
The crystal ball conundrum: When visibility is poor, how can you secure cloud identities?

  • October 15, 2024

Along with a plethora of pumpkin spice lattes and a profusion of glorious mums, Halloween is bearing down upon us. At the moment, I’m envisioning security wizards – and sorceresses – with crystal balls trying to figure out how to protect their organizations from the gremlins that are trying to compromise their cloud environments. Even though we’ve come a long way over the years, the enduring question of how to establish and maintain identity security in cloud environments remains – even as goblins keep trying to penetrate the cloud. Let’s take a quick look at how things were, and how things are going.

Where we’ve been …and where we are today

Scene: 5 years ago. A customer user group meeting. Las Vegas (where else, folks?)

Customers are sitting together in a packed room, and we ask the security specialists in attendance: “What is your top priority over the next 3 years?”
90% of customer hands go up for moving data and workloads to the cloud.

Scene: It’s 3 years later. A customer user group meeting. (Still Vegas, baby!)
Same packed room. This time, the question is “How far along are you in adopting cloud?”
A controlled chaos breaks out:
10% of customers have started moving workloads to the cloud.
20% are running Proof of Concepts.
Everyone else is still trying to figure out what to do. Questions flood the room, such as:
“There’s no discipline in my organization – different Lines of Business are going to go rogue and spin up unsanctioned applications. How can we move forward without control?”
“How can I possibly gain visibility into identities and sensitive data in the cloud and provide security controls?”
“How do I know that Cloud Service Provider (CSP) admins aren’t mucking around posing as privileged users?”

At that time, most organizations were stuck in the mud, unsure of how to securely meet organizational mandates to adopt cloud environments. 

Scene: Now it’s the present day, and more than 90% of organizations use the cloud (Source: O’Reilly). As we all know, business leaders pressed on to move data and many workloads and business processes to the cloud, but challenges remain:

While the world turned and cloud adoption happened, organizations clearly are still struggling to apply sufficient security controls in cloud and hybrid environments to keep ever-more-sophisticated and clever gremlins and ghouls at bay.


Did you bring your crystal ball to work?

We’ve seen that the shift to cloud has caused security issues to proliferate, and two key questions security teams should be asking are “Who is able to access sensitive and regulated cloud data?” and “What can they DO with the data?” If 97% of enterprise cloud apps are unsanctioned (or even half that number!), I’d say that most security teams would still need a crystal ball to answer those questions.

In multi- and hybrid-cloud platform environments, users are operating with privileges. Developers are checking in code, and admins are on-boarding users and assigning rights. Users frequently need more privileges to do their jobs, but those privileges are rarely removed after the fact. To complicate matters, as machines are automating processes, visibility and control can slip further away. 

Machine identities, such as service accounts that run applications, virtual machine instances, and various background processes, usually vastly surpass the number of human identities in most public clouds. According to Microsoft, workload identities outnumber humans by 10:1, and they have privileges and are logged in with credentials that can be easily stolen. 

The compromise of one cloud identity—human or machine—could seriously impact your organization. All these years later, you may still feel like a wizard or sorceress trying to conjure a view of what’s happening with identities in and across cloud environments … and figure out how to manage those identities on an ongoing basis.


Cloud Identity Visibility: No crystal ball required

An entitlement, or privilege, is a “right” assigned to an identity so that it has the access needed to fulfill its responsibilities. These authorizations are essential for secure cloud activities. For example, an Amazon EC2 cloud administrator has entitlements to manage the cloud instance and create new users or start services. A developer can check in code. A virtual machine may have read/write access to a database to schedule backups. You need to be able to answer and respond to the question: Would I know if an identity in my organization—across my complex, constantly changing, multi-cloud infrastructure—was compromised? Most security specialists would be quite spooked by their own response.

Cloud identity discovery and visibility exists to help answer this question and contain the sprawl of identity entitlements by detecting and removing excess privileges. There are four key capabilities that you should be looking for in a Cloud Identity Discovery solution to help you address the key questions raised above. They are:

  • Visibility: Security teams need to be able to account for all human and non-human identities and understand their access pathways across multi-cloud infrastructure. (You can’t address it if you can’t see it!)
  • Discovery of risky identities: Because of the complexity of most environments, teams need to rely on a solution that can automatically reveal misconfigurations and anomalous behaviors that are tied to privileged identities. The solution should be able to evaluate whether identities are validated with multi-factor authentication and apply analytics to create context around user behavior. That way, the solution can help you spot risky activities - such as an admin suddenly creating a massive number of admins.
  • Ability to enforce least privilege by right-sizing entitlements to reduce risk without interfering with an identity’s task. This way, even if an identity in your cloud infrastructure is compromised, the damage is contained.
  • Continuous monitoring of the environment for new users, shadow admins, and privileged users, and evaluation of identities for the proper level of entitlements. This reduces the risk that a stale or unused identity will be vulnerable to compromise. In today’s dynamic cloud world, there’s no such thing as once-and-done: Continuous monitoring is an essential part of a sound identity security strategy.
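To make the discovery and monitoring capabilities above concrete, here is an added example (not Delinea code, and not tied to any product) that runs three of the checks the list describes over constructed sample data: an admin suddenly granting admin rights to many identities, human identities without MFA, and stale identities. The event and inventory formats, field names and thresholds are all assumptions for the illustration.

```python
# Added example: toy versions of the checks described above, run over
# constructed sample data. Field names and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events: (timestamp, actor, action, target)
EVENTS = [
    ("2024-10-15T09:00:00", "alice", "CreateUser", "svc-backup"),
    ("2024-10-15T09:01:00", "alice", "AttachAdminPolicy", "svc-backup"),
    ("2024-10-15T09:01:30", "alice", "AttachAdminPolicy", "tmp-admin-1"),
    ("2024-10-15T09:02:00", "alice", "AttachAdminPolicy", "tmp-admin-2"),
    ("2024-10-15T09:02:30", "alice", "AttachAdminPolicy", "tmp-admin-3"),
    ("2024-10-15T11:00:00", "bob", "AttachAdminPolicy", "new-admin"),
]

# Constructed sample identity inventory (human and machine identities)
IDENTITIES = [
    {"name": "alice", "kind": "human", "mfa": True, "last_used": "2024-10-15"},
    {"name": "bob", "kind": "human", "mfa": False, "last_used": "2024-10-14"},
    {"name": "svc-backup", "kind": "machine", "mfa": False, "last_used": "2024-03-01"},
    {"name": "ci-runner", "kind": "machine", "mfa": False, "last_used": "2024-10-15"},
]

def admin_grant_spikes(events, threshold=3, window=timedelta(minutes=10)):
    """Actors who granted admin rights to >= threshold identities inside any
    sliding window of the given length (the 'admin creating many admins' case)."""
    by_actor = defaultdict(list)
    for ts, actor, action, _target in events:
        if action == "AttachAdminPolicy":
            by_actor[actor].append(datetime.fromisoformat(ts))
    flagged = set()
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(actor)
                break
    return flagged

def humans_without_mfa(identities):
    """Human identities that are not protected by multi-factor authentication."""
    return sorted(i["name"] for i in identities if i["kind"] == "human" and not i["mfa"])

def stale_identities(identities, today, max_idle_days=90):
    """Identities (human or machine) unused for longer than max_idle_days."""
    cutoff = datetime.fromisoformat(today) - timedelta(days=max_idle_days)
    return sorted(i["name"] for i in identities
                  if datetime.fromisoformat(i["last_used"]) < cutoff)
```

In a real environment the events would come from the cloud provider's audit log and the inventory from its IAM API; the point is that each of the four capabilities reduces to questions that can be answered continuously, not once.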

Oh, and one more thing: Once you’ve started continuously discovering privileged cloud identities – what do you do with them? Well, of course you need to vault them to keep them secure. Many customers here in Secret Society are Secret Server customers. You already understand the value and importance of vaulting (which is outstanding!). For you, it’s a very simple step to extend your on-premises vaulting and take the next step to fold in Cloud Identity Discovery to better secure your cloud environments too.


Delinea can help improve cloud visibility

Delinea can help you set down your crystal ball, remove your pointy magic hat, and get more control over what’s happening in cloud environments. The benefit we can provide is a seamless experience that unifies vaulting and cloud identity discovery. You can already discover privileged identities on premises and vault those identities with Secret Server. Take the next step: Discover and monitor privileged identities in the cloud and then vault them in Secret Server, too. This approach enables centralized control and management to help reduce the attack surface – while also reducing complexity and improving efficiency.

If you’d like to learn more about Cloud Identity Discovery and how Delinea can help, please join us on November 5 for a customer-only webinar with our Delinea experts. Register here.