Identity and Access Management (IAM) is a crucial part of building a solid cloud foundation. After all, access to the cloud platform’s API to deploy and manage cloud resources is akin to providing the keys to a virtual data center. IAM covers the life-cycle of identities as well as controls for authentication and authorization. Leveraging the cloud platform’s IAM systems like AWS IAM, Azure RBAC or GCP IAM is therefore crucial to achieve cloud security.

Key Activities in Multi-Cloud IAM

The IAM pillar of the Cloud Foundation Maturity Model encompasses the following key activities and capabilities

As the cloud foundation approach is all about integrating the capabilities of its constituent pillars, the Identity and Access Management pillar has several important links to other cloud foundation capabilities

🗂 Tenant Management

🔖 Security & Compliance

  • The scope of permissions granted to application teams should reflect the responsibility split defined in the cloud foundation’s Shared Responsibility Model Alignment.

  • Permissions are often a key component of Resource Configuration Scanning reports (e.g. to ensure principle of least privilege, preventing public access etc.).

  • IAM changes should be included in Centralized audit logs. This is also important to document correct handling of Joiner/Mover/Leaver-Processes.

💵 Cost Management

  • The Resource Authorization Management should ensure that non-technical project stakeholders have enough access to cost reporting capabilities, without requiring technical access to cloud resources.

🛠 Service Ecosystem

  • Cloud Foundation teams should evaluate how they can leverage existing permissions and IAM concepts to also grant teams access to internal services via an Internal Service Marketplace.

Designing a Multi-Cloud IAM Strategy

Especially when considering a multi-cloud scenario, cloud foundation teams need to design an identity and access management strategy that they can implement consistently across all cloud platforms.

The Cloud Identity and Access Management Guide for 2021

Take a look into the IAM Guide 2021 for a comprehensive guide to Cloud Identity and Access Management.

Read the IAM Guide

Stakeholders to Involve for Multi-Cloud Tenant Management

Cloud Foundation teams should have team members with first-party expertise of the organization’s existing IAM infrastructure and the established compliance processes. These can be “liaison officers” to the Enterprise IAM teams that already exist in most organization. This helps the cloud foundation team build a Federated Identity and Authentication architecture for all cloud platforms that is already aligned with the central IAM team.

Cloud Foundation teams should also involve legal or compliance stakeholders to review data security concerns. IAM systems naturally deal with personally-identifiable information (PII) that is subject to high regulatory attention and scrutiny, e.g. through the EU GDPR.

Building a cloud IAM architectures on the “green grass” without considering existing systems, and, depending on the industry even regulatory requirements, can quickly stall an organization’s cloud journey. Since IAM is so fundamental to enabling using of the cloud, any mistakes in the decisions here proof very costly to change and reconcile later. This is why a strong alignment with Enterprise IAM teams and their compliance advisors is so important.