Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

Op-Ed: Take control of identity security in the cloud

The past year has seen the massive acceleration of digital transformation initiatives in Australia to support the new hybrid work reality we’ve found ourselves in – all thanks to the cloud. And now, you probably rely on more cloud services and SaaS applications than you ever have before.

user iconAndrew Slavkovic
Thu, 25 Feb 2021
Andrew Slavkovic
expand image

Yet, as cloud usage grows – and increasingly spans across multiple cloud providers – the creation of human, application and machine identities has accelerated. Mapping relationships between all of these identities and cloud resources has become extremely complicated.

A recent ESG survey found that maintaining consistent identity and access management (IAM) controls across public and private clouds is the leading challenge for IT and cyber security professionals charged with IAM tasks. Despite this, achieving a unified approach to IAM is their top priority, which makes sense given the onus is on the cloud customer to manage and secure access in their cloud environments.

Implementing least privilege is a crucial step in securing privileged access and identities for cloud-based infrastructure and applications. In a perfect world, each identity is configured to have only the privileges and permissions needed to perform its intended functions – nothing more, nothing less.

============
============

This is the crux of the principle of least privilege and a core tenant of zero trust. But even the most sophisticated security team will tell you this is easier said than done.

Cloud permission misconfiguration

The dynamic nature of cloud roles, infrastructure, applications and services often leads to misconfigurations that can result in the accumulation of unused permissions, especially at scale. Through the eyes of a cyber criminal, these permissions create a pathway to gain access to critical cloud infrastructure, steal or alter sensitive data or interrupt cloud hosted services.

Over-permissioned accounts and roles is the top cloud misconfiguration today, according to the ESG study. Not surprisingly, cyber criminals have taken notice: the same survey ranked overly permissive privileges as the most common attack vector against cloud applications. They’ve been traced to some of the largest breaches in history.

The 2020 IBM Cost of a Data Breach study found that 19 per cent of all breaches were caused by misconfigurations of cloud servers and virtual machines (VMs) – and they’re costlier than other breach types at $4.41 million on average.

Implementing cloud least privilege

It’s clear that least privilege must become a top identity security priority. To get you there, here are six ways to reduce risk and drive change across people, process and technology:

  1. Get everyone on the same page

Responsibility for cloud IAM design and operations varies a lot between organisations. It’s important for stakeholders to align to identify which teams and individuals will “own” the implementation of least privilege strategies – and ensure these responsibilities are clearly understood.

  1. Don’t make security decisions in a vacuum

Consult cloud architects and developer teams on all process and technology decisions at the start of the program and throughout the implementation. This helps to maximise buy-in from key stakeholders and increase long-term effectiveness.

  1. Map all existing IAM permissions

Organisations can’t defend against threats they’re not aware of. Identify and visualise all IAM permissions across cloud provider environments and Kubernetes services. Then, map access relationships between identities and resources to uncover potential vulnerabilities.

  1. Remediate unused and risky entitlements

Excessive permissions for human, machine and application identities should be removed immediately. AI-powered recommendations can speed and simplify this process, and the most effective solutions can also uncover hidden, platform-specific risks like shadow admins. If you’re taking a phased approach, start by eliminating excessive privileges to your most valuable cloud assets – then apply least privilege policies more broadly over time.

  1. Make bare minimum permissions the default for new workloads

AWS is especially clear on this point, advising organisations to: “Start with a minimum set of permissions and grant additional permissions as necessary. Doing so is more secure than starting with permissions that are too lenient and then trying to tighten them later.”

  1. Consistently measure and verify least privilege

Least privilege doesn’t last forever. Structuring consistent, periodic reviews to clean up unused permissions that accumulate over time is essential to combatting permission creep. Quantify risk reduction over time with analytics-based assessments for each unique environment.

Consistent controls are key for scalable security

Most companies are using capabilities from multiple cloud providers for cost savings, increased availability or unique technical features. Configuring the countless combinations of user to application access – for any time and from any place or device – is a real challenge.

Add in the complexity of DevOps tools, increased automation and multiple on-premises data centres, and things get even more… cloudy. Cracking the code requires a unified approach.

The most effective strategies employ centralised, consistent IAM and privileged access management (PAM) controls that enable least privilege for all identities linked to resources – from cloud management consoles to SaaS applications – across hybrid and multi-cloud environments. It’s also important to layer these controls with single sign-on and context-based multi-factor authentication to further secure access to cloud environments.

Whether you’re focused on securing an initial project in a hybrid environment or fully embracing cloud native applications today, a consistent approach is the key to mastering privileged and identity access management in the cloud.

Andrew Slavkovic is CyberArk's solutions engineering manager, ANZ.

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.