Powered by MOMENTUM MEDIA

The 6 biggest challenges to achieving effective ID and access management in the cloud

As Australian companies' adoption of cloud services and resources grows, so does the number of data breaches. Interestingly, many of these are occurring because of the mismanagement of identities. Steve Singer from Zscaler explains.

Mon, 25 Oct 2021

According to analyst firm Gartner, 99 per cent of cloud security failures will be the customer’s fault during the next three years, and 75 per cent of these failures will result from improper management of identities, user access and privileges.

That should give CISOs and IT teams pause for thought. As assets and resources are added and accessed by human and non-human identities in the cloud, enterprises need to secure who and what has access to these to protect cloud environments effectively.

Most cloud providers have developed their own native identity and access management (IAM) tools to help their customers with this challenge. However, these built-in mechanisms won’t work for enterprises operating in a multi-cloud environment. In addition, the scale, diversity and dynamic nature of cloud IAM pose significant operational, security and compliance challenges.


The six biggest challenges facing security teams when trying to achieve effective IAM in a multi-cloud world are:

  1. It’s a scalable and diverse environment.

Security teams are responsible for controlling and tracking access privileges for human, application and machine identities across an ever-increasing variety and volume of attributes when it comes to cloud storage. These include resources such as files, virtual machines and containers.

Also included are services such as business applications, databases, storage, networking and administrative accounts like management consoles and ordering and billing portals. The challenge of maintaining and tracking access privileges in this environment is significant.

  2. It’s a dynamic environment.

By its very nature, the cloud is inherently dynamic. Applications and services are instantiated on demand, and containers are continuously spun up and down, making assigning entitlements and tracking access privileges even more difficult.

  3. There’s a lack of consistency and standards.

Each cloud provider has taken its own approach to IAM security and uses distinct roles, permission models, tools and terminology. Managing identities and entitlements can therefore become a resource-intensive, time-consuming and error-prone function.

  4. Misconfigured identities.

As the complexity of multi-cloud environments increases, so too does the chance of human error. For this reason, misconfigurations can, unfortunately, become more prevalent.

One high-profile example was the Capital One data breach in 2019. The misconfiguration of the Capital One web application firewall, designed to stop unapproved access, enabled a remote attacker to generate a temporary AWS token that could fetch data from an AWS Simple Storage Service. With full access to the web servers, the attacker executed a simple script of AWS commands used for system administration.

  5. There are often excessive privileges in existence.

Organisations often grant privileges unnecessarily, creating additional risk and exposure. Over-permission can increase attack surfaces and make it easier for adversaries to move laterally across an environment and wreak havoc.

  6. Compliance management is difficult.

If identity and access management processes are not effectively controlled, enterprises may be non-compliant with industry standards and government regulations. Also, the enterprise is forbidden from presenting data and audit reports to support compliance and audit requirements.

Solving the IAM challenge

These challenges make effective IAM difficult to achieve. However, there are a number of approaches that are showing promise.

One of the most popular combines cloud security posture management (CSPM) with cloud infrastructure entitlement management (CIEM). These solutions help address the most urgent challenges by detecting and mitigating identity- and access-related risk and governing identities at scale.

When an organisation deploys both CIEM and CSPM, some significant benefits are achieved. These include:

Achieving deeper visibility into multi-cloud assets: Gaining visibility into the complex relationships between identity, entitlements and resources is a critical starting point for bringing enhanced security to multi-cloud infrastructures.

Prioritisation and remediation of privilege and configuration risks: This approach will allow security teams to accurately detect and prioritise at-risk identities and resources and mitigate risky privileges and faulty configurations while ensuring business continuity.

More effective policy enforcement: Security teams will be able to enforce automated guardrails for identities, resources and network configuration, thus preventing unauthorised access.

Better detection of policy violation: This will help organisations improve their security postures and protect against policy violations with continuous risk analysis checks for access anomalies against each cloud identity’s baseline.

A CSPM plus CIEM combination can significantly improve an organisation’s IAM capabilities. Consider how adopting this approach to identity and access management could work within your cloud infrastructure.

Steve Singer is the regional vice president and ANZ country manager at Zscaler.
