Digital Trust-Enhancing Identity Access Management in Cloud Environments

Robin Lyons
Author: Robin Lyons, Principal, IT Audit Professional Practices, ISACA
Date Published: 21 August 2023
Related: Google Cloud Platform Audit Program | Digital | English

We may have heard the term “digital native” or at least been aware of the concept of those who have always been connected via smartphones, computers and video games. In 2001, when Marc Prensky coined the term digital native, he noted that, at that time, the average college graduate had spent over 10,000 hours playing video games. Having known only a digital environment, one could make a case that digital natives may have an advantage in an environment defined by technology.

Similarly, those enterprises that began operations in the cloud (i.e., “cloud-native”) are deemed to have certain advantages. For example, a cloud-native organization does not face inconsistency in security processes and controls or variation in compliance management associated with the hybrid environment of organizations migrating to the cloud. While these advantages are a perk, they do not necessarily create immunity from the risk and maintenance challenges of cloud computing. In a survey of cloud risk, “Building Trust in Cloud Environments,” KPMG noted that malware moving laterally to cloud workloads was the top concern of respondents. Yet the second-ranking concern was shared by insecure use of application programming interfaces (APIs) and unauthorized access by a third party.

So, access concerns remain in cloud environments whether an organization has migrated to the cloud or was born in the cloud. Fortunately, some familiar controls can mitigate access risks: monitoring appropriateness of user roles and permissions and segregation of duties as examples. While the cause-and-effect approach to controls serves a purpose, digital trust enhances the control environment even more through encouragement of continuous monitoring and consideration of all elements: people, process, technology and organization. In its recently released Google Cloud Platform Audit Program, ISACA explores those elements. Examples from the audit program’s Identity and Access Management section are:

  • The enterprise enforces confidentiality, integrity and the availability of data through periodically requiring reauthentication and revalidation of the authorization credentials of users.
  • The enterprise maintains environmental security by governing the lifecycle of user accounts and job responsibilities and restricting user access to necessary accounts.

Both of these objectives support an audit approach founded on a view of continuity, lifecycle and collaboration across the enterprise. They also show the ongoing relevance of known risks and objectives to all enterprises. So, organizations born in the cloud may have some advantages; however, they still share some of the risks that non-native enterprises have been encountering for a while now. As both types of organizations pursue digital trust, considering the four elements of digital trust and focusing on providing accurate information and feedback loops are great places to start.