Best Practices for Standardizing Identity Security at Scale

Written by Sam Flaster, CyberArk

Dynamic identities. Dynamic environments. The sheer complexity of enterprise-scale cloud migrations can rapidly introduce new security challenges as organizations struggle to adapt their existing security programs to shifting IT paradigms.

Unlocking the technological and operational advantages of public cloud environments while maintaining proper security controls can be a difficult balancing act. And that’s before security architecture and operations teams even consider cost or additional business requirements like maintaining smooth user experiences or availability in global regions. All the while, most organizations face operational requirements or compliance considerations that will keep large portions of their IT systems on-premises for the foreseeable future.

Consistency is essential for any security program in this changing landscape. The days of clearly defined corporate networks are gone. Modern IT environments are permeated with dynamic applications, infrastructure, data and identities that exist — and often move — across on-premises and multi-cloud environments. Unifying Identity Security controls is mission critical in this new hybrid cloud paradigm.

Consider the to-do list of an architect responsible for cloud Identity and Access Management (IAM):

• Prevent data loss and leakage from excessive access
• Simplify access management controls like Single Sign-On and Multi-Factor Authentication (MFA)
• Provision efficient, secure access to resources (at scale)
• Secure machine identities without slowing development
• Monitor and audit cloud operations to maintain compliance

This list is challenging enough; it becomes nearly impossible with inconsistent tooling for disparate environments — especially when organizations report a major cybersecurity skills shortage.

Standardizing security programs — with people, processes and technology — that span on-premises and multi-cloud environments can help security teams navigate the tightrope between defending their organizations from attacks and enabling their diverse IT stakeholders.

The following best practices can help organizations do just that.

Classify your privileged identities

Generally speaking, identities with access to sensitive resources can be:

• Shared accounts – These are accounts tied to IT systems with built-in administrative passwords that must occasionally be used. Shared accounts are often best secured with privileged access management (PAM) solutions that securely manage and rotate passwords to reduce risk of credential theft.
• Accounts with operational access – Several types of identities have powerful access to perform sensitive operations. Examples range from end users with access to sensitive financial data to identity-federation scenarios in which an end user signs into their cloud provider and then assumes a role with advanced privileges. More and more organizations are moving to secure these accounts with just-in-time provisioning.
• Application accounts – These non-interactive accounts are often used within automated processes and applications that interact in DevOps environments. Secrets management solutions can remove hardcoded credentials in scripts and safeguard these “secrets” through automatic rotation.

When organizations clearly taxonomize the identities with access to sensitive applications, infrastructure and data, they can begin consolidating processes and systems for securing each.

Implement least privilege

On-premises and in the cloud, least privilege access is a key requirement for nearly all security guidelines and regulations. The reason is simple: identities cannot compromise systems and targets to which they do not have access. Least privilege is, therefore, an anchor of modern Zero Trust frameworks that aim to adapt security processes to validate all access.

Reduce standing access for operational access

Removing standing access rights is a key pillar of least privilege. In a just-in-time approach to hybrid cloud security, organizations designate identities that require operational access and allow them to achieve that access only when it is required — just-in-time.

Multiple business drivers are fueling the rise of just-in-time approaches. Restricting access to specific devices and time periods limits the potential for internal bad actors to leverage external or standing permissions. It also simplifies account management and identity administration tasks for operations teams, which leads to greater efficiency.

Monitor and isolate all mission-critical workflows

True insight requires actionable data. Most Identity Security solutions possess embedded analytics to help organizations identify and respond to risky behavior.

Pairing these analytics capabilities with video playback is invaluable in an incident response scenario, helping Security Operations Center teams quickly identify what went wrong. Similarly, audit and compliance teams can benefit greatly from reviewing session recordings with risk scoring from intelligent analytics. From web sessions to sensitive applications to administrative infrastructure access, organizations can benefit greatly from modern monitoring technology.

Looking for more strategies to build a scalable, complete Identity Security program? Tune in to our recent Cloud Security Alliance webinar to learn more best practices.