Inactive identities can pose a security risk in any environment, including cloud environments. In a blog post, IBM Cloud explains how to identify and handle inactive identities using the APIs provided by IBM Cloud Identity and Access Management (IAM).
After receiving feedback from readers on how to proceed after identifying inactive identities, IBM Cloud provides steps for automating the cleanup process. These steps include revoking privileges, removing identity types from the account, and scripting and automating administrative tasks.
Recap: Inactive Identities
IBM Cloud IAM supports different forms of identities such as users, service IDs, and trusted profiles. If an identity or associated API key has not been used for a certain period of time, it is considered inactive. IBM Cloud IAM provides functionality to create reports on inactive identities.
To improve security, it is recommended to revoke access privileges from inactive identities and potentially remove them from the cloud account. However, there is an operational risk with special identities used for quarterly or annual processing. In such cases, it is important to keep track of how inactive identities and their privileges are cleaned up.
Automated Cleanup
Cleaning up inactive identities can be done manually, but automating the process is more efficient and improves security. The suggested steps for automated cleanup include generating a report on inactive identities, checking against a list of exempted IDs, removing the identity from all access groups, and deleting associated API keys.
Logging the findings and actions taken for audit and improvement purposes is essential. The frequency of cleanup (monthly or quarterly) can be determined based on corporate policies. It is recommended to maintain a list or database of identities that are excluded from cleanup to avoid removing important identities.
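The steps above, sketched as a dry-run planner in Python. This is an added example, not code from IBM Cloud or the original blog post: the report layout, identity IDs, and operation names are assumptions constructed for illustration, and nothing in the account is changed unless a caller supplies its own executor function.

```python
import json
from datetime import datetime, timezone

# Constructed sample: a simplified inactive-identity report. Field names are
# assumptions for this example, not the schema of the IAM report.
SAMPLE_REPORT = [
    {"iam_id": "iam-ServiceId-aaaa", "type": "serviceid", "name": "ci-deployer",
     "apikeys": ["ApiKey-1111", "ApiKey-2222"]},
    {"iam_id": "iam-ServiceId-bbbb", "type": "serviceid",
     "name": "annual-billing-export", "apikeys": ["ApiKey-3333"]},
    {"iam_id": "IBMid-cccc", "type": "user",
     "name": "former.contractor@example.com", "apikeys": []},
    {"iam_id": "iam-Profile-dddd", "type": "profile", "name": "old-vm-profile",
     "apikeys": []},
]
# Constructed exemption list: identities kept for quarterly or annual processing,
# each with the recorded reason for the exemption.
EXEMPT = {"iam-ServiceId-bbbb": "annual processing job, reviewed by owner"}


def plan_cleanup(report, exempt):
    """Return (actions, audit) for one cleanup run without touching the account."""
    now = datetime.now(timezone.utc).isoformat()
    actions, audit = [], []
    for ident in report:
        iam_id = ident["iam_id"]
        if iam_id in exempt:
            # Exempted identities are never modified, but the skip is still logged.
            audit.append({"time": now, "iam_id": iam_id, "decision": "skipped",
                          "reason": exempt[iam_id]})
            continue
        # Revoke access first, then delete the keys that belong to the identity.
        steps = [("remove_from_all_access_groups", iam_id)]
        steps += [("delete_api_key", key) for key in ident.get("apikeys", [])]
        actions.extend(steps)
        audit.append({"time": now, "iam_id": iam_id, "type": ident["type"],
                      "decision": "revoke", "steps": [op for op, _ in steps]})
    return actions, audit


def run(report, exempt, execute=None):
    """Dry run by default; pass execute(op, target) to apply each planned step."""
    actions, audit = plan_cleanup(report, exempt)
    if execute is not None:
        for op, target in actions:
            execute(op, target)
    # One JSON line per identity, suitable for appending to an audit log.
    return actions, [json.dumps(rec, sort_keys=True) for rec in audit]
```

Reviewing the dry-run output before wiring in an executor gives the account owner a chance to extend the exemption list first.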
Users, Service IDs, and Trusted Profiles
In addition to revoking privileges, it is also recommended to consider deleting unused service IDs and trusted profiles, as well as removing users from the account. By periodically listing all users and checking their states, invalid or suspended users can be removed from the account.
IBM Cloud provides APIs to remove users from an account, delete service IDs and their associated API keys, and delete trusted profiles.
Conclusion
Regular account cleanup is important for both account administration and security. Automating the cleanup of inactive identities in IBM Cloud helps improve security and efficiency. However, it is necessary to maintain logs and exempted identities to avoid disrupting applications and workloads.
FAQ
1. What are inactive identities in IBM Cloud?
Inactive identities in IBM Cloud are identities (such as users, service IDs, and trusted profiles) or associated API keys that have not been used for a specific period of time.
2. What is the risk of inactive identities?
Inactive identities pose a security risk as they may no longer be maintained and can be easier to attack. Revoking access privileges from inactive identities and removing them from the cloud account helps improve security.
3. How can the cleanup process for inactive identities be automated?
The cleanup process for inactive identities in IBM Cloud can be automated by generating a report on inactive identities, checking against a list of exempted IDs, removing the identities from all access groups, and deleting associated API keys. It is also important to log the findings and actions taken for audit and improvement purposes.
4. What actions should be taken after revoking privileges from inactive identities?
After revoking privileges from inactive identities, it is recommended to consider deleting unused service IDs and trusted profiles, as well as removing users from the account. By periodically listing all users and checking their states, invalid or suspended users can be removed from the account.
5. How often should the cleanup process for inactive identities be performed?
The frequency of the cleanup process for inactive identities can be determined based on corporate policies. It is recommended to clean up monthly or quarterly and maintain a list or database of identities that are excluded from cleanup to avoid removing important identities.