Consistently Managing Entitlements for All Identities

Written by Sam Flaster, CyberArk.

Today, we see identity at the heart of every trend in tech. What’s growing more complicated is the sheer size and scope of identities each organization must manage to prevent attackers from manipulating misconfigured or misaligned permissions.

It’s critical to establish consistency with identity security controls that cover all identities in hybrid and multi-cloud environments. By embracing multi-layered, consistent controls and processes, organizations can proactively mitigate risk and unlock operational efficiencies.

Identity is the new perimeter.

It’s not news that identity has replaced the traditional security perimeter, but embracing that new reality is no small feat. Security architecture teams must build IAM programs that scale beyond the traditional risk boundary of the corporate office to our homes, couches and nomadic devices.

Here are three catalysts of the new risk boundary:

1. Accelerating cloud adoption. Cloud computing comes without a perimeter. Introducing new services across Infrastructure-as-a-Service, Platform-as-a-service, Software-as-a-Service and mobile apps also brings new identities. But the societal changes we’ve seen over recent years have accelerated the pace of cloud migrations. 90% of organizations increased their move to cloud-hosted systems in 2020, according to the Flexera State of the Cloud report.
2. Remote work and inconsistently defined workforces. It’s easier than ever to do business with contractors and third parties that you’ve never seen face to face. It’s not just easy — actually, it’s commonplace. This adds to the total number of identities accessing corporate resources in the cloud. This, in turn, grows the attack surface.
3. Changing regulatory landscapes. Longtime compliance frameworks are evolving to reflect cloud-hosted business models. We keep seeing new privacy regulations from national and local governments, along with an increased sensitivity to data privacy across society.

These trends accelerate the risk profile of modern identity security, while we continue to spin new infrastructure and services.

But we cannot slow our digital transformation — and we cannot slow these three trends. That’s why it’s more important than ever to take stock and have a detailed plan in place to cover the different types of users, accounts and identities that exist across your cloud environments.

Cloud Identities — A Quick Taxonomy

There are several key categories of identities in today’s cloud environments:

1. Human users. These are employees with direct accounts and credentials to access a corporate environment.
2. IAM roles accessed via federation. Many organizations invest in single sign-on tools to connect their Identity Provider (IdP) to their cloud environments. This reduces credential sprawl (and associated risks), while simplifying access for employees. Once a user has logged in, they can access a shared IAM role.
3. Third-party contractors and remote vendors. Cloud environments are complex to set up and manage, so many organizations leverage external help. CSP best practice guidelines and specialized tools recommend organizations provide only temporary access to their environments for third-party contractors.
4. Machine identities accessing critical workloads and applications. These identities often correspond to compute infrastructure or applications that interact with CI/CD pipelines and DevOps environments. An over-permissioned machine identity can be extremely valuable in an attacker’s hands.

Dynamic environments call for dynamic security.

Across AWS, Azure and GCP, there are now more than 24,000 permissions (and counting) that must be securely managed (CyberArk Cloud Entitlements Catalog). This rapid permissions growth is directly connected with cloud provider innovation — as CSPs add new services, they also must add new permissions to access those services.

The cloud providers issue clear guidance that organizations should treat all access as privileged access and embrace the principle of least privilege access.

This is far easier said than done. But like many security processes, organizations can achieve quick wins by adopting a mindset of continuous risk reduction, tackling Identity Security in phases.

Security architecture teams should implement multi-layered controls for all identities in all IT environments. From risk-aware multi-factor authentication (MFA) to right-sized permissions for shared roles and even just-in-time privileged access workflows, consistency across environments is mission critical.

Standardization is the key to security at enterprise scale. Explore key planning considerations for your hybrid and multi-cloud environments in our recent webinar “Managing Entitlements for All Identities – Shared and Federated.”