Identity, access, and entitlement management (IAM) is an integral part of any cloud service provider's offering, and it is remarkable to see how the various cloud service providers (CSPs) continue to evolve their offerings, enriching them and making them more secure. As attack surfaces continue to expand, insight into digital identities matters more than ever. What follows is a brief overview of how three major CSPs are building their cloud-native IAM.
- The approach these providers have taken to building an IAM service is completely different from that of traditional IAM vendors; still, they all started by building the basics: user management, compliance, federation, directory sync and so on. Building an IAM product is a complex but lucrative business, and for CSPs it is more about building a frictionless user experience while using that interaction to secure their own cloud ecosystem.
- Managing secure identities in the cloud is the most vital part of any CSP's offering: the more mature the identity model, the more lucrative the whole cloud offering becomes. A provider gains better security insight by feeling the pulse of how a user interacts across various contexts and devices.
- Every CSP offers a distinct framework for users, resources and policies. A mature identity service is a competitive advantage as CSPs continue to fight over their share of the burgeoning cloud business.
- The data churned out by digital identities and their interactions with various services creates troves of data that gets fed into AI/ML systems, providing multi-faceted benefits for data science product development and improving overall security.
Microsoft no doubt has one of the most mature identity services, and it is commendable how it continues to evolve functionality while enriching and securing the entire ecosystem. Microsoft understood this early on and has always showcased Azure AD as the crown jewel of its services. The range of functionality provided is impressive, and the innovation Azure puts into it is significant in making its cloud offering more attractive than those of other vendors. Microsoft has kept its focus on building a robust and innovative IAM ecosystem while leveraging the Active Directory and ADFS product stack.
- The identity aspect of Microsoft's various acquisitions is that they bring in enormous numbers of identities, whether from GitHub, LinkedIn or, most recently, Activision Blizzard. These acquisitions give Azure significant insight into how those identities were managed, and into how to chart a course for integrating them with Azure AD and leveraging all of its underlying functionality.
- As far as user identities are concerned, the gaming world has a very different user set from LinkedIn or GitHub. Insight into this new user base, and into how to gradually absorb it into the larger ecosystem, will give Azure incredible technical experience compared to other CSPs.
- Within Azure, permissions can be scoped at the subscription level, which grants access to all resource groups beneath it. Azure's resource group model gives each group a unique scope, which helps reduce permission duplication.
- Features like Conditional Access and Identity Protection give organisations confidence and assurance about who can access what.
There is no doubt that Google, on a larger scale, has a bigger pool of identities through its own Google ecosystem, with billions of identities interacting across its various services. Google already knows how to manage and run identities efficiently and securely. However, allowing customers to manage and assign resources within Google Cloud is a different ball game. Its cloud customers have varied needs when it comes to integrating its services with disparate application stacks. Federating cloud identities with external systems is something new to Google, and the learning cannot be fast-tracked given the complexity of the entire IAM framework. Within GCP, identities can come from various parts of the Google ecosystem such as Google Workspace, Google Accounts or customer accounts, and there are some restrictions on how each account type can be used; similarly, Azure has a comparable identity ecosystem that is managed via a subscription-based model.
- Google started off its Cloud Identity with the acquisition of Bitium, which offered single sign-on and other identity and access management tools for cloud-based services. Google continues to build a comprehensive IAM solution that works across modern cloud and mobile environments. It also continues to invest in identity management partners such as Okta and OneLogin, and relies on customers leveraging these partners' deeper functionality for their specific AuthN and AuthZ needs.
- By design, Google has started to simplify IAM with a hierarchical organisation model in which access is inherited down the tree, much like a file system. Assigning permissions is easier when things are aligned with an organisation structure that has already been built. It also has a nice way to create various independent projects and clean them up whenever required. A newcomer will need a while to get a feel for human versus service accounts and how to tie them to the various built-in roles for authorisation. There is still a learning curve in building custom policies and mapping them to groups and other authorisation requirements. GCP provides many predefined roles, which are very useful if you do not have custom requirements; a lot of effort has gone into the policy-based framework, which serves as an extension point for authorisation needs. There is also an extensive OIDC-based developer community, which makes it easier for developers to build authentication and authorisation into application workloads.
- Google Cloud is using its AI/ML capabilities to offer various monitoring solutions that help an organisation understand its IAM consumption and tighten security further.
- Features like Contextual Access, Recommender and the hierarchical organisation structure give organisations better visibility and control over which services users are accessing.
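As an added illustration (not code from the original post or from Google), the following toy model shows how the hierarchical inheritance described above works: a binding granted at the organisation or folder level flows down to every project beneath it and cannot be removed lower in the tree. The resource names, groups and users are constructed for the example.

```python
# Added example: toy model of GCP IAM policy inheritance (constructed, not Google code).
from collections import defaultdict

# Parent links: child -> parent. The organization is the root and has no parent.
HIERARCHY = {
    "folders/eng": "organizations/123",
    "projects/web-prod": "folders/eng",
    "projects/sandbox": "organizations/123",
}

# Bindings set directly on each resource: role -> set of members (constructed sample).
BINDINGS = {
    "organizations/123": {"roles/viewer": {"group:auditors@example.com"}},
    "folders/eng": {"roles/editor": {"group:eng@example.com"}},
    "projects/web-prod": {"roles/owner": {"user:alice@example.com"}},
}

def ancestry(resource):
    """Yield the resource itself, then each ancestor up to the organization."""
    while resource is not None:
        yield resource
        resource = HIERARCHY.get(resource)

def effective_policy(resource):
    """Union of the bindings on a resource and on all of its ancestors.
    GCP grants are additive: a role granted higher up cannot be revoked below."""
    merged = defaultdict(set)
    for node in ancestry(resource):
        for role, members in BINDINGS.get(node, {}).items():
            merged[role] |= members
    return dict(merged)

def has_role(member, role, resource):
    """True if the member holds the role on the resource, directly or by inheritance."""
    return member in effective_policy(resource).get(role, set())
```

Note that the folder-level editor grant reaches `projects/web-prod` but not `projects/sandbox`, which hangs directly off the organisation.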
Last but not least, AWS has built cloud-native IAM in a more unobtrusive way and has shown the least expensive path to managing identities: it has never tied consumption of services to user volume, its IAM has always been free for all, and for specific IAM requirements it fostered a partner-driven ecosystem.
Okta is an excellent example of how AWS helped a partner offer its customers a rich and extensive IAM service based on organisational requirements; at the same time, AWS also developed a free service of its own, AWS Cognito, to handle federated authentication for application workloads. It also offers an identity federation service to extend cloud-native identities.
- AWS provides AWS SSO, which offers single sign-on, integration with AD and external data stores, MFA, tagging of resources, and single sign-on to AWS applications and EC2 Windows instances.
- If you are looking for fine-grained authorisation, you can leverage various ABAC-based features; these sometimes require configuration on both the user/group side and the resource side. Most of the configuration is intuitive, and you will not get lost while defining your security requirements. As a long-established CSP, AWS offers wide flexibility in roles and policies for custom authorisation requirements.
- AWS continues to integrate its various services with IAM in a more granular manner, giving organisations greater control over how they grant access to users and resources.
- They continue to add information to the logs that form the audit trail, providing greater visibility into how users are accessing services; this is extremely useful for an organisation trying to understand consumption and security.
- Features like Access Analyzer, Custom Roles and AWS SSO provide strong IAM foundations.
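As an added example (not from the original post or from AWS), here is a standard IAM ABAC statement that lets a principal start or stop only those EC2 instances whose `team` tag matches the principal's own `team` tag, with a small evaluator that shows why both the principal side and the resource side need configuration. The evaluator, instance ARN and tag values are constructed and model only this statement's Allow logic, not the full IAM evaluation order.

```python
# Added example: toy evaluator for an AWS ABAC policy (constructed, not AWS code).
import json
import re

# Standard IAM statement: the resource's "team" tag must equal the caller's "team" tag.
ABAC_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:StartInstances", "ec2:StopInstances"],
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {"StringEquals": {"aws:ResourceTag/team": "${aws:PrincipalTag/team}"}}
  }]
}""")

# Constructed sample ARN used in the checks below.
INSTANCE_ARN = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"

def _matches(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters."""
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), value) is not None

def _resolve(value, principal_tags):
    """Substitute a ${aws:PrincipalTag/key} variable from the caller's tags.
    A missing tag yields None so the condition fails (assumption: deny when unresolved)."""
    m = re.fullmatch(r"\$\{aws:PrincipalTag/([^}]+)\}", value)
    return principal_tags.get(m.group(1)) if m else value

def is_allowed(action, resource_arn, resource_tags, principal_tags, policy=ABAC_POLICY):
    """True if any Allow statement matches; Deny statements are not modelled here."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(_matches(a, action) for a in stmt["Action"]):
            continue
        if not _matches(stmt["Resource"], resource_arn):
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        satisfied = True
        for key, expected in conditions.items():
            if not key.startswith("aws:ResourceTag/"):
                satisfied = False  # only resource-tag condition keys are modelled
                break
            actual = resource_tags.get(key.split("/", 1)[1])
            wanted = _resolve(expected, principal_tags)
            if actual is None or wanted is None or actual != wanted:
                satisfied = False
                break
        if satisfied:
            return True
    return False
```

Access is granted only when the instance carries a `team` tag and the principal carries a matching one; drop either tag and the same call is refused, which is the two-sided configuration the bullet above refers to.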