Five Approaches for Securing Identity in Cloud Infrastructure
Written by Shai Morag
As clouds have drifted into the mainstream of business, it has become clear that they offer numerous advantages. They streamline processes, cut costs and create new ways to work. In some cases, the benefits are transformative. However, there’s a dark side to the public cloud, tracking people and the assets and data that they can access, is extraordinarily difficult. This, in turn, creates enormous security risks.
Make no mistake, there’s a growing need for robust governance that spans multi-cloud environments. Forrester describes Cloud Identity Governance (CIG), as a critical factor in advancing enterprise security. It essentially allows security and risk (S&R) professionals to “continuously discover identities, fully map them out, and control them and their access rights in multiple cloud environments.”
This capability is also critical because cloud instances and containers often rely on transitive access rights based on roles and responsibilities. Unfortunately, there’s no single template for addressing CIG. The marketplace is somewhat fractured and as clouds, containers, APIs and other tools become more complex and intertwined—often spread over multiple cloud providers—it’s becoming more difficult to rein in the chaos.
The other primary cause of complexity is the enormous number of service identities. Every compute and data resource has an identity with access privileges, just like a human user. Those entitlements are the number one cause of lateral movement in cloud breaches today.
What makes cloud security particularly challenging is that every cloud platform offers different ways to define, manage and authorize users. In fact, some platforms, like AWS, offer multiple ways to accomplish the task. Yet, in IaaS or PaaS, with large numbers of machine identities and different system characteristics, more granular access policies may be required.
According to Forrester, the biggest problems typical revolve around three areas:
- Access controls in cloud platforms are powerful but too complicated. With no common framework or approach, access control policies vary within providers and across providers. In some cases, there’s also a need to use JSON scripting to append operations.
- Clouds present too many privilege challenges. The sheer number of access models that cloud services offer is problematic. While it’s possible to establish granular privileges for thousands of roles, the downside is that this often results in excessive access rights. Making matters worse: temporary cloud configurations that use lax controls designed for quick development boost risk.
- Numerous identity types with different organizational affiliations typically access clouds. It’s not uncommon for a cloud configuration console to have 70 or 80 accounts associated with it, Forrester reports. This includes line-of-business staff, financial groups and even outside consultants and contractors.
For most organizations, a more manageable and standardized cloud governance framework is in order. The right approach can also aid in compliance to key industry standards, such as CSA 4.1, ISO 27017, and SOC 2 Type II certifications. A best practice CIG approach should focus on five primary areas:
Cloud infrastructure entitlement management (CIEM).
This specialized approach uses analytics and machine learning to detect over permissioned identities, spot behavior anomalies and manage entitlements to enforce least privilege, and address the unique challenges created by multi-cloud environments. It’s valuable for complex and highly dynamic cloud environments that rely on IaaS and PaaS. CIEM shines because it removes manual oversight and instead grants, resolves, enforces, revokes and administers authorizations or privileges in an automated way.
Cloud Identity and Access Management (IAM).
Establishing a comprehensive framework for authentication and authorization is at the center of connecting clouds and managing them effectively. The right IAM solution simplifies account set up and deprovisioning across multiple applications or systems. With robust tools in place to manage identities, perform secure single sign on, reduce passwords, and assign privileges that precisely align with roles, it’s possible to improve and simplify security, and also improve audits and regulatory compliance.
No cloud framework or software should be without a way to validate the identity of a user. MFA has become a critical component. In the most basic form, an organization should require a text code or the use of an authenticator app that displays rolling codes. More advanced frameworks—which typically rely on a smartphone or wearable—incorporate physical or virtual tokens to automate and further improve the authentication process.
Privileged Access Management (PAM).
These solutions focus on preventing credential theft and privilege misuse. As the name implies, they provide additional access and protection to privileged groups—though monitoring, visibility and fine grained controls. PAM makes it possible to create different classes of accounts. For example, an organization might set up a super-user account for a high level IT administrator, a privileged business user account for an executive that needs to access IT systems, and an emergency account. However, PAM is not natively designed for the cloud or to support DevOps.
Zero Trust Network Access (ZTNA).
The concept of zero trust isn’t new. However, ZTNA offers an evolving framework to put an organization’s zero trust policies into practice. At a basic level, it ensures that only users who require access to an organization’s network to perform specific tasks obtain permission. The approach replaces virtual private network (VPN) devices, which allow unfettered access to a network.
Better cloud security is achievable. An approach that revolves around securing identities can elevate protection and deliver clear advantages.
Shai Morag is CEO of cloud identity and access security provider Ermetic. Previously, he was co-founder and CEO of Secdo, an incident response platform vendor acquired by Palo Alto Networks, and CEO of Integrity-Project, a software outsourcing company acquired by Mellanox. Shai also served for 10 years as an officer in senior product development and management roles with the Intelligence Unit of the Israel Defense Forces.