Katie Curtin-Mestre, VP of Product, CyberArk, shares advice on the best practices for securing cloud-based applications and infrastructure.
Public cloud adoption shows no signs of slowing down. According to our Threat Landscape Report published earlier this year, 94 percent of global organisations use cloud services.
Digital transformation projects mandated by the C-suite and demands from developers to streamline development processes are forcing even heavily regulated industries such as financial services and healthcare to speed up their adoption cycles.
More often than not, these cloud initiatives are deployed without security being factored into the equation. The fault for this can’t be laid at the feet of cloud architecture and DevOps teams though. They often lack the expertise to address - and ensure the mitigation of - the risks associated with extending privileged access.
As a result, they often opt not to make security a priority due to the strict mandate to bring new digital services to market quickly and efficiently. With this in mind, it’s crucial security teams collaborate to integrate security before poor practices become entrenched in product development cycles.
Whether based in the cloud or on-premises, one thing is for sure - organisations’ infrastructures remain vulnerable to attackers’ tried and trusted hacking techniques. These individuals and bodies continue to seek the path of least resistance, so privileged access management (PAM) is vital to securing the attack path.
The difference between on-premises and cloud attacks
During a typical on-premises breach, attackers begin by looking for ways to compromise a user, leading them to start with an attack on the endpoint. For instance, an attacker could start with phishing to get their hands on privileged credentials. Once the stolen privileged credentials are secured, they could move laterally through the network by escalating privileges and work their way up to owning a domain.
In modern cloud environments, an attacker can save steps by compromising one privileged user and then leveraging this access to compromise, for example, a cloud management console. Hijacking these types of privileged credentials allows attackers to shut down said cloud environment.
It’s impossible to say whether the cloud is more or less secure than on-premises. Regardless, misconfigurations across these open, more centralised environments can ripple in an exponential way that you don’t see in traditional deployments. Securing privilege in the cloud has therefore become an enterprise imperative.
Bringing developers and security teams closer
Application credentials typically outnumber those associated with human accounts, so controlling, managing and auditing non-human privileged access for these applications is no small feat. A similar approach must be taken to securing the application credentials of cloud native apps.
Organisations can quickly find themselves leveraging native secret stores provided by their cloud, DevOps and Robotic Process Automation (RPA) vendors. This leads to a heavily fragmented approach and “islands” of security. Then, when the security teams are asked to help secure these applications, the main questions are: where do these secrets live, and who is responsible for rotating them? These are questions developers often have no answer to.
Organisations seek centralisation, but development teams are often more focused on high velocity, code sharing, ad-hoc tooling and full-on automation. It therefore becomes the job of the security team to get the developers on board.
When you have so many applications, focus becomes paramount. The priority must be removing application secrets for RPA – this has the advantage of facilitating cross-team visibility, adoption and quick wins – which is useful for demonstrating benefits to developers.
From there, the next step is migrating to a shared services security model, with the end goal that non-security teams provide internal financing for cyber security projects. This creates cross-functional teams, allowing organisations to bring DevOps and security teams into alignment and fostering collaboration for stronger overall security.
Extending security to the cloud
A recent CyberArk study shows that nearly 70 percent of organisations do not secure business-critical applications deployed on the cloud any differently to how they secure low-value applications or services. Organisations must take steps to protect what attackers target most as cloud applications proliferate: privileged access.
This means locking down the powerful human and application-to-application credentials used by SaaS applications and cloud-native applications built using DevOps methodologies to reduce the risk of an attack.
When data and applications are moved to the cloud, it’s easy to provide all developers access to any cloud resource, postponing the tedious permissions management to later. However, the more it is postponed, the harder it is to impose stricter security permissions.
A previous study of attendees of InfoSecurity Europe 2019 showed that 37 percent of organisations have already experienced attacks that could compromise their data and applications in the cloud. According to industry experts, nearly all cyber attacks involve privileged access. In cloud-first environments, access is therefore not limited to the network, and the perimeter is no longer defensible.
Security strategies must therefore shift to protecting what’s most important from within. Zero trust security models, where organisations trust nothing and verify everything, whether it comes from inside or outside the network perimeter, before granting access, are making this possible. Practising defence-in-depth and incorporating privileged access security controls at the core of their strategy will allow organisations to implement a zero trust framework that helps to drive down risk while maintaining business velocity.