Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Cloud access management in multi-cloud: where are controls failing?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Cloud security access management is under strain as multi-cloud, manual credential handling, and incomplete lifecycle controls leave organisations exposed, according to Bravura Security’s analysis of 100 security leaders and cited breach data. The core issue is not tooling volume but whether identity governance can keep pace with changing access, rogue accounts, and recovery demands.

NHIMG editorial — based on content published by Bravura Security: cloud security access management risks and control gaps in multi-cloud environments

By the numbers:

Questions worth separating out

Q: How should security teams reduce cloud identity risk when passwords and credentials are still widely shared?

A: Security teams should remove informal credential sharing first, because shared spreadsheets and chat-based secrets create invisible persistence.

Q: Why do rogue cloud accounts increase security risk so quickly?

A: Rogue accounts matter because they preserve access after the organisation has lost the business reason for that access.

Q: When should organisations prioritise JIT access over standing privileges?

A: Organisations should prioritise JIT access whenever elevated access is used for recurring but task-scoped administrative work.

Practitioner guidance

  • Eliminate spreadsheet-based credential handling Move cloud passwords and application credentials into managed secret workflows, then remove email and messaging as distribution paths for anything that authenticates to production systems.
  • Set revocation SLAs for cloud identities Define maximum removal windows for rogue accounts, compromised passwords, and leaver access, then measure actual revocation time against those thresholds across environments.
  • Unify JML across human and machine access Treat joiner, mover, and leaver events as a single governance process that covers employees, contractors, service accounts, and cloud workloads.

What's in the full article

Bravura Security's full analysis covers the operational detail this post intentionally leaves for the source:

  • The survey context behind the cloud access management findings and how the numbers compare with earlier years.
  • The article's breakdown of password management, JML, JIT access, MFA, and audit trail use in cloud environments.
  • The specific SLA and remediation discussion around compromised passwords and rogue accounts.
  • The vendor's suggested approach for evaluating where identity controls should be centralised across cloud systems.

👉 Read Bravura Security's analysis of cloud security access management risks →

Cloud access management in multi-cloud: where are controls failing?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Cloud access management is really lifecycle management under a cloud label: The article’s central weakness is not cloud complexity alone, but the absence of durable identity lifecycle control across passwords, access grants, and revocation. That is why JML, JIT, and rogue-account handling appear together in the same failure pattern. Practitioners should treat cloud access as a lifecycle governance problem, not a tooling checklist.

A few things that frame the scale:

  • 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
  • Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities.

A question worth separating out:

Q: What does a unified identity lifecycle approach change for cloud governance?

A: A unified identity lifecycle approach replaces isolated onboarding, access review, and offboarding steps with one control model that follows the identity from creation to removal. That matters because cloud risk often appears when one team believes another owns revocation. A single lifecycle view reduces gaps between HR, IT, security, and cloud operations.

👉 Read our full editorial: Cloud security access management gaps are widening in multi-cloud



   
ReplyQuote
Share: