It only takes one over-privileged identity to do major damage to a cloud
While moving to the cloud increases efficiency and business agility, security strategies haven’t been adapted to account for this shift and traditional tools can’t effectively manage the unique associated risks. CISOs that ignore the risks are left completely exposed and are putting their company, reputation and job at risk.
As the limitations of traditional security approaches become obvious, it’s creating real frustration. After working strictly in the cloud with industry-leading enterprises for the past six years, I’ve seen it all and can sympathize with CISOs facing cloud security challenges. Still, I want organizations to consider this a call to action to take charge of their cloud security.
Exposing threats among us
We analyzed our entire customer base last year and found that approximately 60% of organizations were unsuccessful in meeting even the most basic state of security for their cloud assets. And of those 40% that achieved it, less than 10% attained what could be considered a moderate level of security. Essentially, most organizations are either not prioritizing or are unsuccessfully attempting to secure their cloud.
When looking at the state of cloud security across this range of organizations, I see five major concerns:
1. The least addressed risks were audit (31%), least privilege (30%), and credentials (24%). When considering that credentials and least privilege both relate to securing identities in the cloud, there’s a dangerous gap that should keep CISOs up at night. Identity has replaced networks as the “boundary” for security in the cloud but is the least likely to be addressed in an organization. Attackers will compromise identities to laterally move through an organization’s cloud and escalate privileges in order to access data and damage your business (more on that in a bit). 81% of breaches involve a compromised identity.
2. The fact that audit security is in the lowest three is problematic. Audit security controls ensure that an organization’s cloud has the necessary auditing and logging enabled. Most organizations are missing critical logs and audit findings. This simple misconfiguration is involved in many of the cloud data breaches in today’s headlines, as organizations had no idea their environment was compromised. To make matters worse, even if these organizations could identify the exposed data store, without the proper audit logs they’d be unable to determine who or what accessed it and what they might have done with it.
3. Far too many organizations are exposed to potential risks, a concerning state below what should be considered the bare minimum. It’s no wonder we see headlines of a new cloud-based data breach every two weeks! And all the talk about how organizations must get their clouds to a state of zero trust or a certain level of resiliency sounds tone-deaf when so few have reached even a base level of security.
4. A lot of risks are going unaddressed. Our research found that only 43% of detected risks are being addressed. That means across the average cloud, almost 60% of all risks are not being managed. Furthermore, the overall risk level in key areas such as cloud security posture management (CSPM), cloud infrastructure entitlement management (CIEM), cloud workload protection platform (CWPP) and data are considered “high”’ While a few organizations were at only a “medium” level in some areas, none were at “low” risk.
5. On the bright side: CSPM risks top the list of those being handled most often. Of the 43% of risks being addressed, the top three are encryption (64%), data protection (50%), and network (48%). Still, it’s worth noting that just over half of the risks across these top three categories are being addressed (54%). The concern grows when recognizing that all three risks stem from CSPM. None of the other areas – CIEM, CWPP and data – showed up as being addressed in a meaningful way. Put another way, there is a clear and reported lack of focus on securing risks related to identity, data and workload.
I’ve witnessed numerous examples in recent years that led me to conclude that most security leaders may be unaware of the severity of the risks in their cloud. This includes one situation where very sensitive corporate information was stored in publicly exposed data stores accessible without authorization and the company was completely unaware; VPN access and transmissions secrets exposed to all identities across a large organization; cloud access secrets exposed to the internet without authorization and auditing enabled; and multiple vulnerable virtual machines, exposed to the internet, with identities attached that had access to highly sensitive data and the ability to manipulate, ransom, steal and/or delete this data.
This lack of visibility is one of today’s greatest and most urgent cloud security concerns. Casting light on these challenges means unearthing, prioritizing and helping the business manage risks in every corner of the cloud. This will only happen if CISOs commit to educating and training security and DevOps teams on the basics of cloud and how to secure it. Here’s why that matters.
You shifted left – right off a cliff
In many organizations, cloud security is outsourced to DevOps teams, and the outcomes are predictably poor from a security perspective. Developers are building clouds with Infrastructure as Code (IaC), but the security procedures haven’t caught up – it’s all-Dev-no-Ops.
To be fair, DevOps teams have been tasked with a responsibility that’s inconsistent with the CISO’s goals and resources. They’re not incentivized to prioritize security, as they are constantly directed to get code out the door faster and faster. In those organizations with strong cloud security, however, it’s no surprise that the DevOps teams often play a strong role in this success.
The security team is usually in the dark when it comes to the cloud. Training and education for IT teams making the shift from the data center to the cloud suffers from rampant underinvestment, as well as for the DevOps teams who find themselves tasked with securing the cloud. Security teams are also in the dark when it comes to visibility across their entire cloud and the risks within it. This lack of visibility combined with the lack of training results in teams that do not fully understand the cloud, the potential risks and what to do about them. For the risks that they do understand, they lack the strategy or tools to accurately detect them. At the end of the day, CISOs are left holding a ticking time bomb.
Consider this: CISOs likely have limited visibility into who or what can access their data and what they might do with it. Security and DevOps teams likely don’t understand how all of this can happen either. As the research shows, most organizations are doing a poor job of managing their cloud identity and data risks. This is incredibly detrimental to the security of any organization’s cloud, as “access” rules the kingdom.
Your cloud can be deleted at any moment
Everything in the cloud has a relationship to identity. While traditional security teams are likely familiar with users and groups, applying this knowledge to the cloud is where the trouble begins. Teams are so focused on addressing these types of identities and making their cloud security fit into outdated identity governance models that they fail to understand the biggest risk lies elsewhere: the non-person identities.
Non-person identities (NPI) include things like AWS Roles, Azure Service Principles and GCP Service Accounts. They can exist on their own or be assigned to resources, such as virtual machines and serverless functions, where each of those becomes its own form of NPI. Organizations are failing to manage their NPIs, from understanding how they work, to where they exist in the cloud, to how they are being used. This is alarming because it’s these NPIs that are putting clouds at risk.
To make matters worse, NPIs are proliferating much more quickly than human identities. This growth is frightening because identity risks are at the bottom of the list of addressed concerns; as evidence, teams are already failing to manage two-thirds of the risks that arise from NPIs.
Our analysis found it’s not unusual for a typical enterprise organization’s cloud to have approximately 31,000 identities. In fact, approximately 10% of those identities – 3,100 identities – have enough permissions to delete that organization’s entire cloud. Not only can they delete the cloud, but they can do anything they want with it. This could include spinning up resources and services, causing costs to skyrocket.
It could also include the ability to access all your data to modify, disrupt, delete or steal it. The scariest part is that most companies are completely unaware of this reality. Unfortunately, even those that are aware believe that applying the same data center identity governance approach will secure their cloud. Nothing can be further from the truth.
Identity risk is the single greatest threat to an organization’s cloud. This is not a matter of capability or individual performance, but a larger systemic problem. CISOs likely lack the general ability to inventory all of those identities, understand their true end-to-end permissions, and know where, when and how those identities are being used. It only takes one over-privileged identity to do major damage to a cloud – and most organizations likely have hundreds, if not thousands, of them. I strongly recommend that CISOs rethink the importance and risks of identities in their cloud.