Investing in Privileged Identity Management Should be a #1 Priority
September 23, 2019

Balaji Parimi
CloudKnox Security

Cloud infrastructure has seen accelerating levels of automation over the past few years. While the new, unprecedented level of automation delivers benefits like speed and agility, it also introduces enormous risk. With automation, enterprises are now able to create or destroy a data center with a single script — something that wasn't a possibility even 15 years ago and has allowed enterprises to reach newfound heights in both efficiency and scale.

The probability of identities misusing privileges (whether intentional or not) has also increased greatly for any enterprise planning a cloud migration or already embracing the cloud:

Consider the recent Capital One breach. Based on public information, a major contributor to the incident was the fact that an excessive amount of privileges were provisioned to an IAM role on an EC2 server. The hacker got into to an EC2 instance and obtained the access key and secret key needed to assume a role. This role had privileges to enumerate many S3 buckets and download all the data. Without these elaborate set of privileges, the issue would have been much more subdued.

Typically, when these roles are created, the set of privileges that the role needs are determined completely based on assumptions. Almost everybody errs on the side of provisioning more and never reviews the actual usage, as it is almost impossible to do manually.

Enterprises are generally aware of and want to fix the fact that any crack in their cloud infrastructure, regardless of how trivial, can cause significant damage — but the larger issue is that they usually do not know where to start or what to do. Another problem is that they rarely have the level of visibility needed to understand which actions identities are authorized to perform across multiple, complex, and vastly different cloud operating models.

The problems don't stop there. As the example above illustrates, automation has inadvertently created what are known as "Super Identities." These identities have extraordinary — and oftentimes, unnecessary — power and responsibility. IT teams now have to manage more than 30,000 privileges across the four major cloud platforms and more than 50% of them can disrupt business. These are growing almost on a daily basis as the cloud providers are introducing new services and features at a faster rate.

These Super Identities are not just limited to humans; many are actually non-humans, such as machine identities, service accounts, bots, API keys, etc., which only require a small subset of privileges to do simple and repetitive tasks.

If and when the credentials of even just one of these Super Identities fall into the wrong hands, the probability of the damage being catastrophic is huge. As a case in point, an IAM role on an EC2 server that had an excessive amount of privileges was the major culprit of the Capital One breach, for instance. Severe damage like this through privilege misuse is certainly not ideal for any enterprise embracing the cloud.

Manual Processes vs. Automation

Due to a lack of tools and solutions in the market to combat the over-provisioning problem, enterprises have been forced to use manual processes.

The biggest flaw is that these manual processes create static roles based on assumptions — either pre-defined roles that cloud providers provide or custom roles created by the enterprises. The only way to fix this issue is by using a data-driven approach. In order to make these roles much more dynamic, organizations need to continuously monitor the usage and right size them to eliminate excessive privileges. Resorting to automation is the only way to achieve this.

It's also no surprise that enterprises are struggling with the impossible task of keeping up with the endless additions of new privileges, roles, resources, and services across multiple cloud platforms, as they barely have the time or resources.

This is exactly why I always urge enterprises to press the pause button before following through with a cloud migration in order to take a full inventory of their human and non-human identities, roles and privileges. It's critical that enterprises take the time to understand what actions their identities are performing on which resources in the cloud, especially on the more critical resources. It's important to start building out identity and resource risk profiles to refer back to both before and during a cloud migration. During this time of transition, enterprises have an opportunity to maximize visibility across complex cloud operating models to prevent and decrease risks down the road.

Multi-Cloud, Added Complexities

As enterprises increasingly turn to multi-cloud environments to achieve the benefits of cost savings and reduced time-to-market, the tradeoff is often a significant increase in complexity.

For example, as enterprises grow and add new services and infrastructure types, it's vital that the correct authorization policies remain intact and it's important to understand how privileges will be provisioned and maintained across systems. This will be key in order to mitigate the risk of accidents and insider threats both during and after the cloud migration process.

Are Your Identity Privileges in Check?

Identity privilege management — especially of machine identities — is crucial and should be central to any cloud migration strategy. Without a plan in place, enterprises cannot successfully combat the expanding insider threat risk surface, whether it's the result of a simple operator error or malicious intent.

By prioritizing and investing in the continuous monitoring and management of machine and human identities before embarking on a cloud migration, enterprises have the extra time and resources to ensure proper authorization policies are in place once the cloud migration is complete. Identities are the new perimeter, according to Gartner — so there is no better time than now to make managing them a priority.

Balaji Parimi is CEO and Founder of CloudKnox Security
Share this

Industry News

November 07, 2019

To help developers increase the speed and quality of their SQL coding, enhance efficiency, and take advantage of the latest improvements in SQL Server, Redgate has released a major upgrade for its most popular tool, SQL Prompt.

November 07, 2019

CloudBees announced a partnership with Atos and VMware surrounding a solution to help customers adopt DevOps best practices at scale on Atos’ recently announced Atos Digital Hybrid Cloud (DHC) powered by VMware Tanzu and CloudBees cloud native continuous integration/continuous delivery (CI/CD) enterprise solution.

November 07, 2019

Fugue announced the release of the Fugue Best Practices Framework to help cloud engineering and security teams identify and remediate dangerous cloud resource misconfigurations that aren’t addressed by common compliance frameworks.

November 06, 2019

Red Hat and the Quarkus community announced Quarkus 1.0.

November 06, 2019

Copado announced its Winter 20 release to provide Salesforce customers the fastest path to continuous innovation.

November 06, 2019

Applause announced its new solution for AI training and testing.

November 05, 2019

Broadcom announced an expanded collaboration with Infosys to help SAP customers mitigate risks and costs associated with the upgrade to SAP’s next-generation enterprise resource planning application, S/4HANA.

November 05, 2019

Opsani AI is now generally available for services providers running on Microsoft's Azure cloud computing platform.

November 05, 2019

Wind River announced the release of its latest version of Wind River Simics.

November 04, 2019

Red Hat announced the latest release of Red Hat Process Automation, unveiling new applied artificial intelligence (AI) capabilities for predictive decision modeling, and support for the development of process- and decision-based business applications using micro-frontend architectures.

November 04, 2019

JFrog announced the availability of the JFrog Platform package Cloud Pro X in the Microsoft Azure Marketplace.

November 04, 2019

Volterra​, a provider of distributed cloud services, launched from two years of stealth operations with over $50 million in funding to date.

October 31, 2019

Redgate this month celebrated its 20th anniversary as a software company dedicated to creating advanced database development solutions ...

October 31, 2019

Tidelift announced integration with the Bitbucket code collaboration platform.

October 31, 2019

Rancher Labs announced that The Cloud Native Computing Foundation (CNCF) has accepted the company’s vendor-neutral container storage solution - Longhorn - as its latest Sandbox project.