
Taking a zero-trust approach to protecting cloud identities


The world around us continues to evolve rapidly, with the pandemic still heavily impacting our daily lives and the world economy in equal measure. The tentative first steps being taken in vaccine rollouts offer hope on the horizon, however, and many businesses are rapidly laying the digital foundations to accelerate their way out of this crisis. These efforts also come hot on the heels of widespread adoption of off-premises technologies and cloud-native applications, which many organizations quickly turned to in order to power virtual interactions during this prolonged period of physical restrictions.

This digital race, however, brings with it a new set of cyber security vulnerabilities. New services being delivered by cloud providers are creating a plethora of new identities and entitlements, all of which represent a potential opportunity for hackers and a first step towards a company’s most valuable assets. So how can these vulnerabilities be overcome?

Starting with least privilege access

The adoption of public cloud services, SaaS applications and remote access has further eroded the traditional network perimeter, firmly establishing identity as the primary line of defense for most organizations to the connected world outside. As modern zero trust models take hold, authentication and authorization of all identities are becoming increasingly important.

In cloud environments, any human or machine identity can be configured with thousands of identity and access management (IAM) permissions to access cloud workloads containing critical information. User, group and role identities are typically assigned permissions depending on their job functions, but many organizations unintentionally configure identities with permissions they don’t use or need.

These excessive permissions pose a major risk for organizations as they adopt zero trust security frameworks, which demand that every identity attempting to access corporate resources be verified and have their access intelligently limited. A recent ESG study found that over-permissioned accounts and roles are the top-ranked cloud service misconfiguration. Unsurprisingly, attackers have taken notice of this too. The same survey ranked overly permissive privileges as the most common attack vector against cloud applications.

Compromising a cloud identity with more permissions than necessary means they can not only access critical workloads undetected, but also escalate their privileges to steal cloud-hosted data, disrupt high-value applications or even take down entire cloud deployments.

Implementing least privilege – where all identities only have the minimum necessary entitlements to perform their ongoing responsibilities – is an established best practice to address this challenge. Least privilege also limits the number of entities that can grant or configure new permissions, making it difficult for attackers to escalate privileges and reach their goals.

As organizations continue on their cloud journey, this same approach to zero trust must be introduced or extended to all cloud environments. There are four main reasons to do so:

Digital transformation has an incessant forward trajectory. But attackers are shifting their attention to the cloud just as quickly as enterprises. And even though they are targeting new environments, they often rely on the same old tactics. The 2020 Verizon Data Breach Investigations Report (DBIR) corroborates this: it found that identities remain the weakest link in most organizations, as credential theft was employed in 77 percent of cloud breaches.

These trends reinforce the case for least privilege access in cloud environments. By implementing least privilege access, organizations proactively protect themselves from insider threats while greatly limiting the potential damage of external attacks. Even if an attacker is able to hack a single account, their lateral movement becomes extremely restricted. This protects mission-critical workloads, buying valuable time to detect and respond to an attack.

2. Cloud services bring a multitude of configuration risks

The leading infrastructure as a service (IaaS) platforms – Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) – are constantly introducing new services to differentiate themselves from other platforms. These burgeoning innovations, including powerful tools for specialized needs like data streaming, blockchain networking and Internet of Things (IoT) analytics, are more accessible than ever before and boosting business productivity significantly.

But accessibility comes at a price. Configuration of cloud services is challenging for any organization, and one simple misconfiguration can open doors for attackers. The 2020 IBM Cost of a Data Breach report, for instance, found attackers used cloud misconfigurations in nearly 20 percent of data breaches.

Least privilege models emphasize managing permissions to identify potential misconfigurations that result in excessive, unauthorized access to key cloud services – mitigating risk while enabling necessary access to advanced workloads.

3. Reducing the attack surface

Several aspects of cloud environments make proper configuration of privileges and permissions a challenge. Some organizations lack a thorough entitlements audit process that would identify excessive permissions and limit them to the least privilege required for a service to work properly. Others fail to account for outdated permissions, such as neglecting to remove developer access to storage buckets and container pods at the close of a project.

Establishing and continuously validating least privilege is, therefore, a critical step to shrinking the attack surface, lowering risk by dissuading insider threat actors and impeding external attackers.
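As an added illustration of the entitlements audit described above (example code, not from the article or from CyberArk), the following Python compares the actions an AWS-style IAM policy grants with the actions the identity was actually seen invoking over a review window, flagging unused grants and wildcard grants and proposing a right-sized action list. The policy document and the observed-action set are constructed sample data; in practice the observed set would be derived from the provider's activity logs.

```python
"""Entitlements audit: compare an IAM policy's grants to observed usage."""
import fnmatch
import json

# Constructed sample policy (AWS-style JSON); not taken from any real account.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket"],
     "Resource": "arn:aws:s3:::project-data/*"},
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}
  ]
}""")

# Constructed activity record: actions this identity actually invoked
# during the review window (in practice, extracted from provider audit logs).
OBSERVED_ACTIONS = {"s3:GetObject", "s3:PutObject", "ec2:DescribeInstances"}


def granted_actions(policy):
    """Flatten the Allow statements into a list of action patterns (wildcards kept)."""
    actions = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        acts = stmt["Action"]
        actions.extend([acts] if isinstance(acts, str) else acts)
    return actions


def audit(policy, observed):
    """Return unused grants, wildcard grants and a right-sized explicit action list."""
    grants = granted_actions(policy)
    # A grant is unused when no observed action matches it (fnmatch handles "svc:*").
    unused = [g for g in grants if not any(fnmatch.fnmatch(a, g) for a in observed)]
    wildcards = [g for g in grants if "*" in g]
    # Least-privilege replacement: only the actions actually exercised, each named explicitly.
    right_sized = sorted(a for a in observed if any(fnmatch.fnmatch(a, g) for g in grants))
    return {"unused": unused, "wildcards": wildcards, "right_sized": right_sized}


if __name__ == "__main__":
    print(json.dumps(audit(POLICY, OBSERVED_ACTIONS), indent=2))
```

The "ec2:*" grant counts as used because one EC2 call was observed, yet it still appears under wildcards, which is why a review must consider both findings before tightening a policy.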

4. Responding to advisories from leaders and regulations

The likes of AWS, Azure and GCP all recognize the dangers of over-permissioned identities and difficulty of securely configuring services in immense cloud environments, and specify least privilege access as a security best practice.

Consortiums like Cloud Security Alliance’s Cloud Control Matrix also stress the importance of continuously reviewing permissions. Meanwhile, highly regulated organizations can even face financial penalties for failing to establish least privilege if breached. Hence, organizations should continuously verify least privilege across their on-premises and cloud workloads to ensure compliance.

Least privilege continues to be recognized as a security best practice for a reason. However, it should not come at the expense of end-user productivity, nor should it overburden IT teams. An effective approach to least privilege should ensure privileged access management practices are balanced against appropriately flexible controls. When done right, this allows organizations to integrate security and compliance requirements with operational and end-user needs, and mitigate all security vulnerabilities associated with cloud migration. Organizations can then continue to invest in innovation that delivers the agility needed to flourish post-pandemic.

David Higgins, EMEA Technical Director, CyberArk

David Higgins is Director of Customer Development EMEA at CyberArk.