Investing in Privileged Identity Management Should be a #1 Priority
September 23, 2019

Balaji Parimi
CloudKnox Security

Cloud infrastructure has seen accelerating levels of automation over the past few years. While the new, unprecedented level of automation delivers benefits like speed and agility, it also introduces enormous risk. With automation, enterprises are now able to create or destroy a data center with a single script — something that wasn't a possibility even 15 years ago and has allowed enterprises to reach newfound heights in both efficiency and scale.

The probability of identities misusing privileges (whether intentional or not) has also increased greatly for any enterprise planning a cloud migration or already embracing the cloud:

Consider the recent Capital One breach. Based on public information, a major contributor to the incident was the fact that an excessive amount of privileges were provisioned to an IAM role on an EC2 server. The hacker got into to an EC2 instance and obtained the access key and secret key needed to assume a role. This role had privileges to enumerate many S3 buckets and download all the data. Without these elaborate set of privileges, the issue would have been much more subdued.

Typically, when these roles are created, the set of privileges that the role needs are determined completely based on assumptions. Almost everybody errs on the side of provisioning more and never reviews the actual usage, as it is almost impossible to do manually.

Enterprises are generally aware of and want to fix the fact that any crack in their cloud infrastructure, regardless of how trivial, can cause significant damage — but the larger issue is that they usually do not know where to start or what to do. Another problem is that they rarely have the level of visibility needed to understand which actions identities are authorized to perform across multiple, complex, and vastly different cloud operating models.

The problems don't stop there. As the example above illustrates, automation has inadvertently created what are known as "Super Identities." These identities have extraordinary — and oftentimes, unnecessary — power and responsibility. IT teams now have to manage more than 30,000 privileges across the four major cloud platforms and more than 50% of them can disrupt business. These are growing almost on a daily basis as the cloud providers are introducing new services and features at a faster rate.

These Super Identities are not just limited to humans; many are actually non-humans, such as machine identities, service accounts, bots, API keys, etc., which only require a small subset of privileges to do simple and repetitive tasks.

If and when the credentials of even just one of these Super Identities fall into the wrong hands, the probability of the damage being catastrophic is huge. As a case in point, an IAM role on an EC2 server that had an excessive amount of privileges was the major culprit of the Capital One breach, for instance. Severe damage like this through privilege misuse is certainly not ideal for any enterprise embracing the cloud.

Manual Processes vs. Automation

Due to a lack of tools and solutions in the market to combat the over-provisioning problem, enterprises have been forced to use manual processes.

The biggest flaw is that these manual processes create static roles based on assumptions — either pre-defined roles that cloud providers provide or custom roles created by the enterprises. The only way to fix this issue is by using a data-driven approach. In order to make these roles much more dynamic, organizations need to continuously monitor the usage and right size them to eliminate excessive privileges. Resorting to automation is the only way to achieve this.

It's also no surprise that enterprises are struggling with the impossible task of keeping up with the endless additions of new privileges, roles, resources, and services across multiple cloud platforms, as they barely have the time or resources.

This is exactly why I always urge enterprises to press the pause button before following through with a cloud migration in order to take a full inventory of their human and non-human identities, roles and privileges. It's critical that enterprises take the time to understand what actions their identities are performing on which resources in the cloud, especially on the more critical resources. It's important to start building out identity and resource risk profiles to refer back to both before and during a cloud migration. During this time of transition, enterprises have an opportunity to maximize visibility across complex cloud operating models to prevent and decrease risks down the road.

Multi-Cloud, Added Complexities

As enterprises increasingly turn to multi-cloud environments to achieve the benefits of cost savings and reduced time-to-market, the tradeoff is often a significant increase in complexity.

For example, as enterprises grow and add new services and infrastructure types, it's vital that the correct authorization policies remain intact and it's important to understand how privileges will be provisioned and maintained across systems. This will be key in order to mitigate the risk of accidents and insider threats both during and after the cloud migration process.

Are Your Identity Privileges in Check?

Identity privilege management — especially of machine identities — is crucial and should be central to any cloud migration strategy. Without a plan in place, enterprises cannot successfully combat the expanding insider threat risk surface, whether it's the result of a simple operator error or malicious intent.

By prioritizing and investing in the continuous monitoring and management of machine and human identities before embarking on a cloud migration, enterprises have the extra time and resources to ensure proper authorization policies are in place once the cloud migration is complete. Identities are the new perimeter, according to Gartner — so there is no better time than now to make managing them a priority.

Balaji Parimi is CEO and Founder of CloudKnox Security
Share this

Industry News

March 27, 2024

WaveMaker has updated its platform in response to customer demand for more sophisticated API and code management tools.

March 27, 2024

Vercara announced the launch of UltraAPI™, a product suite that protects APIs and web applications from malicious bots and fraudulent activity while ensuring regulatory compliance.

March 27, 2024

Legit Security announced the launch of its standalone enterprise secrets scanning product, which can detect, remediate, and prevent secrets exposure across the software development pipeline.

March 26, 2024

Progress announced a strategic partnership with Veeam® Software, the #1 leader by market share in Data Protection and Ransomware Recovery, to provide customers with an enterprise-ready cyber defense solution that strengthens the security of their business-critical data.

March 26, 2024

GitGuardian released its Software Composition Analysis (SCA) module.

March 26, 2024

DataStax announced a milestone in its journey to simplify enterprise retrieval-augmented generation (RAG) for developers by integrating with Microsoft Semantic Kernel.

March 25, 2024

Check Point® Software Technologies Ltd. is collaborating with NVIDIA to enhance the security of AI cloud infrastructure. Integrating NVIDIA BlueField DPUs, which feature a broad range of purpose-built, innovative security capabilities, the new Check Point AI Cloud Protect solution will help prevent threats at both the network and host levels.

March 25, 2024

Sentry announced the release of Autofix, an AI-powered feature to debug and fix code in minutes, saving important time and resources.

March 25, 2024

Apiiro announced a product integration and partnership with Secure Code Warrior, the agile developer security training platform, to extend its ASPM technology and processes to the people layer.

March 21, 2024

Progress announced that Progress® Semaphore™, its metadata management and semantic AI platform, was named a Champion in SoftwareReviews’ 2024 Metadata Management Emotional Footprint Awards.

March 21, 2024

The Cloud Native Computing Foundation® (CNCF®) has partnered with Udemy, an online skills marketplace and learning platform.

March 21, 2024

GitLab has acquired Oxeye, the provider of a cloud-native application security and risk management solution.

March 21, 2024

GitHub announced that code scanning autofix, powered by GitHub Copilot and CodeQL, is available in public beta for all GitHub Advanced Security (GHAS) customers.

March 21, 2024

NetApp is collaborating with NVIDIA to advance retrieval-augmented generation (RAG) for generative AI applications.

March 21, 2024

CalypsoAI launched the CalypsoAI Platform, an advanced SaaS-based security and enablement solution for generative AI applications within the enterprise.