Table of Contents
Share this entry
Most employees have access entitlements they don’t need and probably shouldn’t have. Few people are going to willingly give up that excess access; either they don’t realize they have it or they expect they will need it eventually. Nor is there a thorough internal check on entitlements. In a traditional identity inventory, users are often in a group that has a wide range of permissions, the permissions of the group are approved, and that would be that for another 90 days until the next inventory review. But individual users in that group likely have more entitlement privileges than they should have access to, resulting in threats to the data.
And it is even worse for non-human identities. The end-to-end permissions of non-human identities to the container are extensive, yet it is likely that only one or two of the entitlement paths are known. This opens up the cloud to misconfigurations.
Things in the cloud move quickly, and there are so many different identities there that trying to keep track of permissions is nearly impossible. A single employee could be given a new job task that mistakenly gives them access to everything in a production account. Without continuous monitoring for such universal permissions, they’ll go undetected, leading to misconfigurations, and eventually to data breaches.
Least Privilege Is Needed in the Cloud
Identity management – or lack thereof – will eventually be an organization’s biggest cloud security problem. In 2020, 50 percent of cloud security failures were the result of poor management surrounding identity, access, and privileges, according to Gartner. By 2023, that number jumps to 75 percent. The biggest management problem is an excess of privileges.
When identities have too many privileges, it makes it easier for those permissions to be misused or hijacked. Identities to gain more permissions over time, with none removed, which turns them into a shadow admin – an identity with so many privileges it has the functionality of an admin but doesn’t show up on audit reports or in other organizational reports as a legitimate admin.
Moving from one IaaS provider to another also presents privilege vulnerabilities. For example, an enterprise may start off in one cloud, taking time to understand the environment the team would be working in, before moving to another IaaS provider. Despite similarities across cloud providers, there are always distinct and important differences in each individual environment. This opens the door for mistakes and misconfigurations, as well as excess access across platforms, because there is a lack of a comprehensive identity and permissions inventory.
Least privilege means giving an identity – whether human or non-human – only essential privileges necessary to perform a task or function, and nothing else. Getting to least privilege, however, requires an identity management tool like Cloud Identity Entitlement Management.
Manage to Least Privilege
Getting to least privilege requires understanding the entire identity inventory – what identities are in the cloud, what they have access to, and what their function is. It’s critical that identities don’t have conflicting responsibilities that could put the organization at risk. For example, you don’t want an admin that manages your encryption that also has the ability to access, and decrypt/encrypt, your data. Also, change happens quickly in the cloud, which can lead to toxic combinations of privilege, such as entitlements that begin to creep in scope so the identity has access and permissions that have nothing to do with its intended functionality.
IAM tools are useful for on-premise management, leading many organizations to continue their use with cloud identities. This doesn’t work. “When transferred to the cloud, they lack the granular and resource-level visibility to identify or remediate access risks and excessive permissions,” Dark Reading reported.
CIEM, on the other hand, goes beyond the limitations in IAM solutions. It is a cloud-native and identity-centric next-generation tool designed to not only manage cloud-based identities but also to enforce and manage least privilege access. To manage the least privilege approach, CIEM relies on machine learning and analytics.
Get to Least Privilege and Stay There
Once your CIEM solution gets all of your identities to least privilege, the next step is to make the process continuous. It will:
Continuous monitoring. Identities and access can’t be checked sporadically to be at least privilege, but manual monitoring is too time-intensive to be anything but sporadic. CIEM allows for relentless, continuous monitoring of identity entitlements, with alerts whenever events deviate from governance and operational models. Orphaned, inactive, or otherwise suspicious identities are swiftly detected and deactivated.
Know your permissions. CIEM helps you evaluate the risks your human and non-human identities present across multiple public clouds. It provides end-to-end visibility into trust relationships as they exist in the environment.
Removes unnecessary permissions. Along with alerting you of deviations from operational models, CIEM solutions remove unused and unnecessary privileges across the cloud environment and remediates any issues conflicting with achieving least privilege.
Enable your teams to be part of the solution. Machine learning and analytics require human input, so your Security, Cloud, Audit, IAM, and DevOps teams need to be included with integrating the CIEM solution. By structuring your cloud into “swimlanes” that reflect your different needs for monitoring and control, Sonrai can help provide organized analysis, context-based alerts, and actions the way you organize your cloud.
Enforce a least privilege policy. Security, Cloud, Audit, IAM, and DevOps teams should also develop a least privilege policy for use across the cloud environment. Your CIEM solution automates the policy and implements it across the entire cloud ecosystem.
The more access entitlements your cloud identities have, the greater the risk for your cloud environment’s security. Implementing least privilege may have once been a daunting task, but CIEM solutions offer the management tools needed to get to least privilege and then stay there.
THE ARCHITECT
The Newsletter for Cloud Security Leaders. 1x a month.
Get a Comprehensive Cloud Identity Audit
Request Your AuditRead the latest news and insights
Sonrai cloud security platform, products and services are covered by U.S. Patent Nos. 10,728,307 and 11,134,085, together with other domestic and international patents pending. All rights reserved.