Most business leaders understand that we live in a hyper-connected world. By embracing the convenience and flexibility cloud-based solutions provide, businesses have traded away the security (and rigidity) of services that once operated within the four walls of enterprise data centers. In making that shift, businesses have incurred new risks associated with an explosion of access privileges to networks, infrastructures, endpoints, applications and data. Complex as these risks may be to manage and contain, there’s hope. Security by design is both an imperative and a shared responsibility. It’s also achievable.
Identity and Access Management
Businesses benefit both in operational and security capacities from solid Identity and Access Management (IAM) programs. Mature IAM enables secure and simple use of Information Systems. Policies and standards form a program’s backbone; then IAM technologies provide capabilities to govern and monitor access, as well as correlate accounts and privileges with identities. IAM programs should provide visibility into who or what has access — and when, where and how access is used — throughout the ecosystem.
While this is important for all identities and accounts, it’s even more pivotal for privileged access which poses significant risk to organizations if used improperly, whether unintentionally or maliciously. Maintaining governance and security for sensitive and privileged accounts is an unending task as new technologies enter the environment and bad actors gain sophistication.
Privileged Access Management (PAM) warrants special focus within the IAM program; it’s through elevated privileges that the most sensitive credentials, capabilities and data get accessed. IAM and PAM both consider how to provide security, but they must do so by enabling the business’ innovation and agility – without giving away the keys to the kingdom.
The explosion of privileges
Privileged accounts are everywhere, and attackers know it. They’re aware that highly connected, interdependent enterprise ecosystems are a business’ greatest vulnerability. They also know that access to a privileged account would enable them to steal data, alter documents, impersonate users, disrupt operations and damage system integrity and resilience. Last July, Palo Alto Networks published its Unit 42 Network Threat Trends Research Report. Their study of several hundred thousand cloud identities showed that fully 99 percent were overprivileged.
Businesses now operate in multi-cloud environments, using (for instance) one service for infrastructure and applications, another for directories, and yet another for analytics and DevOps. Five years ago, teams may have had to master only one or two permissioning systems. With the proliferation of cloud environments and DevOps tooling, those same teams must now master multiple, unique permissioning systems. They grant privileges to human users as well as credentials to non-human entities in support of automation and microservices. In addition, developers create identities and permissions embedded within pipelines and code. More identities and more tools amount to a higher risk of over-permissioned access and a lack of visibility and control.
Gaining control over privileged access sprawl
As an example, we recently worked with an organization that was leveraging four different cloud vendors. These vendors’ guidance was typical; each counseled something like: “start with a few basic roles for cloud access.” Once an account had access to an IAM role, however, it could create new accounts with extremely privileged access to critical assets and data.
This organization already had developed a full IAM platform, including provisioning systems, as well as logging and monitoring tools, but their on-premises systems couldn’t detect new privileged accounts in the cloud. An assessment of their situation yielded evidence of hundreds of privileged accounts, some of which had existed unused for over a year.
Following cloud providers’ well-intentioned advice, most businesses then extend the initial suggestion of “a few roles” into several more granular roles so that developers can align access with the principle of least privilege. This organization started there. Additional tools reached into cloud platforms to complete their access picture, and new development tools created additional excessive-permission problems. The root cause of their privileged access proliferation? Custom code and microservice requirements (including Infrastructure as Code and containers) were creating numerous identities with deeply embedded privileged access.
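The two findings from this engagement, a role that can mint new privileged identities and privileged accounts left unused for over a year, are exactly the conditions an inventory sweep should surface before an assessment does. The following is an added example, not code from the article or from the organization described; the inventory format, the `Identity` record, the helper names and the sample data are this example’s own assumptions, and the identity-minting action list is a selection in AWS IAM naming style rather than a vendor-published list.

```python
"""Flag privileged-access sprawl in a cloud identity inventory.

Added example (not from the article). Walks a constructed inventory of
cloud identities and reports two conditions the case study describes:
  1. identities whose permissions let them create or empower other
     identities (the "a role could create new privileged accounts" path), and
  2. privileged identities unused, or never used, for more than a year.
The inventory format and helper names are this example's own assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Set

# Actions that let a principal create or empower other identities.
# Names follow AWS IAM conventions; the selection is an assumption of this
# example, not an authoritative list.
IDENTITY_MINTING_ACTIONS = {
    "iam:CreateUser", "iam:CreateRole", "iam:CreateAccessKey",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy",
    "iam:PutRolePolicy", "iam:UpdateAssumeRolePolicy", "iam:PassRole",
}


@dataclass
class Identity:
    name: str
    kind: str                      # "human" or "workload"
    actions: List[str]             # allowed actions; wildcards permitted
    last_used: Optional[date]      # None means never used
    source: str = "console"        # where it was created: console, pipeline, terraform


def allows(identity: Identity, action: str) -> bool:
    """True if any granted action pattern (e.g. 'iam:*' or '*') covers `action`."""
    return any(fnmatchcase(action, pattern) for pattern in identity.actions)


def can_mint_identities(identity: Identity) -> Set[str]:
    """Identity-minting actions this principal is allowed to perform."""
    return {a for a in IDENTITY_MINTING_ACTIONS if allows(identity, a)}


def is_privileged(identity: Identity) -> bool:
    """Full-admin wildcard or any ability to create/empower other identities."""
    return "*" in identity.actions or bool(can_mint_identities(identity))


def escalation_capable(inventory: List[Identity]) -> Dict[str, List[str]]:
    """Map each identity that can mint identities to the actions enabling it."""
    return {i.name: sorted(can_mint_identities(i))
            for i in inventory if can_mint_identities(i)}


def stale_privileged(inventory: List[Identity], today: date,
                     max_idle_days: int = 365) -> List[str]:
    """Privileged identities unused (or never used) for more than max_idle_days."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(i.name for i in inventory
                  if is_privileged(i) and (i.last_used is None or i.last_used < cutoff))


def by_source(inventory: List[Identity]) -> Dict[str, int]:
    """Count privileged identities by creation source to spot pipeline/IaC sprawl."""
    counts: Dict[str, int] = {}
    for i in inventory:
        if is_privileged(i):
            counts[i.source] = counts.get(i.source, 0) + 1
    return counts


# Constructed sample inventory; not real accounts or dates.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Identity("cloud-admin", "human", ["*"], date(2024, 5, 30)),
    Identity("dev-basic", "human", ["s3:GetObject", "ec2:Describe*"], date(2024, 5, 1)),
    Identity("deploy-bot", "workload",
             ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PassRole", "ecs:*"],
             date(2024, 5, 31), source="pipeline"),
    Identity("migrate-2022", "workload", ["iam:*"], date(2023, 1, 15), source="terraform"),
    Identity("legacy-svc", "workload", ["*"], None, source="terraform"),
]

if __name__ == "__main__":
    for name, acts in escalation_capable(SAMPLE).items():
        print(f"ESCALATION-CAPABLE {name}: {', '.join(acts)}")
    for name in stale_privileged(SAMPLE, TODAY):
        print(f"STALE-PRIVILEGED   {name}")
    print("privileged identities by source:", by_source(SAMPLE))
```

On the sample data the sweep reports `deploy-bot` as escalation-capable through `iam:CreateRole`, `iam:AttachRolePolicy` and `iam:PassRole` even though it holds no wildcard, which is the kind of pipeline identity the case study traces the sprawl back to, and it lists `migrate-2022` and `legacy-svc` as privileged identities idle for more than a year. The `by_source` breakdown makes the Infrastructure as Code origin of those stale accounts visible, which is what the on-premises provisioning and monitoring tools in the case study could not see.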
To remediate these challenges, the organization needed to consider multiple technology angles and new skillsets among staff, as well as tight coordination between identity and cloud teams. Workflows, conceptual models and accelerators supported remediation and facilitated implementations of new technologies to provide a holistic and automated approach that reduced their risk. Some of the recommendations included the following technologies and processes:
- Role and attribute-based access controls (RBAC & ABAC)
- Cloud infrastructure entitlement management (CIEM)
- Cloud security posture management (CSPM)
- Cloud workload protection platform (CWPP)
- Cloud-native application protection platform (CNAPP)
- Privileged access management (PAM)
- Security analytics
- Dynamic secrets, key vaults and just-in-time (JIT) management schemes
- Security orchestration, automation and response (SOAR) capabilities
Solutions like these complement each other to provide better visibility and context and enable robust governance. They provide conceptual models and roadmaps to speed the organization’s journey to a more mature IAM program and a more secure ecosystem.
Access sprawl can’t be resolved with new tools alone, however; it takes a team approach of strategizing with the systems, processes and people engaged and impacted. In particular, privileged access security calls for a multidisciplinary team effort that’s critical to developing a zero trust architecture. To prevail over its access sprawl problem, this organization realized it needed to expand the shared accountability for IAM to its cloud platform and development teams. That meant building platform RACIs and enhancing developers’ IAM skills.
In addition, all employees had to learn to think as attackers do. Team training and education strengthened skillsets and helped build an evangelical spirit around IAM. It came to light for them that IAM wasn’t there to make their work harder; instead, it made their work easier while making it more secure. The least-privilege model protected them from incurring unnecessary risks and made access reviews more efficient and effective.
There can be no doubt that cloud computing and automation have driven greater flexibility and innovation for businesses, and there’s no going back. Businesses and teams that are educated about the hazards of access sprawl can change toolsets and update skills to ward off the risks associated with an explosion of privileges.