Cloud Explosion Catapults Privileged Access Management and Identity Security to the Forefront
By Justyna Kucharczak from CyberArk
2020 introduced a host of unexpected challenges for cybersecurity teams. Not only must they protect increasingly complex IT environments, they’re now charged with deploying new models to enable mobile and geographically dispersed workforces. As they move forward rapidly, skyrocketing cloud adoption, fast-tracked digital transformation initiatives and dramatic changes to business operations have created a perfect storm for cyberattacks.
While opportunistic threat actors work in overdrive, their approach remains the same. They consistently target privileged credentials – those that have elevated access and permissions – and use them to gain access to an organization’s most critical systems and data. Today, more than 80% of breaches tied to hacking involve brute force or the use of lost or stolen credentials.
In this new reality, physical network boundaries have disappeared and digital defenses have shifted from endpoint to identity. Now, any identity can become privileged under certain conditions, underscoring the need to secure privileged access everywhere it exists – including in cloud environments. In fact, 68% of CIOs say they have doubled down on cloud services in COVID-19’s wake.
Organizations just beginning their cloud journeys are implementing SaaS applications to enable digital business. Many others are ramping up cloud usage, buying up cloud infrastructure (IaaS) and shifting more resources to the cloud. And as organizations scale their programs, they’re building cloud-native applications with platform-as-a-service (PaaS). As attackers continue to home in on the cloud, the time to prioritize privileged access management (PAM) to protect cloud assets is now.
5 Cloud Questions to Ask Today to Secure Your Organization’s Tomorrow
The cloud offers organizations a myriad of benefits, but every deployment also introduces risk. The number of users (employees, remote workers and vendors) and application and machine identities that require powerful privileges multiplies in cloud environments. Add in core DevOps components, such as containers and microservices, and automation technologies like RPA, and the privileged attack surface expands exponentially.
The challenges organizations face in managing and securing access for all these human and machine identities today will only grow as cloud programs evolve. As you continue to build out your cloud security strategy, here are five critical questions to ask today:
1. How Do I Help Ensure the Right Access to the Environment?
Incorporating multi-factor authentication (MFA) in front of a PAM solution is a security best practice. MFA becomes particularly important in cloud infrastructure and consoles where cloud accounts and identities are easily spun up in seconds and security can be often overlooked. MFA adds an extra authentication layer, providing added protection for valuable cloud assets.
According to Microsoft research, an account is more than 99.9% less likely to be compromised if MFA is in place. Advancements in machine learning and passwordless technologies are creating new ways for organizations to authenticate users – wherever they are located – and protect access to critical systems without disrupting end user or administrator workflows.
Using specific contextual attributes, such as location, system, network and time of access requests, organizations can build a baseline profile for each identity, assign a risk level to each access request and generate dynamic permissions policies. This eliminates the need for users to re-authenticate repeatedly each time they need to access a system.
2. Where Are My Blind Spots?
You can’t secure what you can’t see – or what you don’t know exists. An important first step to assess your cloud environment is to locate privileged identities and their associated credentials, such as passwords, SSH keys and AWS access keys.
Take advantage of discovery and open source tools that can pinpoint unsecured access and uncover previously unknown vulnerabilities. These can be particularly helpful for identifying weaknesses in hybrid environments, giving administrators the visibility they need to reduce risk.
3. How Do I Measure What Identities Have Access To?
The ability to create or access cloud resources is governed by identity- and resource-based permission policies. But how do you know how far each user’s permissions extend (remember that in the cloud, we’re talking about thousands or even hundreds of thousands of users)?
Trying to keep track of permissions manually is virtually impossible. Organizations need a way to take stock of their entire cloud permissions and entitlements landscape. This visibility is necessary to understand where excessive permissions exist across cloud environments and where to focus least privilege or remediation actions in order to reduce risk of external and insider threats.
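As an added illustration of taking stock of permissions (example code, not from the article or from CyberArk), the script below walks AWS-style identity policies, which are constructed samples with a placeholder account id, and flags Allow statements that grant wildcard actions, wildcard resources, or actions that can mint credentials or escalate privilege; SENSITIVE_ACTIONS is an assumed short list, not a complete catalogue.

```python
"""Flag excessive permissions in IAM-style identity policies (added example)."""
import fnmatch

# Assumed short list of actions that let an identity mint credentials or escalate;
# a real entitlements review would use a much fuller catalogue.
SENSITIVE_ACTIONS = {"iam:CreateAccessKey", "iam:PassRole",
                     "iam:AttachUserPolicy", "sts:AssumeRole"}

# Constructed sample policies in the AWS JSON policy grammar (account id is a placeholder).
POLICIES = {
    "ci-deployer": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::release-artifacts/*"}]},
    "ops-oncall": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "iam:*",
         "Resource": "arn:aws:iam::123456789012:user/${aws:username}"}]},
    "contractor-admin": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "s3:GetObject"],
         "Resource": "*"}]},
}

def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def analyze_policy(policy):
    """Return (statement_index, issue, value) tuples for overly broad Allow statements."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        actions = _as_list(stmt.get("Action", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((idx, "wildcard-action", action))
            else:
                # IAM action patterns are case-insensitive globs, so match that way
                for sensitive in sorted(SENSITIVE_ACTIONS):
                    if fnmatch.fnmatchcase(sensitive.lower(), action.lower()):
                        findings.append((idx, "sensitive-action", sensitive))
        if actions and "*" in _as_list(stmt.get("Resource", [])):
            findings.append((idx, "wildcard-resource", "*"))
    return findings

def rank_identities(policies):
    """Identities ordered by finding count: the 'where to focus remediation' view."""
    scores = {name: len(analyze_policy(p)) for name, p in policies.items()}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
```

Running rank_identities(POLICIES) puts contractor-admin first, which is where a least-privilege clean-up would start.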
4. How Do I Approach Access in the Cloud to Reduce Risk?
In recent months, many remote workers were granted standing, or “always on,” access to critical assets so they could do their jobs without overburdening IT. While convenient for users, this creates a potential security gap, particularly in the case of SSH keys, which are often mismanaged and easily compromised.
Enterprises and industry analysts alike see just-in-time (JIT) access as a game-changer, because it dynamically provides users (both human and non-human identities) with elevated access only when it’s required. In other words, it gives the right user the right access to the right cloud resource at the right time (and only as long as it’s required) for the right reasons.
Gartner predicts that by 2024, 50% of organizations will have implemented a JIT privileged access model, which eliminates standing privileges, experiencing 80% fewer privileged breaches than those that don’t.*
5. How Do I Manage Identities at Scale?
Machine and application identities are ubiquitous in cloud and DevOps environments – and in many cases, their secrets are stored in tools, embedded in applications or in public GitHub repositories. Attackers recognize these risky habits and target unsecured secrets.
Trying to manage secrets with individualized policies, or by relying solely on cloud vendors’ native capabilities, will create complexity and security issues as cloud use expands. Instead, it’s important to establish a centralized approach that leverages automation wherever possible to control, enforce, monitor and manage identities consistently across your cloud environment.
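The discovery step from question 2 and the unsecured-secrets problem described here share one defensive building block: scanning your own code and configuration for embedded credentials before an attacker finds them. The scanner below is an added example (not CyberArk's tooling) that runs over constructed file contents; the access key ID, password and key header are made-up values, and the patterns cover only the credential types the article names.

```python
"""Scan constructed file contents for embedded credentials (added example)."""
import re

# Patterns for the credential types named in the article: AWS access key IDs
# (AKIA + 16 uppercase alphanumerics), PEM private-key headers and quoted passwords.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "hardcoded-password": re.compile(r'(?i)(?:password|passwd|pwd)\s*[=:]\s*["\']([^"\']{6,})["\']'),
}

# Constructed sample repository; every secret-looking value here is made up.
SAMPLE_FILES = {
    "app/settings.py": 'DB_HOST = "db.internal"\nDB_PASSWORD = "Winter2020!"\n',
    "deploy/.env": "AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000001\nREGION=eu-west-1\n",
    "ops/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXk...\n",
    "README.md": "Set the password via the environment, never in code.\n",
}

def mask(value):
    """Keep only the first four characters so the report itself does not re-leak the secret."""
    return value[:4] + "*" * (len(value) - 4)

def scan_text(path, text):
    """Return one finding per (line, pattern) hit; secret values are masked, headers kept."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                preview = mask(m.group(1)) if m.groups() else m.group(0)
                findings.append({"path": path, "line": lineno, "kind": kind, "preview": preview})
    return findings

def scan_files(files):
    """Scan a mapping of path -> contents, as a pre-commit hook or CI job would."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out
```

Findings from a scan like this are the input to the centralized approach the article recommends: each hit is a secret to move into a vault and rotate, not just a line to delete.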
According to Gartner, by 2024, 65% of organizations that use privileged task automation features will save 40% on staff costs for IT operations for IaaS and PaaS, and will experience 70% fewer breaches than those that don’t.*
Today, as security teams pivot to address new realities, they’re tasked with moving fast and keeping costs down, all without sacrificing security – and adopting cloud solutions is one way they keep their businesses running. One of the best ways to secure cloud identities and reduce risk is to implement strong privileged access management controls.
To learn more about how you can protect against emerging cyber threats and embrace the cloud with confidence, download a complimentary copy of the Gartner 2020 Magic Quadrant for Privileged Access Management*: https://lp.cyberark.com/gartner-mq-pam-leader
* Gartner, Magic Quadrant for Privileged Access Management, Felix Gaehtgens, Abhyuday Data, Michael Kelley, 4 August 2020. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.