The world is quickly changing all around us. The coronavirus pandemic may have slowed down our fast-paced commuter life, but digital transformation initiatives are picking up pace like never before.
This escalation, however, brings with it a new set of cyber security vulnerabilities. New services from cloud providers are creating an explosion of identity and entitlements. Through the eyes of an attacker, each cloud identity represents a potential opportunity and first step toward a company’s most valuable assets. So what can be done to overcome these new vulnerabilities?
Least privilege access: the foundation of every zero trust policy
The adoption of public cloud services, SaaS applications and remote access have dissolved the traditional network perimeter, establishing identity as the key line of defence for most organisations to the outside connected world. As modern zero trust models take hold, authentication and authorisation of all identities are becoming paramount.
In cloud environments, any human or machine identity can be configured with thousands of identity and access management (IAM) permissions to access cloud workloads containing sensitive information. User, group and role identities are typically assigned permissions depending on their job functions, but many organisations unintentionally configure identities with permissions they don’t actually use or need.
These excessive permissions pose a major challenge for organisations as they move toward zero trust security frameworks, which demand that every identity attempting to access corporate resources be verified and have their access intelligently limited. Our recent ESG study found that over-permissioned accounts and roles are the top-ranked cloud service misconfiguration. Not surprisingly, attackers have taken notice of this too. The same survey ranked overly permissive privileges as the most common attack vector against cloud applications.
By compromising a cloud identity with overly broad permissions, an attacker can access critical workloads undetected or escalate their privileges to steal cloud-hosted data, disrupt high-value applications or even take entire cloud deployments offline.
Implementing least privilege – where all identities only have the minimum necessary entitlements to perform their ongoing responsibilities – is an established best practice to address this challenge. Least privilege also limits the number of entities that can grant or configure new permissions, making it difficult for attackers to escalate privileges and reach their goals.
As organisations continue on their cloud journey, the same approach to zero trust must be introduced or extended to all cloud environments. There are four main reasons to do so:
The increasing link between data breaches and cloud identities
Digital transformation only moves forward. As businesses shift their attention to the cloud, so do attackers. But while attackers are targeting new environments, they rely on the same old tactics. The 2020 Verizon Data Breach Investigations Report (DBIR) identified that identities remain the weakest link in most organisations, as credential theft was employed in 77% of cloud breaches.
These trends reinforce the case for least privilege access in cloud environments. By implementing least privilege access, organisations proactively protect themselves from insider threats while greatly limiting the potential damage of external attacks. Even if an attacker is able to compromise a single account, their lateral movement becomes extremely restricted. This protects mission-critical workloads, buying valuable time to detect and respond to an attack.
Shrinking the expanded attack surface
Several aspects of cloud environments make proper configuration of privileges and permissions a challenge. Without a thorough entitlements audit process, excessive permissions go unidentified and are never reduced to the least privilege a service needs to work properly. Other organisations fail to account for outdated permissions, such as failing to remove developer access to storage buckets and container pods at the close of a project.
Establishing and continuously validating least privilege is therefore a critical step to shrinking the attack surface, lowering risk by dissuading insider threat actors and impeding external attackers.
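The entitlements audit described above, as an added example rather than CyberArk's or any cloud provider's tooling: the policy, the identity names and the activity records are constructed to resemble AWS IAM actions and CloudTrail events, and the 90-day staleness window and the list of privilege-granting actions are assumptions.

```python
"""Entitlements audit: compare granted IAM-style permissions with observed use."""
from datetime import datetime
from fnmatch import fnmatch

# Constructed policy. The developer role kept broad storage access after its project closed;
# the analytics role holds a service-wide wildcard.
GRANTED = {
    "role/dev-pipeline": ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket",
                          "iam:PassRole", "iam:CreatePolicyVersion", "logs:PutLogEvents"],
    "role/analytics": ["s3:*", "athena:StartQueryExecution"],
}

# Constructed activity log: (identity, action, ISO-8601 timestamp of last observed use).
ACTIVITY = [
    ("role/dev-pipeline", "s3:GetObject", "2020-05-14T09:12:00"),
    ("role/dev-pipeline", "logs:PutLogEvents", "2020-09-01T10:00:00"),
    ("role/analytics", "s3:GetObject", "2020-08-30T17:45:00"),
    ("role/analytics", "athena:StartQueryExecution", "2020-08-30T17:46:00"),
]

# Assumed list of actions that let an identity grant or change permissions; these are
# the ones least privilege singles out because they enable privilege escalation.
PRIVILEGE_GRANTING = {"iam:PassRole", "iam:CreatePolicyVersion", "iam:AttachRolePolicy"}
AUDIT_DATE = datetime(2020, 9, 15)  # constructed "today" for the audit run

def audit(granted, activity, now=AUDIT_DATE, stale_after_days=90):
    """Per identity: granted entries never used, not used within the window, or worth review."""
    report = {}
    for ident, patterns in granted.items():
        unused, stale, review = [], [], []
        for pattern in patterns:
            # A granted entry may be a wildcard, so match observed actions against it.
            uses = [ts for i, a, ts in activity if i == ident and fnmatch(a, pattern)]
            if not uses:
                unused.append(pattern)
            elif (now - datetime.fromisoformat(max(uses))).days > stale_after_days:
                stale.append(pattern)
            if pattern in PRIVILEGE_GRANTING or pattern.endswith("*"):
                review.append(pattern)
        report[ident] = {"unused": unused, "stale": stale, "review": review}
    return report

def tighten(granted, activity, now=AUDIT_DATE, stale_after_days=90):
    """Propose a least-privilege action list: only concrete actions used within the window."""
    proposed = {}
    for ident, patterns in granted.items():
        keep = set()
        for i, action, ts in activity:
            recent = (now - datetime.fromisoformat(ts)).days <= stale_after_days
            if i == ident and recent and any(fnmatch(action, p) for p in patterns):
                keep.add(action)
        proposed[ident] = sorted(keep)
    return proposed
```

Run against real data, the activity list would come from the provider's access logs or last-accessed reports, and the proposed list is a starting point for review rather than a policy to apply blindly.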
The multiplication of cloud services and associated configuration risks
The leading infrastructure as a service (IaaS) platforms – Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) – are constantly introducing new services to differentiate themselves from other platforms. This blistering innovation boosts business productivity, as powerful tools for specialised needs like data streaming, blockchain networking and Internet of Things (IoT) analytics are more accessible than ever before.
But that accessibility can come at a price. Configuration of cloud services is challenging for any organisation, and one simple misconfiguration can open doors for attackers. The 2020 IBM Cost of a Data Breach report, for instance, found attackers used cloud misconfigurations in nearly 20% of data breaches.
Least privilege models place emphasis on managing permissions to identify potential misconfigurations that result in excessive, unauthorised access to key cloud services, mitigating risk while enabling necessary access to advanced workloads.
A call for action from industry leaders and regulations
Recognising the dangers of over-permissioned identities and the difficulty of securely configuring services in immense cloud environments, AWS, Azure and GCP all specify least privilege access as a security best practice.
Consortiums like the Cloud Security Alliance's Cloud Controls Matrix also stress the importance of continuously reviewing permissions. Meanwhile, highly regulated organisations can even face financial penalties if breached, for failing to establish least privilege. Hence, organisations should continuously verify least privilege across their on-premises and cloud workloads to ensure compliance.
Least privilege is recognised as a security best practice for a reason. But it cannot come at the expense of end-user productivity or overburden IT teams. Effective least privilege enforcement brings the right mix of privileged access management practices together with flexible controls. This allows organisations to balance security and compliance requirements with operational and end-user needs. If done right, any security vulnerabilities associated with cloud migration can be overcome, allowing companies to establish themselves as leaders in the post-pandemic world.
Author: David Higgins, EMEA Technical Director at CyberArk