other parts of the system. Such long-lived credentials are a common entry point for attackers looking to gain initial access to an environment.
By avoiding the use of static or shared credentials for identities, particularly those linked to services, organisations can achieve two main objectives. Firstly, it can minimise the time of exposure in the event of a data breach. When an exposed credential is set to expire, the likelihood of a threat actor exploiting it to gain access to an environment is reduced. Secondly, the use of unique credentials can restrict the actions that a threat actor can perform within a system, should they gain access.
Organisations can opt to use cloud provider identity management services, such as GKE Workload Identity or AWS IAM roles for EC2 instances, to replace static credentials. For example, GKE Workload Identity is designed to grant GKE-based service accounts access to Google Cloud services. By using this tool, organisations can map their Kubernetes service accounts to Google Cloud service accounts. This will ensure that the Kubernetes workloads associated with the accounts will have the appropriate access levels based on the assigned Google Cloud account. This approach allows organisations to take advantage of their provider's pre-built key management workflows. Workload Identity can also integrate with other cloud-based secret managers, which can help organisations to further reduce the number of static credentials in their environment.
A key part of identity management is developing controls that strengthen identities. The next step in the process involves organising them into logical groups as this serves as a link between managing these identities and their access level to the resources within an environment.
Organise identities into logical groups
The management of thousands of identities in cloud environments can create potential blindspots in terms of access to critical resources. To mitigate such risks, organisations can group identities based on their role or function. These logical groups enable organisations to globally assign permissions and comprise a collection of users.
The grouping of identities varies based on the structure of the organisation. The following diagram provides an example of how an organisation can group its users and services based on their roles:

In the diagram, identities are grouped based on their role and team. This method enables organisations to decide how to assign permissions to each group based on the resources they require access to.
Organising identities in this hierarchical manner can greatly aid in the management of permissions at a higher level. If an employee changes teams, their identity can be easily reassigned to the appropriate group, which automatically grants them the necessary level of access. Additionally, grouping identities in this way provides more contextual information on who is accessing a given resource, which is crucial for effectively monitoring audit and authentication logs.
Logical grouping of identities allows for efficient identity management, providing a foundation for managing different levels of access. In the next section, we will discuss how organisations can effectively manage and grant access to resources based on these groups.
Assign permissions based on zero-trust and least-privilege principles
After authenticating with an environment, an identity can access resources based on its level of permissions; this is the authorisation component of the AAA model. However, without an effective authorisation system, organisations run the risk of creating overly permissive policies for the users and services accessing their environments. This could lead to a situation where a threat actor takes over an account with elevated privileges, allowing them to access critical resources and data.
To prevent such scenarios, organisations must adopt a principle of least privilege and zero-trust mechanisms, assigning permissions as needed. These controls allow teams to systematically deploy the appropriate permissions at each level of their cloud infrastructure, including network infrastructure, endpoints, and data generation. This approach ensures that access to resources is granted on a need-to-know basis, minimising the risk of unauthorised access or privilege escalation.
Organisations can establish zero-trust and least privilege controls for IAM by taking into account certain factors when assigning access to a specific resource. These factors may include:

Identifying which identities should be granted access to the resource
Determining how the approved identity should access the resource and its associated data
Deciding when approved identities should be granted access to the resource
Establishing why these identities require access in the first place
Defining the specific data that the identities should be authorised to access
Specifying where the approved identities should be permitted to access the resource from
An effective way for organisations to implement authorisation controls is through role-based access control (RBAC) strategies, which can define who can access a resource, why they need access, and what data they are allowed to access. Additionally, organisations can implement internal VPNs as a means of connecting to resources, which is a crucial step in segmenting networks and ensuring proper access control.
RBAC is a widely adopted method for enforcing zero-trust and least-privilege controls in cloud environments. It allows organisations to group identities based on specific tasks or roles. For example, in the hierarchy example above, both engineering teams A and B require access to the DB1 resource, but only Team B needs to modify it. By assigning Team A a role with read permissions and Team B a role with write or edit permissions, both teams have the necessary level of access to fulfil their job responsibilities.
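The group-to-role-to-resource chain described above and in the grouping section, as an added illustration that is not the article's own code: Team A and Team B are groups bound to roles on DB1, every request is denied unless a binding explicitly grants it, and a "where" condition (approved source network) shows one of the zero-trust factors listed earlier. All identities, group names, roles and networks are constructed for the example.

```python
"""Group-based RBAC evaluator with deny-by-default (constructed example)."""
from ipaddress import ip_address, ip_network

# Constructed example data: which identities belong to which group.
GROUP_MEMBERS = {
    "eng-team-a": {"alice", "svc-reporting"},
    "eng-team-b": {"bob"},
}
# Roles are named permission sets; the editor role includes read.
ROLE_PERMISSIONS = {
    "db-reader": {"db:read"},
    "db-editor": {"db:read", "db:write"},
}
# Bindings: (group, role, resource, networks the access may come from).
BINDINGS = [
    ("eng-team-a", "db-reader", "DB1", ["10.0.0.0/8"]),
    ("eng-team-b", "db-editor", "DB1", ["10.0.0.0/8"]),
]


def groups_of(identity):
    """All groups an identity is a member of (empty set if unknown)."""
    return {g for g, members in GROUP_MEMBERS.items() if identity in members}


def is_allowed(identity, action, resource, source_ip):
    """Return True only if some binding explicitly grants the request.

    Unknown identities, unbound resources, actions outside the role and
    requests from outside the approved networks all fall through to deny.
    """
    addr = ip_address(source_ip)
    for group, role, bound_resource, networks in BINDINGS:
        if group not in groups_of(identity) or bound_resource != resource:
            continue
        if action not in ROLE_PERMISSIONS[role]:
            continue
        if any(addr in ip_network(n) for n in networks):
            return True
    return False  # deny by default


def move_identity(identity, from_group, to_group):
    """An employee changes teams: permissions follow the group, not the user."""
    GROUP_MEMBERS[from_group].discard(identity)
    GROUP_MEMBERS[to_group].add(identity)


if __name__ == "__main__":
    print(is_allowed("alice", "db:read", "DB1", "10.1.2.3"))    # True
    print(is_allowed("alice", "db:write", "DB1", "10.1.2.3"))   # False
    print(is_allowed("bob", "db:write", "DB1", "10.1.2.3"))     # True
    print(is_allowed("bob", "db:write", "DB1", "203.0.113.9"))  # False, off-network
    move_identity("alice", "eng-team-a", "eng-team-b")
    print(is_allowed("alice", "db:write", "DB1", "10.1.2.3"))   # True after the move
```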
Managing the numerous permissions and permission sets that continuously evolve in cloud environments can be as challenging as managing a large volume of identities. Regular auditing of all components is necessary to prevent identities from having overly permissive access levels. This leads to the final step of the AAA model: accounting. In the next section, we discuss how organisations can use their logs to ensure proper monitoring of IAM activity.
Monitor IAM activity using logs & traces
In order to ensure that an organisation's identity and access management system is functioning effectively, it is important to have a robust accounting process in place. This step integrates data from the authentication and authorisation controls to provide a comprehensive view of resource access, including details such as the identity of the user, the time and date of access, the method of access, and the purpose of the access. Cloud environments generate a large amount of telemetry data, making logs a valuable tool for monitoring user activity and identifying potential security threats.
Logs & Traces provide crucial information about user activity in cloud environments, which is important for monitoring and auditing purposes. This can be seen in the following log screenshot.

Implementing a centralised logging tool can assist organisations in aggregating logs from all their cloud environments. However, to efficiently detect security threats, organisations can supplement their log monitoring by utilising Cloud SIEM platforms. These tools use automated methods to flag potentially suspicious activity from the massive number of logs generated by a cloud environment in a short time. For instance, Datadog's Cloud SIEM Investigator allows organisations to visualise the entire trajectory of an identity, starting from the moment it authenticates with the environment, which simplifies the task of tracking down a potential threat.

By leveraging centralised logging and Cloud SIEM tools, organisations can establish monitoring workflows that are focused on identities. This approach helps to protect the perimeters of cloud environments and verify the effectiveness of their IAM controls. With identity-centric monitoring, organisations can detect and respond to security threats in a more efficient and targeted way, because such monitoring allows for the identification of anomalous user behaviour, such as unusual login activity, excessive permission requests, and policy retrievals. In this way, identity-centric monitoring provides organisations with a powerful defence against potential security breaches.
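The identity-centric review described above, as an added example that is not the article's code and not any provider's or SIEM's actual log format: a handful of constructed audit events are grouped per identity and the three signals named in the paragraph are flagged, a login from a country the identity has not used before, a burst of denied requests, and retrieval of IAM policies. The event fields, action names and threshold are all assumptions made for the example.

```python
"""Per-identity review of constructed audit events."""
from collections import defaultdict

# Constructed sample events, oldest first. Field names are hypothetical.
EVENTS = [
    {"ts": 1, "identity": "alice", "action": "Login", "country": "DE", "result": "ALLOW"},
    {"ts": 2, "identity": "alice", "action": "db:read", "country": "DE", "result": "ALLOW"},
    {"ts": 3, "identity": "svc-reporting", "action": "Login", "country": "DE", "result": "ALLOW"},
    {"ts": 4, "identity": "svc-reporting", "action": "iam:GetPolicy", "country": "DE", "result": "ALLOW"},
    {"ts": 5, "identity": "alice", "action": "Login", "country": "BR", "result": "ALLOW"},
    {"ts": 6, "identity": "alice", "action": "db:write", "country": "BR", "result": "DENY"},
    {"ts": 7, "identity": "alice", "action": "db:delete", "country": "BR", "result": "DENY"},
    {"ts": 8, "identity": "alice", "action": "iam:ListPolicies", "country": "BR", "result": "DENY"},
]

DENY_THRESHOLD = 3  # assumed: this many denials for one identity is a finding
POLICY_ACTIONS = {"iam:GetPolicy", "iam:ListPolicies"}  # hypothetical action names


def review(events):
    """Walk events in time order and return (identity, finding) tuples.

    State is kept per identity, so the same behaviour from two identities is
    judged separately. The first login of an identity only seeds its baseline;
    in practice the baseline would come from historical logs, not the batch.
    """
    findings = []
    seen_countries = defaultdict(set)
    denies = defaultdict(int)
    for e in sorted(events, key=lambda x: x["ts"]):
        who = e["identity"]
        if e["action"] == "Login":
            if seen_countries[who] and e["country"] not in seen_countries[who]:
                findings.append((who, f"login from new country {e['country']}"))
            seen_countries[who].add(e["country"])
        if e["result"] == "DENY":
            denies[who] += 1
            if denies[who] == DENY_THRESHOLD:  # report once, when the burst is reached
                findings.append((who, f"{DENY_THRESHOLD} denied requests"))
        if e["action"] in POLICY_ACTIONS:  # flagged whether or not it succeeded
            findings.append((who, f"policy retrieval {e['action']}"))
    return findings


if __name__ == "__main__":
    for identity, finding in review(EVENTS):
        print(f"{identity}: {finding}")
```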
Craft a Robust IAM Strategy with Atsky
This article underscores the critical role of Identity and Access Management (IAM) in forming a thorough security strategy within an organisation. By embracing the AAA model (Authentication, Authorisation, and Accounting), you can establish a robust IAM framework that validates identities and equips them with the appropriate permissions. By maintaining a vigilant observation of IAM activities, you're empowered to spot potentially malicious events as well as recognise patterns from authorised users.
From our experience we know that security, quality and observability come at a price, both capex and opex. In growing companies, improving these aspects requires constant review and updating, because as the potential loss increases, one needs to strengthen one's guarantees. Companies that have just succeeded on the market in particular often have a large security gap (as they were focused on delivering business value) that can pose a threat to the business. At Atsky we know how to close it gradually without harming a dynamically changing environment.
For more insights into logging and security offerings, and to understand how you can leverage the power of Datadog for enhanced observability, don't hesitate to reach out to Atsky. Our team of experts is ready to assist you in fortifying your security posture and simplifying your observability journey with Datadog. Contact Atsky today for a stronger, more secure tomorrow!