Cloud Security Risk Often Lingers - Why That Should Alarm You!
Written by Tim Sedlack, Sr. Director, Product Management, BeyondTrust.
I think you’d agree that, today, “The Cloud” is ubiquitous. If surveys are to be believed, most of us use more than one cloud service provider (CSP) to gain speed of service, simplicity, and (generally) cost savings.
At this point, I think most organizations have a good handle on the immediacy of risk from the more common cloud misconfigurations, such as an inappropriately open port. Enterprises understand that it’s important to ensure users, especially privileged users, have multi-factor authentication (MFA) turned on, and that storage is always encrypted. But there’s a layer of risk that persists for a variety of reasons, not the least of which is that cloud security is a layered, complicated practice.
Cloud security is a practice that takes constant vigilance and a continuous process-improvement loop. We’ll cover some places where risk may be lurking unobserved, so that you can plan for contingencies you might otherwise have missed when protecting your resources and data.
Cloud Risk Whack-a-Mole
Even with a cloud-based, Zero Trust Network architecture, best-practices from the CSP, industry expertise and assistance from organizations like Cloud Security Alliance (CSA), and all the help you can get from the open-source community, there are still threats that are difficult to capture and mitigate.
Ephemeral resources, those that exist only while they are needed and last only as long as the process that spawned them, are hard to account for when your security posture is based on a static inventory of resources. They appear, connect to other resources in your organization, usually take some action that affects your data, and then disappear, sometimes within a few seconds, so assessing the effect of those relationships can be a challenge. Now imagine that such a resource runs under a role that grants access to sensitive data, and that the role’s trust policy lets it be assumed more widely than intended: you have left a door unlocked that gives an attacker access to your data. These ephemeral threats are hard to capture and mitigate, let alone plan for in every eventuality.
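The “door left unlocked” above is usually a role trust policy, not the role’s permissions. The following audit script is an added example (it is not from the original post or from BeyondTrust) that checks AWS-style IAM trust policies for principals an outsider could satisfy: a wildcard principal, or an account-root principal in an account you don’t own with no Condition (such as an external ID) narrowing who may assume the role. The role names, account IDs and the `TRUSTED_ACCOUNTS` set are constructed for illustration.

```python
"""Audit IAM-style role trust policies for principals an attacker could satisfy.

Added example, not from the original post. Assumes AWS-style IAM JSON trust
policies; every policy document and account ID below is a constructed sample.
"""

# Hypothetical: the accounts we own. Anything else is "external".
TRUSTED_ACCOUNTS = {"111111111111"}

# Constructed sample: trust policies of three roles used by short-lived compute.
SAMPLE_ROLES = {
    "batch-etl-role": {  # only the Lambda service can assume it: fine
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": "lambda.amazonaws.com"},
                       "Action": "sts:AssumeRole"}],
    },
    "data-export-role": {  # any AWS principal anywhere can assume it
        "Statement": [{"Effect": "Allow",
                       "Principal": {"AWS": "*"},
                       "Action": "sts:AssumeRole"}],
    },
    "partner-ingest-role": {  # whole external account trusted, no Condition
        "Statement": [{"Effect": "Allow",
                       "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                       "Action": "sts:AssumeRole"}],
    },
}


def _principals(stmt):
    """Flatten the Principal element into (kind, value) pairs."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return [("*", "*")]
    pairs = []
    for kind, values in principal.items():
        if isinstance(values, str):
            values = [values]
        pairs.extend((kind, v) for v in values)
    return pairs


def _account_of(arn):
    """Account ID is the fifth colon-separated field of an ARN."""
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else None


def audit_trust_policy(policy):
    """Return a list of human-readable findings for one trust policy."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        # Only statements that grant some form of sts:AssumeRole* matter here.
        if not any(a == "*" or a.lower().startswith("sts:assumerole") for a in actions):
            continue
        has_condition = bool(stmt.get("Condition"))
        for kind, value in _principals(stmt):
            if value == "*":
                findings.append("wildcard principal: anyone can assume this role")
            elif kind == "AWS":
                account = _account_of(value)
                if account and account not in TRUSTED_ACCOUNTS:
                    findings.append(f"external account {account} trusted")
                    if value.endswith(":root") and not has_condition:
                        findings.append(f"account-root trust to {account} "
                                        "without Condition (e.g. sts:ExternalId)")
    return findings


def audit_all(roles):
    """Map each role name to its findings (empty list means no issue found)."""
    return {name: audit_trust_policy(policy) for name, policy in roles.items()}


if __name__ == "__main__":
    for role, findings in audit_all(SAMPLE_ROLES).items():
        print(role, "->", findings or "ok")
```

In a real account you would feed this the output of `iam:GetRole` (the `AssumeRolePolicyDocument` field) for every role, and extend the trusted set with the accounts in your organization; the point is that a role’s blast radius is set by who can assume it, and that is invisible if you only inventory the long-lived resources.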
Identity & Resource Risk
IT security has long had a handle on controlling access rights and other privileges inside the walls of our own data centers. We (as information technologists) know how to monitor, manage, and control on-premises joiners, movers, and leavers when we own and control all the resources. Cloud identities, even when federated from an identity provider (IdP), can be harder to monitor for dangerous behavior, especially when they act through a script or program, or assume the role of a machine account.
You also have the challenge of managing the other set of identities mentioned above: machine identities. A commonly cited ratio of machine accounts to human accounts is 5:1, that is, five machine accounts for every human. Entitlements are granted to these accounts to accomplish specific tasks, so machine accounts usually have very structured execution and predictable access patterns, which in principle makes deviations easy to spot. In practice, non-human accounts are easy to overlook and are typically not under the same close observation as human user accounts.
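Because a machine account’s access pattern is predictable, a simple baseline is enough to catch it doing something it never does. The detector below is an added example (not from the original post or from BeyondTrust): it learns which API actions and hours of day a service principal used in a baseline window, then flags observed events that fall outside that profile or hit a hypothetical list of actions no batch job should need. The log records are constructed to resemble simplified CloudTrail events; the field names and the `HIGH_RISK` list are assumptions.

```python
"""Baseline a machine identity's API activity and flag deviations.

Added example, not from the original post. The records below are constructed
to look like simplified CloudTrail events; field names are an assumption.
"""
from collections import defaultdict

# Constructed baseline window: what the ETL service principal normally does.
BASELINE = [
    {"principal": "svc-etl", "event": "s3:GetObject", "hour": 2},
    {"principal": "svc-etl", "event": "s3:PutObject", "hour": 2},
    {"principal": "svc-etl", "event": "s3:GetObject", "hour": 3},
    {"principal": "svc-etl", "event": "s3:PutObject", "hour": 3},
]

# Constructed observation window containing two anomalies.
OBSERVED = [
    {"principal": "svc-etl", "event": "s3:GetObject", "hour": 2},
    {"principal": "svc-etl", "event": "iam:CreateAccessKey", "hour": 14},
    {"principal": "svc-etl", "event": "signin:ConsoleLogin", "hour": 14},
]

# Hypothetical: actions that a non-human identity should never perform.
HIGH_RISK = {"iam:CreateAccessKey", "iam:AttachRolePolicy",
             "signin:ConsoleLogin", "sts:GetFederationToken"}


def build_baseline(events):
    """Per-principal profile: the set of actions and hours seen in the window."""
    profile = defaultdict(lambda: {"events": set(), "hours": set()})
    for e in events:
        profile[e["principal"]]["events"].add(e["event"])
        profile[e["principal"]]["hours"].add(e["hour"])
    return profile


def detect(profile, events):
    """Return (principal, action, reason) for every event outside the profile."""
    alerts = []
    for e in events:
        p = profile.get(e["principal"])  # .get does not create a default entry
        if p is None:
            alerts.append((e["principal"], e["event"], "unknown machine identity"))
            continue
        reasons = []
        if e["event"] not in p["events"]:
            reasons.append("action never seen in baseline")
        if e["hour"] not in p["hours"]:
            reasons.append(f"outside usual hours {sorted(p['hours'])}")
        if e["event"] in HIGH_RISK:
            reasons.append("high-risk action for a non-human identity")
        if reasons:
            alerts.append((e["principal"], e["event"], "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for principal, action, reason in detect(build_baseline(BASELINE), OBSERVED):
        print(f"ALERT {principal} {action}: {reason}")
```

A production version would build the profile over weeks rather than four events and tolerate small drift, but the shape is the same: for machine identities, “never seen before” is itself a strong signal, which is exactly what gets lost when they are not watched as closely as humans.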
Policy Intricacies in the Cloud
When policy is complicated, it’s easy to make mistakes. To those who don’t work in cloud policy, it can look like incantations that no one understands. As many as eight different policy types can play a part in deciding whether an identity has access to a resource in the cloud. Identity-based policies, resource-based policies, permissions boundaries, access control lists (ACLs), service control policies (SCPs), and session policies each have to be understood on their own, and working out what the effective access truly is once every layer has been applied can be daunting.
Policies aren’t static either: people can and do change them all the time. Understanding and managing policy for a single cloud service provider can feel like a full-time job, let alone parsing it across multiple providers. Make sure you have a good understanding of policy settings, and develop your own best practices that keep tight control over who can change policy.
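To make “effective access” concrete, here is an added example (not from the original post or from BeyondTrust) that evaluates one request against several policy layers the way AWS IAM does in outline: an explicit deny in any applicable layer wins, and otherwise every applicable layer (SCP, permissions boundary, session policy) plus the identity policy must contain a matching allow. Condition blocks, NotAction/NotResource and cross-account resource-policy rules are deliberately left out, and all policy documents are constructed samples, so treat it as a model of the evaluation order, not a substitute for the provider’s own policy simulator.

```python
"""Simplified 'effective access' evaluation across policy layers.

Added example, not from the original post. Follows the AWS IAM evaluation
order in outline only: explicit deny wins, then each applicable layer must
allow. Condition, NotAction/NotResource and cross-account rules are ignored.
All policy documents are constructed samples.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _statement_matches(stmt, action, resource):
    """IAM actions match case-insensitively with '*' wildcards; ARNs likewise."""
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    resources = _as_list(stmt.get("Resource", "*"))
    return (any(fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def evaluate_layer(docs, action, resource):
    """Verdict for one layer: 'Deny', 'Allow', or None (implicit deny)."""
    verdict = None
    for doc in docs:
        for stmt in doc.get("Statement", []):
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"          # explicit deny is final for the layer
            verdict = "Allow"
    return verdict


def effective_access(action, resource, identity_docs, scp_docs=None,
                     boundary_docs=None, session_docs=None):
    """Return (allowed, reason) for a same-account request."""
    layers = [("identity", identity_docs), ("SCP", scp_docs),
              ("permissions boundary", boundary_docs),
              ("session policy", session_docs)]
    verdicts = {}
    for name, docs in layers:
        if docs is None:               # layer not in effect for this principal
            continue
        verdicts[name] = evaluate_layer(docs, action, resource)
        if verdicts[name] == "Deny":
            return False, f"explicit deny in {name}"
    for name, verdict in verdicts.items():
        if verdict != "Allow":         # every applicable layer must allow
            return False, f"implicit deny: no matching allow in {name}"
    return True, "allowed by every applicable layer"


# Constructed sample policies for one engineer's role.
IDENTITY = [{"Statement": [{"Effect": "Allow", "Action": "s3:*",
                            "Resource": "arn:aws:s3:::finance-reports/*"}]}]
SCPS = [{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                       {"Effect": "Deny", "Action": "s3:DeleteObject",
                        "Resource": "*"}]}]
BOUNDARY = [{"Statement": [{"Effect": "Allow",
                            "Action": ["s3:GetObject", "s3:ListBucket"],
                            "Resource": "*"}]}]


def sample_results():
    """Four requests that each fail (or pass) at a different layer."""
    obj = "arn:aws:s3:::finance-reports/q1.csv"
    return {
        "read": effective_access("s3:GetObject", obj, IDENTITY, SCPS, BOUNDARY),
        "write": effective_access("s3:PutObject", obj, IDENTITY, SCPS, BOUNDARY),
        "delete": effective_access("s3:DeleteObject", obj, IDENTITY, SCPS, BOUNDARY),
        "other_bucket": effective_access("s3:GetObject", "arn:aws:s3:::hr/x",
                                         IDENTITY, SCPS, BOUNDARY),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in sample_results().items():
        print(f"{name:12} {'ALLOW' if allowed else 'DENY '} ({reason})")
```

Note that the identity policy grants `s3:*`, yet the engineer can only read: the boundary silently removes writes and the SCP explicitly removes deletes. Reading any one of the three documents on its own tells you the wrong answer, which is the whole difficulty of reasoning about effective access.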
Vigilance & Diligence
In the always-on, ever-changing world of cloud security, even secure and confident organizations with the latest toolsets need to do everything they can to remain vigilant. You must maintain constant security and risk assessment, attentive and automated monitoring, AND a rapid-response team with deep skills in cloud security.
In the cloud, services and entitlements change constantly (added, deprecated, and modified). With each new service or option, a well-constructed security practice can be undone when someone in your organization consumes a new service or assigns a new privilege that creates a tunnel or bridge to your data.
Diligence is always the answer in the cloud; it can help you stay ahead of misconfigurations or worse. And that leads to educating your end users. When people understand the “why” of security, it’s easier to gain their trust and have them working with you, rather than taking perfunctory actions because, you know… “Security”.
Give your end users the benefit of the doubt. They want to do the right things, when they understand why they are doing them. Endeavor to have the most informed user community to help you in the battle against cloud risk.
About the Author
Tim is Sr. Director of Product Management at BeyondTrust and has been in Product Management for over 20 years. Prior to BeyondTrust, Tim served as Director of Product Management for Identity and Access Management at Micro Focus. Tim has managed products across the security spectrum, including Security, Compliance, IAM and GRC, for a variety of companies and in a few different countries, including a 5-year stint in Munich, Germany! Tim enjoys travelling around the world, exploring new cultures, and engaging with locals wherever he goes.