Investing in Privileged Identity Management Should be a #1 Priority
September 23, 2019

Balaji Parimi
CloudKnox Security

Cloud infrastructure has seen accelerating levels of automation over the past few years. While the new, unprecedented level of automation delivers benefits like speed and agility, it also introduces enormous risk. With automation, enterprises are now able to create or destroy a data center with a single script — something that wasn't a possibility even 15 years ago and has allowed enterprises to reach newfound heights in both efficiency and scale.

The probability of identities misusing privileges (whether intentional or not) has also increased greatly for any enterprise planning a cloud migration or already embracing the cloud:

Consider the recent Capital One breach. Based on public information, a major contributor to the incident was the fact that an excessive amount of privileges were provisioned to an IAM role on an EC2 server. The hacker got into to an EC2 instance and obtained the access key and secret key needed to assume a role. This role had privileges to enumerate many S3 buckets and download all the data. Without these elaborate set of privileges, the issue would have been much more subdued.

Typically, when these roles are created, the set of privileges that the role needs are determined completely based on assumptions. Almost everybody errs on the side of provisioning more and never reviews the actual usage, as it is almost impossible to do manually.

Enterprises are generally aware of and want to fix the fact that any crack in their cloud infrastructure, regardless of how trivial, can cause significant damage — but the larger issue is that they usually do not know where to start or what to do. Another problem is that they rarely have the level of visibility needed to understand which actions identities are authorized to perform across multiple, complex, and vastly different cloud operating models.

The problems don't stop there. As the example above illustrates, automation has inadvertently created what are known as "Super Identities." These identities have extraordinary — and oftentimes, unnecessary — power and responsibility. IT teams now have to manage more than 30,000 privileges across the four major cloud platforms and more than 50% of them can disrupt business. These are growing almost on a daily basis as the cloud providers are introducing new services and features at a faster rate.

These Super Identities are not just limited to humans; many are actually non-humans, such as machine identities, service accounts, bots, API keys, etc., which only require a small subset of privileges to do simple and repetitive tasks.

If and when the credentials of even just one of these Super Identities fall into the wrong hands, the probability of the damage being catastrophic is huge. As a case in point, an IAM role on an EC2 server that had an excessive amount of privileges was the major culprit of the Capital One breach, for instance. Severe damage like this through privilege misuse is certainly not ideal for any enterprise embracing the cloud.

Manual Processes vs. Automation

Due to a lack of tools and solutions in the market to combat the over-provisioning problem, enterprises have been forced to use manual processes.

The biggest flaw is that these manual processes create static roles based on assumptions — either pre-defined roles that cloud providers provide or custom roles created by the enterprises. The only way to fix this issue is by using a data-driven approach. In order to make these roles much more dynamic, organizations need to continuously monitor the usage and right size them to eliminate excessive privileges. Resorting to automation is the only way to achieve this.

It's also no surprise that enterprises are struggling with the impossible task of keeping up with the endless additions of new privileges, roles, resources, and services across multiple cloud platforms, as they barely have the time or resources.

This is exactly why I always urge enterprises to press the pause button before following through with a cloud migration in order to take a full inventory of their human and non-human identities, roles and privileges. It's critical that enterprises take the time to understand what actions their identities are performing on which resources in the cloud, especially on the more critical resources. It's important to start building out identity and resource risk profiles to refer back to both before and during a cloud migration. During this time of transition, enterprises have an opportunity to maximize visibility across complex cloud operating models to prevent and decrease risks down the road.

Multi-Cloud, Added Complexities

As enterprises increasingly turn to multi-cloud environments to achieve the benefits of cost savings and reduced time-to-market, the tradeoff is often a significant increase in complexity.

For example, as enterprises grow and add new services and infrastructure types, it's vital that the correct authorization policies remain intact and it's important to understand how privileges will be provisioned and maintained across systems. This will be key in order to mitigate the risk of accidents and insider threats both during and after the cloud migration process.

Are Your Identity Privileges in Check?

Identity privilege management — especially of machine identities — is crucial and should be central to any cloud migration strategy. Without a plan in place, enterprises cannot successfully combat the expanding insider threat risk surface, whether it's the result of a simple operator error or malicious intent.

By prioritizing and investing in the continuous monitoring and management of machine and human identities before embarking on a cloud migration, enterprises have the extra time and resources to ensure proper authorization policies are in place once the cloud migration is complete. Identities are the new perimeter, according to Gartner — so there is no better time than now to make managing them a priority.

Balaji Parimi is CEO and Founder of CloudKnox Security
Share this

Industry News

October 10, 2019

CloudBees launched a new partner program that expands ISV partners’ ability to align with CloudBees offerings and the global Jenkins community.

October 08, 2019

Nureva announced a key update to the Jira Software integration with Span Workspace, Nureva’s cloud-based digital canvas for visual planning and collaboration.

October 08, 2019

Fugue announced support for Open Policy Agent (OPA), an open source general-purpose policy engine and language for cloud infrastructure.

October 03, 2019

Redgate announced the launch of SQL Compare v14, the latest version of its industry standard tool for quickly and accurately comparing and deploying SQL Server databases.

October 03, 2019

Harness announced the release of Continuous Insights, a new capability of its CD platform that enables organizations to see clearly into software delivery performance across their engineering and development teams without needing to manually collect, correlate, and report metrics that might take days or weeks.

October 03, 2019

OutSystems and Workato announced a partnership aimed at allowing organizations to rapidly realize innovation, time to value, productivity, and mission-critical objectives through readily available application connectors.

October 02, 2019

Kong announced an acquisition and several new products.

October 02, 2019

Contrast Security announced the availability of .NET Core support on Contrast Community Edition (CE).

October 02, 2019

Checkmarx earned Amazon Web Services (AWS) Security Competency status for its Software Security Platform.

October 01, 2019

Parasoft announced the release of its newest product, Parasoft Selenic, a UI testing solution that makes Selenium smarter, to help organizations find real bugs faster.

October 01, 2019

Micro Focus announced the general availability of Deployment Automation 6.3, offering new deployment improvements for its Release Orchestration solution set.

October 01, 2019

Compuware announced enhancements to Topaz for Total Test and a partnership with OpenLegacy to help large enterprises speed mainframe software development and delivery while improving quality.

September 30, 2019

Deque Systems announced Axe Pro, a key addition to Axe, the web accessibility testing browser extension.

September 30, 2019

NIIT Technologies and mabl, Inc announced a partnership to deliver AI-driven automated solution for faster, economical and better application testing services.

September 30, 2019

Rockset announced the capability to analyze raw events from Apache Kafka in real time.