Conventional approaches to privileged access and identity management are ineffective in today’s cloud-oriented DevSecOps environments. The concept of least privilege access still remains foundational – and traditional privileged access solutions can deliver effective security in situations where development and operations are segregated, and on-premises architecture predominates.
It is not enough, however, to simply grant permanent standing privileges to a human or non-human user, even if they are limited to only those permissions needed to do their jobs. Especially now, when teams are dispersed and working remotely, credentials are proliferating in the cloud (outside of on-premises security protocols) and are more exposed to theft or abuse.
With DevSecOps teams now commonly working across many clouds, each with their own permission sets and usage models, we need to rethink how we manage privileged access. Let’s consider the individual issues that are preventing DevSecOps teams from easily securing access to cloud resources, and explore potential remedies to these challenges.
In this eWEEK Data Points article, we discuss the four reasons it’s critical to manage privileges and access across your multi-cloud environments.
Data Point 1: Insufficient privilege management
The longstanding approach to cybersecurity in on-premises environments included ringfencing of users and assets—such as firewalls to keep out unwanted network traffic. Conversely, in cloud environments, it’s not possible to ringfence every application, resource, device, or user. Digital identity defines the new perimeter.
The problem is the new identity-defined perimeter has made managing access privileges magnitudes more critical than ever before. In addition, the privileged access and identity management practices optimized for on-premises situations are ineffective in today’s cloud-oriented continuous integration and continuous delivery (CI/CD) DevSecOps environments.
Recommendation: Today’s dynamic privileging platforms designed to support just-in-time (JIT) privilege grants enable DevSecOps teams to maintain a Zero Standing Privilege (ZSP) security posture in a way that accelerates, not slows, the CI/CD development process.
When dynamic privileging platforms are integrated with existing security tools, such as user and entity behavioral analytics (UEBA) and advanced security information and event management (SIEM) engines, DevSecOps teams can gain deep visibility into cloud application events and access changes.
These capabilities are critical in enabling DevSecOps to get a complete picture of user activity, making it possible to identify threatening user behavior to which security teams must respond. When events occur, administrators can quickly act to protect critical information and cloud services from breaches.
Data Point 2: Attack surface sprawl
Companies today use hundreds or thousands of cloud services, and a typical DevSecOps operation can easily generate thousands of data access events every day. The result is that each human and machine user ends up having multiple identities and standing privilege sets sitting vulnerable to exploitation.
Recommendation: Again, as with core security concerns, the automated granting and expiring of permissions—JIT privilege grants—is highly effective at minimizing attack surfaces. These JIT/ZSP solutions work on the concept of Zero Trust, which means no one and nothing is trusted with standing access to your cloud accounts and data. With JIT permissioning, elevated privileges can extend either for the duration of a session or task, for a set amount of time, or when the user no longer needs access.
Once the task is complete, those elevated privileges are automatically revoked–all without sys-admin involvement. Where a user previously had standing access privileges potentially extending around the clock for months at a time, converting to JIT granting would compress that attack surface to several hours per month. Further, JIT permissioning largely frees organizations from having to maintain and pay for both privileged and non-privileged accounts. Dynamic secrets generation also provides a better model for securing temporarily deployed services and features.
Data Point 3: Unmanaged privilege drift.
User privileges tend to expand and change organically over time. This circumstance has long been recognized as a potential source of vulnerability in conventional privileged access solutions. In multi-cloud environments, privilege drift becomes exponentially more difficult to manage and keep consistent, and is far more likely to result in over-privileged users.
Recommendation: Enforce least privilege access (LPA) by automating privilege right-sizing. Dynamic privilege granting enables organizations to automatically monitor and adjust privileges to ensure users have only the privileges needed to do their jobs. As such, security admins can quickly survey assigned privileges in order to identify “blind spots” such as over-privileged users and machine identities. With insight like this across clouds, it becomes possible – with security oversight – to remove privileges where they’re not needed and right size privileged access overall.
Data Point: 4: Lack of centralized control
Privileges differ from cloud service to service, necessitating learning each service separately and implementing privilege sets. Additionally, many DevSecOps organizations have had to rely on externally stored or hardcoded credentials—and end up struggling to manage privileges across a diversity of disconnected secure vaults.
Recommendation 1: A more effective approach is to manage secrets through a central management solution, providing DevSecOps teams with real-time availability to all elements of secrets infrastructure across cloud and across secrets vaults, including certificates, keys, and tokens.
Recommendation 2: Employing a unified cross-cloud access model makes it possible to manage privilege sets across cloud services. Centralized provisioning automates privileging processes across all cloud resources, dramatically reducing the likelihood of errors that can place accounts and data at greater risk.
DevOps and DevSecOps are still new and fast-evolving concepts within the wider computer science and cybersecurity universe. No doubt, DevOps has been wildly successful in accelerating automation and speeding time to market for innovative applications and business services. To date, however, security solutions providers have struggled to accelerate privileged access solutions that could secure the devices, data, and resources used by DevOps teams, especially in cross-cloud environments. Dynamic privileging platforms using just-in-time (JIT) privilege grants and employing Zero Standing Privilege (ZSP) principles show great promise in solving these problems.
About the Author:
Art Poghosyan, CEO of Britive