The flexibility of public cloud environments enables customers to provision resources with the click of a button, spin up containers based on dynamic scaling requirements, and more. A typical public cloud deployment can quickly turn into a vast maze of interconnected machines, users, applications, services, containers and microservices.
Keeping track, evaluating risks and defining access policies and permissions for a multitude of machine (applications, services, etc.) and human identities is therefore a huge undertaking, especially as more and more organizations adopt a multi-cloud strategy.
Some of the most high-profile cybersecurity incidents in recent years were the direct result of customers failing to properly configure their cloud environments, or granting excessive or inappropriate access permissions to cloud services, rather than a failure of the cloud provider in fulfilling its responsibilities. Since access policies must be frequently adjusted over time, the potential for human error increases sharply.
IDC: The Problem of Excessive Permission in the Cloud
This rising concern over excessive permissions in the cloud is reflected in a recent IDC survey where more than 71% of respondents cited detection of excessive permission in the cloud as either very important or extremely important.
In addition, only 20% of respondents reported that they were able to identify situations in which employees in their organization have had excessive access to sensitive data. These numbers clearly reflect the gap between the importance decision makers attribute to the issue, and their limited capabilities.
Meanwhile, excessive permissions may go unnoticed as they are often granted by default when a new resource or service is added to the cloud environment. This is where the human factor comes into play: an overworked security or IT admin may fail to identify and remove such permissions and create a significant vulnerability that may only be detected after the fact.
According to the survey, early detection doesn’t necessarily guarantee prevention; more than 13% of respondents that detected excessive permissions reported that they were unable to mitigate the risks before data was exposed.
Given these challenges, it’s not surprising that more than 79% of the survey respondents reported they had experienced a cloud data breach in the last 18 months. Even worse, forty three percent of respondents reported that they have experienced ten breaches or more.
Many of the organizations that reported the largest number of cloud data breaches were among those who identified excessive access to sensitive data among their employees. According to the survey, the healthcare industry appears to be particularly exposed to this risk as 31.25% of organizations in this sector reported they have identified a situation where employees had excessive access permissions.
CISO Taking Action
The steps taken by many CISOs to mitigate risks stemming from excessive permissions reflect the growing interest in the least privilege model which is based on limiting every human or machine identity, every user or application, to the exact permissions required to complete legitimate work activities in order to protect cloud environments.
Least privilege relies on continuous and accurate understanding of the relationships between entities – whether human or machine identities – and the systems they need to access to perform their job. However, defining and enforcing dynamic, least privilege access policies involves significant challenges.
Most notably, in a typical cloud environment consisting of multiple applications, services and dependencies, implementing least privilege permissions for even a single user could be a daunting task – let alone when dealing with multi-cloud environments.
In this regard, the proliferation of machine identities exacerbates the difficulty of achieving least privilege. Unlike human identities that employ usernames and passwords to authenticate and access resources, machine authentication is based on certificates and encryption keys.
Enforcing Least Privilege
For organizations that rely on cumbersome manual processes and homegrown tools to manage and track their certificates and keys, enforcing least privilege is virtually impossible. Especially in dynamic cloud environments where machine accounts are frequently created for multiple entities, many of which have a lifespan of only a few days or hours, resulting in limited visibility and control.
These difficulties were evident in the survey where “ensuring that users, applications, and services can access only the cloud data and cloud resources that are necessary for their legitimate purposes” was selected as the top cloud data protection challenge among organizations of all sizes. Least privilege was mentioned as the main challenge to protecting sensitive data in banking and healthcare, two of the most regulated industries in relation to data protection and privacy.
As more workloads are running in IaaS and PaaS, and more sensitive data is located outside the corporate datacenter, least privilege capabilities are becoming critical. Given the scale and flexibility of IaaS and PaaS environments, organizations require an automated, centralized approach for managing least privilege that reduces their reliance on manual processes and compensates for the lack of adequate and qualified IT resources.
Fortunately, new technologies are emerging that can analyze access policies at scale across massive human and machine identity populations and continuously compare them against actual access patterns to identify anomalies, excessive permissions and risk, and adjust them accordingly.
ABOUT THE AUTHOR:
Sivan Krigsman, Chief Product Officer and co-founder of Ermetic.