The past two years have brought several changes in the way enterprise applications and networks are built and accessed, and identity has become the new perimeter. With businesses using multiple cloud providers and a growing number of enterprises preferring software as a service, a significant percentage of enterprises face challenges in securing identity. As the use of public cloud platforms and cloud-based applications accelerates, it is imperative that enterprises focus their attention on securing the cloud, specifically on securing privileged access and identity in the cloud.
The dynamic nature of the cloud introduces a host of changes and challenges for identity and access management (IAM), and particularly for privileged access management (PAM), because privileged credentials associated with human users as well as with applications and machine identities are exceptionally powerful and highly susceptible to compromise in cloud environments. Once an attacker obtains privileged credentials, they can gain full access to sensitive databases, or even to an organization’s entire cloud environment. Many recent attacks targeting Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) environments have exploited unsecured credentials, resulting in data breaches.
Rapidly increasing insider threats are another area of serious concern. The Ponemon Institute’s 2020 Cost of Insider Threats report found that the average global cost of insider threats rose by 31% in two years to US$11.45 million, while the total number of incidents nearly doubled in the same period. Because insiders are trusted, they can misuse their privileged access in ways that harm their organization. These risks have been amplified by the use of cloud-based systems: even ordinary user credentials in cloud and DevOps environments can now hold as much power as administrator-level credentials do on other types of systems.
Additionally, as DevOps approaches and methodologies become more popular, ensuring the security of applications has become more challenging. One of the biggest security challenges in DevOps environments is privileged access management: DevOps processes depend on human and machine privileged credentials that are powerful and highly susceptible to cyberattacks.
Best practices to secure privileged access and identity
While each organization’s cloud journey is unique, there are some common best practices that can help in securing privileged access and identity:
- Leverage the power of automation: Use automated tools to discover and secure privileged credentials across the organization. Automating privileged credential rotation for both human and non-human users eliminates manually intensive, time-consuming and error-prone administrative tasks and safeguards the credentials used in hybrid and cloud environments.
- Monitor and record sessions proactively: Monitoring and recording capabilities let security teams view privileged sessions in real time and maintain a comprehensive, searchable audit trail of privileged user activity. By maintaining strict isolation between endpoints and targets, and never exposing endpoints (typically the weak point in the attack chain) to privileged credentials, security teams reduce the risk of malware spreading from infected endpoints to critical systems.
- Grant least privilege: Each identity must have only the permissions essential to performing its intended function. Enforcing least privilege helps organizations follow cloud security best practices and meet the requirements of compliance frameworks. By removing only excessive entitlements, organizations limit their risk exposure without removing the entitlements necessary for ongoing cloud operations. Implementing least privilege requires identifying excessive entitlements and permissions in each cloud environment that an organization operates. Once identified, excessive permissions for human and machine identities should be removed immediately, and all permissions and entitlements should be reviewed continuously to verify least privilege and proactively mitigate the risk of lateral movement by attackers.
- Secure root-level accounts and the cloud management console: Because cloud management consoles and portals enable comprehensive management of an organization’s cloud resources, they are an attractive target for attackers. To reduce risk, organizations must take a least privilege approach and identify which console permissions a user or application needs to do its job. To reduce the attack surface further, enterprises can also consider providing just-in-time access to the cloud management console: permissions are granted only when the session is launched, rather than held on an ongoing basis as with standing access.
Each public cloud provider has accounts with irrevocable administrative privileges, such as the AWS root user account, the Azure Global Admin role, and the Google Cloud Platform (GCP) Super User account. These accounts should not be used for any day-to-day administrative tasks. Multi-factor authentication (MFA) should be required for root access and other privileged access, and best practices call for monitoring and recording any session in which the root account is used. Unauthorized access to the management console or to root-level accounts carries huge risks, so it is crucial to secure both.
- Secure the DevOps pipeline: Organizations must secure all DevOps tool admin access, and should maintain a single security posture through a centralized console that identifies and authorizes the credentials for all DevOps tools and access under a common, enterprise-wide policy. All access to DevOps tools, especially by highly privileged users, should be secured using technologies such as SSO and MFA for an added layer of authentication.
It is also common practice to post application code to GitHub and other public repositories. However, this code often contains embedded API keys and other credentials and secrets, and attackers trawl these repositories to locate and abuse them. To address this issue, organizations must remove hard-coded credentials completely.
In a multi-cloud environment, attackers have shown that they look for the path of least resistance and can pivot successfully from cloud to on-premises systems, or in reverse. This can be mitigated with a PAM solution that monitors and secures privileged access activity for both human and non-human entities across hybrid and multi-cloud environments. It can be strengthened further by layering PAM with identity as a service (IDaaS) capabilities, including single sign-on and multi-factor authentication, allowing organizations to protect all users through a single identity provider that authenticates and grants access.
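As an added example (not code from the article or from CyberArk), the following Python script illustrates the control behind the hard-coded credentials point: a pre-commit style scanner that flags credential literals before code reaches a public repository, while letting references to an environment variable or a vault pass. The detection patterns, the placeholder heuristics and the sample repository content are all constructed for this demonstration; only the AWS access key ID shape (AKIA plus 16 upper-case alphanumerics) is the provider's documented format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Detection patterns. The AWS access key ID shape (AKIA followed by 16 upper-case
# alphanumerics) is AWS's documented format; the other two are generic heuristics
# for private keys and for secrets assigned as string literals.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "assigned_secret": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Values that are placeholders or references to an external secret store; those
# are the desired state, not a finding. (Constructed heuristic list.)
PLACEHOLDER_MARKERS = ("changeme", "example", "xxxx", "redacted", "${", "{{")


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    snippet: str  # redacted: the credential value never goes into the report


def is_placeholder(value: str) -> bool:
    v = value.lower()
    return any(marker in v for marker in PLACEHOLDER_MARKERS)


def redact(line: str, match: "re.Match") -> str:
    """Mask the matched credential, leaving the first 4 characters for triage."""
    grp = 1 if match.lastindex else 0          # group 1 holds the value for assigned secrets
    start, end = match.span(grp)
    keep = 4
    masked = line[start:start + keep] + "*" * max(0, end - start - keep)
    return line[:start] + masked + line[end:]


def scan_files(files: Dict[str, List[str]]) -> List[Finding]:
    """Scan {path: [lines]} and return one Finding per suspected hard-coded credential."""
    findings: List[Finding] = []
    for path, lines in files.items():
        for line_no, raw in enumerate(lines, start=1):
            line = raw.strip()
            for kind, pattern in SECRET_PATTERNS.items():
                match = pattern.search(line)
                if not match:
                    continue
                if kind == "assigned_secret" and is_placeholder(match.group(1)):
                    continue                   # env-var / vault reference: nothing to report
                findings.append(Finding(path, line_no, kind, redact(line, match)))
    return findings


# Constructed sample repository content for the demonstration. Nothing here is a
# real credential; the AKIA value is the placeholder key AWS uses in its own docs.
SAMPLE_REPO = {
    "app/config.py": [
        "import os",
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
        'DB_PASSWORD = "pr0d-db-Passw0rd-2021"',
        'API_KEY = os.environ["API_KEY"]',       # the fix: read from the environment / vault
    ],
    "deploy/values.yaml": [
        "image: registry.internal/app:1.4",
        'token: "${VAULT_TOKEN}"',              # templated reference, resolved at deploy time
    ],
}


def report(files: Dict[str, List[str]]) -> List[str]:
    """Render findings as pre-commit style messages; a non-empty list means block the commit."""
    return [f"{f.path}:{f.line_no}: {f.kind}: {f.snippet}" for f in scan_files(files)]


if __name__ == "__main__":
    for msg in report(SAMPLE_REPO):
        print(msg)
```

Wired into a pre-commit hook, a non-empty result from `report()` blocks the commit; the two findings in the sample are the access key literal and the database password, while the environment-variable and vault references pass. Because `redact()` masks the value, the report itself can be forwarded to a ticketing system without re-exposing the secret.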
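The least privilege and just-in-time points above reduce to one question: of everything an identity is allowed to do, what does it actually use? The following Python example, added here and not part of the article or of any CyberArk product, reviews an IAM-style policy document against a summary of the principal's observed activity, reports unused and high-risk entitlements and statements with wildcard resources, and produces a right-sized policy containing only the actions that were used. The action catalogue, the high-risk action list, the sample policy and the CloudTrail-style activity records are constructed for this demonstration.

```python
import fnmatch
import json
from typing import Iterable, List, Set

# Constructed catalogue of the actions this review knows about. A real review
# would load the full per-service action list from the provider's documentation.
ACTION_CATALOGUE = {
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket", "s3:DeleteBucket",
    "iam:CreateUser", "iam:AttachUserPolicy", "iam:PassRole",
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
}

# Actions that change who holds privilege or destroy data; unused grants of these
# are the first thing to remove. (Constructed list for the example.)
HIGH_RISK_ACTIONS = {"iam:CreateUser", "iam:AttachUserPolicy", "iam:PassRole", "s3:DeleteBucket"}


def _as_list(value) -> List:
    """IAM documents allow a single string/object or a list in the same place."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def expand_actions(patterns) -> Set[str]:
    """Expand action patterns such as "s3:*", "ec2:Describe*" or "*" against the catalogue."""
    granted: Set[str] = set()
    for pat in _as_list(patterns):
        granted |= {a for a in ACTION_CATALOGUE if fnmatch.fnmatchcase(a, pat)}
    return granted


def granted_actions(policy: dict) -> Set[str]:
    """All actions an IAM-style policy document allows (Deny statements are left alone)."""
    granted: Set[str] = set()
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") == "Allow" and "Action" in st:
            granted |= expand_actions(st["Action"])
    return granted


def used_actions(events: Iterable[dict]) -> Set[str]:
    """Turn CloudTrail-style records ({eventSource, eventName}) into service:Action names."""
    return {f"{e['eventSource'].split('.')[0]}:{e['eventName']}" for e in events}


def right_size(policy: dict, used: Set[str]) -> dict:
    """Least-privilege version of the policy: each Allow statement keeps only the
    actions that were actually used; statements left with nothing are dropped."""
    statements = []
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            statements.append(st)              # keep explicit Deny statements untouched
            continue
        keep = sorted(expand_actions(st["Action"]) & used)
        if keep:
            statements.append({**st, "Action": keep})
    return {**policy, "Statement": statements}


def review_entitlements(policy: dict, events: Iterable[dict]) -> dict:
    """Compare what the policy grants with what its principal used in the observation window."""
    granted = granted_actions(policy)
    used = used_actions(events) & granted      # activity outside the grant cannot have succeeded
    unused = granted - used
    wildcard_resources = [
        st.get("Sid", f"statement-{i}")
        for i, st in enumerate(_as_list(policy["Statement"]))
        if st.get("Effect") == "Allow" and "*" in _as_list(st.get("Resource", []))
    ]
    return {
        "granted": sorted(granted),
        "used": sorted(used),
        "unused": sorted(unused),
        "high_risk_unused": sorted(unused & HIGH_RISK_ACTIONS),
        "wildcard_resources": wildcard_resources,   # still need scoping after right-sizing
        "recommended_policy": right_size(policy, used),
    }


# Constructed sample: a role's policy and a summary of 90 days of its activity.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppData", "Effect": "Allow", "Action": ["s3:*"],
         "Resource": "arn:aws:s3:::app-data-bucket/*"},
        {"Sid": "Ops", "Effect": "Allow", "Action": ["ec2:Describe*", "iam:PassRole"],
         "Resource": "*"},
    ],
}
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]

if __name__ == "__main__":
    print(json.dumps(review_entitlements(SAMPLE_POLICY, SAMPLE_EVENTS), indent=2))
```

On the sample, the review finds that `s3:*` was used for nothing beyond `GetObject` and `PutObject`, that the unused `iam:PassRole` and `s3:DeleteBucket` grants are high-risk, and that the `Ops` statement applies to every resource. The recommended policy keeps only the three used actions; the `*` resource still has to be narrowed by hand, and anything removed can be handed back as a time-bound, just-in-time grant when a real need arises rather than restored as standing access.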
(The author, Mr. Sumit Srivastava, is Solutions Engineering Manager, India & SAARC, at CyberArk; the views expressed in this article are his own.)