When a company operates in the cloud, effective cloud user management is essential. Employees have access to IT resources at their fingertips, and this can create security and cost issues if access isn’t controlled. However, cloud user management can be incredibly complicated—especially when companies operate in multi-cloud environments and use different management tools for each cloud.
At the same time, making sure employees have access to the resources they need to do their jobs is key for productivity, innovation, and profit. But you don’t want to give employees access to more resources than they need or for which they lack the know-how to use them securely. And you certainly don’t want to give unauthorized parties access to your digital assets.
Consequently, cloud user management is a fine balancing act between applying the right policies, setting permission boundaries, and denying access to anybody for whom access rights are not enabled. Fortunately, cloud service providers make granular cloud management tools available to help manage user permissions. These vary in their capabilities and ease of use.
AWS Identity & Access Management
AWS’s Identity & Access Management (IAM) is arguably the most granular cloud user management tool. There are four types of identity- or resource-based policies that govern who can access resources, what they can do with them, and how long they can access them. You can apply permission boundaries, session policies, and control access to resources via tags.
To help navigate the wealth of options, AWS provides an IAM Access Analyzer tool that analyzes public and cross-account access. The tool uses automated reasoning to determine all possible access paths to help identify unintended access and continuously monitors policies and permissions to help administrators better understand potential security implications.
Azure Role-Based & Attribute-Based Access Controls
Azure´s Role-Based Access Controls (RBAC) work by assigning users Azure Roles. Each role consists of a security principle (i.e., user, group, managed identity, etc.), a role definition (i.e., permissions to read, write, delete, etc.), and a scope (i.e., management group, resource group, resource, etc.). There are more than 140 built-in Azure Roles, and you can create custom roles.
In May 2021, Azure announced Attribute-Based Access Controls (ABAC), which add a further level of granularity to cloud user management. Attribute-Based Access Controls enable administrators to apply conditions to Azure Roles so that (for example) an employee with a resource group scope can be granted access to specific resources within the resource group but not others.
Google Cloud Identity & Access Management
Google Cloud´s Identity & Access Management (IAM) is a hybrid of AWS’ IAM tool and Azure’s attribute-based access controls, as employees are assigned roles (Basic, Predefined, or Custom) to which policies that grant permissions and determine employee access levels are assigned.
Like AWS, Google Cloud also has a tool that can make “Smart Access” control recommendations, allowing administrators to modify over-permissive access. Google Cloud recently launched a BeyondCorp Enterprise service that enables administrators to configure access policies based on user identity, device health, and threat and data protection intelligence.
Alibaba Cloud Resource Access Management
Alibaba Cloud’s Resource Access Management (RAM) is a scaled-down version of Azure’s Role-Based Access Controls—although no less granular. Administrators create RAM users, RAM groups, and RAM roles and assign them access rights via built-in or custom policies. Each policy can contain hundreds of permissions.
While Alibaba Cloud’s RAM service simplifies cloud user management, not all services can be managed through API calls. For example, if you want to create, amend, or delete a user’s access via the CloudSSO service, you must use the Alibaba Cloud Management Console.
How to Reduce Cloud User Management Complexity in Advance
Retrospectively managing user access for new deployments is often a complicated process due to the large number of possible policies and permission options available for each cloud provider. However, if you integrate policies and permissions into the development process prior to deployment, you can reduce cloud management complexity in advance. This is an easy process when you take advantage of Quali´s Environments-as-a-Service capabilities.
Torque (public cloud deployments) and CloudShell (on-prem and hybrid deployments) enable developers to self-provision test environments in minutes from a catalog of pre-approved components based on RBAC permissions and orchestration logic. The platforms remove the barriers that create development bottlenecks while reducing the cloud user management overhead.