I’m often taken aback by the lack of granularity when it comes to security identity management. Although most security approaches and tools have the capability to partition security domains by people, roles, locations, devices, and parts of databases, most people set up cloud security with only a few domains.
For those of you who don’t deal with security operations, or secops, here is how it works: we can create groups using any number of dimensions or domains. An “identity” needs to belong to at least one domain, but it can belong to all or most domains as well.
This slicing and dicing of security domains gives you better control over security management: you can disallow, for whatever reason that may be needed, those using mobile devices, those who work for devops, those who are outside the United States, or those who have access to a cloud-based storage system.
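To make the difference concrete, here is an added example (not from the original article) that models identities as members of several domains and compares a coarse, role-only rule set with a granular one. All identities, dimension names, values, and the `storage` resource are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    name: str
    domains: frozenset  # (dimension, value) pairs, e.g. ("device", "mobile")

@dataclass(frozen=True)
class DenyRule:
    reason: str
    resource: str
    match: frozenset  # rule fires only if the identity is in ALL of these domains

def identity(name, **dims):
    return Identity(name, frozenset(dims.items()))

def deny(reason, resource, **dims):
    return DenyRule(reason, resource, frozenset(dims.items()))

def evaluate(ident, resource, rules):
    """Return (allowed, reasons) for ident requesting resource under rules."""
    if not ident.domains:
        # An identity has to belong to at least one domain to be evaluated.
        raise ValueError(f"{ident.name} belongs to no domain")
    reasons = [r.reason for r in rules
               if r.resource == resource and r.match <= ident.domains]
    return (not reasons, reasons)

# Constructed sample identities, each placed in three domains.
ALICE = identity("alice", role="devops", device="laptop", location="US")
BOB = identity("bob", role="devops", device="mobile", location="US")
CAROL = identity("carol", role="finance", device="laptop", location="non-US")
DAVE = identity("dave", role="devops", device="laptop", location="non-US")

# Coarse setup: one dimension only, so all of devops is cut off from storage.
COARSE = [deny("devops role", "storage", role="devops")]

# Granular setup: rules combine dimensions and hit only the risky combinations.
GRANULAR = [
    deny("mobile device", "storage", device="mobile"),
    deny("devops outside US", "storage", role="devops", location="non-US"),
]

if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL, DAVE):
        print(who.name,
              "coarse:", evaluate(who, "storage", COARSE),
              "granular:", evaluate(who, "storage", GRANULAR))
```

Under the coarse rules alice loses access along with every other devops identity; under the granular rules only bob (mobile) and dave (devops outside the US) are denied.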