Why managing identities and entitlements is so important to securing your cloud infrastructure
First, a parable
A wolf sneaks into an organization’s cloud infrastructure (Grandma’s house). It compromises an identity (Grandma) and uses its excessive entitlements to devour sensitive data (Little Red Riding Hood).
Why didn’t the organization’s cloud security mechanisms stop the wolf in the first place? Well, that’s a tough one. Cloud data breaches are going to happen. A recent IDC survey found that almost 100% of organizations suffered a cloud data breach in the past 18 months.
The real question is: once in, how did the wolf run roughshod over cherished and ostensibly protected sensitive data?
Here’s the moral of the story: Organizations typically focus their cloud security posture assessments on best practices, industry benchmarks and regulatory compliance policies (CIS, GDPR, SOC2, PCI DSS, ISO, HIPAA…). This approach helps map multi-cloud assets, uncover general misconfiguration risks (emphasis on general) and, of course, helps tick compliance checkboxes. But attackers get in through many other doors, and none of those checks tells you what a compromised identity can reach once it is inside.
How, once your house is breached, do you minimize the harm an imposter Grandma can do?
Focus on entitlements to cover all bases
What’s being ignored is entitlements: the permissions that grant an identity access to resources, sensitive data included. Permissions are the all-important gatekeepers that let identities, human and machine alike, move around the organization’s cloud infrastructure, reach what they need and do with those resources what their job requires to keep the business running.
In highly complex and dynamic cloud infrastructure, those same permissions are also a security toxin: the means for wreaking untold damage. Cloud Service Provider (CSP) managed policies are often overly permissive and coarse-grained. In client PoCs and deployments we have found repeatedly that, on average, 85% of cloud infrastructure environments are overprivileged. Make no mistake: excessive permissions, such as unjustified admin privileges and entitlements still held by identities of people who have left the organization, are the keys to sensitive resources that attackers use once inside.
CSPM, CASB, CWPP – important, but not enough
The header above is Gartner’s assessment, and every cloud security area deserves attention. But where will an overstretched security/IT team striving to build its cloud security maturity get the greatest impact? Which tool will reduce the most risk?
As mentioned, many organizations, understandably, start with cloud security posture management (CSPM). CSPM, though, is a “short blanket.” Its broad visibility lacks the granularity, and the capabilities, necessary to see, stop and pre-empt permissions risk. Gartner predicts that “By 2023, 75% of cloud infrastructure failures will result from mismanagement of IAM privileges.” Avoiding those failures requires going beyond security misconfigurations to look at cloud security posture inclusive of identity, network, compute and data risk.
Cloud infrastructure entitlements management (CIEM) is a cloud-native solution built to offer a deeper and different lens on cloud security posture. It focuses on the identity lifecycle and on governance of access controls to unveil risks hidden by the complexity of cloud infrastructure environments, which have tens of thousands of human and service identities and thousands of policies and configuration settings.
CIEM tools discover and visualize all cloud accounts and entitlements across all identities. They analyze access policies, quantify and prioritize risk, and offer mitigation and least privilege policy auto-remediation that integrates with ticketing and other workflows for easy “shift left” collaboration across security and engineering.
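To make the entitlement analysis described above (and the excessive-permission patterns called out earlier: wildcard and admin policies, escalation-capable actions, identities nobody uses any more) concrete, here is an added example. It is illustrative code written for this page, not Ermetic’s engine or any product’s code. The policy documents, identity inventory, escalation-action list and severity weights are all constructed assumptions; the input format follows the AWS IAM policy JSON shape.

```python
"""Flag over-privileged IAM-style policies and stale identities.

Added example with constructed sample data: a toy version of the policy
analysis a CIEM tool performs, not Ermetic's engine or anyone's product code."""
import fnmatch
from datetime import datetime, timedelta, timezone

# Assumption: a short, illustrative list of actions that let an identity widen
# its own access. A real analyzer keeps a much longer, maintained list.
ESCALATION_ACTIONS = {
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy",
    "iam:PutRolePolicy", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:CreateAccessKey", "iam:PassRole", "iam:UpdateAssumeRolePolicy",
    "sts:AssumeRole",
}
# Assumption: weights used to rank findings; tune them to your own risk model.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def analyze_policy(policy):
    """Return findings for every Allow statement in an IAM-style policy document."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append((index, "high", "NotAction grants every action except those listed"))
        if "*" in actions and "*" in resources:
            findings.append((index, "critical", "full administrative access (Action * on Resource *)"))
        else:
            wildcard_services = sorted(a for a in actions if a.endswith(":*"))
            if wildcard_services:
                findings.append((index, "high", "service-wide wildcard actions: " + ", ".join(wildcard_services)))
            if "*" in resources and actions:
                findings.append((index, "medium", "actions allowed on every resource (Resource *)"))
        # Wildcards such as "iam:*" or "*" cover escalation actions, so match patterns.
        escalation = sorted(e for e in ESCALATION_ACTIONS
                            if any(fnmatch.fnmatchcase(e, pattern) for pattern in actions))
        if escalation:
            findings.append((index, "high", "privilege-escalation actions: " + ", ".join(escalation)))
    return [{"statement": i, "severity": s, "issue": t} for i, s, t in findings]


def stale_identities(identities, now, max_idle_days=90):
    """Names of identities with no recorded activity within max_idle_days."""
    cutoff = now - timedelta(days=max_idle_days)
    return [i["name"] for i in identities
            if i["last_activity"] is None or i["last_activity"] < cutoff]


def risk_score(findings):
    """Sum of severity weights; used to rank identities for remediation."""
    return sum(SEVERITY_WEIGHT[f["severity"]] for f in findings)


# Constructed sample inventory: one identity per policy, with a last-seen time
# such as you would read from a credential report or access-advisor data.
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)
SAMPLE_IDENTITIES = [
    {"name": "ci-deployer", "last_activity": NOW - timedelta(days=2),
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
    {"name": "report-reader", "last_activity": NOW - timedelta(days=10),
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
          "Resource": ["arn:aws:s3:::reports-bucket", "arn:aws:s3:::reports-bucket/*"]}]}},
    {"name": "former-contractor", "last_activity": NOW - timedelta(days=200),
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}},
]


def report(identities, now=NOW):
    """Per-identity findings and score, most risky first."""
    stale = set(stale_identities(identities, now))
    rows = []
    for ident in identities:
        findings = analyze_policy(ident["policy"])
        if ident["name"] in stale:
            findings.append({"statement": None, "severity": "high", "issue": "identity idle for more than 90 days"})
        rows.append({"name": ident["name"], "score": risk_score(findings), "findings": findings})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in report(SAMPLE_IDENTITIES):
        print(f"{row['name']:<18} score={row['score']:>3}")
        for f in row["findings"]:
            print(f"    [{f['severity']}] {f['issue']}")
```

Run on the sample inventory, the idle contractor with `iam:*` outranks the live admin identity: a single wildcard on the IAM service already covers every escalation action in the list, and nobody is around to justify it. The tightly scoped `report-reader` produces no findings at all. A real engine adds the things this toy skips: Deny statements, conditions, resource-based and session policies, and cross-account trust.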
Taking the fear out of least privilege
Let’s pause for a moment on the quest for least privilege. For all the talk of its importance, there’s a security joke going around that least privilege is what you tell your auditors you’re doing but aren’t. The biggest pain for security teams and engineers in minimizing, or removing altogether, users’ access privileges is fear of disrupting the business. Clients tell us about “security technical debt”: for business reasons, such as meeting a product development milestone, they knowingly over-privilege users, planning to revert and downsize the privileges after the need has passed, but never do. Good CIEM is, bottom line, a least privilege enabler. It applies access intelligence to suggest right-sized policies based on least privilege philosophy, and integrates them into your workflows for smooth approval and easy execution downstream.
So focusing on permissions isn’t just reactive: it automates and helps embed security health into your cloud infrastructure. It removes the fear of disruption by offering solid policies based on deep analysis of your users’ activities, factoring in far more parameters and information than a human engineer could when trying to define a least privilege policy. CIEM also offers other proactive capabilities such as anomaly and threat detection. Effective next-gen cloud security solutions offer both CIEM and CSPM, providing identity-first inventory, permissions and configuration management in a single, multi-cloud platform covering AWS, Azure and GCP.
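The right-sizing idea in the two paragraphs above, reduced to its core: compare what a policy grants with what the identity actually did over an observation window, propose a policy covering only the observed use, and list what can be cut. The following is an added example written for this page, not Ermetic’s algorithm or any product’s code. The action catalog, the CloudTrail-shaped events and the ARN generalization rule are constructed assumptions.

```python
"""Suggest a right-sized policy from observed activity.

Added example with constructed sample events: a toy version of the
activity-based least-privilege suggestion the text describes, not Ermetic's
algorithm. The action catalog and the CloudTrail-shaped events are made up."""
import fnmatch
from collections import defaultdict

# Assumption: a tiny catalog so wildcards like "*" or "s3:*" can be expanded.
# A real tool uses the provider's full list of actions.
ACTION_CATALOG = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket", "s3:DeleteBucket",
    "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteTable",
    "iam:CreateUser", "iam:AttachUserPolicy",
]


def _as_list(value):
    """IAM lets Action be a string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def expand_actions(policy):
    """Set of catalog actions the policy grants, with wildcards expanded."""
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            granted.update(a for a in ACTION_CATALOG if fnmatch.fnmatchcase(a, pattern))
    return granted


def generalize_arn(arn):
    """Collapse S3 object ARNs to bucket/* so the suggestion survives new keys.

    Assumption for this demo; production tools apply richer grouping rules."""
    prefix = "arn:aws:s3:::"
    if arn.startswith(prefix) and "/" in arn:
        bucket = arn[len(prefix):].split("/", 1)[0]
        return f"{prefix}{bucket}/*"
    return arn


def used_actions(events):
    """Map CloudTrail-style events to action names and the resources touched.

    Caveat: eventName does not always equal the IAM action name (S3's
    ListBuckets event corresponds to s3:ListAllMyBuckets, for example), so a
    real mapping table is needed beyond the simple cases shown here."""
    used = defaultdict(set)
    for event in events:
        service = event["eventSource"].split(".")[0]      # "s3.amazonaws.com" -> "s3"
        action = f"{service}:{event['eventName']}"
        for resource in event.get("resources", []):
            used[action].add(generalize_arn(resource["ARN"]))
    return used


def right_size(policy, events, observation_days):
    """Return a policy limited to observed use, plus what was granted but unused."""
    granted = expand_actions(policy)
    used = used_actions(events)
    groups = defaultdict(list)                 # resource set -> actions used on it
    for action in sorted(used):
        if action in granted:                  # ignore use granted by some other policy
            groups[tuple(sorted(used[action]))].append(action)
    statements = [{"Effect": "Allow", "Action": actions, "Resource": list(resources)}
                  for resources, actions in sorted(groups.items())]
    warnings = []
    if observation_days < 90:
        warnings.append("observation window under 90 days; quarterly or yearly jobs may be missed")
    return {
        "suggested_policy": {"Version": "2012-10-17", "Statement": statements},
        "unused_actions": sorted(granted - set(used)),
        "warnings": warnings,
    }


# Constructed: an admin policy granted "for the release" and never reverted.
SAMPLE_POLICY = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Constructed events shaped like CloudTrail records (only the fields used here).
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "resources": [{"ARN": "arn:aws:s3:::app-artifacts/build-101.zip"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "resources": [{"ARN": "arn:aws:s3:::app-artifacts/build-102.zip"}]},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "GetItem",
     "resources": [{"ARN": "arn:aws:dynamodb:us-east-1:123456789012:table/deploy-state"}]},
]

if __name__ == "__main__":
    import json
    print(json.dumps(right_size(SAMPLE_POLICY, SAMPLE_EVENTS, observation_days=90), indent=2))
```

The output is the artifact that takes the fear out of the change: a reviewer sees a policy that allows exactly the two S3 actions on one bucket and one DynamoDB read, next to the seven catalog actions the identity held and never used. The `warnings` field is the caveat a practitioner cares about most: a suggestion built on a short window will break the monthly or quarterly job that did not run during it, which is why the observation period, not the analysis, is usually the hard part.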
Write your own, forward-thinking cloud security narrative
Citing the IDSA report “Identity Security: A Work in Progress,” a previous post in this space noted that “Only 34% of those who described their security culture as ‘forward-thinking’ experienced an identity-related data breach in the past year.” Managing entitlements and identities is precisely the kind of forward-thinking security approach that will help protect your cloud infrastructure.
And it is, of course, the perfect offense for curtailing the damage from any wolf posing as Grandma.
About the Author: Shai Morag is Co-founder and CEO at Ermetic. He has more than 20 years of product management, technology leadership and senior executive experience. Before Ermetic, he was co-founder and CEO of Secdo, a cyber security company, where he led the company from its inception to a successful acquisition by Palo Alto Networks in only three years. Prior to Secdo, Shai was CEO of Integrity-Project, a company specializing in connectivity, networking and security solutions, eventually acquired by Mellanox.