Investing in Privileged Identity Management Should be a #1 Priority
September 23, 2019

Balaji Parimi
CloudKnox Security

Cloud infrastructure has seen accelerating levels of automation over the past few years. While the new, unprecedented level of automation delivers benefits like speed and agility, it also introduces enormous risk. With automation, enterprises are now able to create or destroy a data center with a single script — something that wasn't a possibility even 15 years ago and has allowed enterprises to reach newfound heights in both efficiency and scale.

The probability of identities misusing privileges (whether intentional or not) has also increased greatly for any enterprise planning a cloud migration or already embracing the cloud:

Consider the recent Capital One breach. Based on public information, a major contributor to the incident was the fact that an excessive set of privileges was provisioned to an IAM role on an EC2 server. The attacker got into an EC2 instance and obtained the access key and secret key needed to assume a role. This role had privileges to enumerate many S3 buckets and download all the data. Without this elaborate set of privileges, the impact would have been far more limited.

Typically, when these roles are created, the set of privileges that the role needs is determined entirely on the basis of assumptions. Almost everybody errs on the side of provisioning more and never reviews the actual usage, because doing so manually is nearly impossible.

Enterprises are generally aware of and want to fix the fact that any crack in their cloud infrastructure, regardless of how trivial, can cause significant damage — but the larger issue is that they usually do not know where to start or what to do. Another problem is that they rarely have the level of visibility needed to understand which actions identities are authorized to perform across multiple, complex, and vastly different cloud operating models.

The problems don't stop there. As the example above illustrates, automation has inadvertently created what are known as "Super Identities." These identities have extraordinary — and oftentimes unnecessary — power and responsibility. IT teams now have to manage more than 30,000 privileges across the four major cloud platforms, and more than 50% of them can disrupt business. That number grows almost daily, as the cloud providers introduce new services and features at an ever faster rate.

These Super Identities are not limited to humans; many are actually non-human, such as machine identities, service accounts, bots, API keys, etc., which only need a small subset of privileges to perform simple, repetitive tasks.

If and when the credentials of even just one of these Super Identities fall into the wrong hands, the probability of catastrophic damage is huge. As a case in point, an IAM role on an EC2 server that had an excessive amount of privileges was the major culprit in the Capital One breach. Severe damage like this through privilege misuse is certainly not acceptable for any enterprise embracing the cloud.

Manual Processes vs. Automation

Due to a lack of tools and solutions in the market to combat the over-provisioning problem, enterprises have been forced to use manual processes.

The biggest flaw is that these manual processes create static roles based on assumptions — either the pre-defined roles that cloud providers supply or custom roles created by the enterprise. The only way to fix this issue is a data-driven approach. To make these roles dynamic, organizations need to continuously monitor actual usage and right-size the roles to eliminate excessive privileges. Automation is the only practical way to achieve this.
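The right-sizing loop described above, and the over-provisioned-role pattern from the Capital One discussion earlier, can be made concrete with a small script. This is an added example, not the author's or CloudKnox's code. It assumes a simplified model: Allow statements with wildcard-capable IAM `Action` strings, a hand-written catalog of concrete actions standing in for the real (much larger) IAM action list, and CloudTrail-style events whose `eventSource`/`eventName` pair is mapped to an IAM action through a small, partial translation table (real CloudTrail event names do not always match IAM action names one-to-one, so that table is an assumption). The policy, role ARN and events are constructed sample data.

```python
"""Right-size an over-provisioned IAM role from observed usage (added example).

Compares what a role's policy grants against what CloudTrail-style events show
the role actually doing, flags unused destructive grants, and proposes a policy
limited to observed actions.
"""
from collections import Counter
from fnmatch import fnmatchcase

# Constructed subset of the IAM action catalog; real AWS has thousands.
ACTION_CATALOG = [
    "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject",
    "s3:PutObject", "s3:DeleteObject", "s3:DeleteBucket",
    "ec2:DescribeInstances", "ec2:TerminateInstances", "ec2:RunInstances",
    "iam:PassRole", "iam:CreateUser",
]

# Constructed over-provisioned policy attached to the role under review.
OVERPROVISIONED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

ROLE_ARN = "arn:aws:iam::123456789012:role/example-app-role"  # constructed
OTHER_ARN = "arn:aws:iam::123456789012:role/other-role"       # constructed

# Partial, hand-maintained mapping from CloudTrail "service:eventName" to the
# IAM action it exercises, for the cases where the two names differ (assumption).
EVENT_TO_ACTION = {
    "s3:ListObjects": "s3:ListBucket",
    "s3:ListObjectsV2": "s3:ListBucket",
    "s3:ListBuckets": "s3:ListAllMyBuckets",
}

# Unused grants matching these patterns deserve attention before anything else.
DESTRUCTIVE_PATTERNS = ["*:Delete*", "*:Terminate*", "iam:*"]


def _event(source, name, arn):
    """Build a minimal CloudTrail-style record with only the fields read here."""
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": arn}}}}


# Constructed sample events: the role reads objects and lists one bucket and
# some instances; a deletion by a different role must not count toward it.
SAMPLE_EVENTS = [
    _event("s3.amazonaws.com", "GetObject", ROLE_ARN),
    _event("s3.amazonaws.com", "GetObject", ROLE_ARN),
    _event("s3.amazonaws.com", "ListObjectsV2", ROLE_ARN),
    _event("ec2.amazonaws.com", "DescribeInstances", ROLE_ARN),
    _event("s3.amazonaws.com", "DeleteObject", OTHER_ARN),
]


def granted_actions(policy, catalog=ACTION_CATALOG):
    """Expand every Allow statement's Action patterns against the catalog."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        for pat in patterns:
            granted.update(a for a in catalog if fnmatchcase(a, pat))
    return granted


def used_actions(events, role_arn):
    """Count the IAM actions a given role actually exercised."""
    usage = Counter()
    for ev in events:
        issuer = ev.get("userIdentity", {}).get("sessionContext", {}) \
                   .get("sessionIssuer", {}).get("arn")
        if issuer != role_arn:
            continue
        service = ev["eventSource"].split(".", 1)[0]  # "s3.amazonaws.com" -> "s3"
        raw = f"{service}:{ev['eventName']}"
        usage[EVENT_TO_ACTION.get(raw, raw)] += 1
    return usage


def right_size(policy, events, role_arn, catalog=ACTION_CATALOG):
    """Return granted/used/unused sets, risky unused grants and a proposed policy."""
    granted = granted_actions(policy, catalog)
    used = set(used_actions(events, role_arn))
    unused = granted - used
    risky_unused = sorted(a for a in unused
                          if any(fnmatchcase(a, p) for p in DESTRUCTIVE_PATTERNS))
    # Resource is left as "*" here; scoping it per bucket/instance from the
    # event's resource fields is the natural next refinement.
    proposed = {"Version": policy["Version"],
                "Statement": [{"Effect": "Allow",
                               "Action": sorted(used & granted),
                               "Resource": "*"}]}
    return {"granted": granted, "used": used, "unused": unused,
            "risky_unused": risky_unused, "proposed_policy": proposed}


if __name__ == "__main__":
    report = right_size(OVERPROVISIONED_POLICY, SAMPLE_EVENTS, ROLE_ARN)
    print(f"granted={len(report['granted'])} used={len(report['used'])} "
          f"unused={len(report['unused'])}")
    print("risky unused grants:", report["risky_unused"])
    print("proposed actions:", report["proposed_policy"]["Statement"][0]["Action"])
```

Run against the constructed data, the role turns out to use three of the eight actions its policy grants, and the unused remainder includes `s3:DeleteObject`, `s3:DeleteBucket` and `iam:PassRole`, exactly the kind of standing privilege the article warns about. In practice the event list would come from a CloudTrail export covering a representative window, and the output would feed a review rather than be applied blindly.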

It's also no surprise that enterprises are struggling with the impossible task of keeping up with the endless stream of new privileges, roles, resources, and services across multiple cloud platforms, as they barely have the time or the resources to do so.

This is exactly why I always urge enterprises to press the pause button before following through with a cloud migration in order to take a full inventory of their human and non-human identities, roles and privileges. It's critical that enterprises take the time to understand what actions their identities are performing on which resources in the cloud, especially on the more critical resources. It's important to start building out identity and resource risk profiles to refer back to both before and during a cloud migration. During this time of transition, enterprises have an opportunity to maximize visibility across complex cloud operating models to prevent and decrease risks down the road.

Multi-Cloud, Added Complexities

As enterprises increasingly turn to multi-cloud environments to achieve the benefits of cost savings and reduced time-to-market, the tradeoff is often a significant increase in complexity.

For example, as enterprises grow and add new services and infrastructure types, it's vital that the correct authorization policies remain intact and it's important to understand how privileges will be provisioned and maintained across systems. This will be key in order to mitigate the risk of accidents and insider threats both during and after the cloud migration process.

Are Your Identity Privileges in Check?

Identity privilege management — especially of machine identities — is crucial and should be central to any cloud migration strategy. Without a plan in place, enterprises cannot successfully combat the expanding insider threat risk surface, whether it's the result of a simple operator error or malicious intent.

By prioritizing and investing in the continuous monitoring and management of machine and human identities before embarking on a cloud migration, enterprises have the extra time and resources to ensure proper authorization policies are in place once the cloud migration is complete. Identities are the new perimeter, according to Gartner — so there is no better time than now to make managing them a priority.

Balaji Parimi is CEO and Founder of CloudKnox Security