Expanded adoption of the public cloud has resulted in unanticipated security challenges, one of which has been the explosion of non-human identities.
In traditional network settings, user identities in the form of individual accounts are the primary security focus. However, the public cloud provides access to applications, databases, data stores, and other identities, necessitating a more robust approach to security.
Unfortunately, traditional security tools lack the means to handle this significant shift in resource management requirements. As a result, over-provisioning and other issues have plagued cloud environments, exasperating many security risks.
Today’s Identity and Access Management (IAM) and Privileged Access Management (PAM) solutions were not designed with the public cloud in mind and remain primarily focused on authentication to address the security challenges that come with today’s cloud environments.
In fact, even existing cloud security tools are not always up to the challenge, and with 92% of today’s enterprises employing a multi-cloud strategy, inconsistencies and security gaps have left many cloud environments dangerously exposed. Ultimately, organizations need a new paradigm to address these challenges better —one that provides end-to-end visibility and the ability to scale with the needs of today’s enterprises.
Understanding the Problem
Last year, Gartner released a publication titled “Managing Privileged Access in Cloud Infrastructure” that included several concerning statistics and predictions. The publication estimated that by 2023, 75% of cloud security failures would result from inadequate management of identities, access, and privileges. This finding is a significant increase from the 50% estimated in 2020, and Gartner notes that the growing number of identities and entitlements substantially increased both the complexity and risk involved.
Whether they are running a single cloud or a multi-cloud infrastructure, many security challenges consistently plague today’s organizations:
- The Volume of Identities: The sheer number of identities and entitlements in the public cloud has introduced a new level of complexity. Organizations used to dealing with hundreds of identities are now dealing with thousands or more. The dynamic nature of the cloud can make it challenging to track access and accountability.
- Privileged Access: Many organizations use traditional IAM tools and techniques in the cloud, but the static and longstanding access these tools grant increases risk.
- Excessive Access: Some identities often have more access and resources than they truly need in the interest of convenience. Similarly, some organizations sync Active Directory (AD) identities with the cloud, which means an endpoint exposure can quickly become a cloud breach. The recent SolarWinds breach is an excellent example of this.
- Limited Visibility: It can be problematic to have a consistent and comprehensive view of the entire cloud environment, making it difficult to assess risk. Multi-cloud environments, each with its own user interface, can exacerbate this issue.
Addressing Vulnerabilities
With traditional IGA and PAM not designed for the unique challenges posed by the cloud, other tools have risen to fill in the gaps. Existing cloud security tools like Cloud Security Posture Management (CSPM) systems, Cloud Workload Protection Platforms (CWPPs), and Cloud Access Security Brokers (CASBs) have successfully addressed some areas of cloud security.
However, they usually do not have identity and access controls, leaving potentially dangerous security gaps. Even manual methods to ensure a least-privilege approach to cloud security do not generally scale in an environment with thousands of identities—and even more entitlements—to manage.
As organizations embrace least privilege and zero trust concepts, the need for automated tools has become increasingly apparent. Unfortunately, identity-based attacks have become more common in recent years. Microsoft has identified specific threats seeking to compromise Active Directory. At the same time, the 2021 Verizon Data Breach Investigations Report noted that 61% of all breaches involved credential data, driving home the need to protect identities.
As security professionals seek to combat these new threats and address the growing need for identity-based security, several key priorities have risen to the top. With cloud environments expanding and the number of identities increasing, modern cloud solutions must discover all identities, resources, and entitlements at any scale.
Tracking changes to entitlements over time is also essential to discover changes made by attackers and validate that obsolete permissions are not still active. With the rise in multi-cloud environments, today’s solutions must also consistently support multiple cloud services.
Visibility to cloud identity issues is critical but alone does not suffice. Organizations must have end-to-end visibility from the endpoint to Active Directory to the cloud, helping defenders better visualize entitlements and risk from multiple points of view. Defenders also need to clearly and quickly mitigate risks as they become apparent, which means possessing a more expansive view of the network and potential attack paths to detect and derail attackers wherever they are active.
Comprehensive Permission Management Is Needed
Gartner has coined terms like CSPM and Cloud Infrastructure Entitlements Management (CIEM), but these more broadly fall under the umbrella of Cloud Permission Management (CPM).
Rather than debating the virtues of CSPM, CIEM, or any other option within the current alphabet soup of cloud security options, organizations should ask themselves what vulnerabilities they most need to address and where their most significant visibility gaps are. Most will find that they need a solution that provides greater visibility, scalability, and discovery of identity risks and entitlement exposures—and that they need this visibility to be comprehensive, covering the endpoint to AD and into multi-cloud environments.
Cloud security tools are becoming more advanced, but attackers continue to find ways to slip through the cracks. Only with more effective and comprehensive cloud permission management—and the visibility needed to address policy drift and exposures—can modern organizations truly begin to protect themselves.
About the Author:
Carolyn Crandall is the Chief Security Advocate at Attivo Networks