Cloud Security: The Fundamental Role of Identities

Originally published by Tenable.

Written by Christopher Edson, Senior Cloud Solutions Architect, Tenable.

In the ever-expanding realm of the cloud, one thing is certain: vulnerabilities and misconfigurations are lurking just around the corner, waiting for attackers to exploit them and expose sensitive data. To mitigate these risks and eliminate dangerous combinations of privileges, it's imperative to establish a solid cloud posture and entitlement management strategy.

When it comes to implementing and configuring cloud security posture management (CSPM) solutions, the sheer magnitude of assets that need monitoring can be overwhelming. From web applications to Kubernetes clusters, each asset boasts its own unique service identity to configure and keep an eye on — not to mention the task of continuously scanning for vulnerabilities and misconfigurations within the infrastructure. In the face of this daunting challenge, many organizations resort to an assortment of security tools and point solutions, each brimming with their own alphabet soup of security acronyms. Unfortunately, this approach often results in skyrocketing costs associated with configuration and implementation of all these disparate tools.

Compounding the complexity, each of these tools generates its own set of security findings, often assessed using different criticality metrics. This disparity forces security teams to descend into the depths of "spreadsheet hell" as they struggle to reconcile and prioritize the avalanche of findings.

The crucial role of safeguarding identities in the cloud

The foundation of a more effective security strategy begins with a clear understanding of what threat actors aim to achieve when breaching cloud infrastructure. Recent developments have underscored the fact that nearly all cloud breaches seek to gain access to identities. According to a recent survey by the Identity Defined Security Alliance (IDSA), a staggering 84% of companies have experienced identity-related breaches in the last year. Why? Because identities are intricately woven into every facet of what we run and build in the cloud. Whether it's a public Amazon EC2 instance or a misconfigured infrastructure-as-code (IaC) setup, when these vulnerabilities are exploited, attackers make a beeline to an identity. This access allows them to escalate privileges and gain entry to sensitive data and resources. Given its far-reaching consequences, securing identity and entitlement is an indispensable cornerstone of a holistic cloud security program.

Don’t take my word for it. Check out this recent CISA advisory, which warns that a notorious cyber espionage group is evolving its tactics towards gaining initial foothold in targeted environments via the cloud by compromising identities.

The advisory states: “They have to move beyond their traditional means of initial access, such as exploiting software vulnerabilities in an on-premises network, and instead target the cloud services themselves.To access the majority of the victims’ cloud hosted network, actors must first successfully authenticate to the cloud provider.”

It’s no longer a question of where the perimeter is for the cloud. If identities are the perimeter and if those identities and related entitlements are the connective tissue for operations in the cloud, then security teams need to shift priorities, focusing first on identities and entitlements as being the connective tissue for security in the cloud.

Distinguishing between service and human identities

When discussing identity security, it is crucial to distinguish between service identities and human identities, as each requires different approaches to achieve the principle of least privilege. Service identities are designed to serve workloads and operate predictably. Since they are programmed for specific purposes, their permissions can be fine-tuned to the minimum necessary based on their typical activities.

As the CISA advisory explains, the cyberthreat actors are actively and successfully targeting service accounts, which are equivalent to service identities.

“There is no human user behind [service identities] so they cannot be easily protected with multi-factor authentication (MFA), making these accounts more susceptible to a successful compromise. Service accounts are often also highly privileged depending on which applications and services they’re responsible for managing. Gaining access to these accounts provides threat actors with privileged initial access to a network, to launch further operations.”

It is critical to keep up on the hygiene of permission sets for service identities. Least privilege is non-negotiable. However, rightsizing isn’t enough. You need continuous monitoring and anomaly detection in order to ensure the permissions configuration hasn’t been changed and that it only has access to services and data that it needs access to, and nothing more.

In contrast, human identities are intended for use by real individuals, making them unpredictable. This unpredictability poses a challenge when it comes to right-sizing permissions for specific resources and actions, particularly when ad-hoc tasks arise.

Failure to account for these distinctions can lead to friction between DevOps and IT teams. Fulfilling the promise of DevSecOps means embedding security seamlessly into workflows, which is where integrated cloud infrastructure entitlement management (CIEM) and cloud native application protection platforms (CNAPP) tools come into play. The integration between these tools provides visibility and control over Kubernetes clusters, containers, IaC, identities, and workloads, offering a remedy to the acronym soup dilemma.

Addressing alert fatigue with context

Many security teams dedicate significant effort to fine-tuning controls and policies to combat alert overload. However, a more effective approach is to integrate security tools like CNAPP and CIEM into a single platform that provides context across the entire attack surface. With integrated security tooling, you can establish a standardized understanding of what truly constitutes "critical." This approach allows you to gain a deeper insight into the attack pathways that potential adversaries could exploit to inflict harm within your environment. Moreover, it simplifies the process of updating defenses when new threats and zero-day vulnerabilities emerge.

For instance, consider an environment with 100 public workloads. Suppose only 10 of them have critical vulnerabilities, and among those, only five possess critical vulnerabilities and high privileges. This context provides security teams with a clear direction on where to focus their efforts, addressing the most likely points of exploitation. Too often, security teams find themselves overwhelmed, attempting to address all 100 public workloads because point solutions lack the integration and identity details needed for efficient threat mitigation.

Integrated capabilities help in assessing risk holistically, instead of just from an infrastructure or vulnerability perspective, they can dynamically adjust risk based on real-time events occurring in your environment.

For a more in-depth exploration of securing identities in the cloud, you can watch the on-demand webinar "Managing Security Posture and Entitlements in the Cloud."

About the Author

Christopher Edson is a tenured senior solution architect specializing in helping Tenable's largest and most strategic customers design and secure their modern cloud infrastructures. Chris has been with Tenable for over nine years and brings a unique perspective of expertise across the entire Tenable product portfolio. As a power user of Nessus prior to joining Tenable, Chris started his career as a Tenable fan and is passionate about helping the community and customers transform and upgrade their cloud security programs. Chris holds a Bachelor of Science in Information Security from University of Maryland, Baltimore County and is certified in Amazon Web Services (AWS) solution architecture, design and security.