We have seen a dramatic increase in the number of organizations experiencing data breaches in the cloud space – and the majority of those breaches had something to do with identities and their related entitlements. Analyst firm Gartner has reported that over the next three years, 99 percent of cloud security failures will be the customer’s fault, and 75 percent of these failures will be the result of improper management of identities, access, and privileges.
Thus, identity and access management is the most critical security vector and needs to be actively managed. As assets and resources are added to the cloud and accessed by human and non-human identities that each hold their own access privileges, enterprises need to control who and what has access to them in order to protect cloud environments effectively.
Cloud providers have created their own native identity and access management (IAM) tools and paradigms to help enterprises authorize identities to access resources in fast-growing environments, but these built-in mechanisms are provider-specific and do not extend across a multi-cloud environment. The scale, diversity, and dynamic nature of cloud IAM pose significant operational, security, and compliance challenges for cloud security personnel.
Common identity and access management challenges
Let’s look at some of the most common challenges faced by security professionals with identity and access management.
A scalable and diverse multi-cloud environment
With cloud infrastructure, corporate IT and security professionals are responsible for controlling and tracking access privileges for human, application, and machine identities across an ever-increasing variety and volume of attributes, including:
- Cloud resources such as files, virtual machines (VMs) / servers, containers, and serverless infrastructure.
- Cloud services such as business applications, databases, storage, and networking services.
- Cloud administrative accounts such as cloud management consoles, security admin consoles, and ordering and billing portals.
It is difficult to maintain and track access privileges in a diverse multi-cloud environment.
The dynamic nature of a cloud environment
The cloud is inherently dynamic. Applications and services are instantiated on demand, and containers are spun up and spun down continuously, making assigning entitlements and tracking access privileges even more challenging.
Lack of consistency and standards across multiple clouds
Each cloud provider has its own approach to IAM security, with distinct roles, permission models, tools, and terminology for concepts such as multi-factor authentication (MFA), single sign-on (SSO), and role-based access control (RBAC). Managing identities and entitlements can become a resource-intensive, time-consuming, and error-prone function.
As multi-cloud environments continue to become more complex, human error increases and misconfigurations become more prevalent.
One famous example is the Capital One data breach of 2019. The misconfiguration of the Capital One web application firewall (WAF) – designed to stop unapproved access – enabled a remote attacker to obtain a temporary AWS token that could fetch data from Amazon Simple Storage Service (S3). With full access to the web servers, the attacker executed a simple script of AWS commands used for system administration.
The first was the S3 list-buckets command, which displays the names of all the AWS S3 buckets, followed by a sync command that copied 700 folders and buckets of data containing customer information to an external destination. These are AWS commands used every day by cloud administrators who manage data stored in AWS virtual private clouds (VPCs). Data access and compromise occurred using simple AWS commands commonly used in the management interface. The attack did not trigger alerts because the volume of data transferred outside the Capital One network was in line with the regular daily load of network traffic.
Complex infrastructure and DevOps velocity make it challenging to enforce granular, least-privilege access policies where it counts the most. Other challenges for security teams include:
- Managing and analyzing data of thousands of identities, roles, and policies.
- A lack of contextual usage data to reveal risks and excessive privileges.
- Conflicting policies that leave crucial data exposed.
- Dev and Ops teams making frequent changes to code and configuration.
Organizations often grant privileges unnecessarily, creating additional risk and exposure. Over-permission can increase attack surfaces and make it easier for adversaries to move laterally across an environment and wreak havoc.
A key example of excessive privileges causing business disruption is Cisco. In 2020, a former Cisco engineer, who had left the company in 2018, accessed the company’s cloud infrastructure hosted on AWS, deleted 456 EC2 servers, and temporarily deleted 16,000 Webex accounts. The biggest unanswered question is why, after two years, a former employee would still have access to the infrastructure and sufficient permissions to delete virtual machines.
If identity and access management processes are not effectively controlled, enterprises may be non-compliant with industry standards and government regulations. Also, in an audit, the enterprise may be unable to present the data and audit reports needed to support compliance and audit requirements.
Get identity and access management under complete control
Managing IAM in these contexts can be highly complex, but several promising approaches are emerging. One of the most popular is the combined use of cloud security posture management (CSPM) and cloud infrastructure entitlement management (CIEM). These solutions help to address the most urgent challenges in detecting and mitigating identity- and access-related risk and in governing identities at scale.
More specifically, deploying a CIEM alongside CSPM will give you a few key security benefits:
Deep visibility into multi-cloud assets and access relationships
Gaining visibility into the complex relationships between identity, entitlements, and resources is the critical starting point for bringing enhanced security to multi-cloud systems.
Prioritization & remediation of privilege and configuration risk
Accurately detect and prioritize at-risk identities and resources, including toxic combinations, and mitigate risky privileges and faulty configurations while ensuring business continuity.
Enforce automated guardrails for identities, resources, and network configuration – from dev to production – preventing unauthorized access.
Detection of policy violation
Improve security posture and protect against policy violations with continuous risk analysis that checks for access anomalies against each cloud identity’s baseline.
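As an added example, not code from the original post or from any vendor product, the per-identity baseline check described above can be sketched in Python. The CloudTrail-style events, identity names, source IPs and cutoff date below are all constructed for illustration; the check flags an identity that suddenly issues ListBuckets, or acts from a source address it has never used, which is the pattern the Capital One section describes and which a volume-based alert would miss.

```python
"""Per-identity baseline anomaly detection over CloudTrail-style events (constructed sample)."""
from collections import defaultdict

# Constructed sample events, loosely shaped like CloudTrail records (not real data).
# Before the cutoff the web-app role only reads/writes objects from its own subnet;
# an unrelated admin user legitimately lists buckets from the office address.
FIELDS = ("time", "identity", "eventSource", "eventName", "sourceIP")
RAW = [
    ("2023-03-01T09:00:00", "role/web-app", "s3.amazonaws.com", "GetObject", "10.0.1.5"),
    ("2023-03-01T09:05:00", "role/web-app", "s3.amazonaws.com", "PutObject", "10.0.1.5"),
    ("2023-03-02T10:00:00", "role/web-app", "s3.amazonaws.com", "GetObject", "10.0.1.5"),
    ("2023-03-02T11:00:00", "user/admin-jane", "s3.amazonaws.com", "ListBuckets", "203.0.113.10"),
    # After the cutoff: one normal read, then the web-app role enumerates buckets
    # and reads objects from an address it has never used before.
    ("2023-03-10T02:00:00", "role/web-app", "s3.amazonaws.com", "GetObject", "10.0.1.5"),
    ("2023-03-10T02:01:00", "role/web-app", "s3.amazonaws.com", "ListBuckets", "198.51.100.7"),
    ("2023-03-10T02:02:00", "role/web-app", "s3.amazonaws.com", "GetObject", "198.51.100.7"),
]
EVENTS = [dict(zip(FIELDS, row)) for row in RAW]
CUTOFF = "2023-03-05T00:00:00"  # ISO-8601 strings compare correctly as text


def build_baselines(events, cutoff):
    """Learn, per identity, the (service, action) pairs and source IPs seen before the cutoff."""
    baselines = defaultdict(lambda: {"actions": set(), "ips": set()})
    for e in events:
        if e["time"] < cutoff:
            b = baselines[e["identity"]]
            b["actions"].add((e["eventSource"], e["eventName"]))
            b["ips"].add(e["sourceIP"])
    return baselines


def detect_anomalies(events, cutoff):
    """Flag post-cutoff events whose action or source IP falls outside the identity's baseline."""
    baselines = build_baselines(events, cutoff)
    findings = []
    for e in events:
        if e["time"] < cutoff:
            continue
        b = baselines.get(e["identity"])  # .get() does not create a default entry
        reasons = []
        if b is None:
            reasons.append("identity never seen before")
        else:
            if (e["eventSource"], e["eventName"]) not in b["actions"]:
                reasons.append(f"new action {e['eventName']}")
            if e["sourceIP"] not in b["ips"]:
                reasons.append(f"new source IP {e['sourceIP']}")
        if reasons:
            findings.append((e["time"], e["identity"], e["eventName"], "; ".join(reasons)))
    return findings
```

In a real deployment the baseline window would be learned from weeks of logs and keyed on more attributes (user agent, region, assumed-role session), but the principle is the same: the deviation is per identity, not in aggregate traffic volume.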
Access control & cloud compliance assurance
Comprehensively audit compliance, customize reports of violations against leading industry standards, and investigate access, including evolving threats.
CSPM + CIEM can help govern identities, enforce least-privilege policies, and manage access entitlements across multiple cloud platforms.
To remain competitive, enterprises worldwide must embrace cloud technologies and policies that enable productivity. However, it only takes one major data breach to negate all the benefits of multi-cloud investments. Strong identity and access management ensures that no IAM activities go unnoticed, helps with regulatory compliance and team collaboration, and enhances business productivity.
Get in touch for a comprehensive assessment of your IAM risks and rapid remediation.