
Solving the CISO Cloud paradox: how to put the genie back without losing the magic

(Image credit: Melpomene / Shutterstock)

The proliferation of cloud-based services and applications has proved a great leveler. Almost overnight control over who has access to which corporate resources and what they can do with them has been handed over to the user.

Securing cloud-based services, whether Security-as-a-Service or Infrastructure-as-a-Service (SECSaaS or IaaS), is becoming an increasingly complex issue for CISOs and IT security teams in general.

Having oversight of an organization’s security posture is crucial to ensuring it is safe. Back when organizations only had a handful of cloud solutions, with only a few employees within the business using them, it was relatively straightforward to control who had what level of access to each one.

However, cloud usage has changed and expanded rapidly. The average enterprise is now using close to 2,000 cloud-based services, many of which have been added by employees and departments without the knowledge of those in IT. This will have risen even further following lockdowns as a result of the Covid-19 pandemic, with employees being forced to work remotely, some of them for the first time, all needing to access key applications, internal tools, infrastructure and documents.

To ensure this increase in all things cloud does not impact the organization’s IT security, CISOs need to deploy a continuous authentication and authorization model across traditional applications, endpoints, infrastructure, and all areas of the cloud. This will provide CISOs with the granular visibility and control to adapt their security posture as needed.

Cloud flying high

Digital transformation projects are driving more and more organizations to adopt cloud technologies. While this trend has been steadily climbing in the last few years, the recent Covid lockdowns have seen a huge acceleration in the number of cloud services enterprises are now using. This is clearly demonstrated in research that shows 82 percent of organizations have increased their cloud use to facilitate remote working during the pandemic. Two-thirds of those surveyed for the research said the increase in cloud use will continue for some time to come.

A majority of this rise appears to be spending on cloud Infrastructure-as-a-Service (IaaS) platforms, such as Amazon Web Services (AWS) and Microsoft Azure. Cloud-based collaboration tools have also seen an increase in use, with Slack, Teams and Zoom all proving popular. Industries such as telehealth and online education have seen a major increase in usage during the lockdowns.

There’s no doubt that cloud tech has been indispensable during these turbulent times, enabling many businesses to at least keep the lights on. However, a sudden increase in new cloud tech can present security challenges if not managed and remediated properly.

Everyone is becoming a privileged user

Being able to manage access to privileged accounts and data has been a cornerstone of cybersecurity for some time now. Using the principle of least privilege, which states that users should only have access to the assets needed to do their work, businesses have protected their sensitive data and systems through Privileged Access Management (PAM). This is based on a “never trust, always verify” approach to anything inside or outside the network looking to gain access. Combined with system oversight, IT security teams are able to control who can access what, for how long and when, in order to secure resources and comply with regulations.

This has been complicated by employees now working remotely, as well as by the need for third parties to access the network. Predominantly using and relying upon IaaS, SaaS and web-based applications has resulted in asset sprawl that is difficult for an IT security team to keep tabs on. Further, the rise of cloud collaboration platforms now means that anybody can potentially have privileged access and make administrator-level changes. Take for instance Microsoft Teams: users can add members to groups and give them access to privileged information without having to run these changes by IT security.

There is a similar issue with web applications, including social media. Once a user has access to a business account on one of these platforms, they can do what they like. This means that organizations must apply the principle of least privilege everywhere, including cloud services and web applications.

Granularity provides greater control

Key to applying PAM to the vast array of cloud-based assets the average organization now uses is granularity. This focuses on the end-to-end enforcement of policies, such as MFA and session recording, whether in the cloud or on-premises. In a similar way, through the use of automated, centralized solutions the IT security team can precisely control, down to the smallest details, what users can see and do in cloud apps and platforms, even including social media.

Using Role-Based Access Control (RBAC), IT administrators can assign bespoke authorization levels to groups of users depending on their job function. These can then be automatically checked in real time when a user logs into an application. For example, if an employee needs to use Salesforce, they will only be able to see what is appropriate for their authorization level. Anything else will either be blanked out, such as sensitive information, or have its functionality disabled.

Central to granular control is continuous authentication and authorization. This is an adaptive, risk-based model that allows security teams to raise or lower the security fence as needed. For example, if user credentials have been put at risk by a data breach elsewhere, the IT security team will be able to change passwords to protect accounts while at the same time tightening security controls.
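The two paragraphs above describe role-based field masking at login and a risk check that tightens controls when credentials are known to be exposed. The following is an added illustration written for this page, not Thycotic's or any vendor's code; the role names, record fields, actions and the breached-user list are all constructed assumptions.

```python
"""Added example: role-based masking plus a per-request risk check.
Policy, roles, fields and the breach list below are constructed for
illustration and are not taken from any real product."""

# Constructed policy: fields each role may see and actions it may run.
ROLE_POLICY = {
    "sales_rep": {
        "fields": {"account", "owner", "stage"},
        "actions": {"view", "update_stage"},
    },
    "sales_admin": {
        "fields": {"account", "owner", "stage", "contract_value", "ssn"},
        "actions": {"view", "update_stage", "export", "delete"},
    },
}

# Constructed set of accounts whose credentials appeared in a breach elsewhere.
BREACHED_USERS = {"alice"}

MASK = "***"


def authorize(user, role, action, record, risk_signals):
    """Decide one request and return (decision, record_as_the_user_may_see_it).

    decision is 'deny' (role lacks the action), 'step_up' (risk signal seen:
    force MFA / password reset before anything is shown) or 'allow'.
    """
    policy = ROLE_POLICY.get(role)
    if policy is None or action not in policy["actions"]:
        return "deny", {}

    # Continuous authorization: risk is re-evaluated on every request,
    # not only once at login, so a new breach tightens controls immediately.
    if user in BREACHED_USERS or risk_signals.get("new_device", False):
        return "step_up", {}

    # Least privilege on the data itself: fields outside the role's
    # allow-list are blanked rather than returned.
    visible = {k: (v if k in policy["fields"] else MASK) for k, v in record.items()}
    return "allow", visible


if __name__ == "__main__":
    # Constructed CRM-style record used to exercise the policy.
    rec = {"account": "Acme", "owner": "bob", "stage": "closed",
           "contract_value": 100000, "ssn": "000-00-0000"}
    print(authorize("bob", "sales_rep", "view", rec, {}))
    print(authorize("alice", "sales_admin", "view", rec, {}))
```

The same `authorize` call is made on every request, so adding a user to `BREACHED_USERS` or seeing a new-device signal changes the decision without waiting for the next login.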

Such a dynamic security stance means that we need to move away from humans generating passwords. Instead, complex passwords should be automatically generated, rotated and connected to systems via proxies.

Remote working is now considered the norm for a majority of organizations, either on a full- or part-time basis. Cloud applications and infrastructure are significant enablers of this, but can clearly represent significant security challenges. By being able to expand PAM into the cloud, organizations can rest assured that they are providing workers with only the exact tools they need to do the job and keep themselves protected. All users are becoming privileged, privileged access is going beyond the traditional perimeter, and the principle of least privilege should be the strategy.

Joseph Carson, chief security scientist, Thycotic

Joseph Carson is an award-winning cyber security professional and ethical hacker with more than 25 years’ experience in enterprise security, specializing in blockchain, endpoint security, network security, application security and virtualization, access controls and privileged account management. Joseph is a Certified Information Systems Security Professional (CISSP) and an active member of the cyber security community, frequently speaking at cyber security conferences globally and often being quoted in and contributing to global cyber security publications. He is a cyber security advisor to several governments and to the critical infrastructure, financial, transportation and maritime industries. Joseph regularly shares his knowledge and experience by giving workshops on vulnerability assessments, patch management best practices, the evolving cyber security perimeter and the EU General Data Protection Regulation. Joseph serves as Chief Security Scientist at Thycotic and is the author of Privileged Account Management For Dummies.