Govern Cloud Access Based on Principle of Least Privileges

In the previous blog post (part 5 of the cloud governance series), we discussed cloud cost governance. In this blog, we discuss the fourth pillar OSCAR Governance framework – Cloud Access Governance.

Controlling and regularly reviewing who has access to what is not just an enterprise security mandate. It is a critical compliance necessity. Sarbanes-Oxley Act, PCI DSS, HIPAA, and GDPR all have mandatory user access review requirements, which, if not reviewed and fixed regularly, could land enterprises into serious trouble.

Hence, access control is a fundamental component of security and compliance programs that ensures access control policies are in place to protect confidential information.

It can be challenging to manage access in dynamic IT environments that involve on-premises systems and cloud services. Consequently, the access control systems can get very complex.

Understand how the access is utilized, identify violations, and fix them automatically. A few simple but important questions to ask are:

• Who has access?
• To what cloud resource?
• How did they get the access?
• Do they still need it?

When users are over-privileged, it leaves enterprises wide open to internal breaches. Define and enforce the policy of ‘Least Privileges’ to restrict access to only those cloud resources that a user absolutely requires to perform their immediate job functions. But, note that it is not just about removing privileges from the users who do not need them, but governing the access of the users who have them.

Conduct regular user account reviews to monitor, manage, and audit the lifecycle of user cloud accounts from creation to termination. Ensure privilege creeps are detected in these reviews and fixed with priority.

In the next blog, we will discuss the fifth pillar OSCAR Governance framework which is Cloud Resource Governance.