Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

Research Topic

Identity and Access Management

Latest ResearchWorking Group
Identity Access Management Working Group Charter
Identity Access Management Working Group Charter

Download

Research Topics
About Topic
Working Group
Discussion Community
Publications
Home
Research
Identity and Access Management
What is Identity and Access Management (IAM)? 
Identity and access management is mapping some form of an entity (a person, system, piece of code, etc.) to a verifiable identity associated with various attributes (which can change based on current circumstances), and then making a decision on what they can or can’t do based on entitlements. 

How IAM is Different in the Cloud
Cloud services are becoming ubiquitous in all sizes, and customers encounter many obligations and opportunities for using Identity Access Management (IAM) systems with those cloud services. However, as an area of emergent technical focus, there is little independent analysis and guidance in the public domain for addressing the intersection of IAM and cloud services. 

In cloud computing, the fundamental problem is that multiple organizations are now managing the identity and access management to resources, which can greatly complicate the process. For example, imagine having to provide the same user on dozens—or hundreds—of different cloud services. Federation is the primary tool used to manage this problem.

Other key differences are that in the cloud IAM:
  • tends to change faster
  • be more distributed (including across legal jurisdictional boundaries)
  • add to the complexity of the management plane
  • rely more (often exclusively) on broad network communications for everything, which opens up core infrastructure administration to network attacks. 

These shifts also bring challenges. Moving to federation at scale with multiple internal and external parties can be complex and difficult to manage due to the sheer mathematics of all the variables involved. Determining and enforcing attributes and entitlements across disparate systems and technologies bring both process and technical issues. Even fundamental architectural decisions may be hampered by the wide variation in support among cloud providers and platforms.

IAM spans essentially every domain of cloud security. To read best practices for managing IAM in the cloud in key domains, read the CSA Security Guidance: Domain 12.

Identity and Access ManagementShared Responsibility Model

Discuss this topic in Circle

View discussion community

Participate

View the working group

Press MentionSourceDate
5 Multi-cloud Security Challenges You Can AvoidITPro TodayNovember 14, 2022
Cloud infrastructure security is having an identity crisis. Can CIEM help?The RegisterSeptember 13, 2023
Daily Briefing: Defining Shadow Access: The Emerging IAM Security Challenge The CyberWireSeptember 14, 2023
Cloud Security Alliance Sheds Light on 'Shadow Access' IAM ProblemVirtualization ReviewSeptember 14, 2023
The Best Multi-Cloud Identity Management PracticesSifyMarch 18, 2024
View all

Guidance from CSA

CSA Research crowd-sources the knowledge and expertise of security experts and helps address the challenges and needs they’ve experienced, or seen others experience, within the cybersecurity field. Each publication is vendor-neutral and follows the peer review process outlined in the CSA Research Lifecycle. We recommend getting started by reading the following documents.

The 2020 State of Identity Security in the Cloud

The 2020 State of Identity Security in the Cloud

Read the results of a survey to understand cloud IAM challenges other enterprises face when undergoing a digital transformation. You will also learn methods of addressing cloud IAM challenges as well as identify the teams and roles responsible for cloud IAM. In the wake of the COVID-19 public health crisis, many enterprises digital transformations are on an accelerated track to enable employees to work from home. CSA surveyed these organizations to better understand how cloud services are being used during this transition and how organizations secured their operations over the next 12 months.

Read more
Identity and Access Management Guidance

Identity and Access Management Guidance

This document addresses personnel involved in the identification and implementation of the IAM solution in the cloud. It will be of particular interest to those with the responsibility of designing, implementing and integrating the consumption of services of the IAM function within any cloud application of Security as a Service (SecaaS)

Read more
Domain 12 of the Security Guidance: Identity, Entitlement, and Access Management

Domain 12 of the Security Guidance: Identity, Entitlement, and Access Management

This domain of CSA’s flagship research paper addresses managing identities and leveraging directory services to provide access control. The focus is on issues encountered when extending an organization’s identity into the cloud. This section provides insight into assessing an organization’s readiness to conduct cloud-based Identity, Entitlement, and Access Management. If you are new to IAM in the cloud we recommend starting here. 

View this paper
View All Research

Webinars

Cloud Attack Vectors: Build Cyber-Defense Strategies to Protect Cloud Resources
Cloud Attack Vectors: Build Cyber-Defense Strategies to Prot...

September 19 | Online

Learn more

How Does Your Cloud Security Compare, and Where Do You Go From Here?
How Does Your Cloud Security Compare, and Where Do You Go Fr...

October 25 | Online

Learn more

Achieving least privilege across Multicloud with Cloud Infrastructure Entitlement Management (CIEM)
Achieving least privilege across Multicloud with Cloud Infra...

December 6 | Online

Learn more

How to Fortify Your Salesforce Ecosystem Security
How to Fortify Your Salesforce Ecosystem Security

June 20 | TBD

Learn more

View All Webinars

Blog Posts

10 Tips to Guide Your Cloud Email Security Strategy
Read Now
The Widening Overlap Between Cloud Workloads and Cybersecurity
Read Now
Securing Non-Human Identities: Lessons from the Cloudflare Breach
Read Now
View All Blog Posts