Most enterprises have embraced the advantages a cloud infrastructure can bring to their computing, storage, network or other needs, and many are juggling multiple cloud platforms, some private and other public.
This comes with an unprecedented levels of automation that allows enterprises to scale to new heights in efficiency, but also introduces new risks and an increased probability of a security incident.
“Regardless of your cloud deployment model, a one-line script by an authorized identity can result in the most catastrophic damage, whether it is through negligence (e.g., typo) or malevolence (e.g., compromised credential or malicious insider),” Balaji Parimi, CEO and founder of CloudKnox Security, told Help Net Security.
“The best example of the former is the AWS outage of 2017, when one incorrect command knocked dozens of websites and applications offline, impacting hundreds of thousands of businesses and causing millions of dollars in lost revenue.”
Luckily, enterprises are beginning to understand that managing security in the cloud is much different than securing a traditional IT environment with well-defined perimeters – different public cloud services and software as a service (SaaS) solutions stretch the edges of the network to the point where any device or end user becomes the edge.
And things are about to become even more complex as we move to containers and serverless computing, he points out. Those companies that embrace cloud-based solutions and automation as the foundation of their cybersecurity strategy will definitely be in a better position to succeed fulfilling it.
Challenges of safeguarding hybrid-cloud infrastructures
Parimi says that the most significant challenge facing enterprises that aim to protect their cloud environment will be the loss of overall visibility and the associated lack of control over critical aspects of it.
“Newly appointed CISOs should first get a true understanding of the organization’s risk posture by gaining the right level of visibility and insight into its environment,” he advises.
“Who can touch the infrastructure? How many identities have access to the infrastructure? What privileges do they have? What can they do with those privileges? What privileges are they actually using? Not using? Which resources are they performing actions on? These are all questions that need to be answered before any action is taken.”
Based on these findings, a risk mitigation plan can be put in place by identifying identity privilege right-sizing opportunities.
“Most trusted identities use less than 1 percent of their privileges to perform their day-to-day jobs. Of the remaining 99 percent of unused privileges, approximately 50 percent are considered high-risk (e.g., destroy instance, export instance). Any misuse of a high-risk privilege – accidental or malicious – can cause service disruption, service degradation, data leakage or a complete business shut down,” he notes.
Implementing least privilege
Implementing the concept of least privilege should, therefore, be a priority. But while that concept is simple to understand, it can be very complex to effectively implement especially when you consider the many variables:
- Diverse computing environments (e.g., virtual, private cloud, hybrid cloud, multi-cloud)
- Different types of workloads (e.g., servers, virtual machines, containers, serverless, etc.)
- The various unique flavors of identities (e.g., employee, third party, bot, service account, API keys, resource, role, group)
- A growing number of privileges across all the private and public cloud platforms (e.g., AWS has over 3600 privileges).
A solution that leverages a Role-Based Access Control (RBAC) model will not work, he says, as with RBAC the identity belongs to a static role that comes by default with a pre-determined (and too wide) set of privileges.
Finally, he also stresses the need for a continuous monitoring of identities’ activity and behavior to re-assess the risk profile on a regular basis, as well as for the ability to quickly produce a forensic tail of all privileged identity activity and resources impacted (helpful for compliance, auditing, but also for incident prevention and remediation).