This post was previously published on The New Stack.
If you help to manage cloud environments, you’re probably familiar with the concept of identity lifecycle management. Identity lifecycle management helps you keep track of who is allowed to do what within your cloud.
But merely understanding identity lifecycle management isn’t enough to administer modern cloud identities effectively. You also need a way to automate identity lifecycle management at massive scale.
After all, if your cloud environment is like most modern cloud environments, it contains thousands of identities and many thousands of "entitlements," meaning the permissions and access roles attached to them. What’s more, those entitlements change constantly: user roles evolve all the time, and the entitlements each role needs evolve with them.
As this article explains, automated identity lifecycle management using a tool like Torq is key to ensuring that identities and their associated entitlements in the cloud are up to date and free of security risks.
Identity Lifecycle Management Defined
Identity lifecycle management is the process of ensuring that the identities in your cloud environment, and their associated permissions or entitlements, are kept up to date as the roles of the users associated with those identities change.
That’s important because, again, identities tend to change constantly. Employees come and go. So do contractors or other external stakeholders. And even when the identity of a given user remains the same, the specific entitlements that he or she needs could change.
An IT engineer may need temporary permission to create or destroy a cloud resource during an incident management operation, for example, but that need will expire when the incident is resolved. Or an employee may move from one department to another, necessitating a change in that employee’s cloud entitlements.
Identity Lifecycle Management Process: A Breakdown
That, at least, is a general overview of the sorts of events that identity lifecycle management addresses. But to take a more systematic approach, we can break identity lifecycle management down into specific types of operations.
Provisioning and Deprovisioning
When users (who could be IT engineers, nontechnical employees or external contractors) join or leave the organization, you need to create or remove cloud accounts for them. A new account must be provisioned with exactly the entitlements the user's role requires, and no more. Deprovisioning matters just as much: an account that outlives the person who used it keeps every entitlement it ever had, with nobody left to notice when it is misused.
Attestation
Attestation is the process of determining who holds which entitlements within your cloud environments and confirming, usually with the manager or resource owner accountable for them, that each one is still required. In other words, it allows you to "attest" that your entitlement configuration aligns with organizational requirements.
Attestation itself changes no identities or entitlements, but it is an essential part of identity lifecycle management because it is how you find the drift that the other operations leave behind: entitlements left over from a previous role, temporary grants that never expired, and accounts that no longer correspond to anyone on the roster.
Temporary Entitlements
Users in your cloud environment may temporarily require certain entitlements in order to perform a given task. An employee may need to pull data out of a storage bucket to generate a report, for example, or a developer may need to create a new type of resource in order to deploy an application.
In situations like these, you need to grant the entitlement with a reason and an expiry attached, then make sure it is revoked when the work is done or the time is up, whichever comes first. Identity lifecycle management lets you do this in a systematic, organized way, instead of escalating privileges in ad hoc fashion and hoping that someone remembers to scale them back later.
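To make the provisioning, attestation and temporary-entitlement operations above concrete, here is an added example; it is not code from the original post and not Torq's product. It reconciles a constructed HR roster and role policy against a constructed snapshot of cloud entitlements: it computes the grants and revocations for joiners, movers, leavers and orphaned accounts, honours temporary grants until they expire, and produces an attestation report that explains every entitlement currently held. Role names, entitlement strings, user names and ticket IDs are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Role policy: the entitlements each role is supposed to hold.
# Role and entitlement names are hypothetical, constructed for this example.
ROLE_ENTITLEMENTS = {
    "sre": {"ec2:describe", "ec2:reboot", "logs:read"},
    "analyst": {"s3:read:reports", "athena:query"},
    "finance": {"billing:view", "billing:approve"},
}


@dataclass(frozen=True)
class TempGrant:
    """A temporary entitlement tied to a reason (e.g. a ticket) and an expiry time."""
    user: str
    entitlement: str
    expires_at: datetime
    reason: str


def desired_entitlements(roster, temp_grants, now):
    """Desired state = role entitlements for active users + unexpired temporary grants.
    roster maps user -> {"role": str, "active": bool}. A departed user (active=False)
    gets an empty set, so everything they still hold becomes a revocation."""
    desired = {}
    for user, rec in roster.items():
        desired[user] = set(ROLE_ENTITLEMENTS.get(rec["role"], ())) if rec["active"] else set()
    for g in temp_grants:
        if g.expires_at > now and roster.get(g.user, {}).get("active"):
            desired[g.user].add(g.entitlement)
    return desired


def reconcile(roster, actual, temp_grants, now):
    """Diff actual IAM state against desired state. Returns (grants, revokes) as sorted
    lists of (user, entitlement). Accounts present in IAM but absent from the roster
    are orphans and are revoked entirely."""
    desired = desired_entitlements(roster, temp_grants, now)
    grants, revokes = [], []
    for user in sorted(set(desired) | set(actual)):
        have, want = actual.get(user, set()), desired.get(user, set())
        grants += [(user, e) for e in sorted(want - have)]
        revokes += [(user, e) for e in sorted(have - want)]
    return grants, revokes


def attest(roster, actual, temp_grants, now):
    """Attestation: explain every entitlement currently held, changing nothing.
    Returns {(user, entitlement): justification}; anything not justified by an active
    user's role or an unexpired temporary grant is a finding for review."""
    temp = {(g.user, g.entitlement): g for g in temp_grants}  # last grant per pair wins
    report = {}
    for user, ents in actual.items():
        rec = roster.get(user)
        for e in ents:
            if rec is None:
                why = "orphan: account not on roster"
            elif not rec["active"]:
                why = "departed user still provisioned"
            elif e in ROLE_ENTITLEMENTS.get(rec["role"], ()):
                why = f"role:{rec['role']}"
            elif (user, e) in temp and temp[(user, e)].expires_at > now:
                why = f"temp:{temp[(user, e)].reason}"
            elif (user, e) in temp:
                why = f"expired temp grant:{temp[(user, e)].reason}"
            else:
                why = "unjustified"
            report[(user, e)] = why
    return report


# Constructed sample data (hypothetical users, roles, entitlements and ticket IDs).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
ROSTER = {
    "alice": {"role": "sre", "active": True},
    "bob": {"role": "analyst", "active": True},
    "carol": {"role": "finance", "active": False},  # leaver
    "dave": {"role": "finance", "active": True},    # mover: analyst -> finance
}
ACTUAL = {  # what IAM currently says
    "alice": {"ec2:describe", "logs:read"},                    # joiner, partly provisioned
    "bob": {"s3:read:reports", "athena:query", "ec2:reboot"},  # holds an expired temp grant
    "carol": {"billing:view", "billing:approve"},              # still provisioned after leaving
    "dave": {"s3:read:reports", "athena:query"},               # old department's entitlements
    "svc-legacy": {"logs:read"},                               # orphan: not on the roster
}
TEMP_GRANTS = [
    TempGrant("bob", "ec2:reboot", NOW - timedelta(days=1), "INC-1042"),          # expired
    TempGrant("alice", "s3:read:reports", NOW + timedelta(hours=4), "INC-1077"),  # live
]

if __name__ == "__main__":
    grants, revokes = reconcile(ROSTER, ACTUAL, TEMP_GRANTS, NOW)
    print("grant:", grants)
    print("revoke:", revokes)
    for (user, ent), why in sorted(attest(ROSTER, ACTUAL, TEMP_GRANTS, NOW).items()):
        print(f"{user:11} {ent:18} {why}")
```

Two design choices carry the security weight here. An account that exists in IAM but not on the roster gets an empty desired set, so the reconciler strips it instead of ignoring it. And the attestation report is derived from the same desired state the reconciler uses, so review findings and automated revocations cannot disagree about which entitlements are justified.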
Separation of Duties
When you separate duties within the context of identity lifecycle management, you distribute entitlements across a group so that no single user has the sole ability to carry out a sensitive action end to end: the identity that can create a payment should not also be the one that approves it, for example. Doing so spreads out risk and means that abuse by an individual user requires collusion with someone else.
Validating entitlements to confirm that they properly separate duties — and, if necessary, modifying them to do so — should be a central part of your identity lifecycle management process.
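The following added example (not from the original post, and not Torq's code) shows one way to validate separation of duties: a list of toxic entitlement combinations is checked against each identity's effective entitlements, including those inherited through group membership, and the same check is exposed as a pre-flight test that a provisioning workflow can run before a grant is applied. Entitlement, group and user names are constructed for the example.

```python
# Toxic combinations: entitlement sets that no single identity may hold in full.
# Entitlement and group names are hypothetical, constructed for this example.
TOXIC_COMBINATIONS = (
    frozenset({"payments:create", "payments:approve"}),
    frozenset({"iam:create_user", "iam:attach_admin_policy"}),
    frozenset({"deploy:prod", "audit:delete_logs"}),
)


def effective_entitlements(user, direct, groups, membership):
    """Entitlements a user actually holds: direct grants plus everything inherited
    through groups. A check that only looks at direct grants misses the common case
    where one half of a toxic pair arrives via a group."""
    held = set(direct.get(user, ()))
    for group in membership.get(user, ()):
        held |= groups.get(group, set())
    return held


def sod_violations(direct, groups, membership, toxic=TOXIC_COMBINATIONS):
    """Review-style check: {user: [completed toxic combination, ...]} for every
    identity that holds one of the combinations in full."""
    findings = {}
    for user in sorted(set(direct) | set(membership)):
        held = effective_entitlements(user, direct, groups, membership)
        hits = [combo for combo in toxic if combo <= held]
        if hits:
            findings[user] = hits
    return findings


def check_grant(user, entitlement, direct, groups, membership, toxic=TOXIC_COMBINATIONS):
    """Pre-flight check for a proposed grant: the toxic combinations it would complete.
    Run this inside the provisioning workflow so a violating grant is refused up front
    rather than discovered at the next review."""
    held = effective_entitlements(user, direct, groups, membership) | {entitlement}
    return [combo for combo in toxic if entitlement in combo and combo <= held]


# Constructed sample state: direct grants, group entitlements and group membership.
DIRECT = {"erin": {"payments:create"}, "frank": {"deploy:prod"}, "grace": {"iam:create_user"}}
GROUPS = {
    "finance-approvers": {"payments:approve"},
    "platform-admins": {"iam:attach_admin_policy", "deploy:prod"},
}
MEMBERSHIP = {"erin": {"finance-approvers"}, "grace": {"platform-admins"}}

if __name__ == "__main__":
    for user, hits in sod_violations(DIRECT, GROUPS, MEMBERSHIP).items():
        print(user, "violates:", [sorted(c) for c in hits])
    print("frank + audit:delete_logs ->",
          check_grant("frank", "audit:delete_logs", DIRECT, GROUPS, MEMBERSHIP))
```

In the sample state neither erin nor grace holds a toxic pair directly; both violations come through group membership, which is why the check expands groups before comparing. The pre-flight variant is what turns separation of duties from a periodic audit finding into a control that the lifecycle workflow enforces at grant time.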
Manual vs. Automated Identity Lifecycle Management
There’s nothing stopping you from managing cloud identities manually, or at least trying to do so. You can manually update cloud entitlements whenever a user’s role changes.
That approach, however, requires considerable effort. It’s not practical if you have hundreds or thousands of users and entitlements to keep track of.
Just as important, manual identity lifecycle management can lead to inconsistent results and unclear rules. One cloud admin may take a different approach from another when managing identities and entitlements.
Automated identity lifecycle management solves both of these problems. It scales with the number of identities rather than with the number of administrators, and it ensures that every identity is handled according to the same rules.
That’s because, when you automate identity lifecycle management, you configure rules that define when and how entitlements should change. Then, using a tool like Torq, you can integrate those policies into your broader business processes.
The result is a fully automated workflow that aligns changes within your business with changes in your cloud. When an employee joins or leaves your organization, for example, entitlements can be automatically adjusted accordingly. If a user requires a temporary escalation of privileges, the grant can be triggered automatically, then revoked when the workflow that triggered it is complete.
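As an added illustration of workflow-bound grants (example code, not the original post's and not Torq's), the following handler maps hypothetical trigger events to temporary grants and revokes each grant when the closing event of the same workflow arrives, or immediately when the grantee leaves the organization. Event types, entitlement names, user names and workflow IDs are constructed for the example.

```python
# Rules: the event that triggers a temporary grant and the event that ends it.
# Event types, entitlements and workflow IDs are hypothetical, constructed for this example.
WORKFLOW_RULES = {
    "incident.opened": {"grant": "ec2:terminate", "until": "incident.resolved"},
    "change.approved": {"grant": "deploy:prod", "until": "change.closed"},
}


class GrantLedger:
    """Temporary grants keyed by (user, entitlement), each tied to the workflow that
    justified it. Revocation is driven by that workflow's closing event, so a grant
    cannot outlive the work regardless of whether anyone remembers to clean up."""

    def __init__(self):
        self.active = {}  # (user, entitlement) -> (workflow id, closing event type)
        self.log = []     # (action, user, entitlement, workflow, triggering event)

    def handle(self, event):
        kind, user, wf = event["type"], event["user"], event["workflow"]
        if kind == "employee.left":
            # Leaver: every grant held by the user goes, whatever workflow justified it.
            for key, (w, _until) in list(self.active.items()):
                if key[0] == user:
                    self._revoke(key, w, kind)
            return
        rule = WORKFLOW_RULES.get(kind)
        if rule is not None:
            key = (user, rule["grant"])
            if key not in self.active:  # a re-delivered trigger must not double-grant
                self.active[key] = (wf, rule["until"])
                self.log.append(("grant", user, rule["grant"], wf, kind))
            return
        # Any other event is a potential closer. Match on workflow id, not on the
        # user: an incident is often resolved by someone other than the grantee.
        for key, (w, until) in list(self.active.items()):
            if w == wf and until == kind:
                self._revoke(key, w, kind)

    def _revoke(self, key, wf, cause):
        del self.active[key]
        self.log.append(("revoke", key[0], key[1], wf, cause))

    def held(self, user):
        return {ent for (u, ent) in self.active if u == user}


def run(events):
    """Feed a sequence of workflow events through a fresh ledger and return it."""
    ledger = GrantLedger()
    for ev in events:
        ledger.handle(ev)
    return ledger


# Constructed event stream, in delivery order.
EVENTS = [
    {"type": "incident.opened", "user": "alice", "workflow": "INC-1042"},
    {"type": "incident.opened", "user": "alice", "workflow": "INC-1042"},  # duplicate delivery
    {"type": "change.approved", "user": "bob", "workflow": "CHG-77"},
    {"type": "incident.resolved", "user": "oncall-mgr", "workflow": "INC-1042"},
    {"type": "employee.left", "user": "bob", "workflow": "HR-2201"},
    {"type": "change.closed", "user": "bob", "workflow": "CHG-77"},  # grant already gone
]

if __name__ == "__main__":
    for entry in run(EVENTS).log:
        print(*entry)
```

Two details are worth keeping when building this for real. The handler is idempotent, because event sources such as webhooks and queues re-deliver, and a duplicate trigger must not leave a second grant behind. And a workflow that is never closed would leave its grant in place indefinitely, so in practice an event-driven ledger like this should be paired with a maximum lifetime on every temporary grant as a safety net.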
In these ways, automated identity lifecycle management ensures that you can manage identities efficiently and securely.