As businesses continue to migrate to the cloud, identity and access management (IAM) in multi-cloud environments becomes a top concern. According to a Strata Identity and Forrester study, 78% of IT decision-makers said managing user identities between multiple clouds is the number one challenge. The Thales Data Threat Report 2022 stated “There is a lack of maturity in cloud data security with limited use of encryption.”
This limited use of encryption is especially concerning considering multi-cloud environments not only host human but machine identities as well. Machine identity and access management across multi-cloud environments has become very important because when machine identities are compromised, machines become vulnerable and companies experience costly data breaches.
IAM challenges in a multi-cloud environment
There are several challenges to implementing secure IAM practices across a multi-cloud environment. “Multi-cloud consumption raises concerns about the operational complexity of successfully managing both encryption and the corresponding keys across multiple providers, each with their own consoles and APIs,” the Thales report states. Without understanding the challenges facing machine IAM in the cloud, it is impossible to implement a solution.
- Machine identities are growing faster than human identities. Most enterprises are equipped to deal with human IAM in the cloud, but not as many know how to secure machine identities (SSH keys, X.509 certificates and other encrypted credentials) in a multi-cloud ecosystem.
- Public cloud native IAM tools don’t scale beyond their own environment. While many cloud architectures host their own identity and access management solutions, they are not built for protection in multiple environments.
- IAM tools control access, not activity. While many cloud native tools provide privileged access management (PAM), they do not allow the organization to monitor or audit the activity of the user or machine once inside.
- There is nostandardized multi-cloud security model. Currently, it’s every cloud for itself as no standardization exists for securing across hybrid or multiplatform environments. In the absence of a centralized IAM solution that can operate across platforms, teams are left to duplicate their efforts.
- The cloud itself comes with inherent security challenges,such as identity and key sprawl, vendor lock-in and lack of governance and policy.
When considering using additional cloud providers, there are specific security nuances to consider. What if you have an instance hosted by one provider (AWS) but are looking to switch and then have that instance hosted by another (Azure)? What happens to these keys and certificates? And are you comfortable having your key and certificate management split between different third-party providers? Before moving your machine identities to a multi-cloud or hybrid ecosystem, consider asking the following questions regarding certificate ownership.
- Would you feel comfortable giving your keys and certificates to someone you don’t know?
- What happens to your hosted digital identities when you want to change providers?
- Who maintains ultimate ownership over your machine identities when the relationship parts ways? Or are your identities currently split between multiple public clouds, doubling the risk of compromise?
The answer might be to take ownership of the machine identities in your own environment and manage them in a vendor-agnostic platform that allows you to control where they go.
Best practices for multi-cloud SSH machine identity management
As demonstrated above, it is all too easy to lose track of your valuable machine identities in the cloud—much less across multiple cloud platforms. To allay the concerns around some of these risks and maintain proper machine identity management across your hybrid or multi-cloud environment, the following best practices for multi-cloud SSH management can be put into place:
- Discover and maintain an inventory of all SSH keys
- Determine ownership and user case of every SSH key
- Remove any orphaned, shared or duplicate keys by mapping all trust relationships back to their machines (or users).
- Control SSH configuration files and known hosts
- Establish clearly defined SSH management policies and audit them regularly
It is important to note the utility of automation in each of the above best practices. Automating each step is becoming necessary as the unprecedented number of connected devices, APIs, application and platforms in use renders manual machine identity management “nearly impossible.” According to the Thales report, 34% of survey respondents use over 50 SaaS applications. Provisioning SSH security controls across them all by hand would be a nightmare.
IAM solutions for multi-cloud environments
When it comes to IAM in multi-cloud environments, “management complexity can be multiplied with each new cloud environment that’s added because each brings its own technology implementations, operational models and security tools,” the Thales report states. “Mastering all of them independently can be a huge resource commitment and, even if it is possible for an organization, can leave security gaps if management isn’t well coordinated.”
For that reason, it is important to find an IAM solution for machines that can work across multiple cloud environments and bring these disparate technologies together. Here is what to look for in a good multi-cloud IAM solution:
- Vendor agnostic. Cloud-native solutions struggle to keep up with the complexity of certificates across multiple platforms. Choose a vendor agnostic solution that can enforce access controls not based on environment, but on identity.
- Scalable. A cloud-agnostic solution reduces vendor lock-in and makes it easier to scale when other public cloud architectures are added to the mix.
- Visibility. Your solution should give you full visibility over the keys and certificates in your environment, and automatically account for new ones deployed.
- Intelligence. You should have all the information needed to successfully manage your certificate lifecycle in an easily accessible interface. This includes expiry dates, issuing CAs, organizational data and security configurations.
- Automation. To avoid silos and make it easier to remain vendor-agnostic, provisioning and renewal of certificates should be automatically deployed across all cloud architectures and managed from one central location.
A cloud-agnostic platform like the Venafi Trust Protection Platform centrally manages machine identities, allowing you to integrate multiple public cloud architectures while securing your machine IAM. It not only closes the security gaps between various platforms, but provides a centralized, vendor-agnostic certificate management solution to prevent outages caused by expired or compromised machine identities in the cloud.