A Letter to the Modern CISO: Part 3


Your Cloud Can Be Deleted At Any Moment

This blog is the final piece of a three-part series. The series begins here.

As jarring as it sounds, your cloud is probably at risk of being deleted at any moment, and you probably have no idea. You likely have limited visibility into who, or what, can access your data and what they might be doing with it. It’s likely your DevOps and Security teams don’t understand how all of this can happen either. As we see from our research, most organizations are doing a poor job (at best) in managing their Identity risks. These results could be detrimental to your company as ‘access’ rules the kingdom.

Everything in the cloud has an Identity. More traditional teams are extremely familiar with things like users and groups, but applying this knowledge to the cloud is where the trouble begins. Teams are so focused on these types of Identities, and on making their cloud security fit into outdated identity governance models, that they fail to understand that the biggest risk lies elsewhere: machine identities. Machine identities include things like AWS Roles, Azure Service Principals, and GCP Service Accounts. They can exist on their own or be assigned to resources, such as VMs and Serverless functions, where each of those becomes its own form of a machine identity. On top of that, you have things like the cloud services themselves. I consistently see organizations that are barely aware of, let alone tracking, the Identities in their cloud. More specifically, they are failing to manage their machine identities, from understanding how they work, to where they exist in their cloud and finally, how they are being used. This is an alarming thought, as it is these types of Identities that put your cloud at risk.

Machine identities are proliferating and are outnumbering human identities quickly. This growth is frightening considering the fact that Identity risks are reported at the bottom of addressed concerns. In sum, machine identities are one of the biggest risks in your cloud, they are growing quickly, yet incongruently, your teams are failing to manage ⅔ of the risks that arise from them.

1 in 10 identities can delete your cloud


Approximately 10% of the Identities in your cloud have enough permission to delete your cloud. Not only can they delete your cloud, but they can do pretty much anything they want with it. This includes spinning up resources and services, causing costs to skyrocket. It also includes the ability to access all of your data to modify, disrupt, delete, and steal it. Looking at our research, we see that the average cloud has approximately 31,000 identities. So, when you do the math, that is approximately 3,100 identities in the cloud that can cause major damage to your business. The scariest part of all of this is that most companies are unaware of this reality. The ones that are aware think that using the same identity governance tooling and processes they use in their data center will secure their cloud. Nothing could be further from the truth.

Identity risk is the single greatest risk you have in your cloud. You likely lack the general ability to inventory all of your Identities, to understand their true end-to-end permissions, and to know where, when, and how those identities are being used. On top of that, the number of Identities in your cloud is increasing at an alarming rate and your teams are only able to manage about ⅓ of the ones that they can see. It only takes one over-privileged identity to do major damage in your cloud, and you likely have hundreds, if not thousands, of them. I recommend that you rethink the importance, and risks, of Identities in your cloud.
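One concrete way to start the inventory the section above calls for is to evaluate each identity's effective permissions against a list of destructive actions. The following is an added example, not code from the original post: the identities, their AWS IAM-format policy statements, and the DESTRUCTIVE action set are constructed samples, and the evaluation deliberately ignores resource and condition scoping.

```python
"""Flag identities whose effective IAM permissions allow destructive actions.
Added example; identities, policies and the DESTRUCTIVE set are constructed."""
from fnmatch import fnmatch

# Assumed illustrative subset of actions that can destroy data or infrastructure.
DESTRUCTIVE = {
    "s3:DeleteBucket", "ec2:TerminateInstances", "rds:DeleteDBInstance",
    "iam:DeleteRole", "kms:ScheduleKeyDeletion", "lambda:DeleteFunction",
}

def _matches(pattern, action):
    # IAM action patterns are case-insensitive and allow '*' and '?' wildcards.
    return fnmatch(action.lower(), pattern.lower())

def allowed_actions(statements):
    """Destructive actions the statements permit. Explicit Deny beats Allow,
    as in IAM; Resource and Condition elements are ignored in this example."""
    allowed, denied = set(), set()
    for stmt in statements:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        target = allowed if stmt["Effect"] == "Allow" else denied
        for pat in actions:
            target.update(a for a in DESTRUCTIVE if _matches(pat, a))
    return allowed - denied

def destructive_identities(identities):
    """Map identity name -> sorted destructive actions, for identities with any."""
    flagged = {}
    for ident in identities:
        acts = allowed_actions(ident["statements"])
        if acts:
            flagged[ident["name"]] = sorted(acts)
    return flagged

# Constructed sample inventory mixing human and machine identities.
SAMPLE_IDENTITIES = [
    {"name": "role/ci-deploy", "statements": [
        {"Effect": "Allow", "Action": ["ec2:*", "s3:*"]},
        {"Effect": "Deny", "Action": "s3:DeleteBucket"}]},
    {"name": "role/lambda-reader", "statements": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"]}]},
    {"name": "user/alice", "statements": [{"Effect": "Allow", "Action": "*"}]},
    {"name": "role/ec2-app", "statements": [
        {"Effect": "Allow", "Action": "dynamodb:GetItem"}]},
]

if __name__ == "__main__":
    flagged = destructive_identities(SAMPLE_IDENTITIES)
    print(f"{len(flagged)}/{len(SAMPLE_IDENTITIES)} identities can delete resources")
    for name, acts in flagged.items():
        print(f"  {name}: {', '.join(acts)}")
```

Wildcards such as `ec2:*` or a bare `*` are what turn an ordinary role into one of the "1 in 10", so the ratio this prints is the number worth tracking over time.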

Pioneering Cloud Security

The intention of this essay is to help you, the CISO, succeed in a competitive and shifting landscape by effectively managing future risks to your organization. This change starts with gaining awareness. To recap where many CISOs find themselves today: if you believe your cloud is secure, it is likely not as secure as you think it is. Or, if you are aware of your lack of visibility and control over your cloud, you are feeling frustrated, left behind and even out of place, a Cloud Security Imposter. This is not a matter of capability or individual performance, but a larger systemic problem in the industry. Cloud has eviscerated traditional security controls and added new, unique risks. Now it is time for security professionals to catch up with it.

This essay should help you walk away with several points: you lack visibility across your cloud; the security burden has fallen into the lap of DevOps, yet there is a gap in training and knowledge; a majority of risks are not being addressed, especially the most pressing ones; and you have a significant number of Identities in your environment that can steal data or delete your cloud. It is my recommendation that your organization takes charge of your security program, putting Identity and data access at the center of it. With the proper visibility and toolset, security can be done better in the cloud than ever before in the on-prem world. For security professionals, sufficient security is not a matter of want, motivation, or desire, but instead a matter of awareness and sufficient remediation and prevention.

Stop risking your reputation and the security of your organization. It is time to be recognized as the cloud pioneer who made your cloud an exceptional showcase of security.
